100 lines
6.2 KiB
Plaintext
100 lines
6.2 KiB
Plaintext
|
|
|
|
PBX's (Private Branch Exchanges) and WATS
|
|
By Steve Dahl
|
|
|
|
Because of the danger of using a blue box, many phreakers have turned to MCI,
|
|
sprint, and other SCC's in order to get free calls. However, these services are
|
|
getting more and more dangerous, and even the relatively safe ones like
|
|
metrofone and all-net are beginning to trace and bust people who fraudulantly
|
|
use their services. However, (luckily), there is another, safer way. This is
|
|
the local and WATS PBX.
|
|
|
|
There will at least 1 line going out of the PBX to the telco set up for
|
|
outgoing calls only, and there will also be at least one incoming line to the
|
|
switchboard. This is what we are interested in. Some of the incoming lines are
|
|
always answered by the switchboard operator, but some will be answered by the
|
|
PBX equipmemt. It will usually answer with a dialtone, the tone will sound
|
|
different for different systems. Some even answer with a synthesized voice!
|
|
(These are very hard to find, though.) The ones which answer with a dialtone are
|
|
easy to find if you have a modem or hardware device which can "hear" what's
|
|
going on on the phone line.
|
|
|
|
To find these fun thingies, you will have to write a scanner program which
|
|
will dial each number in a pre- fix, either sequentially or in a random order,
|
|
it really doesn't matter, and "listen" on the line for a constant sound longer
|
|
than the normal length of a ring. This could be done manually but it would take
|
|
a hell of a long time. Whenever the program finds a number that makes a
|
|
constant tone longer than a ring, it should record the number in an array or
|
|
something. Now, this number can be one of a few things. A noisy answering
|
|
machine, a sprint, MCI, etc access node, a person who yells in the fone, the
|
|
tone side of a loop (nice), possibly a carrier if your modem can "hear" tones
|
|
that high, or, hopefully, a PBX line. All your scanning should be done between
|
|
6 PM and 7 AM because between 7 AM and 6 PM, many of these numbers will be
|
|
answered by the switchboard operator. When you are checking out your results
|
|
the next day and come accross a dialtone, enter some touch-tone (TM) digits.
|
|
Depending on which type of PBX equipment and the length of the codes, after 3-8
|
|
digits it should either give a busy signal, a "reeler tone" (high-low tone), or
|
|
hang up on you, or possibly tell you you entered a bad code. Now it is time to
|
|
write a hacker for this PBX. If the codes are 3 or 4 digits, there will most
|
|
likely only be one code, but if they are 5 or more digits there may be more than
|
|
one. If there are 3 or 4, your hacker should dial the access number, wait for a
|
|
dialtone, then dial the digits and wait for a second, then dial a "1" (the
|
|
reason for this will be explained shortly), and then "listen" for a dialtone.
|
|
This would be a hacker for a system that gives a reeler tone, listening for the
|
|
dial- tone and hearing it would really mean the presence of the reeler tone and
|
|
mean that a bad code had been entered. The reason 1 is entered is to "quiet"
|
|
the dialtone" If it was a good code, 1XX or 1XXX will be valid extentions on
|
|
practically all PBX's. If your system gives a re-order or hangs up after a bad
|
|
code, forget the one and just listen for a dialtone, this will be a good code.
|
|
If there are 3 or 4 digits, they should be tried sequen- tiallly (becuase there
|
|
will probably only be one good one), if there are more, take your pick between
|
|
random and sequental. Now, when you (finally!!) get a good code, you will call
|
|
the number and enter the code and be confronted with a second dialtone. THIS IS
|
|
THE EXACT SAME DIALTONE THAT ANYONE WHO PICKS UP A PHONE IN THAT PBX SYSTEM
|
|
GETS. The reason this is important is because if they want to make an out-
|
|
going call, they will usually pick up the fone and dial 8, 9, or sometimes 7,
|
|
and get another dialtone and then make their call, local or long distance. And
|
|
you can do the same thing right now! These numbers also make a good tool to
|
|
avoid being traced on telenet, etc, it will just be traced back to the company
|
|
which owns the PBX.
|
|
|
|
Now for some phun with the PBX you have just broken into to. You can dial all
|
|
extentions directly on it (which is what local PBX'S are primarially used for
|
|
legitimately, unless the com- pany has OUTWATS lines.) The most phun extention
|
|
of all is the PA system. On some of these, you can get on the PA (intercom) and
|
|
actutually talk over it from your house! It can be on almost any extention
|
|
though, so you may have to hunt for it. On some, 797 or 1234 used to work, but
|
|
those have mostly been eliminated, not due to phreakers but because people
|
|
inside the company were figuring them out and using them!
|
|
|
|
Some PBX's don't even have security codes, you can just call up and dial 9 and
|
|
call wherever you want. On a few that I know of you enter the number and then
|
|
the code. If you want to know what these systems "sound" like, there are files
|
|
on this and other systems with long lists of WATS PBX numbers. The local ones
|
|
are much safer to hack though because you are not making a whole bunch of 800
|
|
calls which tends to get bell very pissed. Also, I have actually found modems
|
|
and other wierd things on some exchanges of PBX's, it might be worthwhile to
|
|
scan the numbers inside the PBX once to see what you find.
|
|
|
|
An important safety note: if you heavily abuse a TBX and make many outgoing
|
|
calls on it, after a few weeks (or whenever their fone bIll shows up!) it is a
|
|
good idea to lay off of it for a couple of months or so because they could get a
|
|
trace on it easilly, just like 800's. They will usually just change the code,
|
|
though. One more interesing note, I once found a PBX which had a direct link-
|
|
up to sprint! So by dialing 8 I got a line to sprint, no access codes, just
|
|
area code and number. It's phun to phuck up sprint and have them not know who
|
|
the hell you are or where the hell you are!!
|
|
|
|
If you have any comments, suggestions, corrections, or questions, leave
|
|
e-mail to Steve Dahl on any major phreak board, I will be happy to reply.
|
|
|
|
|
|
Steve Dahl
|
|
5/1/84
|
|
|
|
This phile is copyrighted 1984 by Steve Dahl and is not to be re-posted
|
|
without the author's consent! And I'm not kidding!!
|
|
|
|
[Courtesy of Sherwood Forest ][ - (914) xxx-xxxx]
|