README for the Realitis PBX Brute Force OSL Guesser
---------------------------------------------------

Keywords: PABX PBX password OSL Open System Lock guessing brute force realitis dx sdx

(I guess this "readme" is version 1.00.)

Before you go on: you need Perl and Expect to run the brute force guessing scripts.

Realitis is the operating system used by some Private Branch eXchanges or Private Automated Branch eXchanges (PBX/PABX), notably those built by Siemens/Plessey. If you ever come across a telnet banner such as:

    TELNET MMI on ACI System (192.168.1.4)
    Unpublished work. Copyright Siemens GEC Communication Systems Limited. All rights reserved.
    Unpublished Work. Copyright Siemens GEC Communication Systems Limited. All rights reserved.
    DX SABF7831 39960.01 01.022 6.1.202 0001000 UK 09 18/11/98 A STANDBY C 164 09/03/05 19:40:26
    OSL, PLEASE.
    S?

you've reached such a system. The particular PABX above is in "standby" mode, indicated by "STANDBY" in the version string and the "S?" prompt. It's highly likely that there is a "live" one nearby.

Anyway.. If you don't want to read on, but just want to bash away at the front door, you can start the BFG as follows:

    ./realitis-pbx-bfg.pl -s -t 192.168.1.4 -u 00 -l 00

But you're probably better off reading a little more.

Basically, the system is waiting for your login credentials, which can be entered once you give the command "OSL" (Open System Lock) and hit Enter. The system then asks for the User ID (numeric, 00 to 15), the Level of the user (numeric, 00 to 15) and the Key (numeric, 10 digits). If a user is level 00, it has something close to superuser rights (but only close: many operations can't be completed over a network connection, they have to be entered on the secure terminal attached to the PABX).

Luckily, there are some ways of obtaining the Key. One, rubberhosing, is not covered here. Neither is social engineering the telecoms engineer. The third option, however, may be available to you.

Chances are that if the system is accepting a telnet connection, it will likely accept an FTP connection too, with a banner such as this:

    Connected to 192.168.1.4 (192.168.1.4).
    220 192.168.1.4 ACI FTP server (2.7) ready.

As luck will have it, there is no default password or username, so any login with an empty password will do:

    Name (192.168.1.4:torh): ftp
    500 'AUTH SSL': command not understood. SSL not available
    331 Guest login ok, send password.
    Password:
    230 Guest login ok, access restrictions apply.
    Remote system type is pSOSytem.
    ftp>

You should have full R/W access to the device, so be careful; it is likely you will cause a DoS the next time the system reboots if you delete the operating software (indicated by any file ending in .hrm). BTW, I'm interested in knowing what sort of CPU this device has; if anyone knows, send me an email.

The file that you may be interested in is the HIST.TXT file, if it exists; this contains a log of many activities, including failed login attempts. Download the file and open it in a text editor (line entries are terminated by the 0x0d character). Lines of particular interest are those that look something like this, especially if they contain the same 10-digit number in a row (but different leading numbers), e.g.:

    M 00 00 12/03/02 16:19 OSL 1 10 1204801248
    M 00 00 12/03/02 16:19 OSL 2 10 1204801248

Chances are the person forgot to put in a two-digit number for their User ID, and that the Key is actually correct. Now that you may know the Key, run the BFG like so:

    $ ./realitis-pbx-bfg.pl -s -t 192.168.1.4 -k 1204801248

    -s : "standby" (targeting a standby system, the prompt is different)
    -t : target
    -k : 10-digit key

There is a lot of lameness to this code. But it was written in haste! But something is better than nothing, right? Right.

Anyway, as always, if you have any questions, email me. I may or may not be able to answer them.
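Because HIST.TXT records OSL login attempts with the key in cleartext, the same file is what an operator would review to spot guessing against the PABX. The following is an added detection example, not part of this README or the BFG script; the field layout (type, user, level, date, time, command, then "<user> <level> <key>" for OSL) is an assumption drawn from the two log lines shown above, and the extra records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of CR-terminated HIST.TXT records (the README's two lines
# plus five invented ones). Field layout is an assumption: type, user, level,
# date, time, command, then for OSL "<user> <level> <key>".
SAMPLE_HIST = (
    "M 00 00 12/03/02 16:19 OSL 1 10 1204801248\r"
    "M 00 00 12/03/02 16:19 OSL 2 10 1204801248\r"
    "M 00 00 12/03/02 16:20 OSL 00 00 0000000001\r"
    "M 00 00 12/03/02 16:20 OSL 00 00 0000000002\r"
    "M 00 00 12/03/02 16:20 OSL 00 00 0000000003\r"
    "M 00 00 12/03/02 16:20 OSL 00 00 0000000004\r"
    "M 00 00 12/03/02 16:20 OSL 00 00 0000000005\r"
)

OSL_RE = re.compile(
    r"^(?P<type>\S+) (?P<user>\d\d) (?P<level>\d\d) "
    r"(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d) OSL "
    r"(?P<a_user>\d+) (?P<a_level>\d+) (?P<key>\d{10})$"
)

def parse_osl_records(hist_text):
    """Split 0x0d-terminated HIST.TXT data and return the OSL attempt records."""
    records = []
    for line in hist_text.split("\r"):
        m = OSL_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def mask_key(key):
    """Keys sit in the log in cleartext; never echo them whole in a report."""
    return key[:2] + "*" * (len(key) - 2)

def find_bursts(records, threshold=5):
    """Flag any minute with >= threshold OSL attempts: a guessing burst."""
    per_minute = defaultdict(list)
    for r in records:
        per_minute[(r["date"], r["time"])].append(r)
    alerts = []
    for (date, minute), rs in sorted(per_minute.items()):
        if len(rs) >= threshold:
            alerts.append({"when": f"{date} {minute}", "attempts": len(rs),
                           "distinct_keys": len({r["key"] for r in rs}),
                           "sample_keys": [mask_key(r["key"]) for r in rs[:3]]})
    return alerts
```

The threshold is deliberately low because a 10-digit numeric key tried by hand should never produce several attempts in the same minute; the masked keys in the report keep the alert safe to forward.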