ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜÜÜÜ Û ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ Û Û ÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ßÜ Üß ÜÜÜÜÜÜÜÜ Û Û Û Û Û ßÜß Û Û Û ßÜß Û Û Û Û Û Û Û ß Û Û Û ß Û Û Û Û ÛÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜÜÛ Û Û Û Û Û Û Û ÛÜÜÜÜÜÜÜÜÜ Û Û ÜÜÜÜÜÜ Û Û ÛÛ Û Û Û Û Û Û Û ßÜ Û Û Û Û Û Û Û Û Û ßßßßßßß Û Û Û Û Û Û Û Û ßßßßßßßßßßßßßß Û Ü Û ÛÛÜÛÛ Û Û Û Û Û ÜÛ Û Û ß Û Û Û Û Û Û ÜßÛ Û Û Û Û Û Û Û ßßßßßßßßßßßßßßßßßßßßßßßßßßß Üß Û ßßßßßßßßßß Û ßßßßßßßßßß Û ßßßßßßßßßßßßßßßßßßßßßßßßßßßßß ßßßßßßßßßßßß ßßßßßßßßßßßß Taking Your Machine Presents -+-+-=====================================================================-+-+- ______________________ ______________ _______________ / / / / / /| / / / / / / | /______________________ / /______________ / /______________ / | | | | | | | | | | | | | | / | | | _______|/| | / |_______ _______|/| |/_____ / | _______|/____ | | | | | | | / /| | | | | | | | / / | | | | | ______|/ | |/______ / | | | | | | | | | | | | | | | | | | | | | / | | / | | / | | / | | / | | / |_______|/ |_______|/ |_______________|/ [ Time For a Change ] Issue 5 04/26/97 --------------------------_______________________------------------------- INTRODUCTION ____________ Once again, the forces that be have delayed the release of TFC by nearly half a year from my estimated release date. But things have been slow, and submissions few. In addition, we at TYM have re-shifted our focus, so you will find articles on more obscure systems here and in future issues. In this issue we visit a the console for Rolm's PhoneMail systems, take a brief tour of Lexis-Nexis, examine Tracer building control systems, look at various possibilities with patching, and Terminal gives us v1.1 of the TYM 303 CO Lister. If you like TFC, drop me a line. I will keep making it if people are reading it. If you have written (or can write) something that would be of interest to readers of TFC, send it along as well. The more quality submissions I get, the more frequently I can release TFC. Feel free to send article submissions, comments, suggestions and threats to: gitm@obscure.sekurity.org or gitm@demonic.com Since many of my readers are unfortunate enough not to understand this, I will try to make it clearer: DO NOT SEND ANYTHING TO ANY MAIL ADDRESS REGARDING TYM OR TFC IF YOU CANNOT ENCRYPT IT. Thank you. Due to the fact that I have been without stable mail since the last release, the letters section will not appear in this issue (nor perhaps the next). BE SURE TO ENCRYPT ALL DATA SENT TO ME. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAzKQ+AcAAAEEAK6nuXQ3IzOelTVY+SrV93bBwiJLqIYSmj7H+f0HUm8+fQC9 o8cWdV2cOopL6rNQQ5cT1D3v0SnhXKLUoTOdC2wlUaYJJhNqmaScAI2dqO8MZyic fBjoSMxPmLySGp16+66UePsFIc63yXVH6wcGWfGC386KMfY8BKqlGu53jv3hAAUR tDFHaG9zdCBpbiB0aGUgTWFjaGluZSA8Z2l0bUBjb21tYW5kLmNvbS5pbnRlci5u ZXQ+iQCVAwUQM0xYpvSJzP2npH3pAQFHGAP+LuUkIqzyIlHGH5GAFj8Rg5OVu0mD WSVSYXMfCdndjHhP0pj7PXABcc9Tnnp0JivrIxv2CzIaIkFNSzCIlZRtVH71JqNA MguZPidf+S/d0b8xecncM9tAI7cMFExY6bN0X9nYhBGVoNZpBuhJrRPteT4baKGh uZ1a4lvORG85sueJARUDBRAymnUOUS5P0GkfnNkBASMCB/0Xv0DMtXtRSLeKUZo6 kTyT8+LIiAssxUY0nePm+6UQFxjUC0NL/Z5/MeBjpz5zZU+hs8XLNB3bGnT1gviL cOzvWEaY55pTyPgbiRn1AMMSQSIrQ4eKY46Nej/yvyRNfmoLS2joMY/0rCc6Kk/h 11yvyNF2ydEHI+HuHlLL/JIA4RNAyoGieQnqDtA3jfYHysJ2u2ohdotK1ayrlOQT CagsblruwoLWXzJEA3AZlAIC8q45SMRvTP50nLPVIIJW0LUSwNL6MzBHTifg0a1i pYnR8NhhVhsf/ymJ9GPEbrmz+Il+YY9S2ZqS6VUrjuhgkwFwR0sVGDsuAu3SQfej I/L4iQCVAgUQK/Kth3qNvtuZCNx9AQFnLAP/QfHqB8Bd5rrUtmCCxngfrNSNVwaa nF+yDL83cYUtMUhy/Mn5DBBvWVe8kkKbX6KjmwUTg565lxdLmfmpHCUrW02yz2uv n93VR1OAGb2xwbinBb+xzmM5FEEEZD+7yG1hM0S3/qM/96/9hzDhhg/NJnfxDdHO OyOic14ej8dRfhqJAJUDBRAylTk34ccb9PWH5PUBAWblA/45j5i11QUN5eQvEDLm bvw+yGD5MNBrOo75FCJm7mpCPB8aP61pyGzb7uycIGvseUiyaCKyqoo9LfGMReeb c3QEh1qIZvoWVsiEAIE9ZmmTVOcOURLjhz/92hmG/45d5xHb60lpBqIubZTWe+Zd yA1l7SE6UKRa3oSAZMpdk/iZlA== =qBwf -----END PGP PUBLIC KEY BLOCK----- --------------------------_______________________------------------------- [ INDEX ] Editorial: The Internet.............................By: Ghost in the Machine 1. The Use and Abuse of Rolm PhoneMail..............By: Ghost in the Machine 2. Lexis-Nexis Internals............................By: Ghost in the Machine 3. Inside Tracer L/Tracer 100 Systems...............By: Silicon 4. Extending Patching Technology....................By: Ensign Wesley Crusher 5. Local Corner: 303 CO Lister v1.1.................By: Terminal & Ghost in the Machine ----------------------------------------------------------------------------- TYM - [ A TYM PRODUCTION ] - TYM ----------------------------------------------------------------------------- All material appearing in TFC (Time For a Change) is copyrighted. Permission is granted to copy and distribute this magazine in whole or part, as long as the original authors are credited for their work and no part of this magazine is ever republished in a rag such as Phrack. Copyright (c) 1997 TYM Communications. All rights reserved. Editor in Chief: Ghost in the Machine Co-Editor: Ensign Wesley Crusher ASCII Artist: Terminal Writers: Ensign Wesley Crusher, Ghost in the Machine, Silicon, Terminal Greets to: Radikahl, Bug, Demonika, Dr. Fonk, Van Hauser and the THC gang, Caliban, Jazmine, Elastic, Phillip K. Zimmermann, Motion, everyone in #phreak, x0x, and the one armed man. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- TFC Issue 5 Editorial The Internet -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The 'net' is no longer a place that I find it interesting to be a hacker. Staying on the net after it became polluted with morons and flakes of all kinds who fancy themselves as hackers had pretty much messed up my idea of what the hacking world was about these days. It's easy to get wrapped up in the elitist shit that permeates the net scene, but believe me, gentle reader, there is more to hacking than what you will find there. The quest is to own everything, get root here, get root there. Oh boy! There's a new Solaris bug! It grates on my nerves, and after thinking about it for a while it doesn't take long to realize that this behavior not only has nothing to do with hacking, but it has nothing to do with ANYTHING. As I have mentioned before (and hopefully you have heard it elsewhere as well), hacking is about exploration and learning. You learn little from getting root, over and over on the same network. Even if you are writing the exploits, there are only so many variations on the same themes, and you are knee deep in redundancy. True learning can only take place in unfamiliar territory. On the net, people get to a certain level and then plateau, trying to hold on to the power they have gained, without using their drive to move on to new horizons. I realize this is a bit of a generalization, but I am certain that if you think about it, you will find it to be true. I am not trying to become some psycho anti-Internet wacko, as the net is a very powerful medium, and without it, TFC probably would not be read in Europe, South America, and the Orient. What I am saying is that sitting around, trying to build your 'elite quotient' does not make you a hacker, and I don't care how long you've been around. It's akin to selling out, and it's disgusting. If you are new, try to get into hacking local systems, it's more gratifying, and you will find lots of surprises. Grab a copy of Toneloc, pick an exchange with a lot of businesses in it, and start scanning. If you are not new, think about what it is you are doing, and what hacking is about. It's not a power trip, it's not living on IRC acting cool, it's not getting root on system after system after system. Obviously this does not apply to some of my readers, but for those of you who find yourselves in the category I have laid out above, get with the program, get with your local scene, and quit being a poser. As always, it is Time For a Change, and I will no longer be publishing bug lists or Internet specific information (unless it is new stuff which has not been written on before). I like to go against the grain, not follow the herd. Ghost in the Machine -0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0=-0= Time For a Change presents The Use and Abuse of Rolm PhoneMail by Ghost in the Machine [TYM] -=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0-=0 INTRODUCTION ------------ Siemens Rolm, Intl. makes among other things, Rolm PhoneMail software. It is basically just Voice Mail software. Although it is set up to be interfaced easily with the Rolm CBX, which will be covered in some detail in a later file. Phonemails are very common, and although I am not certain that dialups are necessary to their operation, I do know that they are all over the place. When I first encountered these machines, I scoured the earth looking for drops of information regarding them, and came up with nothing. No article (seemingly) has ever been published regarding the workings of Rolm PM, so ridiculous as it may seem in 1997, this is likely the first article ever written on them. The only article I found that even mentioned them was in an issue of Phrack from 1986, and it generalized for about 1 paragraph. IDENTIFICATION AND ENTRY ------------------------ Depending on whether you find the Rolm or IBM release. The login screen will differ slightly. The version also has something to do with it. However, this is what you will see most of the time: For Rolm (Below 6.0): ROLM PhoneMail 9252 9254 Microcode Version 5.2 Copyright (C) ROLM Systems 1991 All Rights Reserved. PM Login> For Rolm (6.0 to current) Login: For IBM: IBM PhoneMail 9252 9254 Microcode (C) Copyright International Business Machines Corp. 1989 All Rights Reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. PM Login> In any case, whatever the prompt. PhoneMail has a unique error from the login prompt. Illegal Input. It will give you this error if you enter ANYTHING besides a valid username on the system. This is an easy way to identify a PM system if you encounter one with a modified prompt. Once you enter a valid username you will get: PM Password> There are 3 levels of access. There will always be only 3 accounts on the system. The names can be changed, but they are normally: sysadmin - Highest level. Can perform system configuration, add boxes, modify all aspects of PM, etc. tech - Middle level. Can perform many maintainance functions, sometimes including adding boxes. poll - Low level. Normally can only view reports, etc. Some (very) common passwords are: sysadmin sysadmin poll poll or tech tech tech I have found that these work on about 40-50% of PM systems encountered. In many cases, even if these defaults don't work, the passwords are easily guessable. There are a couple of true system backdoors that i won't list here because 80% of my access has been gained with these, and they are not widely publicized. I want to spread awareness of PM systems without having to sacrifice the majority of my access. However, if you have a bit of motivation and a brain, they are not terribly hard to figure out. Unless you get sysadmin access from the start, you will begin at a prompt without a session: PM Action> or under 6.0+ Action: (or something similar. Entering a '?' will give you the following menu.) The following commands are valid: Activate - Activate the session Broadcast - Broadcast a message to all terminals Connect - Invoke the subsystem Terminate - Terminate the session List - List all open sessions Logout - Terminate all sessions and log off. Login - Logout and login again. Display - Display sessions status on a site. Activate - Activates a suspended session. Broadcast - You figure it out. Don't use it. Connect - On a multi-node system, you can use the and to connect to a specific node. Connect by itself will connect you to the default node. Terminate - Kills a suspended session. List - Shows all active sessions (yours and others) Logout - Go back to login prompt. Login - When passed an argument, will log in as Display - Shows all sessions with a status list. There is also commonly found a Techview on/off switch on this menu, i have played with it much, and have never figured out what it is for. If you know, mail me, i would love to be filled in. Once you are in, everything is fairly self explanatory. Anywhere you get stuck you can hit ? for a menu. Also Ctrl-X serves as a break key in PM, so if you can't seem to exit from an external program, or wish to interrupt something, that is what you want to use. THINGS TO DO ------------ I should begin by saying that if you don't have the voice mail dialup number most of this information will be useless to you unless you just want to get on and explore/play around with the PhoneMail system itself. If you have the voice mail dialup, you can (with SA access) add mailboxes and mod their features etc. Unfortunately, outcalling is simply a one number dial from a certain class of service, so making a diverter under PM is not possible, but I am sure you can see some obvious uses for outcalling. 1. Enabling Outcalling(OC). First, you need to check to see if outcalling is enabled on the system. To do this, use SysParameters - List (Note, all commands in PM are single strings, any command lists that are here with multiple words are to be executed singly). In the 'Enable Outcalling?' field, if it is flagged FALSE, you need to use SysParameters - Modify to turn it on. 2. Add/Modify Class of Service(COS) if necessary. If you had to add OC, chances are good that there is not currently a class of service with OC enabled. The box you create must be in a COS flagged to include OC. You can either modify an existing class of service to include OC (Not Recommended) or create a new COS with whatever you want in it. To modify an existing COS use ClassOfService - Modify, and enable all of the OC flags. To add one, use ClassOfService - Add. You can also add features to your COS that other ones may not have, such as calling a specified number when a message is received, etc. 3. Add a mailbox. Use Profile - Add to create a mailbox. Be sure to add the COS you created or modified (if applicable). There are a lot of other things you can do on the system, but i will leave that to be discovered. This covers the main points of what most people will want to do. Following is a glossary of commonly encountered SA functions and menu/report examples. FUNCTION LIST WITH EXAMPLES --------------------------- There are a lot of different configurations, and many external programs. I am not going to spend a lot of time going into infrequently encountered extras. This is a list of the most commonly found functions Specify a function - ActivatePM AssignClasses BackupDataBase BackupNames CallProcessing ClassOfService DeactivatePM DList FFormat LogOff MonitorLogon NodeParameters OCConfigAndTest OCMessageLog Profile Reports Status SysParameters SysStatistics Function: ActivatePM - This will activate the PhoneMail system if it is currently deactivated. AssignClasses - External program to assign COS to each user in the database. Only local non-Call Processing users are assigned classes. BackupDataBase - Create a backup of the customer database on HD or floppies. BackupNames - Copies name header information for all subscribers to a floppy/floppies. CallProcessing - An external program to create and maintain Mailbox Profiles. Typical Menu: ======== Call Processing Setup Menu ======== A - Add Call Processing Mailbox Profile L - List Call Processing Mailbox Profile M - Modify Call Processing Mailbox Profile D - Delete Call Processing Mailbox Profile S - Show Call Processing Mailbox Profiles E - Expand Call Processing Paths C - Check Call Processing Consistency R - Reports for Call Processing F - Finished (return to SA mode) Add - Add a call processing mailbox Example: Mailbox extn []: 399 Path Name []: WERD Mailbox Name []: HAXOR Call processing mailbox type (? for help) [Listen Only]: ? Please enter: (LO) Listen Only (LR) Lis/Resp (M) Menu Call processing mailbox type (? for help) [Listen Only]: ? m Enable password [False]: False Entry point [False]: False Number of times to play greeting [2]: 2 Greeting replay time (secs) [5]: 5 Time out transfer type (? for help) [Hangup]: ? Please enter: (C) CallProcessing Extn (P) Phone Extn (S) Subscriber Profile (NE) Name or Extn transfer (NO) Name only transfer (EO) Extn only transfer (D) Direct Access (G) Guest Access (H) Hangup Time out transfer type (? for help) [Hangup]: h Play hang up prompt [True]: True Min Sub Password Len [0]: 0 Max Access Attempts [5]: 5 Attempt Threshold [0]: 0 Direct access password (numeric) [######]: ### Key 0 transfer type (? for help) [Unused]: ? Please enter: (C) CallProcessing Extn (P) Phone Extn (S) Subscriber Profile (NE) Name or Extn transfer (NO) Name only transfer (EO) Extn only transfer (D) Direct Access (G) Guest Access (U) Unused Key 0 transfer type (? for help) [Unused]: c Transfer extn []: 399 Key 1 transfer type (? for help) [Unused]: p Transfer extn []: 399 Key 2 transfer type (? for help) [Unused]: s Transfer extn []: 399 Key 3 transfer type (? for help) [Unused]: ne Confirm transfer? [True]: 3 True Play Intro Prompt? [True]: True Key 4 transfer type (? for help) [Unused]: no Confirm transfer? [True]: True Play Intro Prompt? [True]: True Key 5 transfer type (? for help) [Unused]: eo Confirm transfer? [True]: True Play Intro Prompt? [True]: True Key 6 transfer type (? for help) [Unused]: d Key 7 transfer type (? for help) [Unused]: g Key 8 transfer type (? for help) [Unused]: u Key 9 transfer type (? for help) [Unused]: u ChannelTrace - Lists the current state of each channel. Continously updates until interrupted. ClassOfService - There are several actions available for ClassOfService: Add All Copy Delete List Modify Add - Add a class of service profile. Example follows: Class Number : 9 Class Name : (Default = ): KILLERS Max Number Msgs : (Default = 10): 50 Max Future Dlv Msgs : (Default = 5): Max Msg Length : (Default = 200): 600 Max Number Greetings: (Default = 1): Int/External Pair? : (Default = TRUE): Max Greeting Length : (Default = 200): 600 Sub Recorded Names? : (Default = TRUE): Min Sub Password Len: (Default = 0): 5 Max Access Attempts : (Default = 5): 1 Attempt Threshold : (Default = 0): Send Broadcast? : (Default = FALSE): TRUE Receive Broadcast? : (Default = TRUE): Max Num PDLs Allowed: (Default = 5): LDN Exped Dl Enable : (Default = FALSE): LDN Normal Dl Enable: (Default = TRUE): Host Link Subscriber: (Default = FALSE): Enable Outcalling? : (Default = FALSE): TRUE Xfer From Outcall? : (Default = FALSE): TRUE OC Restriction Table: (Default = 0): Min Outcall Freq : (Default = 0): RNA Retry Freq : (Default = 15): Busy Retry Freq : (Default = 5): Max Num RNA Retries : (Default = 3): Max Num Busy Retries: (Default = 5): Paging Lang String : (Default = 0): Pager Terminal Num : (Default = ): If you wish to exit, type ";". First Field of Form: Class Name : (Previous = KILLERS): ; All - List classes of service. COS is a predefined class with specific priveleges and access. The information displayed is not terribly useful and can be found along with more useful information using: Report - COSAttributes - All Report is covered in greater detail below. A typical display for ClassOfService follows: Class Number Class Name ------------ ---------- 1: 0 2: 1 ADMIN 3: 2 STAFF 4: 3 EXEC Copy - Copy existing COS attributes to another COS. Delete - Delete an existing COS. List - List a specific COS attributes. Example follows. Class Number: 9 Class Number 9 Class Name KILLERS Max Number Msgs 50 Max Future Dlv Msgs 5 Max Msg Length 600 Max Number Greetings 1 Int/External Pair? TRUE Max Greeting Length 600 Sub Recorded Names? TRUE Min Sub Password Len 5 Max Access Attempts 1 Attempt Threshold 0 Send Broadcast? TRUE Receive Broadcast? TRUE Max Num PDLs Allowed 5 LDN Exped Dl Enable FALSE LDN Normal Dl Enable TRUE Host Link Subscriber FALSE Enable Outcalling? TRUE Xfer From Outcall? TRUE OC Restriction Table 0 Min Outcall Freq 0 RNA Retry Freq 15 Busy Retry Freq 5 Max Num RNA Retries 3 Max Num Busy Retries 5 Paging Lang String 0 Pager Terminal Num Modify - Modify COS attributes. ConfigPhoneMail - Assigns numbers to nodes, builds multi-node PM systems, etc. DeactivatePM - Turn off PM system. DON'T USE THIS UNLESS YOU ARE VERY SURE OF WHAT YOU ARE DOING! Calls will no longer be taken by the PM if it is deactivated. DList - Show distribution lists. FFormat - Format a floppy disk. The single most useless command for a remote user. LogOff - Quit session and go to session manager menu. MonitorLogon - Monitor users logging in to PM. MonitorTapLink - Shows tap traffic on CBX integrated systems. Continues to update until interrupted. NodeParameters - List Modify This displays useful information regarding the system you are on. It includes such interesting tidbits as SA mailbox, System ID, and other main system mailboxes. It also tells whether ANI is active, which alone can tell you a good deal about the company which owns the machine. OCConfigAndTest - Utility to configure and test all outcalling related parameters. OCMessageLog - Outcalling message report. Profile - Add All Clear Delete Fix List Modify Purge Displays all users on the system with node (if applicable) extension and group/COS name. Reports - Display reports. Here is a typical menu of report types: Specify a report - AccessFailures Billing CallActivity CallLength Channel COSAttributes COSSubscriber Disk MsgAge MsgLength MsgRetention MsgStatus NameReport Outcalling PersDLists PersGrtgs PWChange SubAccess SubMsgs SubReport for the sake of brevity, completely useless reports will not be detailed. Most reports will have options for All, Group, and Individual. AccessFailures - Displays failed access attempts. ALL failed access attempts are logged, so if you are into VMB hacking and you want to hack PM boxes, divert, divert, divert. You can either specify to report all failures occuring after a given date, or simply hit enter to view all failed access attempts. An example follows: Invalid Access Attempt Report Name Exten Failed attempt time Caller ________________________ ________ _________________________ _________ JOE BOB SMITH 301 Fri Nov 22, 1996 8:58 AM 500 ELITE HAXOR 302 Mon Jun 24, 1996 12:01 AM 314 FUCK STAIN 303 Tue Oct 18, 1996 1:39 PM 320 Billing - Displays detailed information about one or more subscriber profiles. including such things as the number of messages sent and the amount of time each subscriber has been connected to PM. Example follows: Subscriber / Category Units Price Extended Price __________ ________ _____ _____ ______________ ELITE HAXOR Connect Time Into PM 4839 4839 4840 Connect Time Out of PM 0 0 1 Messages Sent 1478 1478 1479 Messages Len (Min) 950 950 951 Avg Retention Hrs 6 6 7 Network Exped. Msgs Sent 0 0 0 Network Exped. Msgs Len (Min) 0 0 0 Network Normal Msgs Sent 0 0 0 Network Normal Msgs Len (Min) 0 0 0 Subscriber Total Price: 7273 Subscriber Total Extended Price: 7278 CallActivity - Displays call activity by the hour, with averages. Example follows: Call Activity Report From: Mon Jul 23, 1990 11:00 PM To: Tue Dec 10, 1996 11:00 PM Time # Direct # Forward # Total % Total ____ ________ _________ _______ _______ 7 AM 13967 22683 36650 5 8 AM 37241 59395 96636 15 9 AM 38502 10372 48874 7 10 AM 38545 11445 49990 8 11 AM 34777 8584 43361 6 12 Noon 28913 9248 38161 5 1 PM 41308 20232 61540 10 2 PM 43733 15497 59230 9 3 PM 37772 9205 46977 6 4 PM 34365 639 35004 6 5 PM 19276 53950 73226 10 6 PM 7427 26969 34396 6 OffHrs 18741 33959 52700 7 Peak Hour 8 AM Total Calls 676745 Avg calls/day/subscriber 3 CallLength - Displays information regarding average call length. Example follows: Call Length Report From: Mon Jul 23, 1990 11:00 PM To: Tue Dec 10, 1996 11:00 PM Time # Direct # Forward # Total % Total ____ ________ _________ _______ _______ 0 - 30 s 26622 29604 56226 16 30 - 60 s 54787 34998 89785 26 60 - 90 s 49961 55884 105845 31 90 -120 s 24840 16850 41690 11 2 - 4 m 32063 13361 45424 13 > 4 m 9686 409 10095 3 Most frequent length 60 - 90 s Average length (Seconds) 2300 Total connect time (Minutes) 819857 Avg connect time/day/sub (Minutes) 4 Channel - Displays average channel utilization by hour. Example follows: Channel Usage Report From: Mon Jul 10, 1990 11:00 PM To: Tue Dec 2, 1996 11:00 PM Time % Busy % Utilization ____ ______ _____________ 7 AM 0 4 8 AM 0 12 9 AM 0 13 10 AM 0 13 11 AM 0 12 12 Noon 0 11 1 PM 0 14 2 PM 0 14 3 PM 0 12 4 PM 0 11 5 PM 0 8 6 PM 0 4 OffHrs 0 1 Number of seconds all channels were busy 516152 Number of times all channels were busy 55356 Average % utilization over day 10 COSAttributes - Displays all information about existing classes of service COS Attributes Report Max Max Max Max Int/ Max Sub Min Attempts: Broadcast: Max Class Num Futr Msg Num Ext Grtg Rec Sub Max Num Num Msg Msg Len Grtg Pair Len Name Pwd Acc Thrsh Send Rcv PDL's ---------------------------------------------------------------------------- 0 10 5 200 1 T 200 T 0 5 0 F T 5 1 400 5 200 1 T 200 T 0 5 0 F T 5 2 40 5 200 3 T 200 T 4 5 3 T T 5 3 20 5 200 3 T 200 T 4 5 3 F T 5 Network Xfer Min Retry Max Num Page Class Delivery: Host Out from Rstr Outc Freq: Retries: Lang Paging Term Num Immed Norm Link Call Outc Tbl Freq RNA Bsy RNA Bsy Str Number ------------------------------------------------------------------------------- 0 F T F F F 0 0 15 5 3 5 0 1 F T F F F 0 0 15 5 3 5 0 2 F T F F F 0 0 15 5 3 5 0 3 F T F T T 0 0 15 5 3 5 0 COSSubscriber - Displays information on one or more class of service with subscriber information. Example follows: COS Subscriber Report From: -- Statistics not cleared -- To: Wed Dec 3, 1996 12:00 AM Class Number : 1 Class Name : Subscriber Name Node Extension Group Name --------------- ---- --------- ---------- ELITE HAXOR 1 302 EXEC Disk - Displays a disk usage log in daily format. Example follows: Disk Usage Report Day Peak % full ___ ___________ 1 19 2 19 3 20 4 19 5 18 6 19 7 19 8 19 9 19 10 18 11 18 12 17 13 17 14 16 15 18 16 18 17 18 18 17 19 18 20 18 21 18 22 18 23 18 24 18 25 18 26 19 27 19 28 18 29 19 30 19 31 19 Average percent full 18 Peak % full 20 Day of peak 3 Number of Hours > 90% full 0 Number of Times > 90% full 0 Number of Hours 80-90% full 0 Number of Times 80-90% full 0 MsgAge - Shows average message age, and number of old messages. Message Age Report Subscriber / Last Access Time # Old Msgs # Minutes __________ ________________ ___________ _________ ELITE HAXOR 6 3 Wed Dec 3, 1996 12:02 PM NameReport - Displays records in the name database. Unrecorded names only (y/n)? n Subscriber Name Report Exten Name Node # of sec # chars unique name ________________ ________________________ ____ ________ ___________________ 302 ELITE HAXOR 1 2 3 Outcalling - Displays outcalling statistics, by subscriber or group. Outcalling Report From: -- Statistics not cleared -- To: Wed Dec 3, 1996 2:51 PM Num Num Total Avg Succ UnSuc Connect Connect Name Extension Node Calls Calls Time Time ---- --------- ---- ----- ----- ------- ------- ELITE HAXOR 302 1 47 0 4700 100 PWChange - Displays the last time a subscriber or a subset of subscribers changed their password. Enter Old Password Age (in days): Password Change Report To: Wed Dec 03, 1996 2:57 PM Name Extn Node Date last password change PW Age ________________________ ________ ____ ___________________________ _______ ELITE HAXOR 302 1 Mon Oct 31, 1994 7:21 AM 765 SubAccess - Displays subscriber access activity. Subscriber Access Activity Report From: Fri Oct 28, 1994 11:14 PM To: Wed Dec 11, 1996 2:00 PM Subscriber / Last Access # Accesses Access Min __________ ___________ __________ __________ ELITE HAXOR 92 83 Tue Dec 3, 1996 10:09 AM Sa - Goes into SysAdmin mode from Tech. Like su for PhoneMail. Status - List Displays a brief blurb of useless information. The only possibly useful bit of info would be that it displays whether or not PM is currently active. However, any functions that requre PM to be active will also tell you if you attempt to run them while the system is deactivated. SysParameters - List Displays and/or modifies main system configuration. This is where system passwords are defined, as well as outcalling features, and tons of other stuff. Modify Edit system parameters. SysStatistics - Clear This will clear the system statistics log. This is useful if you have enabled outcalling on a system that doesn't normally support it. As having lots of Outcalling stats appear in a log is generally considered to be in bad taste. List This will display a lot of junk, such as hourly and daily statistics on disk use, busy channel, etc. SystemStatus - Displays current state of PM system and channel information. TALog - Lists TA error log. Basically, all problems in the system that should be fixed. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Time for a Change presents Lexis-Nexis internals. by Ghost in the Machine [TYM] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- INTRODUCTION ------------ Lexis-Nexis is a combination legal and business research database. As such, it has many uses for all kinds of businesses, not to mention hackers. In this file I will shed some light on not only what lexis-nexis can and cannot do, but also explain the basics of how to move around and get things done. There seem to be a lot of misconceptions about l-n, so I hope to shatter the illusions with the truth. ACCESS AND ENTRY ---------------- First off, Lexis-Nexis has dialups, if you know of a company that uses them, you might be able to social engineer the dialup number from the geeks at l-n customer service. If you have a lot of free time, you could scan every exchange on the switch which serves their local business office. If neither of these appeals to you, then you are in luck. Lexis-Nexis is also on the net. All you need to do is telnet in and you are all set. telnet> o image.lexis-nexis.com Trying 192.73.216.85 ... Connected to image.lexis-nexis.com. Escape character is '^]'. Trying 39991420010002...Open Please transmit your terminal TYPE abbreviation. (Abbreviations begin with a PERIOD -- Call Customer Service for assistance) Here you would enter .vt100 or whatever your terminal of preference is. L-N does not have a very large selection from what I've seen, so it's best to go with something standard. That completed, you get a screen which ends with: WELCOME TO LEXIS AND NEXIS. LEXIS and NEXIS will be available until 2:00 A.M. Eastern Time. Please type your personal identification number (7 characters) and press the TRANSMIT key. Here is the fun part. Lexis-Nexis is easy to get into if you have a little patience (or are sniffing one of their customers), They have PIN codes of exactly 7 digits, alpha-numeric, not case sensitive. That is all you need to get in. No passwords or other such nonsense. Granted, that still leaves a LOT of possible PINs, but L-N's customer base grows incredibly by the day, so it shouldn't take too long to guess a valid PIN if you are patient. Once you are in, you will get the following screen: Please enter the number of the option desired. PREFERRED PRICING OPTIONS 1 LEXIS (R) ONLY 2 News - All Files 3 Public Records Per Agreement 4 Company/Industry Info ALTERNATE PRICING OPTION 5 ALL SERVICES - PAY AS YOU GO To end your session, press the SIGN OFF key. To return to this option menu during your research session, enter .CM For further explanation, press the H key and then the ENTER key. The best choice until you are more familiar with L-N is to pick 5, since you will have access to all the libraries from there. LIBRARIES --------- Once you get to the library screen, you can do whatever you want. Here is what it looks like: Please TRANSMIT the NAME (only one) of the library you want to search. - For more information about a library, TRANSMIT its page (PG) number. - To see a list of additional libraries, press the NEXT PAGE key. NAME PG NAME PG NAME PG NAME PG NAME PG NAME PG DNAME PG ----------- Types ----------- ---------- Topics ---------- - Int'l - General Public BUSFIN 2 Intellect Medical ASIAPC 5 -- News - - Legal - Records CMPCOM 2 Property GENMED 15 CANADA 20 NEWS 1 CODES 7 ALLREC 6 ENERGY 10 COPYRT 9 EMBASE 15 DUTCH 5 REGNWS 1 LAWREV 12 ASSETS 6 ENTERT 2 PATENT 13 MEDLNE 15 EUROPE 5 TOPNWS 1 LEGNEW 1 DOCKET 6 ENVIRN 10 TRDMRK 14 GERMAN 5 MEGA 7 FINDER 6 GEODEM 10 Political MDEAFR 5 INSOLV 6 INSURE 11 - Legal - APOLIT 4 NSAMER 5 Financial INCORP 6 MARKET 1 BANKNG 8 CMPGN 4 UK 19 ACCTG 3 LEXPAT 6 MKTRES 1 FEDSEC 11 EXEC 4 UKCURR 19 COMPNY 3 LIENS 6 PEOPLE 2 GENFED 7 LEGIS 4 WORLD 5 INVEST 3 VERDCT 6 SPORTS 2 HOTTOP 7 TXTLNE 19 NAARS 3 TRANS 14 LABOR 12 -- Tax -- Assists QUOTE 3 Reference PUBCON 13 FEDTAX 11 EASY 15 D&B 3 BUSREF 2 STATES 7 STTAX 13 GUIDE 15 BLMBRG 3 LEXREF 12 PRACT 15 MARHUB 12 TERMS 15 CATLOG 15 Now I am not going to cover most of the libraries, although most of them are useful to anyone, I am going to focus on the one thing that I assume most most hackers will be interested in. The skip-tracing database. Lexis-Nexis 'People Finder' database can be found under library section 6. NAME LIBRARY NAME LIBRARY ALLREC Combined State Public Records LEXDOC Type LEXDOC and TRANSMIT to ASSETS Property and deed transfer order hardcopy public records records from selected documents and searches counties/states. nationwide from LEXIS Document DOCKET Bankruptcy, Civil, Criminal & Services. Judgment Index Filings LEXPAT U.S. Patents in full text & FINDER People and Business Locator Patent Classification Info Files LIENS UCC, Judgment and Lien INSOLV United States Bankruptcy Court Filings from selected Filings from all 50 states states and the District of Columbia VERDCT Verdict and Settlement INCORP Corporate Info, LTP and DBA Publications Filings from selected states From here, type FINDER to get to the submenu for People Finder. ------------------------- F I N D E R L I B R A R Y ---------------------- ----------- PEOPLE LOCATOR ------------ ---------- BUSINESS LOCATOR ---------- P-TRAK 1 Nationwide file - 300 B-FIND 1 Nationwide file of US and million records with Canadian Public and Private previous addresses and Companies alias names --------- PROFESSIONAL LOCATOR ------- CALIC 2 CA Professional Licenses P-FIND 1 Nationwide group file - FLLIC 2 FL Professional Licenses white pages and household ILLIC 2 IL Professional Licenses information (xxFIND for MILIC 2 MI Professional Licenses individual state files) NJLIC 2 NJ Professional Licenses PALIC 2 PA Professional Licenses DCEASE 1 Nationwide file containing VALIC 2 VA Professional Licenses Social Security Death WILIC 2 WI Professional Licenses Master File ----------- DRIVER LICENSES ---------- FLDL 2 FL Driver Licenses ------------- INDIVIDUAL STATE PERSON LOCATOR FILES ------------------ ALFIND 3 Alabama IDFIND 3 Idaho MSFIND 3 Mississippi AKFIND 3 Alaska ILFIND 3 Illinois MOFIND 3 Missouri AZFIND 3 Arizona INFIND 3 Indiana MTFIND 4 Montana ARFIND 3 Arkansas IAFIND 3 Iowa NEFIND 4 Nebraska CAFIND 3 California KSFIND 3 Kansas NVFIND 4 Nevada COFIND 3 Colorado KYFIND 3 Kentucky NHFIND 4 New Hampshire CTFIND 3 Connecticut LAFIND 3 Louisiana NJFIND 4 New Jersey DEFIND 3 Delaware MEFIND 3 Maine NMFIND 4 New Mexico DCFIND 3 D.C. MDFIND 3 Maryland NYFIND 4 New York FLFIND 3 Florida MAFIND 3 Massachusetts NCFIND 4 North Carolina GAFIND 3 Georgia MIFIND 3 Michigan NDFIND 4 North Dakota HIFIND 3 Hawaii MNFIND 3 Minnesota OHFIND 4 Ohio ------------- INDIVIDUAL STATE PERSON LOCATOR FILES ------------------ OKFIND 4 Oklahoma UTFIND 4 Utah ORFIND 4 Oregon VTFIND 4 Vermont PAFIND 4 Pennsylvania VAFIND 4 Virginia RIFIND 4 Rhode Island WAFIND 4 Washington SCFIND 4 South Carolina WVFIND 4 West Virginia SDFIND 4 South Dakota WIFIND 4 Wisconsin TNFIND 4 Tennessee WYFIND 4 Wyoming TXFIND 4 Texas From this you can (by typing in the library name) jump to libraries to search for people by state, across the US, or if your target is unlucky enough (or you are lucky enough for that matter) to live in florida, all you need is a name to pull their DMV records, and get everything from current address to SSN and birthdate. Pretty cool, but it would be nice if they added the databases from other states as well. Here is a list of the available libraries: Guide (GUIDE) LEXIS(R) Private Database Services Demonstration (CUSTOM) Practice (PRACT(R)) Terms (TERMS) ASSOCIATED PRESS POLITICAL SERVICE Associated Press Political (APOLIT) THE LEXIS(R) COUNTRY INFORMATION(tm) SERVICE Asia/Pacific Rim (ASIAPC) Dutch (DUTCH) Europe (EUROPE) Mideast/Africa (MDEAFR) World (WORLD) THE LEXIS(R) FINANCIAL INFORMATIONT SERVICE Analysts Research (INVEST) Company (COMPNY) Dun & Bradstreet (D&B) Investext(R) (see Analysts Research) Quote (QUOTE) THE LEXIS(R) PUBLIC RECORDS ONLINE SERVICE Assets (ASSETS) Bankruptcy Filings (INSOLV) Corporation Information (INCORP(R)) Filings, Civil and Criminal (see Docket) Liens (LIENS) Locator (FINDER) Property Records (see Assets) State Public Records (ALLREC) Verdicts (VERDCT) THE LEXIS(R) SERVICE Accounting, Tax and Financial (ACCTG) Admiralty (ADMRTY) Alabama (ALA) Alaska (ALAS) Alternative Dispute Resolution and Mediation (ADR) American Bar Association (ABA) American Law Reports (ALR) Arkansas (ARK) Australia (AUST) Banking, (BANKNG) Bankruptcy (BKRTCY) Bureau of National Affairs, Inc. The (BNA) California (CAL) Canada (CANADA) Career (CAREER) Citations (CITES) Codes (CODES) Colorado (COLO) Commonwealth Cases (COMCAS) Communications (FEDCOM) Connecticut (CONN) Continuing Legal Education (CLE) Copyright Law (COPYRT) Criminal Law (CRIME) Delaware (DEL) District of Columbia (DC) Easy Search(tm) (EASY) Employment Law (EMPLOY) Energy (ENERGY) English General (ENGGEN) Environmental Law (ENVIRN) Estate (ESTATE) Ethics (ETHICS) European Communities (EURCOM) Family Law (FAMILY) Federal Bankruptcy (see Bankruptcy) Federal Communications (see Communications) Federal Labor (see Labor) Federal Public Contracts (PUBCON) Federal Tax (FEDTAX) Federal Trade Regulation (see Trade Regulation) Federal Transportation (see Transportation) Florida (FLA) French Case Interpretations (REVUES) French International (INTNAT) French Laws and Regulations (LOIREG) French News (PRESSE) French Private Cases (PRIVE) French Public Cases (PUBLIC) General Federal (GENFED) Georgia (GA) Germany (GERMAN) Hawaii (HAW) Health Law (HEALTH) Hong Kong/China (HKCHNA) Idaho (IDA) Illinois (ILL) Immigration (IMMIG) Indiana (IND) Insurance (INSURE) International (see French International) International Law (INTLAW) International Trade (ITRADE) Iowa (IOWA) Ireland (IRELND) Kansas (KAN) Kentucky (KY) Labor (LABOR) Law Reviews (LAWREV) Legal Reference (LEXREF) Louisiana (LA) Malaysia (MALAY) Martindale-Hubbell(R) Law Directory, The (MARHUB) Maryland (MD) Massachusetts (MASS) MEGA(tm) (MEGA) Mergers and Acquisitions (M&A) Mexico (MEXICO) Michigan (MICH) Military Justice (MILTRY) Minnesota (MINN) Mississippi (MISS) Missouri (MO) Montana (MONT) Nebraska (NEB) Nevada (NEV) New Hampshire (NH) New Mexico (NM) New York (NY) New Zealand (NZ) North Carolina (NC) North Dakota (ND) Northern Ireland (NILAW) Ohio (OHIO) Oklahoma (OKLA) Oregon (ORE) Patent Law (PATENT) Patent and Trademark Office (LEXPAT(R)) Pennsylvania (PA) Pensions and Benefits (PENBEN) Philippines (PHLIPP) Private Cases (see French Private Cases) Public Health and Welfare (PUBHW) Puerto Rico (PR) Real Estate (REALTY) Research Institute of America Tax (TAXRIA) Rhode Island (RI) Scotland (SCOT) Securities (see Federal Securities and State Securities) Secondary Source (2NDARY) Singapore (SING) South Africa (SAFRCA) South Carolina (SC) South Dakota (SD) State Securities (STSEC) State Tax (STTAX) States (STATES) Tax (see Federal Tax and State Tax) Tax Analysts Publications (TAXANA) Texas (TEX) TextlineSM (TXTLNE) Torts (TORTS) Trade Regulation (TRADE) Trademark and Unfair Competition Law (TRDMRK) Transportation (TRANS) Trust (see Estate) Uniform Commercial Code (UCC) United Kingdom/British Isles (UK) United Kingdom Current Awareness Law (UKCUR) United Kingdom Law Journal (UKJNL) United Kingdom Tax (UKTAX) United States Patent and Trademark Office (see Patent and Trademark Office) Utah (UTAH) Vermont (VT) Virginia (VA) Washington (WASH) West Virginia (WVA) Wisconsin (WISC) Wyoming (WYO) THE MEDIS(R) SERVICE EMBASE (EMBASE) General Medical (GENMED) Medical (see General Medical) Medliner (MEDLNE) THE NATIONAL AUTOMATED ACCOUNTING RESEARCH SYSTEM (NAARS) SERVICE Accounting Information (NAARS) THE NEXIS(R) SERVICE Business & Finance (BUSFIN) Business Reference (BUSREF) Campaign News (CMPGN) Computers and Communications (CMPCOM) Entertainment (ENTERT) Executive Branch (EXEC) General News (see News and Business) Geodemographics (GEODEM) Legal News (LEGNEW) Legislation (LEGIS) Markets and Industry (MARKET) Market Research (MKTRES) News (NEWS) People (PEOPLE) Sports (SPORTS) Top News (TOPNWS) COMMANDS -------- FUNCTION COMMAND Change file .cf Change library .cl Change menu .cm CITES assistant .ca New search .ns Return to Easy SearchTM screen .easy Sign off .so Viewing Formats CITE .ci FULL .fu SEGMTS .se LEAD .le SuperKWIC(tm) N1 .sk VAR KWIC .vk VAR KWIC with 1-999 words .vk # 2 Reviewing Results Next page of current document .np Skip 1-999 pages forward .np # 2 Previous page of current document .pp Skip 1-999 pages backward .pp # 2 First page of current document .fp Next document .nd Skip 1-999 documents forward .nd # 2 Previous document .pd Display first document retrieved .fd Display different level 1-255 .dl # 2 Sort documents (not available in all files) s Display resume options screen resume Move down through large segment .dwn Move up through large segment .up Rank documents .rank Access or exit the browse feature b Refining Results Modify search m Enter FOCUS(tm) feature .fo Exit FOCUS feature .ef Exit MORE .em Display Commands Display LINK(tm) markers .linkon Erase LINK markers .linkoff Turn display commands on .con .kon Turn display commands off .coff .koff Printing Go docs .gd Print displayed screen .sp PRINT DOC .pr Print now .pn Print LEAD paragraph .le,p Print manager .pm Using Select Service Functions Enter select service .ss Exit select service .es Finding Online Information Help h Time (elapsed time in t current research session) Number of screens in current document format p Display current search request r Client screen c Display cost estimate screen .cost ECLIPSE(tm) Save search sav Recall search rec Store search request in LOG .keep Display LOG .log Delete contents of LOG .delall FREESTYLET Commands Switch to FREESTYLE feature .fr Switch to Boolean .bool Display WHERE screen .where Display WHY screen .why SuperKWIC display format 1 .sk SEARCHING --------- Another great thing about L-N is the way the searches can be handled. Whenever you do a .ns look to the bottom to see if it says Boolean, if it does, use .fr to switch it to freestyle. Boolean is too restrictive, and freestyle is the absolute opposite. Since Lexis-Nexis already has on-line searching help, I won't bother to go into great detail about how to use the searches. Simply choose 15 from the main library menu and there are lots of help files. SUMMARY ------- In closing, Lexis-Nexis is one of the more powerful databases available, mainly because of the diversity of information that can be accessed from a single source. I hope this file helps you in your quest for information. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Time for a Change presents Inside Tracer L/Tracer 100 Systems by Silicon [TYM] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- INTRODUCTION ------------ Tracer is a powerful computer system which can control a number of electronically controlled devices. This can include anything from lights, air conditioners, electronic doors, heaters. This is building automation with remote dialup. This file will inform you of the capabilities and security of tracer/tracer-l up through version 15.2. One thing I thought should be noted for this file is that this system controls real things in the real world. Abuse of this system could result in injury of innocent people. Tracer is not a toy, it was designed to be a tool to make building management more efficient. Abuse of this system will result in loss of dialups, loss of dialup features, and modification of logging options. This is a cool system, don't ruin it with stupidity and immaturity. I didn't write this file for people to learn how to be destructive, i wrote it for people to learn about technology. TRACER SYSTEMS -------------- There is a set of commands which are global throughout the system. These are: A = Acknowledge M = Menu (or return to previous menu, VERY USEFUL) L = List options S = Select, usually in format of