                 PBX's (Private Branch Exchanges) and WATS
                             By Steve Dahl

  Because of the danger of using a blue box, many phreakers have turned to MCI,
Sprint, and other SCC's in order to get free calls.  However, these services are
getting more and more dangerous, and even the relatively safe ones like
Metrofone and All-Net are beginning to trace and bust people who fraudulently
use their services.  However (luckily), there is another, safer way.  This is
the local and WATS PBX.

  There will be at least 1 line going out of the PBX to the telco set up for
outgoing calls only, and there will also be at least one incoming line to the
switchboard.  This is what we are interested in.  Some of the incoming lines are
always answered by the switchboard operator, but some will be answered by the
PBX equipment.  It will usually answer with a dialtone; the tone will sound
different for different systems.  Some even answer with a synthesized voice!
(These are very hard to find, though.)  The ones which answer with a dialtone
are easy to find if you have a modem or hardware device which can "hear" what's
going on on the phone line.

  To find these fun thingies, you will have to write a scanner program which
will dial each number in a prefix, either sequentially or in a random order (it
really doesn't matter), and "listen" on the line for a constant sound longer
than the normal length of a ring.  This could be done manually but it would take
a hell of a long time.  Whenever the program finds a number that makes a
constant tone longer than a ring, it should record the number in an array or
something.  Now, this number can be one of a few things: a noisy answering
machine, a Sprint, MCI, etc. access node, a person who yells in the fone, the
tone side of a loop (nice), possibly a carrier if your modem can "hear" tones
that high, or, hopefully, a PBX line.  All your scanning should be done between
6 PM and 7 AM because between 7 AM and 6 PM, many of these numbers will be
answered by the switchboard operator.

  When you are checking out your results the next day and come across a
dialtone, enter some touch-tone (TM) digits.  Depending on which type of PBX
equipment and the length of the codes, after 3-8 digits it should either give a
busy signal, a "reeler tone" (high-low tone), or hang up on you, or possibly
tell you you entered a bad code.  Now it is time to write a hacker for this PBX.
If the codes are 3 or 4 digits, there will most likely only be one code, but if
they are 5 or more digits there may be more than one.  If there are 3 or 4, your
hacker should dial the access number, wait for a dialtone, then dial the digits
and wait for a second, then dial a "1" (the reason for this will be explained
shortly), and then "listen" for a dialtone.  This would be a hacker for a system
that gives a reeler tone; listening for the dialtone and hearing it would really
mean the presence of the reeler tone and mean that a bad code had been entered.
The reason 1 is entered is to "quiet" the dialtone.  If it was a good code, 1XX
or 1XXX will be valid extensions on practically all PBX's.  If your system gives
a re-order or hangs up after a bad code, forget the one and just listen for a
dialtone; this will be a good code.  If there are 3 or 4 digits, they should be
tried sequentially (because there will probably only be one good one); if there
are more, take your pick between random and sequential.

  Now, when you (finally!!) get a good code, you will call the number and enter
the code and be confronted with a second dialtone.  THIS IS THE EXACT SAME
DIALTONE THAT ANYONE WHO PICKS UP A PHONE IN THAT PBX SYSTEM GETS.  The reason
this is important is because if they want to make an outgoing call, they will
usually pick up the fone and dial 8, 9, or sometimes 7, and get another dialtone
and then make their call, local or long distance.  And you can do the same thing
right now!  These numbers also make a good tool to avoid being traced on
Telenet, etc.; it will just be traced back to the company which owns the PBX.
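
  For whoever runs the PBX, the procedure above leaves a recognizable trail on
the dial-in line: a run of bad codes between 6 PM and 7 AM, then an accepted
code followed by 8, 9 or 7.  The check below is an added example, not part of
the original file; the log layout, the threshold and the sample rows are
constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample log for one dial-in line. The column layout is
# hypothetical, not any vendor's call-record format.
SAMPLE = """\
time,line,code,result,dialed
1984-05-01 14:05,5550100,4471,OK,9
1984-05-01 23:10,5550100,1000,BAD,
1984-05-01 23:11,5550100,1001,BAD,
1984-05-01 23:12,5550100,1002,BAD,
1984-05-01 23:13,5550100,1003,BAD,
1984-05-02 02:40,5550100,4471,OK,9
"""

TRUNK_PREFIXES = {"7", "8", "9"}  # outside-line digits named in the article
MAX_BAD = 3                       # assumed alert threshold per line per night

def after_hours(ts):
    # The article's scanning window: 6 PM to 7 AM.
    return ts.hour >= 18 or ts.hour < 7

def analyze(text):
    """Return {(line, night): [alerts]} for after-hours code guessing."""
    nights = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M")
        if not after_hours(ts):
            continue
        # Shift by 7 h so one 6 PM to 7 AM window maps to a single date.
        key = (row["line"], (ts - timedelta(hours=7)).date().isoformat())
        n = nights.setdefault(key, {"bad": [], "alerts": []})
        if row["result"] == "BAD":
            n["bad"].append(row["code"])
        elif len(n["bad"]) >= MAX_BAD:
            what = "code accepted after guessing run"
            if row["dialed"][:1] in TRUNK_PREFIXES:
                what += ", outside line seized"
            n["alerts"].append(what)
    report = {}
    for key, n in nights.items():
        bad = n["bad"]
        if len(bad) >= MAX_BAD:
            steps = [int(b) - int(a) for a, b in zip(bad, bad[1:])]
            kind = "sequential" if all(s == 1 for s in steps) else "random"
            report[key] = [f"{len(bad)} bad codes ({kind} guessing)"] + n["alerts"]
    return report
```

  The daytime call with the same code is ignored, so only the overnight run and
the accepted code that follows it are reported.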

  Now for some phun with the PBX you have just broken into.  You can dial all
extensions directly on it (which is what local PBX's are primarily used for
legitimately, unless the company has OUTWATS lines).  The most phun extension
of all is the PA system.  On some of these, you can get on the PA (intercom) and
actually talk over it from your house!  It can be on almost any extension
though, so you may have to hunt for it.  On some, 797 or 1234 used to work, but
those have mostly been eliminated, not due to phreakers but because people
inside the company were figuring them out and using them!

  Some PBX's don't even have security codes; you can just call up and dial 9 and
call wherever you want.  On a few that I know of, you enter the number and then
the code.  If you want to know what these systems "sound" like, there are files
on this and other systems with long lists of WATS PBX numbers.  The local ones
are much safer to hack though, because you are not making a whole bunch of 800
calls, which tends to get Bell very pissed.  Also, I have actually found modems
and other weird things on some exchanges of PBX's; it might be worthwhile to
scan the numbers inside the PBX once to see what you find.

  An important safety note:  if you heavily abuse a PBX and make many outgoing
calls on it, after a few weeks (or whenever their fone bill shows up!) it is a
good idea to lay off of it for a couple of months or so because they could get a
trace on it easily, just like 800's.  They will usually just change the code,
though.  One more interesting note: I once found a PBX which had a direct
link-up to Sprint!  So by dialing 8 I got a line to Sprint, no access codes,
just area code and number.  It's phun to phuck up Sprint and have them not know
who the hell you are or where the hell you are!!

  If you have any comments, suggestions, corrections, or questions, leave
e-mail to Steve Dahl on any major phreak board, I will be happy to reply.


                           Steve Dahl
                           5/1/84

  This phile is copyrighted 1984 by Steve Dahl and is not to be re-posted
without the author's consent!  And I'm not kidding!!

[Courtesy of Sherwood Forest ][ - (914) xxx-xxxx]


This page was created Wed Aug 11 23:33:43 EDT 1999
Using Linux version 2.0.32 on an i586

Copyright (C) 1999 - Matarese.com