


File: PBX'S & EXTENDERS

  PBX's (Private Branch Exchanges) and WATS

            By Steve Dahl

   Because of the danger of using a
blue box, many phreakers have turned
to MCI, sprint, and other SCC's in
order to get free calls. However, these
services are getting more and more
dangerous, and even the relatively
safe ones like metrofone and all-net
are beginning to trace and bust people
who fraudulently use their services.
However, (luckily), there is another,
safer way. This is the local and WATS
PBX. If you have a modem or inte around  with the menus for
other options.

--------------------------------------------------

               Dunn and Bradstreet:
      Do they know something that we don't?

                    by Tuc TucBBS & BIOC Agent 003

     In issue  #90, we  explained how  to use  the
Dunn  and  Bradstreet system  (Which is  now known
as  DunSprint).  As  usual,  our  information  was
totally  correct.  A  week  after  the  issue  was
mailed,  a phellow phreak found out that a copy of
the issue had fell into the  (lots of
PHUN!)  There will be at least 1 line
going out of the PBX to the telco set
up for outgoing calls only, and there
will also be at least one incoming line
to the switchboard. This is what we are
interested in. Some of the incoming
lines are always answered by the
switchboard operator, but some will be
answered by the PBX equipment. It will
usually answer with a dialtone, the
tone will sound different for different
systems. Some even answer with a
synthesized voice! (These are very hard
to find, though.) The ones which answer
with a dialtone are easy to find if
you have a modem or hardware device
which can "hear" what's going on on
the phone line.
   To find these fun thingies, you
will have to write a scanner program
which will dial each number in a pre-
fix, either sequentially or in a random
order, it really doesn't matter, and
"listen" on the line for a constant
sound longer than the normal length of
a ring. This could be done manually
but it would take a hell of a long
time. Whenever the program finds a
number that makes a constant tone
longer than a ring, it should record
the number in an array or something.
Now, this number can be one of a few
things. A noisy answering machine, a
sprint, MCI, etc access node, a person
who yells in the fone, the tone side of
a loop (nice), possibly a carrier if
your modem can "hear" tones that high,
or, hopefully, a PBX line. All your
scanning should be done between 6 PM
and 7 AM because between 7 AM and 6 PM,
many of these numbers will be answered
by the switchboard operator. When you
are checking out your results the next
day and come across a dialtone, enter
some touch-tone (TM) digits. Depending
on which type of PBX equipment and the
length of the codes, after 3-8 digits
it should either give a busy signal,
a "reeler tone" (high-low tone), or
hang up on you, or possibly tell you
you entered a bad code. Now it is time
to write a hacker for this PBX. If the
codes are 3 or 4 digits, there will
most likely only be one code, but if
they are 5 or more digits there may
be more than one. If there are 3 or 4,
your hacker should dial the access
number, wait for a dialtone, then dial
the digits and wait for a second,
then dial a "1" (the reason for this
will be explained shortly), and then
"listen" for a dialtone. This would
be a hacker for a system that gives
a reeler tone, listening for the dial-
tone and hearing it would really mean
the presence of the reeler tone and
mean that a bad code had been entered.
The reason 1 is entered is to "quiet"
the dialtone. If it was a good code,
1XX or 1XXX will be valid extensions
on practically all PBX's. If your
system gives a re-order or hangs up
after a bad code, forget the one and
just listen for a dialtone, this will
be a good code. If there are 3 or 4
digits, they should be tried sequen-
tially (because there will probably
only be one good one), if there are
more, take your pick between random and
sequential. Now, when you (finally!!)
get a good code, you will call the
number and enter the code and be
confronted with a second dialtone. THIS
IS THE EXACT SAME DIALTONE THAT ANYONE
WHO PICKS UP A PHONE IN THAT PBX SYSTEM
GETS. The reason this is important is
because if they want to make an out-
going call, they will usually pick up
the fone and dial 8, 9, or sometimes 7,
and get another dialtone and then make
their call, local or long distance. And
you can do the same thing right now!
These numbers also make a good tool to
avoid being traced on telenet, etc, it
will just be traced back to the
company which owns the PBX.
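
For the defender's side of the procedure described above, this added example (not part of the original file) flags the same pattern in PBX call records: repeated bad authorization codes on one inbound line, tried in sequence, after hours, followed by an accepted code and an outside-line digit. The record format, event names and threshold are assumptions made for the example.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from a real PBX): time, inbound line, event, value
SAMPLE_CDR = """\
2024-03-02T01:14:05,DISA-1,AUTH_FAIL,1000
2024-03-02T01:14:40,DISA-1,AUTH_FAIL,1001
2024-03-02T01:15:12,DISA-1,AUTH_FAIL,1002
2024-03-02T01:15:47,DISA-1,AUTH_OK,1003
2024-03-02T01:16:02,DISA-1,OUTDIAL,9
2024-03-02T10:02:00,DISA-2,AUTH_FAIL,4821
2024-03-02T10:02:30,DISA-2,AUTH_OK,4812
"""
FAIL_THRESHOLD = 3                  # assumed tuning value
OUTSIDE_PREFIXES = {"7", "8", "9"}  # outside-line digits named in the text

def after_hours(ts):
    """True between 6 PM and 7 AM, the scanning window the text describes."""
    return ts.hour >= 18 or ts.hour < 7

def analyze(cdr_text):
    """Return {inbound line: [findings]} for lines that show code guessing."""
    lines = defaultdict(lambda: {"fails": [], "night": False, "ok": False, "out": None})
    for row in csv.reader(cdr_text.splitlines()):
        if len(row) != 4:
            continue  # skip blank or malformed records
        ts, line, event, value = row
        s = lines[line]
        if event == "AUTH_FAIL" and value.isdigit():
            s["fails"].append(int(value))
            s["night"] |= after_hours(datetime.fromisoformat(ts))
        elif event == "AUTH_OK" and len(s["fails"]) >= FAIL_THRESHOLD:
            s["ok"] = True
        elif event == "OUTDIAL" and s["ok"] and value in OUTSIDE_PREFIXES:
            s["out"] = value
    report = {}
    for line, s in lines.items():
        f = s["fails"]
        if len(f) < FAIL_THRESHOLD:
            continue  # a single mistyped code is normal user behaviour
        checks = [
            (all(b - a == 1 for a, b in zip(f, f[1:])), "sequential sweep"),
            (s["night"], "after hours"),
            (s["ok"], "code accepted after failures"),
            (s["out"], "outside line seized"),
        ]
        report[line] = ["%d failed codes" % len(f)] + [label for hit, label in checks if hit]
    return report
```
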
  Now for some phun with the PBX you
have just broken into. You can dial
all extensions directly on it (which
is what local PBX'S are primarily
used for legitimately, unless the com-
pany has OUTWATS lines.)  The most
phun extension of all is the PA system.
On some of these, you can get on the
PA (intercom) and actually talk over
it from your house! It can be on almost
any extension though, so you may have
to hunt for it. On some, 797 or 1234
used to work, but those have mostly
been eliminated, not due to phreakers
but because people inside the company
were figuring them out and using them!
  Some PBX's don't even have security
codes, you can just call up and dial
9 and call wherever you want. On a few
that I know of you enter the number
and then the code. If you want to know
what these systems "sound" like, there
are files on this and other systems
with long lists of WATS PBX numbers.
The local ones are much safer to hack
though because you are not making a
whole bunch of 800 calls which tends
to get bell very pissed. Also, I have
actually found modems and other weird
things on some exchanges of PBX's, it
might be worthwhile to scan the numbers
inside the PBX once to see what you
find.
  An important safety note: if you
heavily abuse a PBX and make many
outgoing calls on it, after a few
weeks (or whenever their fone bill
shows up!) it is a good idea to lay off
of it for a couple of months or so
because they could get a trace on it
easily, just like 800's. They will
usually just change the code, though.
  One more interesting note, I once
found a PBX which had a direct link-
up to sprint! So by dialing 8 I got
a line to sprint, no access codes,
just area code and number. It's phun
to phuck up sprint and have them not
know who the hell you are or where the
hell you are!!

  If you have any comments, sug-
gestions, corrections, or questions,
leave e-mail to Steve Dahl on any major
phreak board, I will be happy to reply.


                           Steve Dahl
                           5/1/84

This phile is copyrighted 1984 by
Steve Dahl and is not to be re-posted
without the author's consent! And I'm
not kidding!!

[Courtesy of Sherwood Forest ][ - (914) 359-1517]


