Power Scanning 1: Identifying Number Blocks
1999, 2000 El Oscuro
This file originated at www.artofhacking.com.
                           Power Scanning I:

                     Identifying And Hand Scanning
                         Telco Internal Blocks
                     Other Dedicated Number Blocks

               2nd Revision (C) 1999,2000 El Oscuro/250

        Introduction - Why Hand Scan?

Have you ever wanted to call up your local telco's business manager to
give him a piece of your mind?  Ever find yourself wading through a
voicemail system or on hold forever in the process?  Well, maybe you
need a direct line.  Wouldn't it be nice if that number was listed in
your phone book?  Well it isn't so don't bother looking.  You looked
anyway.  I told you so!

But of course, that's only the beginning of the vast range of unlisted
telephone company office numbers that most phreaks would love to have.
Test numbers, Accounting, Security, the RNCC, you name it - if it's in a
telco office you can bet it has a phone and a real phone number you can
dial from home.  And you can also be 99.44% sure that those numbers are
unlisted and generally considered privileged, inside information.  And
that's just the voice lines - what if you could locate your telco's
COSMOS system?  Or a 900 backdoor?  Or even a backdoor into a billing
system?  Wouldn't you want to take a run at hacking that baby?

So how _do_ you get a directory of internal telco numbers?

        The Perils of Trashing et al

In days past, we all just went trashing, rummaging through dumpsters
outside the phone company's offices and COs, looking for all kinds of
documents, including internal phone directories.  But today there are
some problems with trashing.  Aside from the obvious - it's messy and
risky, many trashbins are now behind razor-wire fences or under cameras,
making trashing at best an unlikely venture for most people.  And, on
top of that, not only are most internal telco directories incomplete
(usually only the most commonly called numbers are printed) but there's
a reason why they're in the dumpster - they're obsolete.  So your
trashed list is incomplete, inaccurate, smelly, and you had to risk life
and limb to get it.  Not appealing.

There are other ways as well, which I won't get into in this file -
social engineering, theft from offices and vehicles, shoulder surfing,
and so on.  They all have their problems.

And then there's scanning.  "Jeez, Oscuro" you're thinking, "you want me
to scan every prefix in the city, hundreds of thousands of numbers, by
hand, to find some office numbers?  That's a HUGE project!"  Well, that
would be too big a project for any one person, or for that matter any
one army to take on.  I wouldn't recommend a blunt brute force handscan
of anything.  Instead, I recommend Power Scanning.

        Power Scanning

Power Scanning is the art of reducing the number of phone numbers any
one phreak has to scan.  With power scanning, a single phreak can reduce
his necessity to scan from millions of numbers down to a few hundred.
With the help of friends, you can acquire a complete directory of a
block of numbers in a matter of hours or even minutes!

        Preparing a Power Hand Scan

Power Scanning first requires preparation, and in the case of a hand
scan, research.

To locate a block, you first need a phone book.  Look up your phone
company in the white pages - not the "how to contact us" pages at the
front, but by name in the white pages.  You will probably see a dozen or
more local phone numbers for different services and offices, including a
few 1-800 numbers.

Now take note of the local numbers.  Are they all in the same prefix?
Are they mostly in the same prefix?  Of the ones that are in the same
prefix, take note of the fourth digit of the phone number.  Is it the
same for all/most of them?  If so, the phone company has a block of
numbers set aside for their own use.

Let's say that these are the numbers you found listed in the phone book
(these are completely fictional but based loosely on what I found in my
local phone book):

                253-7000  Customer Service
                253-7110  Cellular & Pager Sales
                253-7460  Account Inquiries
                253-7333  Data Services
                253-7350  X.25 Network Help Desk
                253-7050  Employment
                253-7299  Downtown Phone Mart
                253-7295  Suburban Mall Phone Mart

Ignore any toll-free or out-of-town numbers you see among them.  Now, do
you see a pattern emerging here?  All the local numbers are in the 253
prefix, and all of them are in the range 253-7000 to 253-7460.  You can
be relatively sure that the block goes up to 253-7499, so there are
probably 500 numbers in the block.

Now we need to make sure that the block you have found is otherwise
uninhabited.  For this you need a reverse directory.  You can use the
one at your local library, or a telephone listings CD-ROM like Pro-CD,
or if you are lucky enough to live in a market served by Western Phone
Directories, you probably already have one tucked away in the middle of
your phone book.  I don't think that one of those online reverse
directories would be suitable because they aren't geared towards
spitting out whole blocks of numbers.

Look up the (suspected) block in the reverse directory.  You should find
most if not all of the numbers from the white pages there.  If the telco
has a dedicated block there, you won't find anything else in that block.
No businesses, no people's names, just the few phone company listings
you already saw in the white pages, and a few big gaps in between.  At
the end of the block, normal listings resume - 253-7500 might belong to
a real estate company, 253-7501 to little old Mrs. Wong on Oswego St.
And likewise, prior to the beginning of the block you should find lots
of normal listings.

If this is what you find in the reverse directory, you have a clearly
defined block of numbers to scan.  In our example, the block is from
253-7000 to 253-7499.

Now you've reduced your scan to 500 numbers, and with the help of four
friends, you only have to scan 100 numbers each.
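The block-spotting rule from the last few paragraphs, as an added example (not part of the original file): group the listed local numbers by prefix and fourth digit, then widen the span to whole hundreds the way 7000-7460 becomes 7000-7499.  The listing text, the minimum of three listings per group and the toll-free line are constructed; a directory owner can run the same check over its own published numbers to see whether they give away a dedicated block.

```python
import re
from collections import defaultdict

# Constructed sample: the fictional listings from the text above, plus one
# toll-free line that the parser is expected to ignore.
LISTINGS = """
253-7000  Customer Service
253-7110  Cellular & Pager Sales
253-7460  Account Inquiries
253-7333  Data Services
253-7350  X.25 Network Help Desk
253-7050  Employment
253-7299  Downtown Phone Mart
253-7295  Suburban Mall Phone Mart
1-800-555-0199  Toll-free (ignored)
"""

# Local seven-digit form only: NXX-XXXX followed by a label.
LOCAL = re.compile(r"^(\d{3})-(\d{4})\s+(.*)$")


def parse_local(text):
    """Return (prefix, line, label) for local entries; skip toll-free/out-of-town ones."""
    out = []
    for raw in text.strip().splitlines():
        m = LOCAL.match(raw.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out


def infer_blocks(entries, min_listings=3):
    """Group by prefix and fourth digit (the thousands digit of the line number).
    For every group with enough listings, round the observed span down and up
    to the enclosing hundreds; that is the text's 7000-7460 -> 7000-7499 step."""
    groups = defaultdict(list)
    for prefix, line, _ in entries:
        groups[(prefix, line // 1000)].append(line)
    blocks = []
    for (prefix, _), lines in sorted(groups.items()):
        if len(lines) < min_listings:
            continue
        low = (min(lines) // 100) * 100
        high = (max(lines) // 100) * 100 + 99
        blocks.append((prefix, low, high, high - low + 1))
    return blocks
```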

        The Scan

Now all you have to do is start calling.  Your telco probably has
sequential dialing detectors working so scan randomly, e.g. 253-7015,
253-7235, 253-7116, etc.  Make a list of numbers and check off the ones
you've already scanned, and make a note of what's at each one.  Just
write down whatever the person (or answering machine) answering says
when they answer.  When you're done, enter the results into a text
editor, sort them by number (Hint: QEdit, DOS), incorporate your
friends' results, and *FOOM*, in a few hours you have an up-to-date,
accurate internal telco directory!
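A detector of the kind the paragraph above alludes to, as an added example (not from the original file): it counts how many distinct numbers inside one protected block a single origin dials within a sliding window, so a random-order hand scan is flagged as readily as a sequential one.  The call records, the block boundaries and the window and threshold values are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call records: (timestamp, calling number, called number).
# 555-0101 works through the 253-7xxx block in random order; 555-0199 makes
# two ordinary calls hours apart.
CALLS = [
    ("2000-03-01 14:02:10", "555-0101", "253-7015"),
    ("2000-03-01 14:03:45", "555-0101", "253-7235"),
    ("2000-03-01 14:05:02", "555-0101", "253-7116"),
    ("2000-03-01 14:06:30", "555-0101", "253-7402"),
    ("2000-03-01 14:08:11", "555-0101", "253-7071"),
    ("2000-03-01 14:10:00", "555-0101", "253-7333"),
    ("2000-03-01 09:15:00", "555-0199", "253-7000"),
    ("2000-03-01 16:40:00", "555-0199", "253-7110"),
]


def in_block(number, prefix="253", low=7000, high=7499):
    """True if a local NXX-XXXX number falls inside the protected block."""
    p, line = number.split("-")
    return p == prefix and low <= int(line) <= high


def flag_block_scanners(calls, window=timedelta(minutes=30), threshold=5):
    """Return {caller: distinct block numbers} for every caller that reached
    at least `threshold` distinct numbers in the block within any window.
    Dialing order is irrelevant: only the count of distinct targets matters."""
    by_caller = defaultdict(list)
    for ts, src, dst in calls:
        if in_block(dst):
            t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_caller[src].append((t, dst))
    flagged = {}
    for src, events in by_caller.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                flagged[src] = len(seen)
                break
    return flagged
```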

What's really cool about this is that because you enumerated the
directory yourself, you actually legally own the rights and copyright on
your list, and the phone company does not!  WIPO backfires!

This can be repeated for nearly any kind of dedicated block - banks,
large corporations, schools and colleges, nearly any large organization
has a PBX with extensions that map to real phone numbers, awaiting your
walking fingers.  For example, the Eaton's department store in
Vancouver, B.C., had a mostly unlisted block from 604-661-4400 to
604-661-4499.  But it's the local phone company, IMO, that has the most
interesting secret numbers waiting to be discovered!

        Perils and Pitfalls (not that they're serious...)

Of course, the main pitfall of this technique is being Caller ID'd or
ANI traced.  As phone companies cut costs, many offices that formerly
had ANI now only have Caller ID and can be *67 blocked, but security and
of course any lines direct to operators will always have ANI or some
other sort of unblockable calling number delivery.  So it's important to
scan from a phone you don't care about - payphones, enemies (Beige Box),
school, work, etc.  If you are patient you can spread your scanning out
over dozens of phones.

And of course, you can always say "What, this isn't Domino's Pizza?" to
everyone who answers... or just to the ones who answer with scary
greetings such as: "Telco Security, this call has been traced and is
being recorded!"  Telco employees get wrong-number calls too, after all.


Scanning has fallen out of favor in the last decade, for two reasons.
First, the phone companies have made it a lot more difficult to get away
with it.  And second, hacking doesn't seem to be the team effort
it once was - hackers are less willing to work together than they used
to be.  Everyone's got their own zine, everyone wants to be more 3l33t
than anyone else, and a task like brute force hand scanning is just too
daunting for someone, no matter how l33t, to take on alone.  But with
Power Scanning techniques, and a little ego forfeiture, a few hand
scanners working together can quickly gain an impressive and powerful
private phonebook that will serve them and their trading partners well
for a long time..........

In the next instalment, I will show how to use a listings CD-ROM to
perform Power Carrier Scans without annoying thousands of people, and
in the process reduce your scan time by up to 99 percent!
