The LOD/H Technical Journal, Issue #4: File 07 of 10 The Trasher's Handbook to B.M.O.S.S. by Spherical Aberration INTRODUCTION: Those who have actually trashed at Bell Co. before know that finding an installation can be a pain. Most Telco buildings these days are un-marked, plain, and generally overlooked by the average person. The buildings were specifically made so that they WOULD be overlooked, concealing itself and its contents. Knowing where all Bell Co. installations are would be nice, and through the help of BMOSS we can find out where they ALL are. NOTE: It is possible to get locations from your city hall, just take a look at what property Bell Co. owns and locate it. However, there are few catches to this method. First, most cities charge you to find out who owns what property and there might be a waiting period of a few days. Second, not all Bell Co. property is owned by Bell Co. There are instances of Bell Co. renting a piece of property from a company and using the existing building, possibly with the leasing companies logo still on it. BMOSS stands for Building Maintenance Operations Service System. BMOSS provides computer support for daily building maintenance tasks. A comprehensive database helps users keep track of repair activities. Telco field mechanics logon everyday to do assorted field mechanic stuff. From BMOSS they can check on tasks needed to be done, send messages to users, charge various Telco installations for work, log time sheets, generate purchase orders, see where his buddies are eating lunch etc. BMOSSes are usually located in a BOCC (Building Operations Control Center) or in a REOC (Real Estate Operations Center). BMOSS is run under AT&T Unix System V and at some points is quite Unix-like. At each center is one PDP-11/44 or a PDP-11/84 mainframe that is the base of operations for that center and other installations supported by that BOCC/REOC. LOGGING ONTO BMOSS: Before logging on to BMOSS you must select the proper type of terminal emulation. BMOSS has 4 types of emulations available for all users. Users within the BOCC/REOC use either VT100 or VT220 compatible terminals, while other internal stations will use an LA120 printer terminal. Field Mechanics at a remote location use their typewriter like LA12 printer terminals. Identifying a BMOSS dialup is not that hard at all. After hitting a three [CR]'s the system will respond with something like this: (BEEP!) Good Morning (Depending on what time of day it is) BASE/OE - Fri 04/23/90 09:43:22 - Online 9 User ID? Password? Typically user IDs are the three initials of the field mechanics name. After inputting your ID you will be prompted with a Password? request. Passwords can be from 6 to 8 characters in length, including punctuation marks, the first letter must begin with an alphabet-letter or a number. They cannot contain spaces or the users first/middle/last name. Periodically the system will prompt the user for a new password. This period of time is usually set by the system administrator. I have found that the "WRK:A10" user ID or a variation of WRK:xxx where xxx is a alpha-numerical combination has worked excellent for me. I believe the WRK:xxx is some type of low-level account when field mechanics lose their current ID/PW combination. Initials also have been found on most of the systems, so a WRK:xxx and Initials brute-force attempt just may give you a working ID. IN BMOSS: Once penetrating initial security you are then prompted with BMOSS's FLD> main level identifier. This FLD> changes as you move from BMOSS's root to the various main BMOSS branches. Sometimes when you logon to BMOSS you will receive a memo saying, "NOTE - Check your office" at this time go to the Office and read the memos sent to you. Read THE OFFICE later in this article to learn how. BMOSS was designed with the average Joe in mind and is very logically laid out. BMOSS was modeled after UNIX's Tree-oriented structure. Here is a Tree of BMOSS's structure: BMOSS _____________|_____________ | | | | | | CON DAT ACT FOR BIL OFF Main Branches: CON- Control Functions (Sys Admin payroll/timesheet functions) DAT- Database Maintenance (What we are mainly concerned with) ACT- Field Activity (Handles field activities) FOR- Force Administration (Recording labor hrs for time sheets etc.) BIL- Bill Paying (Processing purchase orders, producing expense accts.) OFF- Electronic Office (Receive/Send Messages or Page users) Each main branch then branches off into its own specific commands. I will concentrate on the Database Maintenance functions since the other functions have little or no use to us. DATABASE MAINTENANCE: To haul in the mother lode you go into the Database Maintenance area from the root. This is accomplished by typing DAT in at the FLD> prompt. Now you should get a DAT> prompt meaning you are now in the Database Maintenance section. To get a listing of the available DAT commands type in 'SHO' which is short for SHOW. We are mainly concerned with the BLD (Building Master) function. Once the BLD function is selected you will be prompted for a sub-form. There are 7 sub-forms for the BLD function. BLD Sub-Forms: 1. GEN- General Background 2. OWN- Building Ownership (used for adding a new building to database) 3. LES- Lease Terms (used for adding a new building to database) 4. EMG- Emergency Data (contains Police and Fire Dept. that serve this location and their respective telephone numbers, and whether the location has backup power and fire-sprinklers etc.) 5. RES- Maintenance Responsibility (Maintenance entries for building) 6. WRD- Building Warden (Building Wardens number etc.) 7. NOT- General Notes (Notes about the particular building) 8. ACC- Accounting Distribution (Account for particular building) Accessing the above information is as easy as selection of the three letter identifier at the Sub-Form prompt. We are particularly concerned with the GEN (General Background) information. This function gives us the following data: 1. Building's Number 2. Building's Complete Address 3. Building's Name 4. Building's Sector (Bell informational purposes only) 5. Building's Zone (Bell informational purposes only) 6. Whether or not Bell owns the building. (A Y/N combination is usually shown here. Y meaning its is owned by Bellco, N meaning its not owned by Bellco.) 7. The building's group (One letter identifier) 8. The building's use. (Garage/Warehouse/Office etc.) 9. The kind of telephone equipment used in the building. (ESS1A etc.) 10. Whether or not Bell is Sub-leasing parts of the building. (Y/N identifier) 11. The number of floors in the building 12. The number of basements in the building (A number of 3 here would mean the building has 3 below ground level floors. 13. Whether or not the building has a cable vault. (Y/N identifier) 14. Gross Square footage of the building 15. The number of reserved parking spaces for the building. Once entering the DAT section and entering GEN as your sub-form selection you will be prompted for a building number. Random selection of building numbers is necessary because they vary from area to area. Once a legitimate building number is accessed the above information will be displayed. Ok, you now have the information you need, how do you get back to a previous directory or even log off ? That's quite easy. Typing in EXI (short for EXIT) will bring you back up to the root FLD> one directory at a time. For logging off the system you should hit EXI until you reach the FLD> root then BYE and you will get: BASE/OE - Fri 4/23/90 10:22:13 - Offline 9 Have a Good Morning OTHER FUNCTIONS: I have found the REPORTS function most helpful in finding other user IDs. To get a listing of the 20+ different types reports type 'HELP REPORT' at the FLD> prompt. We are particularly concerned with REPORT 41, the Estimated vs. Actual Hours Log. We bring this up by typing from the FLD: FLD> REPORT 41 04/02/90-04/06/90 You are inquiring for the estimated vs. actual hours time on a series of jobs from April 4th 1990 through April 6th 1990. The output then kicks out the hours and such. Every field mechanic that worked throughout those days will be displayed in- First name, Middle Initial, and Last Name totally spelled out for you. Another useful report is REPORT 90- Data Access Log. It is called up by typing: FLD> REPORT 90 Date Range? 04/06/90-04/08/90 The system then kicks out all users that used the SCOPE command on other users. The system prints out the users full name and actual USER ID and who the user scoped including the scoped-user's Social Security number. THE OFFICE: When you are prompted that you should check your messages you should do so immediately before any work is done in BMOSS. First you must go to your office which is done by selecting OFF from the FLD> identifier. Once this is done your FLD> prompt will change to a OFF> prompt. Typing HELP will give you the available HELP commands for the office. To check the messages type in: OFF> STATUS BMOSS will reply with the following: (example) Memo From User Subject Status -------------- ------------------ ---------------------- --- IPAAA 04/01/90 Wile E Coyote Current Task Info OUT BNAAA 04/02/90 Susie B Hott Last Saturday Night IN The user then sees he has a memo from his boss about his current tasks and a memo from his co-worker/seductress Susie B. Hott. Fuck his boss, he wants to read what Susie has to say. So you type in: OFF> PRINT BNAAA --- MEMO --- Date: 04/02/90 Time: 08:11 From: Susie B Hott To: Legion Of Doom Subject: Last Saturday Night LOD, I really enjoyed last saturday night. We must do it again. Give me a call soon, 555-WETT. ** Susie A useful command is a list of OFFICE users. This gives you another listing of user's Full-Name/ID combinations. Get this by typing: OFF> USERS It will then print out the users who are in the Electronic Office database. CONCLUSION: You can get HELP from anywhere just by typing HELP from the prompt. Or if you need specific information about a function type in HELP then the function name. Such as: FLD> HELP REPORT (This gives you options/help on the REPORT command) BMOSS can be used for a large amount of purposes for the hacker/trasher. Even though it doesn't have any really powerful commands to self-destruct the telephone company it can be used to access other building's trash, and other things that may interest you. ______________________ ( Spherical Aberration )