toll fraud 1

[robskate88]

Hi all, I have just been asked to perform a security audit on an bc10 and bc11 pabx. I normally work with nortels so I now have two weeks too do a crash course in the ericson md110 commands. If anyone can help with the print commands for the following topics it would make me a very happy man.
1. DISA and Authcodes, and the calling restrictions on disa lines.
2. Calling restrictions on extensions, and a print out of all extensions
3. Default passwords. I will need to check that the factory passwords have been changed. So far I know of the level 7 login, MDUSER HELP, any others??
4. Also if anyone knows any vunrabilities please let me know.
Anyone know where to get a command manual for a bc10 or 11?
Thanks

 

[Isinor]

Hi Rob,

The commands are not that hard but interpreting the results might be

To print the DISA info...
NADAP:NUMYP=DI;
AUCOP:AUTH=ALL;
EXCCP:CAT=xxx; CAT's will be listed in the AUCOP print.
NADAP:NUMTYP=CD;

The MD110 uses allowed numbers list to control ‘TOLL Fraud’, up to 15 different types are permitted, they are called TCD Cats 00-14.

In the NADAP:NUMTP=CD; print, the 'TCD Cat' is called just 'CAT' and does not have a preceding 0.

The Common CAT, TRAF values for Digits 3&4 are the 'TCD Cat Night', and 5&6 are for 'TCD Cat Day'.

E.g. TRAF=xx0103xx The DAY TCD CAT is 03 in the NADAP print it would be listed as 3, on the left would be the number allowed to be dialled.

To print basic extension info…
EXDDPIR=ALL;
KSDDPIR=ALL;
ITDAPIR=ALL;

Note that if an extension does not have a CAT value use command EXCAPIR=xxx; or KSCAPIR=xxx;

To print IP, DECT etc…
GEDIPIR=ALL;
GESPP:CSP=xxx; The previous print will list CSPs
Not that a CSP has a TRAF value but this time digits 5&6 are Night and 7&8 are Day..!

This should get you started…


Regards
Isinor

 

[LordOfTheLIMS]

Hi Rob,
After performing a similar function across a 20+ network connected MD110 Network the question is how deep do you want to go and are you looking at security or toll fraud as well?

A Good Starting Point would be to check the following:
DISA = is it required
How many phones are on ECF at the end of the day = amazing how many people get their friends to ring a local number to get them on their mobile!
Group hunts and ACD's that divert external - Who use's them and are they required?
LCR Tables - Any holes?
Passwords and Logons - User accounts used in conjunction with command logging gives accountablity for who has made what programming changes.
Passwords on RDA Modems with recommendation to also change modem numbers.

More In Depth:
If Networked PABX's can someone dial what restrictions are placed on the routes, e.g. can you just dial from building to building or can you offnet from someone else's PABX.

Voicemail - Major toll fraud cases have been reported when mailbox pin numbers are left at the default pin (usually 0000) a hacker can then access the administrator's mailbox from a dialling in with a default code and set up mailboxes with call lists to dial international numbers!

And the list goes on.................

Hope this is of some help!

Cheers,

King Of The RFEXI!!! ;p

 

[Hitechbuzz]

Hi robskate88
We have a DISA circuit but I keep a tight eye on it as it can be a security hole I only allow it to terminate on extensions these start with "8" or speed dials which I have set up starting with "3" even then there are those who call extensions and get a mate to transfer them out. Run a report for Greater than x$ &/or longer than x minutes. Check your Telcos bill as very long calls greater than 10 hours " May NOT show up" in your call accounting package. They are sent from the MD110 as increaments of 95959 and as "D0" (D zero) calls. We are working on these calls to show correctly in "TABS" but are not there yet.
A question for Our RESET King you state

How many phones are on ECF at the end of the day = amazing how many people get their friends to ring a local number to get them on their mobile!
I will believe you but how do you pick these ones up. Is there an easy way? I would be interested.

Many thanks to all Brian

 

[LordOfTheLIMS]

Brian,

Bit of process, but if you perform an EXDDP and a KSDDP copy these printouts into Excel and then modify the printout to create a SUSIP script for each individual phone (as && is not accepted) then create a batch file (with a capture file) to log onto the MD to send the file in afterhours. In the morning drop the capture file into Excel and do a search for phones on ECF. Once a list is compiled verify the usuage from your call accounting program to catch the abusers.

Cheers,

KingofdaRFEXI

 

[robskate88]

HI thank you all for your help. Does anyone know where I can obtain the documentation for a md110.
King Of The RFEXI, your right about voice mail, the last audit I did was on a fujitsu 9600 using "Active Voice" for voice mail. The "Hackers" used the default admin mail box to reconfigure the system and over a 3 month period made $190,000 worth of calls to pay per minute numbers in Lodon. Is there a default admin mailbox for md110 voicemail?

 

[LordOfTheLIMS]

Robskate88,

Haven't dealt much with the internal Intergrated MD110 voicemail, but definitely CPS (CallXpress) and Teleware do have default psw. With CPS I don't think you can change the default password to be anything other then 0000, but with Teleware you can set the system default Password to whatever you like as a security measure to stop hackers from hitting mailboxes with basic pins.

KingofdaRFEXI