Hacking VMBs (Voice Mail Boxes)
By Cyber Thief
9/14/98
Introduction
------------
Have you ever wanted to hack a voicemail box? Well, you've come to the
right place because this file will show you how to do it. Enough of the
shit, let's get started.
Step 1: Finding a System
-------------------------
Hacking voicemail can be an easy five step process if done correctly. The
first step is to find a system to hack. There are several ways one would
find it. First off, you could do some old fashioned manual scanning of
your favorite 800 prefix. Although this is a long and tedious process. An
easier way would be to look in the phone book for companies that boast
"24 hour answering service". Make a list of these as well as other numbers
that are likely targets. You could also start a collection of business cards.
Business card phone numbers are often great sources for VMBs. Anyway, you're
bound to run across some systems. When calling a suspect number, listen for
a recording that sounds digital. The system should sound a lot better than
your average answer machine. If you hear something in the greeting about
extensions, then search no more. Extension numbers are a dead give away.
By the way, do not, I repeat DO NOT attempt to hack systems you know have
been hacked in the past. If you acquire a box on such a system, it will not
last as long. Your ultimate goal would be a virgin system that has had no
prior experiences with hackers.
Step 2: Gaining Access
-----------------------
Once you've found a mailbox system, you must determine the access sign.
This is probably the easiest part. Access signs are either *, 0, or #.
On some systems they may be 8, or 9 but that is pretty unlikely. When
calling the system and entering the correct access sign, you should be
prompted for a mailbox number. This is where things get tricky so pay close
attention to the next two steps.
Step 3: Finding a Valid Box
----------------------------
Before finding a box to take over, you must find a VALID box on the system.
When prompted for the mailbox number, enter 10 (followed by # or * if
required). If you receive an error, try 20. Continue counting by tens until
you are prompted for a password. If you receive more errors, try counting
by hundreds (100, 200, 300, etc.) If more errors occur try counting by
thousands. When you reach ten thousand with no success go back to the
beginning and count by fives or tens until you reach ten thousand.
Some voicemail systems also give you the option of searching for a
subscriber by using his or her last name. If such an option is made
available to you, use it to your advantage. Most systems will allow you
to key in the first few letters of the subscriber's name. Try common last
names like Smith, Jones, Brown etc. If this works, you'll receive a listing
of valid boxes to call. This will give you some idea of where to search.
If you still have no success, pack up and go home. I guess it was never
meant to be. Oh well, VMBs are not for everybody.
By this time, most of you should have found a valid box. Let's assume the
box you found was number 120. Let's also assume that 110 is not a valid box
number, but 150 is. At this point you'll want to do some basic scanning to
determine the range of boxes. Scan 119 and below. Keep checking until you
start getting errors. Write down the last valid box number you reached
before the errors began. Do the same with 120 on up, and 150 on up. This
should give you a fairly accurate view of how the boxes are mapped out on
the system.
NOTE: On some systems such as Meridian Mail, you will be prompted for a
password no matter what box number you type in. This can be deceiving
since you believe you have found a valid box when in fact you have
not.
Step 4: Finding a Vacant Box
-----------------------------
Once you have found some valid boxes, start scanning for vacant boxes.
Vacant mailboxes are either boxes that were created by the system
administrator for future employees, or boxes that were abandoned when
an employee was fired, transferred, etc. How do you identify a vacant box?
Simple. Call the system after hours and enter in some of the valid box
numbers you recorded during your earlier scanning. You should be listening
for a greeting that sounds like one of the following...
A. "Box 120 please leave a message".
B. "Box 120".
C. "Please record a message after the tone".
Of course, if you encounter any outgoing messages recorded by a human
assume the box is in-use. NEVER take over a box that is in-use by an
employee. You'll feel cool for a few days, but when the owner logs in
to check his messages, he'll see evidence of your tampering and change his
password. In this case you'll be the one locked out!
Step 5: Cracking the Password
------------------------------
All right, this part is EASY. I shit you not, getting the password is the
easiest part of the procedure besides hacking out the access sign. If your
mailbox is currently unoccupied the password should be reset to the default.
The default is the generic password the administrator sets after the box is
created. Here is a list of some common default passwords...
000
111
222
333
444
555
666
777
888
999
0000
1111
2222
3333
4444
5555
6666
7777
8888
9999
123
321
The Box number plus 1 (eg. 1201)
1 plus the box number (eg. 1120)
The box number itself (Box number = 120, Password = 120)
Those are all the password combinations you'll need to know. Just use
common sense and you should get in. Don't give up until you've exhausted ALL
of the above mentioned possibilities. If none of the defaults work you have
either attempted to hack an employee's box (most employees change the
password, but some are really stupid) or the system has had problems with
hackers in the past and as a result there are no vacant/default boxes.
Maintaining your Mailbox
-------------------------
Once you've gotten into a box, don't change a thing...yet. First, see if
there are any messages. If there are, listen to them. If the messages sound
new (some systems will leave the date the message was recorded) you must
have hacked a box that is already in use. Go back to step four and try again.
If the messages are several months/years old, or sound universal it is
probably safe to use the box. Sometimes universal messages are sent to every
box in the system by the administrator. Don't confuse these with actual
personalized messages. Another good way to determine box status is to call
the suspect box and leave a message yourself. Wait a few days/months and log
in again. If the message has been listened to, an employee probably controls
the box. If the message is still new, chances are the box is abandoned.
Once you've determined the status of the box, you can change the password
and the outgoing message. Although I would recommend you make your first
outgoing message something generic like "Hi, you've reached my box, leave a
message". Wait a month or two and see if your box still exists. If it does,
you can change the greeting to say whatever you want. The waiting is a
necessary evil. If you set your first outgoing message to say something like
"YO THIS IS CYBER THIEF THE AWESOME K-RAD ELITE HAXOR LEAVE A MESSAGE OR
VISIT MY YO FUNK RAD PAGE G", your box will not last long. I would also
recommend you change the password to prevent outsiders from accessing your
mail.
Features
---------
Once you've successfully hacked a box, become familiar with it's features.
Some mailboxes are connected to PBXs and thus have dial out capabilities!
With some systems you can only call numbers that are local to the system.
In other cases there is no restriction on calling which means long distance
and toll calls can be placed at the expense of the system administrator. If
your box does have dial out, abuse the fuck out of it before it is turned
off.
Other voicemail features include the ability to create distribution lists,
leave messages for other users, message notification, and more.
Distribution lists are just like mailing lists. Say your three best friends
have boxes on the same system. You can make a distribution list with their
box numbers, and forward messages to all three boxes with only a few key
presses. So, the distribution list is almost like CC (Carbon Copy) in email.
You can save multiple user's IDs and forward one message to all of them
simultaneously.
Message notification is a setting that will have the system call you when
a new message is received. Just enter your phone number and you're set.
Although I would advise against this. Otherwise you may get a call from a
pissed off system administrator demanding to know WHY your number is on
message verification. The bottom line is you shouldn't screw with it.
But, if you have the urge just look for a feature called "message
verification" or "follow me".
How Long Will My Box Last?
---------------------------
This question is difficult to answer. I've had boxes that lasted for
up to six months. However, I don't think there is any way to guarantee the
longevity of your mailbox.
If the system is on an 800 number you can count on your box being deleted
eventually. This is because 800 numbers have to foot the bill every time
someone calls them. Even if your system is local, calling the 800 number
will guarantee a charge. If the administrator finds you're calling just to
make use of a stolen box, you can bet your bottom dollar it will be deleted.
Another common problem is the random system check. Every once in awhile the
administrator will perform "security or maintenance exercises". If you find
a universal message in your mailbox referring to this, change everything
back to normal. Hopefully he will think nothing is different and leave your
box alone. Be sure to tell your friends not to call you during this time
either.
Hacker Resistant Systems and Other Problems
--------------------------------------------
Some of the more desirable systems have certain safeguards to prevent
outsiders from obtaining mailboxes. While the obvious countermeasures
include effective management of vacant/unused boxes, and smart password
selection, some systems have their own security features that make the
modern voicemail hacker's task much more difficult.
Systems such as Skytel, require the user to enter his/her password prior
to selecting the box number. This renders the traditional hacking methods
inoperable since most rely on vacant boxes and default pass codes. In
addition, these systems will automatically log the user off if too many
errors occur.
A few systems will allow only limited access to vacant boxes. In other
words, the box exists with the default pass code but the user can not change
the greeting, or even configure the box to receive messages without consent
of the administrators. In this scenario, it is the administrator's job to
"activate" the box by recording the greeting, and setting up the extension.
I have encountered this annoying feature on several new systems including
Meridian. The only real "fix" is to hack the administrator's box and do
the configuration process yourself. Good luck with that!
A Discussion on Systems
------------------------
The purpose of this section is to briefly touch on some of the voicemail
systems you are likely to encounter. I will provide general background
on each system, as well as default passwords if they are available.
Alltel - This is a voicemail system for cellular telephone users only.
From your cellular phone, dial #99 and "SEND". Enter your security
code, and you are in. All vacant boxes will have a default password
of 9999. Alltel voicemail has several desirable features including
the ability to change your security code, record a personal
greeting, create a "greeting schedule", and forward messages to
other users.
A.S.P.E.N. - Most people will agree that A.S.P.E.N. (Automated Speech
Network) is one of the best voicemail systems. To find a vacant
box, scan some common three digit numbers until you hear an
automated voice say "You entered XXX. Please leave a message at
the tone...BEEP". Hit # and enter the box number when prompted.
A friendly female voice will discuss some of the better
features of the system and ask for your "temporary password".
The password is usually four digits. It is probably one of
those on my default list. Features to look out for include
the ability to control message playback speed, message
forwarding, and "envelopes", extended absence greetings,
the awesome ability to create and moderate "guest boxes" for
friends, and distribution lists.
Audex Voice Power - From the onset, Audex systems are difficult to identify.
When calling a suspect number, hit *7. It should respond
with "Welcome to Audex Voice Power, please enter
extension and # sign". Box numbers are three or
four digits and usually start with a 2. The password
will be the same as the box number. You are required to
hit # after entering the extension number, and the
password. Features include easy message recording and
forwarding, as well as out call for message receipt
notification.
Centagram - Most Centagram systems are direct dial. This means that each
customer has his/her own 800 number where you can leave messages
without having to go through extensions. You can only hack these
systems if you have the valid number of at least one legitimate
user. Once you have a valid box, scan other numbers in sequence.
Most, if not all, Centagram systems will group the boxes together
in "blocks". Upon calling a vacant box, you should hear a generic
greeting. Before you are told to leave a message, hit #.
You will be prompted for a password. The password will usually
be the last four digits of the box's telephone number. If this
does not work, try some of the defaults mentioned above.
Centagram systems are very user friendly, and the nice lady
will guide you through a list of options upon entering the box.
Cindi - Cindi systems are pretty easy to get into, and they tend to have
some nice features. Upon calling the system and pressing #, you
should hear "Please enter the person's name using your touch tone
keypad, last name followed by first. To enter a Q or Z push 1..."
The disconnection message should sound something like "Thank You,
Good day". Mailboxes are usually grouped together in blocks and will
be either 3 or 4 digits. To log in you'll have to call the vacant
box and hit "0" when the message starts playing. The default password
for Cindi systems is also "0". Features include message recording
and forwarding, playback volume adjustment, call placements,
distribution lists, certified messages, and the ability to create
guest accounts for friends.
Meridian - These systems are the easiest to identify. Upon calling the
number you should hear a female voice say "Meridian Mail....
Mailbox?" The box numbers are usually four digits and are
grouped together in a logical fashion. The default password
is the same as the box number. Meridians have some nice features,
including the ability to dial out (some systems). Other features
include message forwarding, and "envelopes", distribution lists,
personal greetings inside the mailbox, and the ability to log out.
Message Center - The Message Center is the easiest direct dial system to
hack. Once again, you must find a valid box in the prefix
you are scanning. After you have successfully located a box,
hit * twice to access the main Message Center Board. It
should say something to the effect of "Welcome to the
Message Center. Please enter a mailbox number or wait".
Enter box numbers in the same prefix and listen for a
generic message. Once you've located a vacant box, hit
* once to log in! It's really that easy. Although features
are lacking, it is always nice to have a direct dial box.
Octel - Not much is known about these systems. Upon calling the system and
hitting the # key, you'll be prompted for a mailbox number. Enter
the number followed by # and you'll get the password prompt. Feel
free to try some of the defaults from my list above. Remember, all
commands made outside the box must be followed by #. Once inside,
you'll be walked through the basic setup. Some Octel systems will
require you to change your pass code immediately. Desirable features
include the ability to control message playback speed and volume,
message notification, future delivery option, "private" delivery
option, faxing feature, and distribution lists.
One Connect - Perhaps the most useful voicemail system currently on the
market. Most One Connect systems are direct dial. Virgin
boxes will give you set up instructions when called. Press *
for the password prompt, and key in the default code 1234.
Once inside, you can listen to messages, retrieve faxed
messages, set up message verification, call long distance
numbers using the PBX, configure instant paging, and even set
up a toll free loop where callers can reach you.
Q Voice Mail - This system is very similar to Cindi, and is pretty easy to
hack as well. The greeting should say "Welcome to Q Voice
Mail Paging". Mailbox numbers are usually five digits, and the
default password for vacant boxes is "0".
RSVP - These systems suck! They can only hold 23 boxes. Upon calling, hit
* for the directory of boxes. If you hit # first, you'll be given
a list of options. As soon as you select any option, you'll be
prompted for a mailbox number. The mailbox numbers are almost always
two digits. The password will be the same as the box number.
Skytel - One of the more difficult systems. Skytel voicemail is a bitch
because you are required to enter the password first, followed by
the box number. Many new voice mail systems are adopting this
method since it makes hacking next to impossible. The best way to
hack Skytel is to get a PIN number of a user and call customer
support claiming to be the dissatisfied customer. Call 1-800-SKYUSER
(1-800-759-8737) for Customer Support.
Sperry Link - An all around nice system that can be a bitch to hack. Call it
up and you'll hear "This is a Sperry Link voice station. Please
enter your user ID". Just try some common numbers in sequence.
Most IDs are five digits. If you hear "This is an XXX answering
service" you have found a valid box. Hit *# to get the log in
prompt. At this point you'll just have to guess the password.
Try some of the defaults from my list. The passwords are
usually four digits.
Xerox - This system is not very common. Features include message recording
and "delivery", the ability to skip to the end of a given message,
notification of non-delivery, future delivery, and a reply option.
Call 1-800-TEAM-XRX (1-800-832-5979) for more information on Xerox
voicemail systems.
In addition there are many other systems not listed here. You'll encounter
these unnamed systems too. Some of them are nice others are not.
Conclusion
-----------
I hope you've enjoyed my file. If you have any questions, comments, or if
you would like information about other files I've written, please feel free
to contact me. You can do so by sending email to cyberthief@deathsdoor.com.
You could also leave a message on my voicemail. Call 1-800-553-2112 after
business hours and press "1104". This will forward you to my mailbox where
you can leave voice messages. Since the box is hacked, I have no idea if it
will still be valid when you read this. Although it should be up for quite
awhile. If it does not work, you can call 1-800-289-6689 for my direct dial
mailbox. It takes five rings for the system to pick up, but once it does
you'll be asked to leave a message.
--*- Boundary Sn946+gqUW.Dq?'d-VSFÁS--
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
