Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking Voice Mail :: mer-ninj.txt

Hacking Nortel Meridian Mail

-o[ hacking meridian mail - an overview ]o-
-o[ D4RKCYDE                            ]o- 
-o[ by hybrid <>         ]o-----------------------------------

I think I have read about 6 guides to hacking meridian mail, and they get
worse all the time. Every meridian text I have read concentrates on the
features and architecture of the meridian mail system, however I am supprised
at the lack of information available that concentrates on the actual hacking
of meridian mail. This article with concentrate on various techniques that
can be used when hacking meridian mail.

For those of you who are unaware, meridian mail is a voice messaging system
designed by Nortel technologys and has many advanced features. Alot of
people seem to think that hacking voicemail networks is lame; bullshit. I
would argue that meridian mail is the most advanced voice platform there is
when it comes to voicemail and voicemail networking. Meridian is way more
advanced than any other voicemail system out there, it puts Octel, Audix,
Aspen, Phonemail and other network leaders such as Infostar to shame.

Meridian is designed to be fairly secure, but like most networks it can be
very vulnerable if you know the weak points. The only voicemail system that
I believe offers a respectable level of security is the Audix voicemail
platform, but thats another article. Unlike the other meridian mail guides
out there, I'm not going to rant on and on about meridian mail features and
network architecture, I've written several files on that already, so I'm
going to get staight to the point; here is how you hack meridian mail (the
effective way).

Before you do anything, you need to be able to identify a meridian mail
system properly. There are many different ways to identify a meridian mail
system, most of the time people only pick up on the real obvious meridian
mail systems, where you get a login prompt after you have dialed the number,
(" meridian mail, mailbox?.. "). However, there are many different ways to
identifying a meridian mail system. The voiceprompts on merdian mail are all
in a female voice, and can adopt a multitude of forms from different accents
to different languages, depending on where you are. The majority of the time
the voice prompts will be Americian-English in accent, and quite monotone in
nature. There are several different prompts you can come accross when dialing
a meridian system. As I said before, the most obvious one would be.. 18OOxxx
xxxx.. " meridian mail, mailbox? ". Here is a table to show you different
types of meridian mail dialin examples.

[ " meridian mail, mailbox? " ]

Here you are confronted with the meridian user login prompt, your only option
here is to guess a box number and password. Here is where meridian mail can
be a real bitch, there is no way of telling if you have dialed a valid box on
the system, you could hit any number of digits and still get a password
prompt. Either way, you will usually have 3 login attempts before you will
hear somthing like: " login incorrect, please contact your system
administrator for assistance, goodbye. " Because there is no way of telling
what prefix the mailbox/extension numbers are in from this dialin prompt, you
are dialing blind, so your only hope with this type of dialin prompt is
simple guess work, or if you read this, an educated guess.

Most systems will have 4 digit boxes, which will usually have a default
passcode set to be the same as the box number. The login convention is like
this: you dial your mailbox number xxxx suffixed by [ # ] you then recieve
the password prompt which will ask you to enter your password followed by the
# key. Like I said before, there is no way of telling if you have found a
valid box because you will be asked for a passcode whatever you enter. So,
for this type of login prompt we simply guess. The box ranges could be 3
to 5 digits long+ depending on the size of the voice network, 4 digit boxes
is the most common though. Just try random boxes like this.. 5463 [ # ] 5463
[ # ], 3788 [ # ] 3788 [ # ] etc etc, until you successfully login to a valid
box. (more on this later) note: if someone trys to incorrectly login to a
valid box to many times, the system will disable the box so even the
legitimate user cant access it, they would subseqently have to goto the sys-
admin in order to get the box reactivated. 

[ " express messaging, to mailbox? " ]

Here is another common meridian prompt that you are likely to come accross.
It is simply a meridian prompt for an external users to leave a message for
someone on that system, if they know the persons extension/mailbox number.
Here you cant really go wrong, because you are able to find out what prefix
the mailbox/extension numbers are likely to be in. You will get one of these
2 system messages after entering an extension/mailbox number + [ # ].

a) " There is no mailbox at, xxxx "
b) " mailbox xxxx, please leave a message at the tone. (or the persons
     recorded name - if they bothered to set one).

If you guessed an invalid mailbox number, just keep trying until you find a
valid mailbox and you should recieve system recording [ b ]. When you have
successfully managed to find a valid box, note the prefix down as there is
bound to be a nice cluster of mailboxes in that area aswell. You now have
the option to do a few things. Once you get system recording [ b ] you could
hit * and you will hear " there is no recorded message, to record a.... " or
if you waited for the tone prompt to record you message for that mailbox hit
[ # ] and you will get " recording stoped " (wherever you get lost with the
commands of meridian mail, simply hit [ * ] to here a limited set of help on
message/mailbox commands.

Now, you could hit [ 81 ] and you will recieve the standard meridian mail
login prompt as described above, but all you can do here is try to login as
the box number you successfully guessed, which should work most of the time,
but if it does'nt you need to find more boxes, which can be achived by
dialing various extensions on the internal pbx system. I will discuss this in
a little while.

[ " the person at extension xxxx is not available to take your call, please
    leave your message at the tone. " ]

Again, here you can hit * to get your list of options, such as [ 81 ] to
login, 0 xxxx[ # ] to dial an extension etc. 

[ " mailbox xxxx, please leave your message at the tone " ]

Again, hit [ 81 ] to login, * to get message options.

[ " the person at extension xxxx is not a subscriber to this service, call
    answering cannot be completed at this time, transfering to an attendant,
    one moment please.. or: please try again later, goodbye. " ]

Here there is not alot you can really do, unless you have dialed the number
after buisness hours and it transfers you to the attendtant/operator who is
not likely to be there so a recorded greeting would be in place, where you
would be able to login, dial around the system as normal.

[ " please dial the number of the person you are calling. " (hit * and you
    will hear: " you have reached an automated service which will connect you
    to the phone number you enter.. " you also have an option to dial by
    name. ]

Here is meridian's biggest vulnerabily, you are able to dial extensions on
the system. Big deal I hear you say. The fact is, if you are going to hack a
meridian mail system effectivly, you need to get to this prompt so you can
explore the entire system. You can get to this prompt through many ways as
discussed before, or by dialing 0 number # at a recording prompt, but this
prompt can usally be found by direct dial.

You are looking for a number of things here, such as modems on extensions
(meridian remote administration), valid extensions (valid mailboxes) and
meridian goodies such as the MICB built in meridian conference bridge.
Other things to look out for on meridian extensions are prompt maintanance
extensions, PA extensions (where you control the companys PA system) and
external lines. (more on external lines in a while).

Guessing valid extensions is fairly self explanitory, but sitting there for
ages getting " that number cannot be reached from this service " over and
over again can be a little off-puttting, so we employ our own ways of gussing
an extension number. Here is a vulnerablity that exists on most meridian mail
systems where you are able to get an extension prompt, I give a guy called
'public_nuisance' credit for this, as he was the person who origionaly found
this meridian vulnerabilty. This is what you do if you cant seem to guess a
valid extension.

First start at the higher numbers and work your way up, for example, hit 8
then [ # ] you will get either " beep, that number cannot be reached from
this service, please try again.. " or " pause.. your call cannot be completed
at this time, transfering to an attendant, one moment please.." If this is
the case, and you get " transfering to an attendant " quickly hit [ * ] a
couple of times and it will drop yo back to the dial extension prompt. Now,
here is where the vulnerability lays, if you recieve that system recording,
it means that the system is expecting more digits to be dialed after [ 8 ] or
whatever number you choose to start with. So next you try dialing 89[#] if
you get the same system recording it means it wants more digits so just hit
** again to get back to the dial extension prompt, or you may get " that
number cannot be reached... " which means you need to try 8 then somthing
else like 87[#] see where I'm going?.. Basically you are trying to step up
the digits and looking for the system anouncment that says " transfering to
an attendant " where you will hit [ * ] a few times, and keep dialing adding
more digits to the seqence each time until eventually you find the prefix of
box/extension numbers.

                1       2       3       8[ # ]  " your call cannot be 
                        |                         completed at this time "
                        |                         ( ** )
                4 <-x-- 5 <---- 6      87[ # ]  " that number cannot be 
                                |                 reached from this service "
                                |      89[ # ]  " your call cannot be  
                7 <-x-- 8 ----> 9                 completed at this time "
                                                  ( ** )
                        |             896[ # ]  " your call cannot be 
                        0                         completed at this time "
                                                  ( ** )
                                     8965[ # ]  " your call cannot be 
                                                  completed at this time "
                                                  ( ** )
                                    89654[ # ]  " that number cannot be
                                                  reached from this service "
                                    89652[ # ]--> [ ring ring ring ring ]

So, in the above diagram/working example, we see that the valid extension
number was [ 89652 ], this was found via the means of a proccess of
elimination with the help of the extension vulnerability. This way you do not
have to sit there for ages guessing vaild extensions, you just step up and up
through the trunk selection. This method can also be used if the system is
configured for through-dialing but has a passcode protecting the outdial
service, in which case you can get the passcode by using the above
vulnerabilty because meridian outdialing passcode protection is based on
trunk selection on the pbx system.. way-to-go Nortel ;]

One of the reasons people hack meridian is because of its nice outdialing
feature. Usually once inside a box, you can sometimes get an outside line by
dialing 9 before the number. So for example, if inside a box, you dial 0,
1234 [ # ] that will put you through to extension 1234. But if system
outdialing is enabled you can simply dial like this, 0,9,number [ # ] and
this will select an exteranl trunk and route your call to the outside. On a
poorly configured system (which most are) you may be able to dial externaly
without even loging into a mailbox. For example, if you get to the dial an
extension prompt, you could simply prefix the number with a [ 9 ] and your
call would be proccessed as normal.

Word of warning though. Meridian logs all routing activity, so for example,
say you called your g/f via the means of meridian outdialing, the system
administation part (MAT - meridian administration tool) would log the
following; you dialed 0,9,npa-blahblah[ # ].. meridian will log the
extension (or origionating location) from where the call attemt is commuing
from, it will then log the number, the time of the call, length of the call,
and even how long it took you to dial the digits. (very handy for the 'law').

There are several ways around this though. for starters, dont even think
about calling a meridian direct from your home if you are going to use one
for outdialing, if you do, route you call. Or, if you managed to find the
remote administration dialin modem on one of the extensions, you can
configure your own trunks for through-dialing ie; with no origionating point
or call tracking features enababled. Now, thats enough of the extensions and
call routing etc, now for the rest of the article.

If you dial a number and you get somthing like " press 1 for blah-blah, hit
2 for yack-yack " etc etc, dont just pass it off as some IVR system whatever,
because meridian can be configured to act as a dialin menu aswell. Infact,
this is the most popular type of meridian dialin that you are likely to come
accross. To identify the menu system as meridian, you can use the following:

If you hit an invalid key that is not in the menu options you may get:

[ " that command is not recognised " ]

Again, this is a dead givaway that the system is likely to be meridian based.
If this is the case, it is likely that in the dialin menu, you may have an
option to dial an extension number, leave a message (express messaging) login
to meridian mail etc. If none of those options exist, call the number back
after buisness hours, and try out all of the options until you eventually get
routed to an un-attended extension where the extension owners voicemail
greeting should come on, where you will be able to do what was discussed
before. If all else fails, simply hit [ 0 ] for the operator, if they are not
attending the switchboard, the general voicemail box for that company should
come on, and you can do your stuff.

Now, you know how to identify a meridian mail system, and have managed to
login to a box. Heres what to do next.. When you have loged into a box you
will hear somthing like " you have no new messages " or " you have x new
messages " or " your mailbox is full, to delete a message you no longer
require press 76 " or " your password has expired, to change your password
press 84 " etc etc. Now, you know the defualt password for the system, so
you need your own box. The mistake alot of people make when hacking meridian
is they take over a box that they think is not being used becuase it has no
messages in it, the fact is, if a box has no messages in it, it's likely that
the legitimate owner checks thier messages on a regualar basis. What you are
looking for is a box that either asks you to change your password, or a box
with backdated new messagess from like months ago.

To scan for more valid boxes, login to the one that you have access to, and
hit 75. You will then be asked to enter the mailbox of the recipient, where
you have the option to address the message to multiple boxes, ie: 5400#,
5401#,5402# etc etc. keep addressing the message to seqnetial boxes, so you
are scanning the system internaly. eventually, when you have written down a
list of valid boxes, hit [ # ], then, 76 to erase/cancel the message. You
will then be retured the the mailbox main menu, where you can hot 81 to
re-login to meridian mail, try 2 boxes from your list, if they dont have the
default passcode, log back into a box that you know the passcode to, then 81
again to go through the next 2 boxes on your list, this way you can avoid
being loged off from the system, and keep going until your fingers fall off.

Eventually you will find a box as described before that is not in use (either
loads of backdated messages, or passcode change prompt). You can then hit 84
to change your passcode, and then you can call the box 'yours'. I'm not going
to list all the functions/options available on meridian mail user boxes,
simply becuase all you need to do is hit [ * ] to have them read out to you
by the automated system help. All you need to know really is that [ 2 ] will
play any messages you have, 76 will erase it, 71 will reply, 79 will send,
75 to compose a message, etc. A few notes on meridian mail:

If outdialing is enabled, you may find that certain numbers are blocked, for
example ld numbers, numbers prefixed with a 1, or 01 for UK. This can be
overcome in most cases. If you can call the external operator [ 09,00# ] go
through the usuall bullshit with him/her/it to get them to dial/place the
call for you. Or you can find a telco service provider that offers 8OO
numbers that bill back to the line you are calling from. Or if you are in the
UK, you can sometimes trick the outdial baring by prefixing your call with
things like 9,[141] or 9,[1470] etc.

You can sometimes set the operator assistance number for your voicemail box
to dial an external number, when inside the box hit 82 then follow the
prompts. The number you set would usually be prefixed with a 9, then suffixed
with a # to end the string of entered digits. So when someone calls your
extension/mailbox and they hit [ 0 ] at your personal greeting, they would
get routed to a number of your choice, instead of the internal operator. This
feature can be usefull for simple diverters, but again, not very safe.

Meridian Integrated Conference Bridge (MICB) is a fully integrated, all-
digital audio conference bridge from Nortel (Northern Telecom) designed to
improve and simplify enterprise conferencing capabilities. MICB provides fast
and reliable access to an in-house conference bridge, eliminating the need to
frequently contact conference service bureaus or accommodate complex third-
party conference bridge equipment. Offering simple plug-and-play installation
within a Meridian 1 Intelligent Peripheral Equipment (IPE) shelf, software
keycode activated upgrades, and a variety of flexible features for increased
conference control, MICB is for organizations requiring frequent audio
collaboration to keep multiple dispersed parties connected with critical
communication. As an integrated solution, a single MICB card supports up to
32 ports and up to 10 simultaneous conference calls. There are four MICB card
capacity options available: 12, 16, 24 and 32 ports. If the conferencing
requirements increase, software keycodes activate additional ports on the
MICB card to support the larger port capacities. In addition, multiple MICB
cards can be supported within the Meridian 1 Communications System.

Expunged from one of my previous meridian files, an extract from a Nortel
technical document explaining how meridian call-logging is implemented etc.

"Detect and Alarm Toll Fraud"

Day by day, your Meridian 1 operates, routing calls to and from your company.
Ever wonder what your traffic calling patterns look like on a realtime basis?
Using MAT Call Tracking, you can now visually monitor traffic patterns. How
long are station users on the phone? What percentage of calls are incoming,
outgoing, or via tandem tie lines? These are a few of the available features.
Better yet, you can set up your own meter to visually cue on the criteria
that you want to monitor. Have you ever been a victim of toll fraud? Want to
know who's making long international calls, as they happen? The integrated
alarm filter can detect these scenarios and alarm you when the event occurs.
With multiple alarming notification methods, the system is sure to reach you,
where ever you may be.


Call Tracking is an on-line call monitor and alarm application for the
examination of call usage patterns leading to toll fraud detection. Graphs
are used to indicate trends and provide displays of unusual calls, enabling
you to adjust equipment and services to maximize resources. Multiple
filtering templates allow for your customization of [ toll fraud ]
criteria. The Call Tracking Module provides a number of alarm notification
options to alert you when the filter criteria have been met. Call Tracking
is designed to be used with Call Accounting but can also exist on a stand-
alone basis.

Welp, thats it for this brief overview of hacking meridian. Shouts to:
[ D4RKCYDE ] [ 9X ] [ B4B0 ] [ downtime ] [ zomba ] [ substance ] [ gr1p ]

   " 4-wire trunk circuits were converted to 2-wire local cabling,
     using a device called a hybrid. Unfortunately, the hybrid is
     by its very nature a leaky device. "

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH