Leaderboard


Popular Content

Showing content with the highest reputation since 06/22/2018 in all areas

  1. 2 points
    There are few things in this world that remain shrouded in secrecy for twenty years, but 711 numbers and their foundation have done an excellent job of exactly that. That all changed, though, with a post in the some numbers thread. More specifically, with two numbers: (800) 860 0169 and (800) 860 0867. Don't bother checking, they're both the same. When you call either, crunchy, 20-year-old ADPCM crackles to life with "This is the West Interactive audio system. Enter your access code now."

    The access codes, as it turns out, are pretty easy to guess. The passwords, equally so. I'll share a list at the end of this. But assuming you're not lazy or intimidated by phones and actually called, give it 7278 and password 7278. Then, push 3 to test the program. Sound familiar?

    So what, you may ask, is this thing exactly? The program itself is just a placeholder for unassigned numbers. Nothing special. The rest of the system is something else, though. Explore what I've found, and help continue the hunt if you like it.

    0 - Reads back 811-000-0000 + invalid entry recording 1 - Doesn't allow call counter, allows blocked caller list, invalid, but works with password 0, 2 (plays announcement asking you to call 800-366-5588 with password 0) 2 - Invalid 3 - Invalid 4 - Doesn't allow call counter, invalid 5 - Reads back unit ID, line number, ACD test application 6 - Doesn't allow call counter, invalid 7 - Invalid 8 - Invalid?
9 - Reads back unit ID, line number, call time (local), plays fake busy signal 10 - <unassigned or new passcode> 11 - Invalid 12 - Doesn't allow call counter, invalid 13 - Hangs up 14 - Invalid 15 - <unassigned or new passcode> 16 - <unassigned or new passcode> 17 - Invalid 18 - <unassigned or new passcode> 19 - Doesn't allow prompt recording, ShopNBC IVR 20 - Invalid 21 - Invalid 22 - <unassigned or new passcode> 23 - <unassigned or new passcode> 24 - <unassigned or new passcode> 25 - <unassigned or new passcode> 26 - <unassigned or new passcode> 30 - Invalid (old psychic line) 96 - <unassigned or new passcode> 97 - <unassigned or new passcode> 98 - <unassigned or new passcode> 99 - Recorded beeps (x3) 00 - Reads back ? 01 - <unassigned or new passcode> 02 - <unassigned or new passcode> 000 - <unassigned or new passcode> 099 - <unassigned or new passcode> 100 - Doesn't allow prompt recording, invalid 101 - ShopNBC IVR 102 - Invalid 103 - <unassigned or new passcode> 104 - Prompts for APN number 105 - <unassigned or new passcode> 106 - <unassigned or new passcode> 107 - <unassigned or new passcode> 108 - <unassigned or new passcode> 109 - <unassigned or new passcode> 110 - <unassigned or new passcode> 111 - Doesn't allow call counter, invalid 112 - <unassigned or new passcode> 113 - <unassigned or new passcode> 114 - Allows blocked caller updating, Invalid 115 - <unassigned or new passcode> 116 - <unassigned or new passcode> 117 - <unassigned or new passcode> 122 - <unassigned or new passcode> 123 - Invalid 124 - No menu, hangs up promptly 125 - <unassigned or new passcode> 150 - <unassigned or new passcode> 166 - <unassigned or new passcode> 170 - <unassigned or new passcode> 180 - <unassigned or new passcode> 190 - <unassigned or new passcode> 200 - <unassigned or new passcode> 202 - <unassigned or new passcode> 211 - <unassigned or new passcode> 222 - Invalid 300 - <unassigned or new passcode> 303 - <unassigned or new passcode> 311 - <unassigned or new passcode> 
322 - <unassigned or new passcode> 333 - No menu, Call accounts facility temporarily unavailable recording 400 - <unassigned or new passcode> 444 - Invalid 499 - <unassigned or new passcode> 500 - No options, immediately reads back 800-404-4890 and transfers 501 - <unassigned or new passcode> 502 - <unassigned or new passcode> 555 - Allows blocked caller update, invalid 599 - <unassigned or new passcode> 600 - <unassigned or new passcode> 611 - <unassigned or new passcode> 666 - Invalid 699 - <unassigned or new passcode> 700 - <unassigned or new passcode> 711 - <unassigned or new passcode> 777 - <unassigned or new passcode> 799 - <unassigned or new passcode> 800 - <unassigned or new passcode> 809 - <unassigned or new passcode> 810 - <unassigned or new passcode> 811 - Allows blocked caller update, <recorded beep tone> 812 - <unassigned or new passcode> 813 - <unassigned or new passcode> 888 - Allows blocked caller update, invalid 899 - <unassigned or new passcode> 900 - Invalid 901 - <unassigned or new passcode> 902 - <unassigned or new passcode> 958 - <unassigned or new passcode> 998 - <unassigned or new passcode> 999 - Same as main IVR on toll-free 000 - <unassigned or new passcode> 080 - <unassigned or new passcode> 0000 - Doesn't allow prompt recording, invalid 0001 - Invalid 0002 - Invalid 0003 - Reads back unit/line #, invalid call time + hangup 0005 - Invalid 0006 - Reads back 3547-179, phone number, caller #, "sorry, you did not ring" 0007 - Gives unit ID, line number, call time, xfers to operator 0008 - <invalid application> 0009 - Taco poll 0010 - <unassigned or new passcode> 0011 - Gives unit ID, line number, call time (local + epoch?), hangs up 0012 - Invalid 0013 - Voice capture thingie 0014 - <unassigned or new passcode> 0015 - <unassigned or new passcode> 0016 - <unassigned or new passcode> 0017 - <unassigned or new passcode> 0018 - <unassigned or new passcode> 0019 - <unassigned or new passcode> 0020 - <unassigned or new passcode> 0022 - <unassigned 
or new passcode> 0030 - <unassigned or new passcode> 0033 - <unassigned or new passcode> 0044 - <unassigned or new passcode> 0053 - <unassigned or new passcode> 0054 - <unassigned or new passcode> 0055 - Gives unit ID, line number, call time (local), billing test? Astro line, talks about charging $3.99/min 0056 - Invalid 0057 - <unassigned or new passcode> 0065 - <unassigned or new passcode> 0066 - Invalid 0067 - <unassigned or new passcode> 0077 - <unassigned or new passcode> 0087 - <unassigned or new passcode> 0088 - Invalid 0089 - <unassigned or new passcode> 0097 - <unassigned or new passcode> 0098 - <unassigned or new passcode> 0099 - Invalid 0100 - <unassigned or new passcode> 0101 - Invalid 0102 - <unassigned or new passcode> 0103 - <unassigned or new passcode> 0123 - <unassigned or new passcode> 0111 - <unassigned or new passcode> 0200 - <unassigned or new passcode> 0211 - <unassigned or new passcode> 0222 - Reads back unit ID, line number, 12345, hangs up 0298 - <unassigned or new passcode> 0299 - <unassigned or new passcode> 0300 - Invalid 0301 - Runs program w/o options, reads unit/line # and disconnects 0302 - Runs program w/o options, invalid, loops 0303 - No menu, cardholder services survey line, does voice capture for some reason near end of call 0304 - No menu, reads back unit ID, line number, "To start the program, press one. To change the date and time, press two. To change the ANI, press three. To change the APN, press four. To change the CSG box, press five. To change the ICOMS box, press six. To change the informix box, press seven. To change the CLASS database, press eight." 
0305 - Doesn't allow call counts option, hangs up quickly 0306 - Hangs up quickly 0307 - <unassigned or new passcode> 0308 - <unassigned or new passcode> 0309 - Doesn't allow prompt recording, hangs up quickly 0310 - "Welcome to the <something> line", hangs up 0311 - "Hello world", hangs up 0312 - Invalid 0313 - Invalid 0314 - Invalid 0315 - Invalid 0316 - Invalid 0317 - <unassigned or new passcode> 0318 - <unassigned or new passcode> 0319 - <unassigned or new passcode> 0320 - <unassigned or new passcode> 0321 - <unassigned or new passcode> 0325 - <unassigned or new passcode> 0326 - <unassigned or new passcode> 0327 - Invalid 0328 - Invalid 0329 - Invalid 0330 - Invalid 0331 - <unassigned or new passcode> 0332 - <unassigned or new passcode> 0333 - Reads ten zeroes and disconnects 0334 - <unassigned or new passcode> 0340 - <unassigned or new passcode> 0400 - <unassigned or new passcode> 0403 - <unassigned or new passcode> 0404 - Call counts menu not available, invalid 0405 - Doesn't allow prompt recording, invalid 0406 - <unassigned or new passcode> 0407 - <unassigned or new passcode> 0408 - <unassigned or new passcode> 0409 - Invalid 0410 - Invalid 0411 - Invalid 0412 - Reads back unit number, line number, prompts for test DNIS, credit card number (client is Commdata) 0413 - Invalid 0414 - <unassigned or new passcode> 0415 - <unassigned or new passcode> 0444 - <unassigned or new passcode> 0500 - <unassigned or new passcode> 0501 - <unassigned or new passcode> 0502 - <unassigned or new passcode> 0503 - No call counts menu, invalid 0504 - No menu, hangs? 0505 - Hangs? 0506 - No menu, invalid, loops 0507 - <unassigned or new passcode> 0508 - <unassigned or new passcode> 0509 - <unassigned or new passcode> 0510 - Invalid 0511 - <unassigned or new passcode> 0512 - Doesn't allow prompt recording, invalid 0513 - No call counts menu, hangs? 0514 - No recording menu, hangs? 
0515 - <unassigned or new passcode> 0516 - <unassigned or new passcode> 0517 - <unassigned or new passcode> 0519 - <unassigned or new passcode> 0520 - Invalid 0521 - Hangs? 0522 - <unassigned or new passcode> 0523 - <unassigned or new passcode> 0528 - <unassigned or new passcode> 0529 - <unassigned or new passcode> 0530 - Call counts option not available, does silent voice capture, plays back 0531 - <unassigned or new passcode> 0532 - <unassigned or new passcode> 0540 - <unassigned or new passcode> 0550 - <unassigned or new passcode> 0555 - <unassigned or new passcode> 0603 - <unassigned or new passcode> 0604 - <unassigned or new passcode> 0605 - <unassigned or new passcode> 0606 - Invalid 0607 - Reads back unit ID, line number, call time (020855), disconnects 0608 - Reads back unit ID, line number, call time (1529128930), Spanish order line, 4919 0609 - Invalid 0610 - <unassigned or new passcode> 0611 - Test recording of mic scuffling? Or invalid. 0612 - Invalid 0613 - <unassigned or new passcode> 0614 - Invalid 0615 - Invalid 0616 - <unassigned or new passcode> 0617 - <unassigned or new passcode> 0618 - Doesn't allow prompt recording, invalid 0619 - Invalid 0620 - <unassigned or new passcode> 0621 - Doesn't allow prompt recording, TTS voice, "Sorry, all of our agents are currently busy. Please try again later." 0622 - Invalid 0623 - <unassigned or new passcode> 0624 - Invalid 0625 - <unassigned or new passcode> 0626 - <unassigned or new passcode> 0627 - Recorded beeps x2, hangs? 
0628 - Comcast Digital Phone IVR 0629 - <unassigned or new passcode> 0630 - Invalid 0631 - <unassigned or new passcode> 0632 - <unassigned or new passcode> 0633 - <unassigned or new passcode> 0634 - <unassigned or new passcode> 0635 - <unassigned or new passcode> 0636 - <unassigned or new passcode> 0637 - <unassigned or new passcode> 0638 - <unassigned or new passcode> 0700 - <unassigned or new passcode> 0705 - <unassigned or new passcode> 0706 - <unassigned or new passcode> 0707 - Invalid 0708 - Doesn't allow prompt recording, invalid 0709 - Invalid 0710 - <unassigned or new passcode> 0711 - Reads back unit ID, line number 0712 - Doesn't allow call counter, invalid 0713 - <unassigned or new passcode> 0714 - Invalid 0715 - <unassigned or new passcode> 0716 - <unassigned or new passcode> 0717 - Invalid 0718 - Doesn't allow running program 0719 - Doesn't allow prompt recording, Invalid 0720 - Invalid 0721 - <unassigned or new passcode> 0722 - Doesn't allow prompt recording, invalid 0723 - Invalid 0724 - Invalid 0725 - Invalid 0726 - Reads back unit ID, line number, call time, other time?, hangs up 0727 - Long silence, transfers to after hours rec 0728 - <unassigned or new passcode> 0729 - No menu, West hotline 0730 - <unassigned or new passcode> 0731 - <unassigned or new passcode> 0800 - <unassigned or new passcode> 0805 - <unassigned or new passcode> 0806 - <unassigned or new passcode> 0807 - <unassigned or new passcode> 0808 - Doesn't allow prompt recording, hangs up 0809 - <invalid application> 0810 - Reads back 358-596, 0811 - Reads back 3547-181 (unit ID, line number), starts recording audio samples 0812 - <unassigned or new passcode> 0813 - <unassigned or new passcode> 0900 - <unassigned or new passcode> 0907 - <unassigned or new passcode> 0908 - <unassigned or new passcode> 0909 - No menu, invalid, loops 0910 - <unassigned or new passcode> 0999 - <unassigned or new passcode> 1000 - Doesn't allow call counter, reads back strange numbers (398-399-99-11,111 
222-2:52 AM) 1001 - Invalid 1002 - Invalid 1003 - <unassigned or new passcode> 1004 - Reads back unit ID, line number, prompts for date, hour, APN, ten digit MDN (Cricket phone number) 1005 - Allows blacklist updating, invalid 1006 - <unassigned or new passcode> 1007 - Doesn't allow prompt updating, invalid 1008 - Invalid 1009 - Invalid 1010 - <unassigned or new passcode> 1011 - <unassigned or new passcode> 1012 - <unassigned or new passcode> 1013 - Invalid 1014 - <unassigned or new passcode> 1015 - Invalid 1016 - Invalid 1017 - Record beep x2 1018 - Reads back unit number, line number, prompts for default/different scenario, test ANI. Scenarios read back four digit + two digit number, hang up 1019 - Same as 1018? 1020 - Doesn't allow prompt updating, gives 711 number-esque response (minus DTMF) 1021 - Only allows program testing/blacklist updating, reads off numbers and hangs up 1022 - <unassigned or new passcode> 1023 - Invalid 1024 - No menu, reads back unit ID, line number, routes to old Comcast IVR 1025 - <unassigned or new passcode> 1026 - <unassigned or new passcode> 1027 - "To start the program, press one. To change the date and time, press two. To change the ANI, press three. To change the APN, press four. To change the data rate, press five. To choose the program, press six, to change the host library, press seven." <default program number is eSecuritel customer service IVR> 1028 - Same as 1027? 1029 - Credit report ordering IVR, pulls docs from phone numbers, but may want street number/apartment/ZIP verification to read last name 1030 - Same as 1029? 1031 - "I'm sorry, due to heavy call volume, all our representatives are currently busy. Please try your call again later." 
1032 - <unassigned or new passcode> 1033 - <unassigned or new passcode> 1034 - <unassigned or new passcode> 1035 - <unassigned or new passcode> 1036 - <unassigned or new passcode> 1037 - <unassigned or new passcode> 1038 - <unassigned or new passcode> 1039 - <unassigned or new passcode> 1040 - Allows voice prompt updating, reads back unit/line number, call time, drug info line IVR. Lots of voice prompts. 1041 - <unassigned or new passcode> 1042 - <unassigned or new passcode> 1043 - <unassigned or new passcode> 1044 - <unassigned or new passcode> 1045 - <unassigned or new passcode> 1046 - <unassigned or new passcode> 1047 - <unassigned or new passcode> 1050 - <unassigned or new passcode> 1060 - <unassigned or new passcode> 1068 - <unassigned or new passcode> 1069 - <unassigned or new passcode> 1070 - Invalid 1071 - Doesn't allow prompt recording, invalid 1072 - Doesn't allow prompt recording, invalid 1073 - <unassigned or new passcode> 1074 - <unassigned or new passcode> 1079 - <unassigned or new passcode> 1080 - <unassigned or new passcode> 1084 - <unassigned or new passcode> 1085 - <unassigned or new passcode> 1086 - <unassigned or new passcode> 1087 - Doesn't allow call recording, invalid 1088 - "I'm sorry, but that is an invalid entry. Please try again." 
1089 - <unassigned or new passcode> 1090 - Doesn't allow prompt recording, DHL Express technical difficulties rec 1091 - <unassigned or new passcode> 1092 - <unassigned or new passcode> 1093 - <unassigned or new passcode> 1094 - <unassigned or new passcode> 1095 - Invalid 1096 - <unassigned or new passcode> 1097 - <unassigned or new passcode> 1098 - Reads back unit ID/line number, makes weird beep, hangs up 1099 - Invalid 1100 - Doesn't allow prompt recording, reads back unit ID/line number, call time, hangs 1101 - Disconnects 1102 - <unassigned or new passcode> 1103 - <unassigned or new passcode> 1104 - <unassigned or new passcode> 1108 - <unassigned or new passcode> 1109 - <unassigned or new passcode> 1110 - Doesn't allow prompt recording, invalid 1111 - Indian woman, "Hello world" 1112 - Doesn't allow prompt recording, hangs up? 1113 - Doesn't allow prompt recording, reads back unit ID, line number, recorded beeps (x2) 1114 - Reads back unit ID, line number, call time (local), prompts for 0 for live op 1115 - <unassigned or new passcode> 1116 - Invalid 1117 - <unassigned or new passcode> 1118 - <unassigned or new passcode> 1119 - <unassigned or new passcode> 1120 - <unassigned or new passcode> 1130 - <unassigned or new passcode> 1140 - <unassigned or new passcode> 1180 - <unassigned or new passcode> 1195 - <unassigned or new passcode> 1196 - <unassigned or new passcode> 1197 - <unassigned or new passcode> 1198 - Invalid 1199 - Call counts menu not available, invalid 1200 - Doesn't allow prompt recording, Invalid 1201 - Invalid 1202 - <unassigned or new passcode> 1203 - <unassigned or new passcode> 1210 - <unassigned or new passcode> 1211 - "Hello world... <digits voice> 2" 1212 - Invalid 1213 - Reads back unit ID/line number, prompts for APN, "We're sorry, there are currently no available calls (powells?). Please use the chat function within Gateway if you are scheduled to work. Or send an email via the support site for assistance. Thank you, goodbye." 
1214 - <unassigned or new passcode> 1215 - No menu, reads back unit ID/line number, "Please enter your test ANI", Centralink outage reporting line 1216 - <unassigned or new passcode> 1217 - <unassigned or new passcode> 1218 - Test line, calling card delivery line, "Your calling card will be delivered to you in three to four years. Thank you for calling." 1219 - <unassigned or new passcode> 1220 - <unassigned or new passcode> 1221 - <unassigned or new passcode> 1222 - Invalid 1223 - Reads back unit ID, line number, "To test Spanish open, press one. To test Spanish closed, press two." 1224 - <unassigned or new passcode> 1225 - Invalid 1226 - <unassigned or new passcode> 1227 - <unassigned or new passcode> 1228 - Doesn't allow prompt recording, invalid 1229 - Allows blocked caller updating, invalid 1230 - Reads back unit ID, line number, "Welcome <# key>. "Enter the 10-digit mobile number <# key>" 1231 - <unassigned or new passcode> 1232 - <unassigned or new passcode> 1233 - Invalid 1234 - <unassigned or new passcode> 1235 - Invalid 1236 - No menu, hangs up 1237 - <unassigned or new passcode> 1238 - <unassigned or new passcode> 1239 - <unassigned or new passcode> 1240 - Invalid 1241 - <unassigned or new passcode> 1242 - No call counts menu, "Welcome to the final application. The unit ? 
and line is...", hangs up 1243 - <unassigned or new passcode> 1244 - <unassigned or new passcode> 1245 - <unassigned or new passcode> 1246 - Invalid 1247 - <unassigned or new passcode> 1248 - Allows blocked caller list updating, reads back unit ID, line number, call time (Unix epoch?), Asmanex order line 1249 - Reads back unit ID, line number, prompts for date, APN, says "Welcome" x3, goes to technical difficulties rec 1250 - <unassigned or new passcode> 1251 - <unassigned or new passcode> 1252 - No call counts feature, reads back unit ID/line number, test survey line 1253 - <unassigned or new passcode> 1254 - No call counts feature, invalid 1255 - <unassigned or new passcode> 1256 - Reads back unit ID/line number, "This is a test. Goodbye." 1257 - <unassigned or new passcode> 1258 - <unassigned or new passcode> 1259 - <unassigned or new passcode> 1260 - <unassigned or new passcode> 1261 - <unassigned or new passcode> 1262 - <unassigned or new passcode> 1263 - <unassigned or new passcode> 1264 - <unassigned or new passcode> 1265 - <unassigned or new passcode> 1266 - <unassigned or new passcode> 1298 - <unassigned or new passcode> 1299 - <unassigned or new passcode> 1300 - Doesn't allow prompt recording, invalid 1301 - <unassigned or new passcode> 1302 - <unassigned or new passcode> 1307 - <unassigned or new passcode> 1308 - <unassigned or new passcode> 1309 - <unassigned or new passcode> 1310 - <unassigned or new passcode> 1311 - Invalid 1312 - <unassigned or new passcode> 1313 - Doesn't allow prompt recording, allows caller blacklists, rings several times and disconnects 1314 - <unassigned or new passcode> 1315 - Doesn't allow call counting, reads back unit ID/line number, call time, "Hi, this is a test message!" 
+ MOH, forwards to 402-517-6591 1316 - <unassigned or new passcode> 1317 - Reads back unit ID/line number, call time, prompts for date/time, day of week, test APN, # of calls, agents, goes to test GE queue 1318 - <unassigned or new passcode> 1319 - <unassigned or new passcode> 1320 - <unassigned or new passcode> 1321 - <unassigned or new passcode> 1322 - Reads back unit ID/line number, prompts for 10-digit APN 1323 - <unassigned or new passcode> 1324 - <unassigned or new passcode> 1325 - <unassigned or new passcode> 1326 - <unassigned or new passcode> 1327 - <unassigned or new passcode> 1328 - <unassigned or new passcode> 1400 - <unassigned or new passcode> 1411 - <unassigned or new passcode> 1444 - <unassigned or new passcode> 1497 - <unassigned or new passcode> 1498 - <unassigned or new passcode> 1499 - Call counter disabled, reads back unit ID, line number? Weird guessing game program? 1500 - Reads back unit ID, line number, call time (local time), "Press one for baseline application, press two for Chase Leisure application, press three for Chase Extras application, press four for national city application, press five for new PNC application" 1501 - Reads back unit ID, line number, University of Vermont smoking call-in study, wants five-digit ID 1502 - Reads back unit ID, line number, "To start the program, press one. To change the date and time, press two. To change the ANI, press three. To change the APN, press four. To change the Informix box, press five." 1503 - "Please enter your ID" 1504 - <unassigned or new passcode>? 
1505 - Reads back unit ID, call time, "On this test call, press one to use the system date, or press two to change the date 1506 - <unassigned or new passcode> 1507 - <unassigned or new passcode> 1508 - <unassigned or new passcode> 1509 - <unassigned or new passcode> 1510 - <unassigned or new passcode> 1511 - <unassigned or new passcode> 1512 - <unassigned or new passcode> 1550 - <unassigned or new passcode> 1554 - <unassigned or new passcode> 1555 - Allows updating blocked callers, test survey line? Disconnects after greeting 2 1556 - <unassigned or new passcode> 1600 - <unassigned or new passcode> 1611 - <unassigned or new passcode> 1650 - <unassigned or new passcode> 1666 - <unassigned or new passcode> 1699 - <unassigned or new passcode> 1700 - Invalid 1701 - <unassigned or new passcode> 1702 - <unassigned or new passcode> 1711 - <unassigned or new passcode> 1740 - <unassigned or new passcode> 1747 - <unassigned or new passcode> 1748 - <unassigned or new passcode> 1749 - Reads back unit ID/line number, 402-555-3010 w/weird digits, call #, Office Depot IVR 1750 - Invalid 1751 - <unassigned or new passcode> 1752 - <unassigned or new passcode> 1800 - <unassigned or new passcode> 1811 - <unassigned or new passcode> 1850 - <unassigned or new passcode> 1900 - <unassigned or new passcode> 1989 - <unassigned or new passcode> 1990 - <unassigned or new passcode> 1991 - <unassigned or new passcode> 1992 - Has caller blacklist, invalid 1993 - <unassigned or new passcode> 1994 - Invalid 1995 - Invalid 1996 - <unassigned or new passcode> 1997 - Invalid 1998 - No call counts menu, reads back unit ID, line number, hangs? 
1999 - Invalid 2000 - Invalid 2001 - Invalid 2002 - Invalid 2003 - Immediately starts recording (x2), makes weird beep, hangs up 2004 - Invalid 2005 - Invalid 2006 - <unassigned or new passcode> 2007 - Forwards to AT&T Wireless call queue 2008 - No menu, invalid, loops 2009 - Invalid 2010 - Call counts menu disabled, Community Care Rx member IVR 2011 - Reads back unit ID, line number, prompts for date, APN, 10-digit MDN (Cricket phone number), xfers to Cricket prepaid activation IVR 2012 - Reads back unit ID, line number, prompts for date, APN, 10-digit MDN (Cricket phone number), immediately tries to look up account info 2013 - <unassigned or new passcode> 2014 - No menu, AT&T Wireless IVR 2015 - <unassigned or new passcode> 2016 - <unassigned or new passcode> 2017 - Call counts menu disabled, reads unlabeled numbers and disconnects 2018 - <unassigned or new passcode> 2019 - Call counts menu disabled, "Hello, thank you for calling this test message. Goodbye." 2020 - Allows blocked caller update, weird beep x2 + hangup 2021 - <unassigned or new passcode> 2022 - <unassigned or new passcode> 2023 - <unassigned or new passcode> 2024 - <unassigned or new passcode> 2025 - <unassigned or new passcode> 2026 - <unassigned or new passcode> 2027 - <unassigned or new passcode> 2050 - <unassigned or new passcode> 2098 - <unassigned or new passcode> 2099 - <unassigned or new passcode> 2100 - Doesn't allow prompt recording, silence? 2101 - <unassigned or new passcode> 2102 - <unassigned or new passcode> 2103 - <unassigned or new passcode> 2111 - <unassigned or new passcode> 2150 - <unassigned or new passcode> 2210 - <unassigned or new passcode> 2211 - No menu, "Hello, this is a test call. Hello hello." 
2212 - <unassigned or new passcode> 2221 - <unassigned or new passcode> 2222 - No menu, reads back 0166-052 + invalid prompt 2223 - <unassigned or new passcode> 2250 - <unassigned or new passcode> 2300 - <unassigned or new passcode> 2310 - <unassigned or new passcode> 2311 - <unassigned or new passcode> 2320 - <unassigned or new passcode> 2330 - <unassigned or new passcode> 2340 - <unassigned or new passcode> 2349 - <unassigned or new passcode> 2350 - *8 + xfer to Liberty Mutual IVR 2351 - <unassigned or new passcode> 2450 - <unassigned or new passcode> 2550 - <unassigned or new passcode> 2555 - <unassigned or new passcode> 2650 - <unassigned or new passcode> 2750 - <unassigned or new passcode> 2811 - <unassigned or new passcode> 2850 - <unassigned or new passcode> 2899 - <unassigned or new passcode> 2950 - <unassigned or new passcode> 2996 - <unassigned or new passcode> 2997 - <unassigned or new passcode> 2998 - Invalid 2999 - Invalid 3000 - Reads off unit/line #, disconnects call 3001 - Reads off unit/line #, poll line (billing test?) 3002 - <unassigned or new passcode> 3003 - Invalid 3004 - <unassigned or new passcode> 3005 - <unassigned or new passcode> 3006 - <unassigned or new passcode> 3007 - <unassigned or new passcode> 3008 - <unassigned or new passcode> 3010 - <unassigned or new passcode> 3022 - <unassigned or new passcode> 3031 - <unassigned or new passcode> 3032 - <unassigned or new passcode> 3033 - Invalid 3034 - Invalid 3035 - <unassigned or new passcode> 3044 - <unassigned or new passcode> 3050 - <unassigned or new passcode> 3100 - <unassigned or new passcode> 3133 - <unassigned or new passcode> 3150 - <unassigned or new passcode> 3310 - <unassigned or new passcode> 3311 - Hangs? 
3312 - <unassigned or new passcode> 3333 - <unassigned or new passcode> 3433 - <unassigned or new passcode> 3999 - <unassigned or new passcode> 4000 - Test application w/indistinguishable speech 4001 - <unassigned or new passcode> 4002 - <unassigned or new passcode> 4003 - <unassigned or new passcode> 4004 - <unassigned or new passcode> 4044 - <unassigned or new passcode> 4096 - <unassigned or new passcode> 4097 - <unassigned or new passcode> 4098 - <unassigned or new passcode> 4099 - "Welcome to Centermaine power's administrative program. Enter your password during the six second silent interval." 4100 - "You are returning a call to an AT&T calling card network system, and the party that called you cannot be reached at this number." 4101 - <unassigned or new passcode> 4102 - Invalid 4103 - <unassigned or new passcode> 4104 - <unassigned or new passcode> 4105 - <unassigned or new passcode> 4111 - <unassigned or new passcode> 4200 - <unassigned or new passcode> 4300 - <unassigned or new passcode> 4321 - <unassigned or new passcode> 4411 - <unassigned or new passcode> 4444 - <unassigned or new passcode> 5000 - <unassigned or new passcode> 5100 - <unassigned or new passcode> 5200 - <unassigned or new passcode> 5250 - <unassigned or new passcode> 5299 - <unassigned or new passcode> 5300 - Doesn't allow prompt recording, allows blacklist updating, invalid 5301 - <unassigned or new passcode> 5302 - <unassigned or new passcode> 5303 - <unassigned or new passcode> 5330 - <unassigned or new passcode> 5340 - <unassigned or new passcode> 5348 - <unassigned or new passcode> 5349 - <unassigned or new passcode> 5350 - Invalid 5351 - <unassigned or new passcode> 5352 - <unassigned or new passcode> 5360 - <unassigned or new passcode> 5370 - <unassigned or new passcode> 5400 - <unassigned or new passcode> 5450 - <unassigned or new passcode> 5511 - <unassigned or new passcode> 5555 - Allows blocked caller list to be updated, won't allow prompt recording, invalid 6000 - <unassigned 
or new passcode>
    6611 - <unassigned or new passcode>
    6665 - <unassigned or new passcode>
    6666 - Won't allow prompt recording, reads back unit ID, line number, 0317, prompts for test ANI + DNIS (Pepco outage reporting system)
    6667 - <unassigned or new passcode>
    6999 - <unassigned or new passcode>
    7000 - <unassigned or new passcode>
    7100 - <unassigned or new passcode>
    7200 - <unassigned or new passcode>
    7260 - <unassigned or new passcode>
    7275 - <unassigned or new passcode>
    7276 - <unassigned or new passcode>
    7277 - Sends *8, transfers to Charles Schwab queue
    7278 - Reads back unit ID/line number, 711 number script
    7279 - <unassigned or new passcode>
    7280 - <unassigned or new passcode>
    7300 - <unassigned or new passcode>
    7400 - <unassigned or new passcode>
    7500 - <unassigned or new passcode>
    7600 - <unassigned or new passcode>
    7700 - <unassigned or new passcode>
    7777 - Invalid
    7800 - <unassigned or new passcode>
    7900 - <unassigned or new passcode>
    8000 - <unassigned or new passcode>
    8086 - <unassigned or new passcode>
    8087 - <unassigned or new passcode>
    8088 - Insurance IVR
    8089 - <unassigned or new passcode>
    8090 - <unassigned or new passcode>
    8100 - <unassigned or new passcode>
    8188 - <unassigned or new passcode>
    8288 - <unassigned or new passcode>
    8388 - <unassigned or new passcode>
    8488 - <unassigned or new passcode>
    8500 - <unassigned or new passcode>
    8855 - <unassigned or new passcode>
    8888 - <unassigned or new passcode>
    9000 - <unassigned or new passcode>
    9099 - <unassigned or new passcode>
    9100 - Reads back unit number/line ID, psychic line
    9101 - <unassigned or new passcode>
    9102 - <unassigned or new passcode>
    9103 - <unassigned or new passcode>
    9104 - <unassigned or new passcode>
    9105 - Card services IVR, refers to 888-998-3587
    9106 - <unassigned or new passcode>
    9107 - <unassigned or new passcode>
    9108 - <unassigned or new passcode>
    9109 - <unassigned or new passcode>
    9110 - <unassigned or new passcode>
    9117 - <unassigned or new passcode>
    9118 - <unassigned or new passcode>
    9119 - Doesn't allow prompt recording, reads back unit ID/line number, disconnects
    9120 - Invalid
    9121 - No menu, invalid, loops
    9122 - <unassigned or new passcode>
    9123 - <unassigned or new passcode>
    9124 - <unassigned or new passcode>
    9125 - <unassigned or new passcode>
    9126 - <unassigned or new passcode>
    9130 - <unassigned or new passcode>
    9150 - <unassigned or new passcode>
    9199 - <unassigned or new passcode>
    9200 - <unassigned or new passcode>
    9300 - <unassigned or new passcode>
    9378 - <unassigned or new passcode>
    9400 - <unassigned or new passcode>
    9500 - <unassigned or new passcode>
    9600 - <unassigned or new passcode>
    9700 - <unassigned or new passcode>
    9800 - <unassigned or new passcode>
    9996 - <unassigned or new passcode>
    9997 - <unassigned or new passcode>
    9998 - Invalid
    9999 - "Enter message number"
    00000 - "Please enter your six digit password"
    00001 - <unassigned or new passcode>
    00002 - <unassigned or new passcode>
    00010 - <unassigned or new passcode>
    01990 - <unassigned or new passcode>
    10000 - <unassigned or new passcode>
    11000 - <unassigned or new passcode>
    11100 - <unassigned or new passcode>
    11110 - <unassigned or new passcode>
    11111 - Doesn't allow call counter, "I'm sorry, you aren't allowed to use this service"
    12345 - Invalid
    20000 - <unassigned or new passcode>
    22222 - Doesn't allow prompt recording, invalid
    30000 - <unassigned or new passcode>
    33333 - <unassigned or new passcode>
    40000 - <unassigned or new passcode>
    43210 - <unassigned or new passcode>
    44444 - Doesn't allow call counter, invalid
    50000 - <unassigned or new passcode>
    51111 - <unassigned or new passcode>
    55555 - Allows caller blocking, Invalid
    60000 - <unassigned or new passcode>
    66666 - <unassigned or new passcode>
    70000 - <unassigned or new passcode>
    77777 - Invalid
    80000 - <unassigned or new passcode>
    88888 - Informants practice program?
    90000 - <unassigned or new passcode>
    99997 - <unassigned or new passcode>
    99998 - <unassigned or new passcode>
    99999 - Does not allow running test program
    000000 - Invalid
    100000 - Does not allow prompt recording, reads unit/line number, call time, forwards to rep
    100001 - Invalid
    100002 - <unassigned or new passcode>
    100003 - <unassigned or new passcode>
    100004 - <unassigned or new passcode>
    111111 - Invalid
    222222 - Does not allow running test program
    300000 - <unassigned or new passcode>
    333333 - Immediately records prompt,
    123456 - Does not allow prompt recording, invalid
    999999 - <unassigned or new passcode>
  2. 2 points
    at various points in my life i've written little handscanner assistant utilities.. yes, i know there are some already out there - whatever.. i like to code. i've been working on a new project called cons0le (and cons0le-web). i restarted this project because i recently obtained a dialogic diva card and wanted to play with some of the features of the card. at this point i am reaching out to see what realistic features any of you might want to see added to such an app... It is a windows based app written in vb.net and also a javascript counterpart web based app.

    current working or to be worked on items are:

    - random/sequential dialing of multiple npa/pre/suff
    - extreme scheduling/timing of scan jobs
    - dtmf detection
    - dtmf send either via dial string or live during call via mouse clicks
    - outgoing .wav either on outgoing calls or incoming calls
    - tone detection in general
    - definable call documentation as well as presets (vmb, ringout, etc..)
    - sync with a master web app which will provide a "phone book" type interface
    - master web app will also be able to generate npa/pre/suff and log calls via presets/user definable buttons
    - f2f syncing of results files. (encryption type is still up in the air on this..)

    All of the above is already set in stone.. I would love to hear any suggestions for other features though..

    doc
  3. 2 points
    Sure! I had to go through this myself, only without the benefit of an account on the translations card to work with. Depending on what software release you have (if you're trying to install a C-LAN card, I assume it's a fairly late release. I don't think it'll work with anything below release 7) you have a few different options here.

    1) The easiest is to just boot the system with no translations card installed. Once you've got it running, log into it with the username inads and the password indspw. Go ahead and insert the memory card into the reader. Or just skip all this crap and if you have something that accepts linear flash (ATA flash for the later systems) PCMCIA cards, just stick it in that. Anyway, assuming you're doing the Definity method, type 'upload translation'. Or maybe it's download; I think they made it to be upload from the Definity instead of to the terminal emulator. On one, it'll copy the flash card's contents into RAM and say "Prepare to receive file". Use xmodem to receive the file, and you'll have a copy of the passwords (albeit XORed or something; it's not anything particularly sophisticated. I don't know the algorithm, but I can give you as many plaintexts as you want if you need them. It doesn't seem to be anything standard, but it looks like Base64 at first glance) from the switch.

    2) If you have a release 6 or lower processor, you can boot with no translations card again, and overwrite the bytes for the init (superuser; the one that lets you activate any feature you feel like having) password with the ones of a password you know (there's no RAM protection; the rva command should let you do this. I'll attach a ramdump of the pam process to this post). For added shits and giggles, there's even a byte you can change to make a password expire. In some situations, that might be the only way you have to change it.

    I dunno a lot about the way the header works, but in release 6 and 8, there's a byte that indicates what type of account the username is - or maybe it's an account ID. By default, it's 0x00 for init, 0x01 for inads, 0x02 for craft, and I think the rest are in descending order of account privileges. It might be possible to have two init or inads accounts. However, if the init account is set to prompt for an ASG login (which in release 8/+, it is by default), it'll try and give you a challenge/response for the init account. If you do have a release 8/+ translations card, one thing I've found you can do is change the account ID for the init account to 0x01 (so it doesn't prompt for an ASG challenge/response), write the password to one you know, and then write it back to 0x00 when you're logged in. Though you'll get slightly higher privileges than the inads account, it seems to know what you're doing, and disables the option to change purchased features. Or activate the switch to begin with >.< .

    For release 8/+, I think there's really only one course of action that can be done at the moment; log in as inads (or init with the above method; the only difference is under inads, it'll try to hide this, but it'll still accept it) and type 'go debugger local'. The switch has a lot of nice things in here, including a simple disassembler. If you speak R3000 assembly, you can probably figure out why/how the switch knows you've been screwing around with the accounts. Judging by how it complains about my *cough* modded release 6 card, I assume the init password is derived from something specific to the software version, and newer releases, knowing that, will complain if you've changed it. If you decide to take this route, lemme know. There's a bit more detail I can go into about the debugger and general Oryx/Pecos operation.

    3) You can boot it with no translations card, and upload a fully unlocked release 6 translations backup I made to your card. On newer releases, this'll still work, but you'll be relegated to release 6 features, and it won't let you save; the newer processor releases seem to know something is up, and will claim the card is corrupted. Normally I'd just upload it, but there's some stuff I'd rather not have public on the translations backup I made. Lemme know if you want it.

    pam.bin pam_r8.bin
  4. 1 point
    I've been working a little bit with the Definity today, and thought an update would be warranted: So through some quick trial and error and comparing to older releases, I was able to find the 2560 byte blob that is the license file in the translations, an identical copy stored in RAM by the fg_mapa process. Strangely enough, there seems to be some sort of redundant copy of this around somewhere; if you start manipulating the copy in fg_mapa and tell the switch to test the license, it'll very quickly change it back to what it should be. Thankfully, the switch comes with some very nice debugging utilities that should make figuring out where it's getting another copy to fix this (it isn't the translations card; I tried pulling that out. Though obviously, if you corrupt the copy on the translations card, it's going to have a much harder time getting another copy from RAM when you reboot. This helped verify a lot of this) a lot easier. There's going to be a few things to consider here, like how an actual license file differs from what the Definity stores (you're supposed to be able to paste it in using the ossi interface on the switch. The Definity won't accept the license you pull from RAM, however), but all in all, this should make the rest of the process a lot less painful.
  5. 1 point
    welp.. i've been working on three projects for a bit and am along far enough to mention them...

    http://www.wardialers.org - will be the largest collection of wardialers, ld code hackers, vmb hackers, telenet scanners, scene transfer software, underground bbs software and more that has ever been compiled for 8/16 bit computers. DOS/Windows stuff may come later but that is not my focus right now as you can find that stuff anywhere. 8/16 bit stuff is starting to get lost and I am going to ensure that doesn't happen.

    http://www.8bitunderground.com - discussion of old school phreaking as well as the apps used.. maybe not too interesting to most people on binrev - who knows?

    http://blog.8bitunderground.com - rants and humor that surround the underground scene and technology in general.

    I have an absolute SHITLOAD of stuff to add to wardialers.org so please bear with me - but the site is open for business so to speak..

    doc
  6. 1 point
    There's always been little slip-ups in the way AT&T restricts 800 numbers from 101-0288-0, for anyone old enough to remember that. But more recently, they've been doing some sort of weird call distributing technique; for example, if you're in one of these affected areas, they'll distribute calls to different OSPS switches throughout the country. Something about the trunk group you come in on instructs the network to allow 800 calls out from OSPS again from these areas. If you're around any of these areas, I've confirmed with some friends that it'll work:

    Washington, DC
    San Francisco, California
    Ontario, California
    Fresno, California
    Muskegon, Michigan
    Oberlin, Ohio
    Cincinnati, Ohio
    Lincoln, Nebraska
    Orlando, Florida
    Tampa, Florida
    Manchester, New Hampshire
    Denver, Colorado
    Dickinson, Texas
    Des Moines, Iowa
    Springfield, Massachusetts
    Chicago, Illinois
    Rolla, Missouri
    Kansas City, Missouri
    Fargo, North Dakota

    As always, toll-free calls through the Honolulu and San Juan OSPSes will go through like they always have. There's also a few interesting scenarios, like tiny LECs with direct trunks to OSPS, where toll-free traffic has always gone through.
  7. 1 point
    How are you even able to call out from OSPSes these days? A couple of years ago AT&T got rid of their calling cards, so I haven't been able to explore OSPS systems like I used to. Unless you still managed to keep a working card somehow? And are you using the CVS technique to get to them or something else?
  8. 1 point
    Yup, the newer cards are ATA flash. The older ones (release 8/-), linear. If you don't want to bother with finding something to plug it into, the Definity can xmodem it to you. Boot it with no translations, log in as inads, plug it in, and type upload (I think. It's relative to the direction of the Definity) translations. Anyway, as for where to start, I'd get the switch to print a copy of the license data - list config license, I think. Then, with the system booted, if you have inads access under normal circumstances, get a ramdump of pam and compare it to a dump of the same process with no translations card installed. If that's not possible, just the latter is probably fine; the translations card will probably give most of what we need. The challenge with that, if we want to try and load/edit licenses through the memory card (obviously a great start. I'd really like to know where it's supposed to load this stuff in, though), is that it uses some weird format with a bunch of checksums. Ostensibly the best way to deal with that is to use the bulletin board feature; you could just write a 1 or something to it, upload the translations somewhere, then change it to a 2 or 0 or whatever, and see what changed.
  9. 1 point
    Sure, but keep in mind that the one time password algorithm for the Definity is based on DES. I'm not a crypto guy, but based on what I know about DES, having faith in that even if an attacker doesn't have the keys seems like a dangerous game. Much like the passwords as well, the ASG keys for init and inads are probably the same for every processor using a specific build. Though I guess the problem with that is you don't know what build it is until you log in or physically look at the sticker on the processor. This'll definitely have to be explored further at some point - maybe they use the same inads or craft or whatever key on every build.

    Ostensibly, yeah. The header and object files we got from the RPM should allow anybody who uses it in their code to encode and decode license keys, and from the look of the functions, probably make and test valid ASG keys as well. The idea behind disassembling the object files was to try and get an idea of how the functions work - and that's still a valid choice, but it might be less work to just use them as is through trial and error. Of particular note in asg.h is this:

        struct lic_info {
            unsigned char version[4];
            unsigned char filler[6];
            unsigned char hexkey1[8];
            unsigned char hexkey2[8];
        };

    along with the four functions in license.h. Since gewt has a switch with a valid license, I was hoping we could use this to test data we know for sure works against anything we happen to write with these ASG functions.

    Sure! I'll send you a PM.
  10. 1 point
    I doubt it. You'd probably see the debugger command in there if it was doing that. From there, you can manually invoke the xmodem process, but I have no idea what sort of arguments it wants. Every time I've tried, it just immediately kills itself. In any case, firmware updates for cards or translations and whatnot are typically what it's used for via the upload and download commands.

    You probably could; the only time it's ever bothered me about that sort of thing is when a process crashes, but there's easier ways to fool it. The real problem is under most translation cards, the inads user will prompt for ASG. You're fine if you boot the system with no card, but then you need to be able to feed it a license. That should be in the translations file. Using what we have in the ASG development headers, figuring out exactly what's going on shouldn't be too hard once we identify where the license is. Keep in mind it's designed explicitly for the product ID in the translations card, and probably the serial number on your CPU card though.
  11. 1 point
    I think it's all stored in the place you described. There's a PIN if I'm not mistaken, that brings it up to 20 hex bytes right next to the key in question. You'll see that particular set of bytes change every time you change your key.

    It's less big than you might think. Some people with Avaya PBXes are less than responsible, and put development packages on the internet:

    ftp://ftp2.veracomp.pl/net/avaya/Software/SES_5_1_2/Releases/rpms/asgtools-1-0.AV10.i386.rpm
    ftp://ftp2.veracomp.pl/net/avaya/Software/SES_5_1_2/Releases/rpms/asgtools-devel-1-0.AV10.i386.rpm

    While you can't get the source, you can get some header and object files used for ASG functions in their x86 platforms. They're relatively readable with a trip through a decompiler and some deducing which variables are which ( http://pastebin.com/c6znKRUF ), but more importantly, it shows that the earlier ASG stuff is a one time password algorithm based on DES. At some point - probably in the mid 2000s, they got enough sense in their head to switch to AES. This is important not just because the one time passwords are annoying/used to lock down the switch, but because release 10 and up, where all the really fancy features come into play, want you to upload a license key based on ASG.

    Yeah, I think the IP media processor won't work without a relatively recent release; ftp://ftp.avaya.com/incoming/Up1cku9/tsoweb/media/minhardwarevintages.pdf . If your release is 7.1 or something though, allegedly you can put this crazy thing in your switch and get IP trunks. Though it's sorta like adding a car to your pool because you don't like getting rained on while you swim. http://www.ebay.com/itm/Avaya-Lucent-Definity-TN802-V2-MAPD-Board-w-8MB-Card-HDD-/391312141904?hash=item5b1c056e50:g:atcAAOSw5VFWOpHM

    That depends on what you can get to work. You absolutely do need to use that software with a Dialogic card, but they make T1 cards too. I'd be surprised if Avaya didn't put support for that into their software. I think there's something to differentiate between analog and digital interfaces in the software. But then again, I tried it with my Dialogic T1 card and it didn't want to cooperate. Though I think that was probably a good thing in the long run. It wound up being used for...better things. http://thoughtphreaker.omghax.ca/audio/ligatt_megaphone.mp3
  12. 1 point
    OK, now on to something more complex, the challenge response mechanism for ASG logins. Not sure if this should be a new thread, let me know. The basic sequence is when you try to login to, say init, which is ASG protected, the system gives you a challenge number and wants a response.

    Here's the back story: When your account is created on the Definity, a secret key is either machine generated or manually input for your username (or init, or whatever). Both you and the Definity know that secret key. When you try to login, the Definity gives you a number that you have to run through the algorithm with your secret key, either on a hand held device or the management software. The resulting number is what you enter for the response to the Definity. Of course, it is doing the same. The response you give it must agree with what it generates internally so that it will let you in. Hope that makes sense.

    So where is the per username secret key stored? In the username record in PAM or somewhere else? I've read that it is either 14 hex or 20 octal digits. And the response is 7 digits(?). The secret key is displayed on the change login screen if you have high enough privilege to see it.

    On to poking around in memory.... After looking through the R8 Pam file you have attached to this thread, I've noticed something different about the 2 init records. There's the one at 264d0. If you look at the one at 38f60, there is an additional 16 digit hex string at 38f66. Could that be the secret key??????? If it is, all we need is the encryption algorithm!!! (Like that's a tiny thing!)
  13. 1 point
    rva is pretty straightforward to use; type

        rva process [whatever process you want to look at. For example, pam] a [address you want to dump. Though it's hex, it doesn't want a preceding 0x before it] c [number of bytes you want printed out in hex format; for the maximum, 255, you'd tell it FF]

    The virtual memory addresses we want to look at always start at 0x400000. In the case of release 6, the init password is stored in a couple of places. The first is 0x423487, and since the password data is 12 bytes long, which is the value C in hex, you'd want to type:

        rva process pam a 423487 c c

    There's also another address it's stored at; 0x435537. This one, I think (though I could be wrong. You could definitely try both if you're interested, but you can just log in and change it anyway) is the one it actually checks when you log in. As usual it's C bytes, but wva wants an extra argument; v/value. If you want to write different bytes, you'll have to do it one at a time, like

        wva process pam a 435537 c 1 v 00

    If you want to overwrite everything, you could increase the count, and give it something like

        wva process pam a 435537 c c v 00

    Anyway, there's also a debugger command that lets you dump RAM. This is best for dumping the whole process. While you can use a script or something to spit everything out with the rva command, it takes a painfully long time to cough out even the smallest things. This, by contrast, should get pam (220 kb) in about ten minutes or so. Not exactly amazing, but it's more what you'd expect from a 9600 baud serial link. So just type, for example, rd -f (number of bytes you want)x pam 0x400000 , and it'll do the rest. The x indicates we want the bytes in hex format, rather than something horrible like octal numbers. The count can be as high as you want; it'll just keep going until the end of the file before throwing an error at the end. Just for the sake of completeness, here's a valid example command:

        rd -f 2000000x pam 0x400000
  14. 1 point
    At this point, you could probably just log in using the craft account; the password is "y0urthe1". I'm surprised; it actually only took a few hours to figure out. Let me explain how it works; it's actually pretty funny.

    So go ahead and boot your Definity without a translations card, and we can get started. As before, log in with inads, but this time type 'go tcm'. From here, you'll see a new, and from the looks of it, very, very nifty shell once you've gotten your switch running with no restrictions. If you type klog, you can see a printout like this;

        support your local Oryx (Oryx g4.34)$
        support your local Pecos$
        Boot image vintage: G3V8i.02.0.034.5$
        Boot image build information: 03/21/00-21:39:28;gaz;fld;alawint;G3V8.pj$

    If you're not familiar with Oryx/Pecos, Oryx is the kernel, and Pecos is a series of processes that runs on top of it. But back to the password thing, if you're looking to do a lot of comprehensive work with the password file on the switch, you should do a full dump of the RAM allocated to the pam process. But that's kind of a big pain in the ass. If you're just looking to get the passwords, the switch actually makes it relatively easy. At the TCM shell, type this;

        prec pr_login nread_prec 0

    And it should come back with something like this;

        PR_LOGIN 696e 6164 7300 006c 756a 6521 7376 6a2e 'inads luje!svj.'
        PR_LOGIN 0000 006c 756a 6521 7376 6a2e 0000 0001 ' luje!svj. '
        PR_LOGIN 0101 0101 0001 0101 0101 0101 0101 0100 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0100 0000 0000 0000 0101 0101 ' '
        PR_LOGIN 0101 0100 0000 b21a 22c3 69b8 786c 0000 ' " i xl '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 ffff ffff ' '
        PR_LOGIN ffff ffff 0000 0000 0000 0000 ffff ffff ' '
        PR_LOGIN ffff ffff ' '

    See? It even gave us a little ASCII printout! Wasn't that nice of it? It'll ask you to press enter a few times before giving you the passwords for all users. So once you've got it, you'll probably notice a few things. For one, there's a lot of exclamations in the password file. Secondly, the dadmin account will probably read something like this;

        PR_LOGIN 6461 646d 696e 0021 214b 5621 5953 2121 'dadmin !!KV!YS!!'
        PR_LOGIN 2121 2121 214b 5621 5953 2121 2121 2101 '!!!!!KV!YS!!!!! '
        PR_LOGIN 0101 0101 0101 0101 0101 0101 0101 0100 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0200 0000 0000 0000 0201 0101 ' '
        PR_LOGIN 0101 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 ffff ffff ' '
        PR_LOGIN ffff ffff 0000 0000 0000 0000 ffff ffff ' '
        PR_LOGIN ffff ffff ' '

    So why so many exclamation points? The exclamation point is a null character as far as the passwords are concerned. The byte I highlighted in bold is the one responsible for the user ID. So I'm going to change the password for craft from crftpw to crftpw1 and re-run the TCM shell command. There's a byte you can change in the RAM to make it force you to change your password. It's good in a situation like this where the switch won't let you change your password normally. It's sort of a pain in the ass to find, but let me know if you want me to point it out. Anyway, you'll notice the first two lines just changed to this;

        PR_LOGIN 6372 6166 7400 006c 7577 7231 636e 2121 'craft luwr1cn!!' <-- crftpw1
        PR_LOGIN 2121 216c 7577 7221 636e 2121 2121 0001 '!!!luwr!cn!!!! ' <-- note old password stays the same (crftpw)

    This would be a good time to mention the Definity has two copies of your password, as you've no doubt noticed. But the old one stayed the same in this case, as far as I can tell, to enforce the password policy. Namely so that when your password expires, you can't just change it back to the old one. So what changed? Just one character - the 1 at the end. And sure enough, one of the null characters changed to a 1. Obviously though, it's not just as simple as scrambled characters. So next, let's change the password to aaaaaa1.

        PR_LOGIN 6372 6166 7400 007a 7a7a 7a31 7a7a 2121 'craft zzzz1zz!!' <-- aaaaaa1
        PR_LOGIN 2121 216c 6977 7237 636e 2121 2121 2101 '!!!liwr7cn!!!!! ' <- crftpx2; I did a little trial and error before doing this.

    Notice the position of the 1 stayed the same. So at this point, it's obvious they're just substituting one letter (or number) for another. I'll save you some time here, and just say since a translates to z, b is x, c is c, d = v, e = b, and f = n. So with that in mind, let's figure out how this stupid byte swapping trick they're doing works.

        5624713
        efbd6ac
        PR_LOGIN 6372 6166 7400 0062 6e78 7639 7a63 2121 'craft bnxv9zc!!' <-- abcdef6
        PR_LOGIN 2121 216e 6e6e 6e39 6e6e 2121 2121 2101 '!!!nnnn9nn!!!!! '

    So there you go. First is the fifth password character, then the sixth, second, etcetera. Cute. So when encoding...

        a = z, b = x, c = c, d = v, e = b, f = n, g = m, h = a, i = s, j = d, k = f, l = g, m = h, n = j, o = k, p = l, q = q, r = w, s = e, t = r, u = t, v = y, w = u, x = i, y = o, z = p,
        1 = 1, 2 = 7, 3 = 2, 4 = 8, 5 = 3, 6 = 9, 7 = 4, 8 = 0, 9 = 5, 0 = 6

    For uppercase characters, the same concept applies; A = Z, B = X, and so on. So here's something I've been waiting to see for a long time. Let's pull up the record for the init password.

        PR_LOGIN 696e 6974 0000 0065 3132 3265 6a68 2121 'init e122ejh!!'
        PR_LOGIN 2121 2165 3132 3265 6a68 2121 2121 2101 '!!!e122ejh!!!!! '
        PR_LOGIN 0101 0101 0101 0101 0101 0101 0101 0100 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0000 0000 ' '
        PR_LOGIN 0000 0000 0000 0000 0000 0000 0001 0101 ' '
        PR_LOGIN 0101 0100 0000 7de9 d15e 9ce8 a068 0001 ' } ^ h '
        PR_LOGIN 0000 041b 0000 000c 0000 0000 ffff ffff ' '
        PR_LOGIN ffff ffff 0000 0000 0000 0000 ffff ffff ' '
        PR_LOGIN ffff ffff ' '

    Using the concept we just talked about, we can infer that the default init password is n3m3s1s. So just to check, I changed the craft password to n3m3s1s;

        PR_LOGIN 6372 6166 7400 0065 3132 3265 6a68 2121 'craft e122ejh!!' <-- n3m3s1s; same as init password. Lulz.
        PR_LOGIN 2121 2143 5670 5836 6f5a 2121 2121 2101 '!!!CVpX6oZ!!!!! '

    Can you say insecure? The Definity can! Or as it'd say, ctjbwse12b2! . If you'd care to learn the order of the remaining bytes (that's the maximum length of 11 characters), that's "insecure133".

    EDIT: I talked with Chronomex earlier, and she pointed out that the characters map to the keys on a Qwerty keyboard backwards. Somehow Nortel got the idea this substitution cipher/byte swapping thing was a good idea too, so you'll see something like it on Meridians. There's actually an NES game that did a better job at this. https://www.reddit.com/r/TreasureMaster/comments/9iyaf/we_have_our_first_breakthrough_courtesy_rj45_and/
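The encoding worked out in the post above is a fixed character substitution plus a fixed reordering, with no key and no salt, so anyone who can read a PR_LOGIN record can read the password. The Python below is an added example, not part of the original post and not vendor code: it models only the 7-character layout the post documents (the post does not fully give the ordering for longer passwords) and sets it beside a salted PBKDF2 verifier; the function names and PBKDF2 parameters are assumptions made for illustration.

```python
"""Added example (not from the original post, not vendor code).

Models the stored-password encoding the post describes, for passwords of up
to 7 characters only, and contrasts it with a salted one-way verifier.
"""
import hashlib
import hmac
import secrets

# Substitution table as listed in the post: a..z map onto the QWERTY rows
# read bottom row first, digits 1..9,0 map onto 1728394056.
PLAIN = "abcdefghijklmnopqrstuvwxyz"
STORED = "zxcvbnmasdfghjklqwertyuiop"
PLAIN_DIGITS = "1234567890"
STORED_DIGITS = "1728394056"
NUL = "\0"   # unused password position
PAD = "!"    # how an unused position appears in a PR_LOGIN record

_ENC = str.maketrans(PLAIN + PLAIN.upper() + PLAIN_DIGITS + NUL,
                     STORED + STORED.upper() + STORED_DIGITS + PAD)
_DEC = str.maketrans(STORED + STORED.upper() + STORED_DIGITS + PAD,
                     PLAIN + PLAIN.upper() + PLAIN_DIGITS + NUL)

# The post's "5624713": stored position i holds plaintext position ORDER[i]
# (converted here to 0-based indexes).
ORDER = (4, 5, 1, 3, 6, 0, 2)


def legacy_encode(password: str) -> str:
    """Encode a password the way the post observed it being stored."""
    ok = password.isascii() and password.isalnum()
    if not ok or len(password) > len(ORDER):
        raise ValueError("only 1-7 ASCII letters/digits are covered by the post")
    padded = password.ljust(len(ORDER), NUL)
    return "".join(padded[src] for src in ORDER).translate(_ENC)


def legacy_decode(stored: str) -> str:
    """Invert legacy_encode. No key or secret is needed, which is the flaw."""
    if len(stored) != len(ORDER):
        raise ValueError("expected the 7 leading bytes of the password field")
    plain = [NUL] * len(ORDER)
    for i, src in enumerate(ORDER):
        plain[src] = stored[i]
    return "".join(plain).translate(_DEC).rstrip(NUL)


def make_verifier(password: str, iterations: int = 600_000):
    """Hardened alternative: random per-account salt plus PBKDF2-HMAC-SHA256.

    Returns (salt, iterations, digest); the password is not recoverable from it.
    The iteration count is an assumed value, tune it to your hardware.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def check_password(candidate: str, verifier) -> bool:
    """Recompute the digest for a login attempt and compare in constant time."""
    salt, iterations, digest = verifier
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    # Test passwords the post itself used while working out the scheme.
    for pw in ("crftpw", "crftpw1", "abcdef6"):
        rec = legacy_encode(pw)
        print(f"{pw!r:>10} -> {rec!r} -> {legacy_decode(rec)!r}")

    # Same password on two accounts: identical legacy bytes, distinct verifiers.
    print(legacy_encode("abcdef6") == legacy_encode("abcdef6"))
    a, b = make_verifier("abcdef6"), make_verifier("abcdef6")
    print(a[2] != b[2], check_password("abcdef6", a), check_password("abcdef7", a))
```

Because the legacy form is deterministic, two accounts with the same password produce byte-identical records, which is what the post's matching craft and init lines show; the salted verifier does not have that property.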
  15. -1 points
    always fun to come back after a few years and see how something like this turned out. https://github.com/signalapp/Signal-Android/issues/5474 http://www.bbc.com/news/technology-41776215 At this point is there any trust left?