STATION ID - 7047/3.12 9x Datakit Network FOR OFFICIAL USE ONLY This is a 9x system, restricted to authorized persons and for official 9x business only. Anyone using this system, network or data is subject to being monitored at any time for system administration and for identifying unauthorized users or system misuse. Anyone using this system expressly consents to such monitoring and is advised that any evidence of criminal activity revealed through such monitoring may be provided to law enforcement for prosecution. .-. .-=-. .-. .-=-. .-. .-=-. .-. .-=-. .-. .-=-. .-. ( * -={{{*}}}=- * -={{{*}}}=- * -={{{*}}}=- * -={{{*}}}=- * -={{{*}}}=- * ) '-' '-=-' '-' '-=-' '-' '-=-' '-' '-=-' '-' '-=-' '-' LaTiTUde MeEtiNG PlaCE TeLEcOnfERncINg .-. .-=-. .-. .-=-. .-. .-=-. .-. .-=-. .-. .-=-. .-. ( * -={{{*}}}=- * -={{{*}}}=- * -={{{*}}}=- * -={{{*}}}=- * -={{{*}}}=- * ) '-' '-=-' '-' '-=-' '-' '-=-' '-' '-=-' '-' '-=-' '-' Aug'98 by Hybrid Disclaimer: Although I hate this part, this file is for informational purposes only. I will not be held responcable for your actions.... Here is an exert taken from an employee newsletter, advising employees of a certain company about thier newly brought MeetingPlace system: 'For your privacy and company security please do not use easy passwords like 12345. SINCE THE MEETINGPLACE SYSTEM ALLOWS YOU TO DIAL OUT, IN ORDER TO AVOID TOLL FRAUD IT IS CRITICAL THAT YOU CHANGE THE PASSWORD TO A NEW AND SECURE 6-11 DIGIT PASSWORD.' Intro: Meeting Place is a powerful teleconferencing system designed to accommodate up to 120 ports in any combination of simultaneous conference calls. Meeting Place is not generally available to the public, it is designed to be attached to eXtensions of corporations and companies that require a private teleconferencing system to communicate with other employees and associates. Meeting Place can also be found on some direct-dial 800 numbers. Unlike other teleconferencing systems such as AT&T's Conference service, Latitude Meeting Place is much more advanced, allowing multi-user configuration and automated user interfaces. In this phile I will cover all of the functions and features of Meeting Place, I will also describe how to 'hack' a Meeting Place system, and gain control of the user-interfaces, or profiles as they are more commonly called. But before I start I need to make it clear that if you fuck around with a MeeingPlace system, you are NOT messing with Bell or AT&T, Latitude MeetingPlace is designed to be installed on the premisis of a company that requires a Teleconference system, so their employees and clients can communicate more efectively.. If you over-use a system the administrator WILL find out. Unlike AT&T conf service, where they are used to illegal conf calls, a sysadmin of a meeting place belonging to some small corp is not going to take to kindly to 120 people sitting on his 800 line, taking up his ports. The MeetingPlace Hardware server costs around $30.000 dollars! Yes that's 30 thousand! So sysadmins do generally get VERY PISSED if they realise thier system is being used by un-autharised users... If you need to no more about MeetingPlace just visit Latitude's web site- www.latitude.com. Index: -The Server Stack -MeetingPlace Server Hardware -MeetingPlace Server Software -Digital Signal Processing, or DSP -MeetingPlace Server Notification Agent -Conference Scheduler -Meeting Notes -Voice Comments -e.Documents -Voice Processing Interface -System Services -MeetingPlace Conference Server Feature list, and optional features -Integrated Voice and Data Conferencing -How to find and 'Hack' a MeetingPlace Teleconferencing system -The dial-in interface -The user-profile interface -The Conference Menu options -Administrators Prompt Configuration Profile Interface -Administration and Maintenance of MeetingPlace -Further Notes and Conclusions Notes on The Server Stack: As a conference server, MeetingPlace establishes and co-ordinates multiple voice connections for a conference call. The conference server can support up to 120 ports in any combination of simultaneous conference calls. At the same time MeetingPlace's client/server architecture allows users to schedule meetings, access in-conference features, review previous meetings and attach and retrieve documents from their desktops. I will cover these lovely functions and features later. The server has 2 primary components: server hardware and server software. Notes on MeetingPlace Server Hardware: The MeetingPlace conference server hardware utilises components such as SCSI disk drives, EISA and MVIP buses and also a Pentium CPU. The system utilises a distributed processing architecture, multiple buses, DSP/RISC processing and a telephony grade power supply. The MeetingPlace conference server provides interfaces such as T1 Trunking, analogue POTS lines and Ethernet LAN connectivity so the whole system can be connected to existing voice and data networks, i.e., PBXs. MeetingPlace connects locally to a customer's PBX or directly to the telephone network as well as to the customer's local area network. As a conference server, MeetingPlace establishes and coordinates multiple voice connections for a conference call through the public switched telephone network. Users are able to access meeting features either through a touchtone interface available from any telephone or through the graphical user interface provided by MeetingTime, Latitude's Windows-based client software. Notes on MeetingPlace Server Software: The MeetingPlace Server software was coded in c++, and provides the conferencing capabilities of the system. The software is composed of several key modules: Digital Signal Processing: The system provides automatic gain control to amplify low-level speakers. The DSP algorithms detect and remove DTMF tones from the conference call as participants activate MeetingPlace functions,.. no more toners!. These algorithms also remove any call progress tones (e.g. busy and dial-tone) from the call. The DSP algorithms are so sensitive they remove constant noise sources (such as people whistling) from being injected to the meeting. The instant speaker algorithm recognises the current speakers and suppresses noise from all other locations. MeetingPlace Server Notification Agent: The SNA constantly monitors meeting activity and automatically notifies participants of meetings via specified fax, e-mail, outdial, or pager numbers. If specified participants may be notified in advance of the meeting by fax or email. At the time of the meeting, participants may be notified via pager or outdial. The system can also notify attendees when changes are made to previously scheduled meetings. Conference Scheduler: The conference Scheduler manages all of the resources of the system (conference ports, meeting IDs, recording space) such that all meetings can be held without conflict and that ports can be dynamically allocated to meetings. The scheduler is configured by the system manager and determines: how early participants may call into meetings, when participants are warned about meeting and time, how users can extend their call, and when reserved ports are released when no one shows up. MeetingNotes: Allows for the recording and storage of all relevant meeting materials: Voice comments: This software enables users to record meeting proceedings, record meeting agendas and attach voice comments when participants cannot attend a meeting. The system will provide up to 390 hours of voice storage. Electronic Documents: This software allows end users to attach files to a meeting for subsequent distribution. These files may include presentation slides, spreadsheets or word processing docs that will be reviewed during the meeting. Voice Processing Interface: This is the part of the system you will be interested in. A VPI, is a simple to use, DTMF tone driven interface where users can schedule, attend and manage their user profiles. The system has over 800 voice prompts and provides instructions to assist end users in all aspects of their meetings. System Services: An integrated SQL Database running on an OS will provide all system services. The internal voice file system is optimised for real-time use and fast response time. The built-in licence management controls simultaneous MeetingTime client software connections. An SNMP agent provides remote monitoring services compatible with the MIB II specifications. MeetingPlace Conference Server Feature List: (optional features) MeetingPlace Data Conference Option provides integrated multipoint data conference bridging for Microsoft NetMeeting and other T.120-compliant endpoints. MeetingPlace WebPublisher provides a web interface for scheduling, sharing of meeting materials and access to recordings. MeetingTime client software provides a Windoze or Mac graphical interface. MeetingNotes provides integrated recording, file attachment and voice comment capabilities. MeetingPlace Notification Option provides server software agent that proactively queues messages for delivery via email and Fax gateway products. MeetingPlace email gateway provides meeting scheduling and notification and distribution of meeting materials via cc:Mail, Lotus Notes, MS Mail, MS eXchange, and other MAPI-compliant and SMTP-based messaging systems. MeetingPlace Fax Gateway provides notification and distribution of meeting materials via fax. MeetingPlace FlexMenu provides customisable top-level menus for the DTMF interface. MeetingPlace SNMP provides remote monitoring capability from any SNMP management station. MeetingPlace Networked System provides hardware and software to network up to 8 MeetingPlace conference servers for centralised administration. Integrated Voice and Data conferencing: Working with MS NetMeeting or other data collaboration software, MeetingPlace can unify voice and data conferencing capabilities into a single meeting via phone and computer. MeetingPlace automatically brings together multiple call-in participants and performs robust, high-performance data conference bridging. Setting up a data conference is easy. When users set up a MeetingPlace conference, MeetingPlace automatically schedules the required voice and data resources. To attend the conference, users simply click 2 buttons on their web or MeetingTime client interfaces. Clicking the join voice conference button rings their phones and connects them to the voice conference. Clicking the join data conference connects them to the data conference for real-time application sharing or collaboration. Now enough of the bollocks, How to Find and 'Hack' a MeetingPlace bridging system: At the moment Latitude MeetingPlace systems are quite rare, but more and more companies are purchasing the equipment all of the time. If you live in the UK, like myself you could start scanning the 0800-96x-xxx, 0800-89x-xxx exchanges for PBXs and direct-dials into MeetingPlace. If you live in the US, just start scanning toll-free numbers. When you stumble upon a PBX, try dialling various eXtensions or even dial 0 for the PBX operator and bulshit him/her into giving you the eXtension of the conference bridge. You will know when you have found a MeetingPlace Conference Bridge, because when you dial into the 800 number/eXtension an automated generic Female voice will say: " Welcome to MeetingPlace. To attend a meeting press 1, to access your Profile press 2... " Here are the options you will be confronted with: Main Dial-In Menu: 1- Attend a meeting When you access this option you will be prompted to enter the meeting ID, in some cases a passcode is also required. You will then be prompted to record your name so other meeting participants know who you are when you enter the meeting. Tips: To find valid meeting IDs, that other people have set up, hit option 3 at the main dial-in menu (meeting notes) and just plug in random numbers or try things like 1234 etc. If you wish to remain anonymous, just hold down # when the system prompts you to record your name. If you hit #43 the second you enter a meeting, no one will be able to kick you. 2- Access your profile When you access this option you will be asked to enter your profile number. A profile number will give you access to multi-level user options, i.e.- Set meetings up, edit scheduled meetings, listen to recorded meetings and many other things. Generally on a large system employees will be given their own personal profile number so they can set up meetings when they want. Most profile numbers will be clustered together and will have a default passcode. What you are looking for is a profile that has no recorded name assigned to it. This can be achieved by scanning for valid profiles, when you have found a valid profile you will hear " You entered [Terry Fuckwitt], enter your passcode followed by the pound sign. " From here you scan up and down from the valid profile until you hear " You entered [xxxx], enter your passcode followed by the pound sign. " This is where the fun starts, you will have to guess the default passcode. The default passcode for all MeetingPlace systems is the same as the profile number, but on some systems the administrator (profile 0002) would have changed it, try things like 1234, 1111, 4321 etc., note: If the profile is 4 digits long it doesn't mean the passcode is. When you have guessed the default passcode you can access any unused profile on that system and set up teleconferences anytime you want. Profile Notes: Always remember to edit the meeting posting notes option so that meeting details are not automatically posted to other users on the system. Never over-use your profile, remember the system admin can see what profiles were used to set up meetings. Try to keep your profile anonymous by holding down # when it prompts you to record your name. Do not get greedy and take loads of profiles, you only need one- the admin will notice a rise in system use. 3- Review meeting recordings and meeting notes This option will allow you to listen to any recorded meeting, this can be useful when you are trying to learn more about the company that uses the specific MeetingPlace system. 9- Hear an overview of MeetingPlace functions and features This option will describe to you all of the functions and features of MeetingPlace- For the terminally stupid. Dictation of MeeingPlace Functions and Features: 2- Profile Main Menu: [1] Attend a meeting Prompts you to enter the meeting ID (You can attend a meeting via your profile number -not advisable) [2] Schedule, re-schedule or list meetings 1- Begin a meeting immediately (on some systems this is disabled) 1- Have an immediate meeting with restricted time and people 2- Have a longer immediate meeting with more time and people 2- Schedule a meeting for a future date or time (Remember not to schedule meetings to much in advance, and also bear in mind the time-zone the system is located) 3- Re-schedule, review or delete meetings (You cannot kill a meeting once it has started) 4- Get a list of the meetings you are invited to 1- Hear the list over the phone (This will give you a list of meetings that other people have set up via their profiles, it is * imperative that you disable the meeting notes posting option to prevent your meeting details from being posted to other profiles. On all systems the meeting posting notes option is activated) [3] Change profile settings or meeting preferences 1- Change profile settings 1- Change the passcode for your profile 2- Record a name for profile 3- Select a proficiency level of voice prompts 1- Un-abbreviated prompts 2- Abbreviated prompts 4- Enter your phone number (don't be stupid) 5- Enter your fax number (not advisable) 6- Change how you attend meetings 1- Dial into MeetingPlace 2- Have MeetingPlace call you at time of meeting (The system can phone/fax you and add you to a meeting you schedule - not advisable) 2- Change meeting preferences 1- Change entry and departure options 1- Change announced entry options 2- Change announced departure options 2- Change security options for all meetings you schedule 1- Change meeting passcode options 2- Change the screened entry option 3- Change meeting notes options 1- Change recording options * 2- Change meeting notes posting options 3- Record a team name [4] Review meeting recordings and meeting notes 1- Hear a meeting recording 1- Rewind 2- Pause 3- Fast forward *- Stop playback #- Continue playback 2- Hear a roll-call of meeting participants 5- Access meeting comments 1- Record a meeting comment 7- Get meeting info 1- Hear info about a recording *- Select a different meeting When inside a meeting all participents have access to many functions such as dial-out, break-out etc. Meeting Functions: #, [0] Reach assistance (will transfer you to the company operator) [1] Enter a break-out session (This will allow you to break out from the main meeting and talk privately with other participants, break out sessions can also be locked. The break out sessions range from 1-9) [2] Hear a roll-call of meeting participants 1- Get a list of all of the meeting participants (By accessing this option MeetingPlace will play back the recorded names of everyone on in the conference, and also who was last speaking) [3] Add someone to the conference (sometimes disabled by the administrator) 1- Dial a specific phone number #1- Add the called party to the meeting (They will be asked to record their name) #2- Disconnect the called party (they will be informaed they have been discconected) 2- Get all persons from a team (if other people have profiles they can be contacted by entering their profile number, if they have specified a phone number in their personal profile the system will call them and add them to the meeting) 3- Get all missing invitees (will call ALL profile users that your meeting details have been posted to. - not advisable) [4] Meeting admittance options 1- Lock/Unlock meeting 2- Admit the party requesting entry 3- Disconnect the last meeting entrant 4- Return to a lecture style meeting 5- Move all listeners to the waiting room *- Rejoin meeting (if you lock your meeting all people inside the meeting will be notified if someone requests entry to the meeting, you can either admit them entry or ignore their request, they will be forced to listen to extremely bad taste music until you admit them, remember someone has to stay in the main room to admit people if you activate this feature) [5] Mute your phone (this is very useful if there are alot of people in your meeting and some people have a bad line. This option will eliminate all line noise from your phone line, to undo this option and speak, just hit #5 again) [6] Recordings/Comments and other MeetingNotes options 1- Start/Stop recording (participants will be informed that the meeting is being recorded) 2- Hear meeting name 4- Record/Delete or listen to meeting messages 1- Record a meeting message for all participants to hear (This option can get extremely annoying if people keep recording meeting messages, to skip a lame meeting message just hit *) [7] Q&A Options (for a lecture style meeting) 1- Get in line to speak 4- Get your position in line (Q&A can be used when you have loads of people attending your meeting, 40 people all speaking at the same time can get a bit hairy) [8] Disabled (admin functions?) [9] Exit meeting and return to main menu [*] Rejoin the meeting Administration notes: On all systems there will be Administration Profiles, I have only managed to crack the following admin profile: Administrators Prompt Configuration Profile Menu: [9] System manager options 1- Listen to or record voice prompts (on the system I cracked prompts range between 3 - 1298) 1- Standard un-abbreviated prompts 2- Standard abbreviated 3- Listen to or record system prompts 4- Listen to or record custom prompts 5- Select a different prompt 2- Listen to or record flex menu prompts } On some systems 3- Test a flex menu application The administration profiles will have different purposes, some allowing the user to listen and delete meeting recordings, some will allow the user to edit the system prompts as dictated above. Theses profiles always range in the following order: 0001 - engineer 0002 - administrator (The admin profile will give you complete 0003 - ? control over the whole system, when an 0004 - ? administrator attends a meeting via his/her 0005 - ? profile they can do anything they want - i.e., if the dial-out feature is disabled they can dial out, they can also attend a meeting without being noticed, they can even mute/un-mute your phone. If an administrator attends a meeting the #2 roll call option is usually disabled. Basically if you can access the admin profile you effectively gain ''root'over the whole system) An admin profile is the ultimate thing to hack on a MeetingPlace system... If you own one of these (0002) you will own the WHOLE system... I have noticed in various conferences that if an admin attends through the admin profile they can drag people to break-out sessions etc, and even disable all of your tone controls and lock you in there! You know if an admin is present in a conf because they may mute your phone... When you try to unmute it it will just keep saying 'muted' all the time. Also if you get dissconnected and you wern't the last person in, the admin would have kicked you.. Final Notes: If you get the suspicion that the admin has found out about your confs, do yourself a favour.. Don't set anymore up! Let some other lamer do it. Remember that the admin gets a fax or email from the conf server EVERY time a conf is scheduled, even if you have disabled the meeting posting notes option. If you want your system to last a long time don't set to many up in any one week, limit how many people turn up on your confs and don't drop numbers on IRC. WARNING! The administrator can get ANYONES ANI if you dial in direct, don't be a fool... Use a bunch of PBX's to dial in, the last thing you wan't is a phone call from a pissed off system admin! If you can't get into a profile, just gatecrash someone elses meeting, ie- If you found a meeitng that was scheduled from 6pm - 8pm on a Friday night don't tell anyone about it, drop into the meeting 5 minutes before it starts Sit there throughout the whole legit meeting, when they have ALL left, lock the meeting, and tell whoever you want to attend the meeting... The meeting will autoexetend all weekend. I had a conf that lasted for 5 days! Final Tips on how to keep your system alive: - Whenever you get a profile always note down all of the other conf ID details other people have scheduled.. This will help you map out when the system is used. ie- If you want a long conference it is a good idea to schedule it when it appears that there is no-one else using the system. - Don't let other people take over the profiles. - Don't over-use 1 profile - Don't use your system to dial out - Don't schedule Meetings for excessive amounts of time -ie 24hrs, just schedule it for like 1hr, it will auto-extend for days! - NEVER drop into a legit conf and start hurling abuse at the attendess, they WILL tell the admin and passcode protect all their scheduled meetings. Anyway that's ya lot. You can now hold your own teleconferences for your own sinister purposes. I am currently working on a more detailed phile for MeetingPlace teleconferencing, watch this space. If anyone has anything to discuss about this phile and its contents email me at the following address: hybrid@darkcyde.org g0d@deathsdoor.com or leave me a voicemail... UK- 0800-962-481 hit 6 box 2007. US- 1-800-334-1017 hit 6 box 2007. Shouts :] The whole of DarkCYDE: PUBLiC_NUiSANCE - NitrousOxcyde - Red_LED - uV - r00fies - gr1p - SinTax - Barakis - Onion - VHF - DoeBoy - Mistress - Zomba - Red_Mist - AC-3 - Loco - FireStarter - Firestart - Elf - DownTime - Aqua - Zer0nine - Sil - Force - Chimmy - Dougal - Violator - Photek7 - TurboMan - AcidKill - Nommo - vLad - k-os - Hi-Tek - RepoMan - The whole of Twisted Nickel: Digital_Fokus - Zer0_Divide - Nothing - High_Voltage - SIM - Vile - DeadKirt Other shouts: UK-h, 9x, Seven7, C00lio- thanx for the info, ICBM, Asphyxia, R0xs, AT&T, Ironica, British Telescum. ;7) -Hybrid