TUCoPS :: Phreaking Voice Mail :: cvmbhack.txt

Hacking VMBs

Hacking VMBs (Voice Mail Boxes)

By Cyber Thief 



 Have you ever wanted to hack a voicemail box? Well, you've come to the 
right place because this file will show you how to do it. Enough of the
shit, let's get started.

Step 1: Finding a System

 Hacking voicemail can be an easy five step process if done correctly. The
first step is to find a system to hack. There are several ways one would 
find it. First off, you could do some old fashioned manual scanning of 
your favorite 800 prefix. Although this is a long and tedious process. An 
easier way would be to look in the phone book for companies that boast 
"24 hour answering service". Make a list of these as well as other numbers 
that are likely targets. You could also start a collection of business cards. 
Business card phone numbers are often great sources for VMBs. Anyway, you're
bound to run across some systems. When calling a suspect number, listen for 
a recording that sounds digital. The system should sound a lot better than 
your average answer machine. If you hear something in the greeting about 
extensions, then search no more. Extension numbers are a dead give away.
By the way, do not, I repeat DO NOT attempt to hack systems you know have 
been hacked in the past. If you acquire a box on such a system, it will not 
last as long. Your ultimate goal would be a virgin system that has had no 
prior experiences with hackers.

Step 2: Gaining Access

 Once you've found a mailbox system, you must determine the access sign.
This is probably the easiest part. Access signs are either *, 0, or #. 
On some systems they may be 8, or 9 but that is pretty unlikely. When 
calling the system and entering the correct access sign, you should be 
prompted for a mailbox number. This is where things get tricky so pay close 
attention to the next two steps.

Step 3: Finding a Valid Box

 Before finding a box to take over, you must find a VALID box on the system.
When prompted for the mailbox number, enter 10 (followed by # or * if 
required). If you receive an error, try 20. Continue counting by tens until
you are prompted for a password. If you receive more errors, try counting
by hundreds (100, 200, 300, etc.) If more errors occur try counting by
thousands. When you reach ten thousand with no success go back to the 
beginning and count by fives or tens until you reach ten thousand. 
 Some voicemail systems also give you the option of searching for a 
subscriber by using his or her last name. If such an option is made 
available to you, use it to your advantage. Most systems will allow you
to key in the first few letters of the subscriber's name. Try common last 
names like Smith, Jones, Brown etc. If this works, you'll receive a listing
of valid boxes to call. This will give you some idea of where to search. 
 If you still have no success, pack up and go home. I guess it was never 
meant to be. Oh well, VMBs are not for everybody. 
 By this time, most of you should have found a valid box. Let's assume the 
box you found was number 120. Let's also assume that 110 is not a valid box 
number, but 150 is. At this point you'll want to do some basic scanning to 
determine the range of boxes. Scan 119 and below. Keep checking until you 
start getting errors. Write down the last valid box number you reached 
before the errors began. Do the same with 120 on up, and 150 on up. This 
should give you a fairly accurate view of how the boxes are mapped out on 
the system. 

NOTE: On some systems such as Meridian Mail, you will be prompted for a
      password no matter what box number you type in. This can be deceiving
      since you believe you have found a valid box when in fact you have 

Step 4: Finding a Vacant Box

 Once you have found some valid boxes, start scanning for vacant boxes. 
Vacant mailboxes are either boxes that were created by the system 
administrator for future employees, or boxes that were abandoned when
an employee was fired, transferred, etc. How do you identify a vacant box?
Simple. Call the system after hours and enter in some of the valid box 
numbers you recorded during your earlier scanning. You should be listening 
for a greeting that sounds like one of the following...

A. "Box 120 please leave a message".
B. "Box 120".
C. "Please record a message after the tone".

 Of course, if you encounter any outgoing messages recorded by a human 
assume the box is in-use. NEVER take over a box that is in-use by an 
employee. You'll feel cool for a few days, but when the owner logs in
to check his messages, he'll see evidence of your tampering and change his
password. In this case you'll be the one locked out! 

Step 5: Cracking the Password

 All right, this part is EASY. I shit you not, getting the password is the 
easiest part of the procedure besides hacking out the access sign. If your
mailbox is currently unoccupied the password should be reset to the default.
The default is the generic password the administrator sets after the box is
created. Here is a list of some common default passwords...




The Box number plus 1 (eg. 1201)
1 plus the box number (eg. 1120)

The box number itself (Box number = 120, Password = 120)

 Those are all the password combinations you'll need to know. Just use 
common sense and you should get in. Don't give up until you've exhausted ALL
of the above mentioned possibilities. If none of the defaults work you have
either attempted to hack an employee's box (most employees change the 
password, but some are really stupid) or the system has had problems with
hackers in the past and as a result there are no vacant/default boxes.

Maintaining your Mailbox

 Once you've gotten into a box, don't change a thing...yet. First, see if 
there are any messages. If there are, listen to them. If the messages sound
new (some systems will leave the date the message was recorded) you must 
have hacked a box that is already in use. Go back to step four and try again.
If the messages are several months/years old, or sound universal it is 
probably safe to use the box. Sometimes universal messages are sent to every
box in the system by the administrator. Don't confuse these with actual 
personalized messages. Another good way to determine box status is to call
the suspect box and leave a message yourself. Wait a few days/months and log
in again. If the message has been listened to, an employee probably controls 
the box. If the message is still new, chances are the box is abandoned.
Once you've determined the status of the box, you can change the password 
and the outgoing message. Although I would recommend you make your first 
outgoing message something generic like "Hi, you've reached my box, leave a 
message". Wait a month or two and see if your box still exists. If it does, 
you can change the greeting to say whatever you want. The waiting is a 
necessary evil. If you set your first outgoing message to say something like 
VISIT MY YO FUNK RAD PAGE G", your box will not last long. I would also 
recommend you change the password to prevent outsiders from accessing your


 Once you've successfully hacked a box, become familiar with it's features. 
Some mailboxes are connected to PBXs and thus have dial out capabilities! 
With some systems you can only call numbers that are local to the system. 
In other cases there is no restriction on calling which means long distance 
and toll calls can be placed at the expense of the system administrator. If 
your box does have dial out, abuse the fuck out of it before it is turned 
 Other voicemail features include the ability to create distribution lists, 
leave messages for other users, message notification, and more. 
 Distribution lists are just like mailing lists. Say your three best friends 
have boxes on the same system. You can make a distribution list with their 
box numbers, and forward messages to all three boxes with only a few key 
presses. So, the distribution list is almost like CC (Carbon Copy) in email. 
You can save multiple user's IDs and forward one message to all of them 
 Message notification is a setting that will have the system call you when 
a new message is received. Just enter your phone number and you're set. 
Although I would advise against this. Otherwise you may get a call from a 
pissed off system administrator demanding to know WHY your number is on 
message verification. The bottom line is you shouldn't screw with it. 
But, if you have the urge just look for a feature called "message 
verification" or "follow me".

How Long Will My Box Last?

 This question is difficult to answer. I've had boxes that lasted for
up to six months. However, I don't think there is any way to guarantee the
longevity of your mailbox. 
 If the system is on an 800 number you can count on your box being deleted
eventually. This is because 800 numbers have to foot the bill every time
someone calls them. Even if your system is local, calling the 800 number 
will guarantee a charge. If the administrator finds you're calling just to
make use of a stolen box, you can bet your bottom dollar it will be deleted.
 Another common problem is the random system check. Every once in awhile the
administrator will perform "security or maintenance exercises". If you find
a universal message in your mailbox referring to this, change everything 
back to normal. Hopefully he will think nothing is different and leave your
box alone. Be sure to tell your friends not to call you during this time 

Hacker Resistant Systems and Other Problems

 Some of the more desirable systems have certain safeguards to prevent 
outsiders from obtaining mailboxes. While the obvious countermeasures 
include effective management of vacant/unused boxes, and smart password 
selection, some systems have their own security features that make the 
modern voicemail hacker's task much more difficult.
 Systems such as Skytel, require the user to enter his/her password prior 
to selecting the box number. This renders the traditional hacking methods 
inoperable since most rely on vacant boxes and default pass codes. In 
addition, these systems will automatically log the user off if too many 
errors occur.  
 A few systems will allow only limited access to vacant boxes. In other 
words, the box exists with the default pass code but the user can not change
the greeting, or even configure the box to receive messages without consent
of the administrators. In this scenario, it is the administrator's job to
"activate" the box by recording the greeting, and setting up the extension.
I have encountered this annoying feature on several new systems including
Meridian. The only real "fix" is to hack the administrator's box and do 
the configuration process yourself. Good luck with that!

A Discussion on Systems

 The purpose of this section is to briefly touch on some of the voicemail 
systems you are likely to encounter. I will provide general background 
on each system, as well as default passwords if they are available.

Alltel - This is a voicemail system for cellular telephone users only.
         From your cellular phone, dial #99 and "SEND". Enter your security
         code, and you are in. All vacant boxes will have a default password
         of 9999. Alltel voicemail has several desirable features including
         the ability to change your security code, record a personal 
         greeting, create a "greeting schedule", and forward messages to 
         other users.

A.S.P.E.N. - Most people will agree that A.S.P.E.N. (Automated Speech 
             Network) is one of the best voicemail systems. To find a vacant 
             box, scan some common three digit numbers until you hear an
             automated voice say "You entered XXX. Please leave a message at 
             the tone...BEEP". Hit # and enter the box number when prompted. 
             A friendly female voice will discuss some of the better 
             features of the system and ask for your "temporary password". 
             The password is usually four digits. It is probably one of 
             those on my default list. Features to look out for include
             the ability to control message playback speed, message 
             forwarding, and "envelopes", extended absence greetings,
             the awesome ability to create and moderate "guest boxes" for 
             friends, and distribution lists.

Audex Voice Power - From the onset, Audex systems are difficult to identify. 
                    When calling a suspect number, hit *7. It should respond
                    with "Welcome to Audex Voice Power, please enter 
                    extension and # sign". Box numbers are three or
                    four digits and usually start with a 2. The password 
                    will be the same as the box number. You are required to 
                    hit # after entering the extension number, and the 
                    password. Features include easy message recording and 
                    forwarding, as well as out call for message receipt 
Centagram - Most Centagram systems are direct dial. This means that each
            customer has his/her own 800 number where you can leave messages
            without having to go through extensions. You can only hack these
            systems if you have the valid number of at least one legitimate
            user. Once you have a valid box, scan other numbers in sequence.
            Most, if not all, Centagram systems will group the boxes together
            in "blocks". Upon calling a vacant box, you should hear a generic
            greeting. Before you are told to leave a message, hit #.
            You will be prompted for a password. The password will usually
            be the last four digits of the box's telephone number. If this
            does not work, try some of the defaults mentioned above. 
            Centagram systems are very user friendly, and the nice lady 
            will guide you through a list of options upon entering the box.

Cindi - Cindi systems are pretty easy to get into, and they tend to have 
        some nice features. Upon calling the system and pressing #, you 
        should hear "Please enter the person's name using your touch tone
        keypad, last name followed by first. To enter a Q or Z push 1..."
        The disconnection message should sound something like "Thank You,
        Good day". Mailboxes are usually grouped together in blocks and will
        be either 3 or 4 digits. To log in you'll have to call the vacant 
        box and hit "0" when the message starts playing. The default password
        for Cindi systems is also "0". Features include message recording
        and forwarding, playback volume adjustment, call placements, 
        distribution lists, certified messages, and the ability to create 
        guest accounts for friends.

Meridian - These systems are the easiest to identify. Upon calling the 
           number you should hear a female voice say "Meridian Mail.... 
           Mailbox?" The box numbers are usually four digits and are 
           grouped together in a logical fashion. The default password
           is the same as the box number. Meridians have some nice features,
           including the ability to dial out (some systems). Other features
           include message forwarding, and "envelopes", distribution lists,
           personal greetings inside the mailbox, and the ability to log out.

Message Center - The Message Center is the easiest direct dial system to 
                 hack. Once again, you must find a valid box in the prefix
                 you are scanning. After you have successfully located a box, 
                 hit * twice to access the main Message Center Board. It 
                 should say something to the effect of "Welcome to the 
                 Message Center. Please enter a mailbox number or wait". 
                 Enter box numbers in the same prefix and listen for a 
                 generic message. Once you've located a vacant box, hit
                 * once to log in! It's really that easy. Although features
                 are lacking, it is always nice to have a direct dial box. 

Octel - Not much is known about these systems. Upon calling the system and
        hitting the # key, you'll be prompted for a mailbox number. Enter
        the number followed by # and you'll get the password prompt. Feel
        free to try some of the defaults from my list above. Remember, all
        commands made outside the box must be followed by #. Once inside,
        you'll be walked through the basic setup. Some Octel systems will
        require you to change your pass code immediately. Desirable features
        include the ability to control message playback speed and volume, 
        message notification, future delivery option, "private" delivery
        option, faxing feature, and distribution lists.
One Connect - Perhaps the most useful voicemail system currently on the 
              market. Most One Connect systems are direct dial. Virgin 
              boxes will give you set up instructions when called. Press *
              for the password prompt, and key in the default code 1234.
              Once inside, you can listen to messages, retrieve faxed 
              messages, set up message verification, call long distance
              numbers using the PBX, configure instant paging, and even set 
              up a toll free loop where callers can reach you. 

Q Voice Mail - This system is very similar to Cindi, and is pretty easy to
               hack as well. The greeting should say "Welcome to Q Voice 
               Mail Paging". Mailbox numbers are usually five digits, and the
               default password for vacant boxes is "0".  

RSVP - These systems suck! They can only hold 23 boxes. Upon calling, hit
       * for the directory of boxes. If you hit # first, you'll be given
       a list of options. As soon as you select any option, you'll be 
       prompted for a mailbox number. The mailbox numbers are almost always 
       two digits. The password will be the same as the box number.

Skytel - One of the more difficult systems. Skytel voicemail is a bitch 
         because you are required to enter the password first, followed by
         the box number. Many new voice mail systems are adopting this 
         method since it makes hacking next to impossible. The best way to
         hack Skytel is to get a PIN number of a user and call customer
         support claiming to be the dissatisfied customer. Call 1-800-SKYUSER
         (1-800-759-8737) for Customer Support.

Sperry Link - An all around nice system that can be a bitch to hack. Call it
              up and you'll hear "This is a Sperry Link voice station. Please
              enter your user ID". Just try some common numbers in sequence.
              Most IDs are five digits. If you hear "This is an XXX answering
              service" you have found a valid box. Hit *# to get the log in
              prompt. At this point you'll just have to guess the password.
              Try some of the defaults from my list. The passwords are 
              usually four digits.

Xerox - This system is not very common. Features include message recording
        and "delivery", the ability to skip to the end of a given message, 
        notification of non-delivery, future delivery, and a reply option.
        Call 1-800-TEAM-XRX (1-800-832-5979) for more information on Xerox 
        voicemail systems.

 In addition there are many other systems not listed here. You'll encounter
these unnamed systems too. Some of them are nice others are not. 


 I hope you've enjoyed my file. If you have any questions, comments, or if 
you would like information about other files I've written, please feel free 
to contact me. You can do so by sending email to cyberthief@deathsdoor.com.
You could also leave a message on my voicemail. Call 1-800-553-2112 after 
business hours and press "1104". This will forward you to my mailbox where 
you can leave voice messages. Since the box is hacked, I have no idea if it 
will still be valid when you read this. Although it should be up for quite 
awhile. If it does not work, you can call 1-800-289-6689 for my direct dial 
mailbox. It takes five rings for the system to pick up, but once it does 
you'll be asked to leave a message.

--*- Boundary Sn946+gqUW.Dq?'d-VSFÁS--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH