Posted to Alt.2600 on Aug 04, 2002

How to get into the Tell-Me network. (1-800-555-tell)

This is a representation of someone's thoughts. Thoughts cannot be owned by another person. Use this thought as you see fit, it is yours to duplicate or use as you please.

By Archangel

There has been a lot of controversy surrounding this subject as of late, regarding hacking challenges, personalities, even whether I am the "real" Archangel. I assure you, dear reader, that I am, and I do not intend to address any other subject in this text, other than my experiences with the Tell-Me system.

What is the Tell-Me system?

TellMe is a high-tech voice activated phone site with internet connectivity, and even a voice activated browser. It is the ultimate goal of TellMe to have the whole of the internet voice activated. The system is quite sophisticated by today's standards, though I'm sure that tomorrow's readers will find the efforts to be quite primitive to say the least.

A free phone call gives the listener access to news, sports, weather, etc. Even movie listings. Other areas provide for private announcements, or even voice activated web-sites. In other words, it is now possible, through TellMe, to dial a phone number, and listen to a website. Any *ENGLISH* speaking country. TellMe is a subsidiary of CNET, a giant (at the time of this writing) on the internet.

Why did I decide to hack Tell-Me?

I first became interested in TellMe about a year ago, because at that time TellMe offered free long distance phone calls to anywhere in the world. TellMe had a lot of services which any hacker worth his salt would fall over himself, just to drool at, such as anonymous internet. As I began learning my way around the system, I wanted to know more. As I began to explore, I noticed various security holes, did not exploit them, but DID take note of them.
Eventually, after about a year, I had a decent list of possible security holes, and decided one day to see if there were any unforeseen roadblocks to checking out and examining one small part of the system.

How was the first hack of TellMe performed?

It was very easy. It was so safe that I did it from my house. I opened an account and had The Baron Harkonnen type in a password to see if I could hack in. Nobody would bust me for hacking into my own account, and if there was trouble, I could say that I forgot my password.

What security flaws were exploited?

Well, I guess it's nut-cutting time. TellMe has a VERY SERIOUS security flaw which can allow unauthorized access to the system within a matter of hours. As I tried to hack into my own account, I realized that TellMe announcements only have a 4 digit numeric password. In other words: You are using your telephone keypad.

Here's what you do:

You dial 1-800-555-tell. You will get an automated banner-ad followed by a menu describing various TellMe features. You must say the word "Announcements", or dial "198" on the keypad. This will take you to the announcements area.

Once in the announcements area, you will need to punch in the announcement number, which is a seven digit number assigned to you by the TellMe computer. You can type in any announcement number you wish. I typed in my own, as this was an experiment to see if I could hack in and change my own announcement.

The computer says "Ok, here is your announcement." Then I heard a recording of The Baron telling what a wimp I am. This was followed by the computer saying: Please type in another announcement number, or say "Main Menu" to continue. If you are the announcement manager, please use your telephone keypad to enter your password to edit the announcement.

If you remain silent, the computer will say: "Please enter your 4 digit password."

FOUR DIGITS????? Were they serious?

Now here's the kicker: TELLME WON'T DISCONNECT YOU IF YOU FAIL 3 TIMES IN A ROW!!!
Yes, ladies and gentlemen, keep trying to your heart's content. No penalties. Obviously a Brute Force hack was in order. Keep in mind that this is not a telnet situation. This deal is LIVE over the telephone, and you are punching in numbers on your telephone keypad.

I handled it by dusting off a *VERY* old wardialer. The newer ones try to do your thinking for you. They won't dial unless they hear dialtones, or insist on seven/eleven digit numbers, etc. The first few dialers I tried couldn't do the job, but I found a really old one that would dial sequenced numbers of any length, separated by a pause of any length I chose. I set the dialer to attempt *EVERY* four digit number, with a half-second pause between attempts. You can also do this by scripting your dial-up program.

I sat on an extension line, due to the limitations of the dialer, and listened to it punching in access codes. When it succeeded, I could pause the wardialer program. I would be able to look at the screen, and see what the last couple of attempted numbers were, manually dial them in, and gain access. I know there are easier methods, but this is what I did.

The Baron had mercifully chosen a low number, and I was in, changing the message in about ten minutes. I then tried two other *SAFE* messages, that I would not get in trouble for, if changed. I gained access, respectively, in 45 and 90 minutes (more or less). My math told me that the maximum time to Brute Force a TellMe announcement was about three hours.

Is that it?

No, while having the ability to change any announcement may be a lot of fun, there is a far more interesting hack that you can do on TellMe. Remember how when you first sign on, you have to say "announcements"? Try saying the word "Extensions". You may be quite surprised at what you find.

What are Tell-Me extensions?

Tell-Me extensions are that part of the Tellme network, which they have offered to the world to produce the voice activated web pages. Here is what you do.
Say "Extensions". You will be taken to the extensions area, and asked to punch in an extension number. This is a five digit number. It was time again for my ancient wardialer to do its stuff. (Once again, no penalty for incorrect guesses!) I let it dial away, here is what I have found, SO FAR:

What did you find?

First off, it is important at this point to mention that the TellMe experiment does not seem to be working. Gone are the free long distance phone calls (you had to say "phone booth"), the entire shopping area, and most of the extensions created by individual developers. TellMe is a dying concern as far as I can tell, perhaps they were ahead of their time. Most of the extensions are empty. The only extensions still operating are some die-hard developers, and (this is important later) TellMe's *own* extensions.

Apparently, the idea was to use the extension number as a kind of password, as there is no directory, and one must already know the extension number in order to gain access.

I checked into The San Remo hotel here in Las Vegas, under my girlfriend's name, and spent the night hacking. Here's what I have come up with so far:

Extension 76255: This leads to a very bizarre game of Rock/Paper/Scissors. It is one of the weirdest things that I have ever come across in all my days. I HIGHLY suggest you try it. It is like some whiney hillbilly guy...well see fer yerself!

The combination 11111 produces this: A gypsy with an eight ball. You ask it questions, and it gives you answers. There are no disclaimers, so I guess this is the real deal! Saying "quit" or "Stop" won't help you. Just shut the hell up, and it will kick you back into regular Tell-Me.

Extension 33333 produces the words "HELLO WORLD"

Is that it?

No. This is the serious stuff.

Extension 34118 produces a directory of TellMe's offices, with the regular phone numbers.

Most of the worthy extensions consisted of foul language, so anyone under 18 should stop reading now...
Use the letters on your telephone keypad, and you will get some very interesting results. These are five letter words corresponding to the numbers on your phone.

CUNTS - Produces a string of numbers of unknown meaning. Just a long string of a computer voice saying "one, five, seven, three, twelve, eighty-eight" etc. I'll figure out what that means later.

TITTY - This produces a fax tone, as opposed to a computer tone. I didn't mess with it.

PENIS - This produces a verbal message about the sendmail system.

HOLES - This is the Quote of the Day.

BOOBS - This has to do with HTTP protocols.

SHIT0 - This is a directory of phone lines in the TellMe system.

FUCK0 - This is a very interesting directory of phone lines in the TellMe system. Two of the lines appear to be trusted lines, providing a computer tone which I used to log on. There was a first time user option, which gave me a manager's account. (Do they have hundreds of managers?) What can it do? I was able to delete my own account and bring it back. I didn't fuck with anyone else's account. My goal is not to destroy, but to learn.

PISS0 - As above, the TellMe system addresses me with a choice of talking to a live person, or an automated directory of phone lines. I'm amazed this is all behind a five digit password.

Damn0 - Yet another directory of trusted phone lines. This one, however, asks you for another password right up front, so I'm assuming this is a more security sensitive area!

Pussy - A description of how to configure a TellMe webpage.

Cum69 - Advice on proper password generation. (hahahahahahahahahaha!!!!)

EATME - Computer tone leading to nowhere.

I have not finished checking out TellMe. I got myself all involved in the politics of alt.2600, and unfortunately have not yet completed my work. I never gained root access. There is much, much, more exploring to do on Tell-Me, so you can expect a followup on this text later.
It is the old-school hacker way to send the sysop a little note outlining any security holes found. Not to break old hacker tradition, I will send TellMe a copy of this text-file, immediately after I have posted it here.

The TellMe security protocols are pathetic. This is the EASIEST HACK ever posted to alt.2600

Archangel (The Teflon Con)
Wrath of God Hand Delivered
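
The control missing from the announcement password prompt described in the post, sketched as an added example (not part of the original post and not TellMe code): failures are counted per announcement number with a doubling lockout, and a simulated clock compares the time needed to submit every four-digit PIN with and without it. The class name, thresholds and the placeholder announcement number are assumptions; the 10,000-PIN keyspace and half-second pause come from the post.

```python
from dataclasses import dataclass, field

KEYSPACE = 10 ** 4        # four-digit keypad PIN, as described in the post
FREE_FAILURES = 3         # assumed: failures tolerated before any lockout
BASE_LOCK = 30            # assumed: first lockout, in seconds
MAX_LOCK = 3600           # assumed: cap on a single lockout, in seconds


@dataclass
class PinThrottle:
    """Counts failures per announcement number, not per call, so hanging up
    and redialing does not reset the counter."""
    failures: dict = field(default_factory=dict)      # announcement -> count
    locked_until: dict = field(default_factory=dict)  # announcement -> time

    def attempt(self, announcement: str, pin_ok: bool, now: float) -> str:
        if now < self.locked_until.get(announcement, 0.0):
            return "locked"   # refused before the PIN is even compared
        if pin_ok:
            self.failures.pop(announcement, None)
            return "ok"
        n = self.failures.get(announcement, 0) + 1
        self.failures[announcement] = n
        if n >= FREE_FAILURES:
            # Lockout doubles with each further failure, up to the cap.
            lock = min(BASE_LOCK * 2 ** (n - FREE_FAILURES), MAX_LOCK)
            self.locked_until[announcement] = now + lock
        return "denied"


def seconds_to_sweep(throttle=None, per_try=0.5, announcement="0000000"):
    """Simulated clock: time to submit all 10,000 PINs when every one fails.
    per_try is the half-second pause from the post; the announcement number
    is a constructed placeholder."""
    now = 0.0
    for _ in range(KEYSPACE):
        if throttle is not None:
            # A caller who is locked out can only wait for the lock to expire.
            now = max(now, throttle.locked_until.get(announcement, 0.0))
            throttle.attempt(announcement, False, now)
        now += per_try
    return now


if __name__ == "__main__":
    print("no throttle  :", seconds_to_sweep() / 3600, "hours")
    print("with throttle:", seconds_to_sweep(PinThrottle()) / 86400, "days")
```

Because the lockout is keyed to the announcement rather than the caller, anyone can hold the real manager locked out by failing on purpose, which is why the lock is capped and would normally be paired with an out-of-band reset.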