*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+* The Offical Guide To Exchange Scanning By The Mob Boss *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+* I. Introduction - What is Exchange Scanning? This is something a lot of people haven't learned to use and enjoy. To be truthful I thought it was a complete thing of the past, a practice confined to the 80's and the movie WARGAMES. I quickly changed my mind about it after I started doing some scanning and started seeing results. To my suprise there aren't many texts on this topic so I decided this would be my fourth text in the h/p field. Simply put, exchange scanning, or wardialing, is the act of dialing all the numbers in an exchange in hopes of finding something hack/phreak worthy. For those who don't know, an exchange is the first three digits of a local number. Diagram A. (xxx)yyy-zzzz | |____ |______ Area Code | | Exchange Numbers from 0000 to 9999 Thats a very simple break down of the numbering plan. Basically, if you wanted to scan your own exchange, considering your phone number is (718)555-1212, you would start dialing 555-0000 right up to 555-9999. Its not that hard at all. Exchange scanning can be done by one of two methods. One method is by using a program called a wardialer or demondialer. The other way and the only way I do it these days is by hand. Hand scanning is far more accurate than a wardialer program. Also, there are some legal aspects of wardialing to be consulted in the body of this text. Another thing I quickly found out was that a very popular DOS based wardialer Tonloc did not work well with my modem. >From what people tell me, a nice old modem--a 2400 baud one--for instance, would do a lot better. If you think about it, that makes sense considering this program was not written with the newer 56k and V.90 modems in mind. If you do decide to use a program, I suggest that special care is taken, and I also recommend Tonloc. Think of exchange scanning as exploring; you are mapping uncharted territory. With patience, it can be valuable entertainment and a useful learning tool. Consider the fact that this was the ONLY way to get any systems to mess with. Back in the old days (pre-world wide web), it was something quite interesting to do. It has become pretty extinct simply because no one takes the time anymore to go for it. If anyone has ever seen the movie WARGAMES, where the hacker kid is looking for the computer number to some company, he uses a wardialer to attempt to find it. The important point they missed was how many other things you can find besides computers, and thats where things get interesting. What can we find by Exchange Scanning? Now that I have piqued your interest, let me tell you about some of the strange and interesting stuff you can find. First and foremost, you will find computers. Sometimes a carrier will do nothing; other times you will get a login prompt, and then--if you're really priviledged--you may be in a system without even needing a password. Although I have never been so lucky to login password-free, I know people who have found such a carrier. Sometimes these systems are little stores or personal computers. If it is a store, then it is likely you will be staring at store records. If you do get that far, then I expect you will know to use your good judgment and ethics on what to do. Another thing you may find is telephone company test numbers. Now, of course, the telco doesn't want you to find these; nevertheless, when you do, it can be really fun. The most famous of test numbers is loops. These were used to test lines, but more importantly to us, it was used to talk to another person free of charge occasionally and anonymously, since neither one of you has to supply a number. Heres how it works: there are two numbers--something like 555-9999 and 555-9998. These are looped together and will pass sound if vulnerable. These were prime, back in the old days, but have become pretty rare since then. The telco caught on and put an end to it. Now, among test numbers, you will also find things like voice mail, answering machines, and PBX's (if you don't know what a PBX is, then you really need to find a text on it). These have remote access and as we all know anything with remote access is not 100% secure. These are just some of the things you will find. Being creative is the key, as always, so use your head and think of a new use for something. Thats what being a hacker and phreaker is all about. Legal Aspects It seems you can't do anything these days without having some lousy bureaucrat making some kind of law which has the sole purpose to bother you. These laws seem so ridiculous, maybe because the people making them know nothing regarding computers or telecommunications, let alone the security of it. The point is, in some areas of the United States there are some laws regarding it. I won't go too far into this because I simply don't know the rules and regulations in every city and state. I know that in Connecticut, my current home, there are some laws on the books regarding scanning; from what my friend has told me about these, and I quote, "The laws are the equivalent of J-walking." I do not know how lenient your telco and judical system is in your area, but I would investigate it. If you don't get in trouble with the law you may be pissing off your local telco. They may even shut your phone line temporarily or permanently. If you're scared, then either don't scan or take the precautions that I will reccomend. At most, your only problem may be with angry call backs but with some simple techniques, even that could be eliminated. II. Exchange Scanning Explained Getting Started First step is to figure out whether you want to have a program scan for you or whether you're going to scan by hand. Now, unless you're scanning for the sole purpose of finding carriers and you're not afraid of going toe to toe with the telco equipment looking to catch your ass (thank ESS for that), then by all means use Toneloc or some other program. Now if you wanna be a real man, go for hand scanning. This is how we begin. First thing to decide is whether we are going to scan local or toll-free numbers. Now if you scan locally, you are going to get plenty of pain-in-the-ass residential numbers with nothing interesting. Now, if you scan toll-free numbers late at night, it will be nothing more then ALL businesses with no one except the voice mail, computers, and PBX's picking up. The only problem is that systems on toll-free numbers are better protected and you will have to worry about ANI (Automatic Number Identification). Consider this Caller ID on steroids. Your precious *67 is useless with this. They have got your number either way. If you scan at night when 95% of the numbers have nobody answering the phone, then you will be fine scanning toll-free numbers. If you scan locally you may be able to hide your number a little better (*67), and you will also find things which are more vulnerable to cracking. My advice is to try a little of each. To get started, get yourself a good pen, a pad, a decent phone, and a if you can get a hold of one, a tape recorder. Get comfortable and get ready for some scanning. Now, unless you have taken some heavy duty precautions, DO NOT ATTEMPT TO HACK ANYTHING FROM YOUR OWN LINE. You will get busted and do not come crying to me when you do. This is simply to get some numbers to hack later on when the correct precautions can be taken. Now I reccommend you scan in blocks of a 100; this can be done in about an hour or so, that is if you're not hacking anything heavily while doing this inital scan. If you stop and mess with systems on the way, then expect two hours. Like I was saying, make a list of all the numbers (or obtain one from my site under "Products") and then sit down, pick a number at random, and start scanning. Cross off the number as you go and make notes of anything you come across. The reason I say to make a list and pick randomly is because the telco is looking for sequential scanning. Doing it randomly will cover your ass a little bit better. Identifying Your Findings Some of you may be asking, "How do I know when I have found something?" This is a question everyone asks when they start scanning, but the answer is fairly simple. You will slowly start to learn about each type of system from voice mail to answering machines and test numbers to PBXs. The key is using your head. When you call something up, play around with whatever it is. For instance, you call up some number and it says to leave a message. Now this could be a voice mail box or it can be an answering machine. We all know VMB's are more proffesional then an answering machine, not to mention have more options. Use that knowledge to come to a conclusion regarding the number. How was the clarity of the message? Did it have a menu? Did you get prompted for a login when you hit *, #, or 9? What happens when you press other keys? It's not that hard to figure out. Now lets say you come across a single long tone. How do you know if its a PBX or a test number or something? Well, hit differnet keys and see what happens. Did you happen to hit something and it dropped out to a fast busy signal or even a dial tone? Then you most likely came across a PBX which most of the time requires a passcode. The key to finding out what you have found is simply to attempt to learn about it. Its a puzzle and youre trying to solve it. I guess the best step to take is to read up about all these different things your finding. I couldn't possibly fit in a how-to on each system you will find, not to mention it would be pointless considering how many excellent voice mail and PBX texts are out there. If you really get interested in some kind of phone system, such as maybe a peice of voice mail software, go ahead and get a copy and try it out. Learning is the key here. One other thing a lot of people make a mistake about is telling the difference between a modem and a fax machine. What I did was call up my ISP's dialup on the phone and listened. Afterwards, I called up a fax number of some real-estate company and then listened to that. Once you compare them like that, you won't mistake them while scanning. As a last word on identifying things, I strongly suggest you go out on the net or BBS and get some texts on VMB's, answering machines, PBX's, and Loops. That should get you started and will help you on your way. The only way to get a real handle on this stuff is to get out there and try things out. By the way, here's a peice of advice for when you find something password protected. Make like an idiot and think what they would pick. Does 1234 sound familiar ;) III. Avoiding Detection and Keeping Out Of Trouble Payphones The first, most obvious protection method is to use a payphone. A telco owned one or a Cocot--its up to you. Now, this may not go to well if you are doing local numbers, since it costs 25 or 30 cents each time (unless of course you have a way around that). The best use for payphones is scanning toll-free numbers. Yes, this can be a pain in the ass, but if you're at one of the drive-up phones with a laptop and an accoustic coupler, then life could be peachy. I wouldn't stay there too long though, especially if its daylight out. But, it can be a interesting alternative to the usual scanning cliches. Feel free to use a program here and even hack PBXs and such too. It's not traceable to you, so why should you care. From what I know, as long as you don't open your mouth, there is no way you can get in trouble doing this. Calling Cards Here's an idea that takes extra time, but is something that can be used to hide your number, though. Although I might suggest this more for actually hacking, your number can be hidden if you use a calling card with your scanning. For instance, if you wanted to scan some long distance exchange in another area code, you could do so. For some people, this is practical, but if you're not one that comes across a lot of calling cards, then this will be very costly to you and therefore unadvisable. Beige Boxing This is most certainly is not for the weak hearted or absent minded, since it can be very risky. However, if you do get some kind of very easy chance to beige box off your neighbors, then by all means, scan your little heart out. Scan an exchange in China if you like; you're not paying the bill. Although that could be fun, if you scan all toll-free numbers, then this is something that can be used for a long, long time until the feds bust down your neighbors door and arrest them for screwing with the White House's Toll-Free number, of course. Net2Phone This is one of the newer methods of protecting yourself, but something which can be very nice. Net2Phone is a company and program which allows you to make calls over the internet via your sound card. They want you to pay for long distance calls and things, but they don't care if you call toll-free numbers. In fact, you can open an account with all fake information and scan your heart out in either the 800, 888, or 877 areas and their corresponding exchanges. They have not once bothered me and I have been scanning for months. This is a great free program and defeats the dreaded ANI without haste. In fact, your ANI will show up as 212-209-0000, I believe. You can get Net2Phone at www.net2phone.com. IV. Conclusion Common Sense Unfortunately, common sense is not something I can teach so I leave this up to all of you up and coming hackers and phreakers to learn for yourself. What I will say does not only apply to scanning or even just h/p. It applies to everything. Some basic self discipline will keep you having fun and learning for a long time without the Gestapo--we know them as the authorities--bothering you. One big rule, which people don't get, is keeping your mouth shut. There is no reason to tell anyone anything. You don't have to deny you're a hacker. In fact, be proud, but don't write a goddamn map on how you do things and what you have done. This goes for on and off the net. If your talking to some jackass on IRC and he is saying something like, "Y0u a1n'T g0t n0 5K177z y0, WhAt HaVe y0u 3v3r d0n3?", don't take the bait. You don't know who this guy is. All you know is that you're angry and you want to show off. You do that or you share a little too much, then you will get screwed. There are dozens of stories I have seen and heard that will prove that. Forget about those people. Another rule of self discipline is to use your instincts. It's a great thing being human since we have those dark, deep, animal-like instincts. Feel it when something is not right, when someone is watching, or something is going to happen. Use paranoia. Don't let it eat you up inside, either. Learn those rules and you will live a happier life. Final Thoughts Now that you have learned a little bit about exchange scanning, then get out there and do it. Have some fun and learn about as many different PBXs, VMB's, and answering machines as you can. Soon, you'll be able to crack something in your sleep. You'll begin to see the same system again and you'll have the knowledge and power to say, "Hey! I know all about that system. Its a xxxx. Yeah, its default code is xxxx". When you get to that point, it feels really good. For those who didn't like this article or who already knew about exchange scanning, why did you read this far? Thats all for now. By The Mob Boss; http://mobboss.dragx.cx Co-Edited by DisEntry This has been a publication written by THE MOB BOSS, he is in no way responsible for the accuracy or results from the use of info in this article. Anything done is totally done at the users discretion. THE MOB BOSS in no way or form supports, aids, particapates in the act of criminal hacking or phreaking. Any ideas, beliefs, and information gathered in all publications published by THE MOB BOSS is strictly for informational purposes only. THE MOB BOSS copyright 1999 all rights reserved