Power Scanning II: Power Carrier Scanning
(C) 1999 El Oscuro/250

Intro - What is Carrier Scanning?

If you're interested in what this file has to say, you've probably seen the 1983 movie "WarGames" starring the nerdy but clueless Matthew Broderick and the lovely but clueless Ally Sheedy. So you already know what carrier scanning is, because Broderick had his 1970's-vintage Imsai 8080 doing a carrier scan in the movie.

For those of you who just arrived from Mars and therefore haven't seen WarGames, a carrier scan is what happens when you program your computer to call every phone number in every telephone prefix in the city, and make a note of which numbers are answered by computers. The process is sometimes called an exchange scan, a modem scan, or even a WarGames scan. Today, there are many freeware carrier scanning programs for all platforms, and they are easy to find on the internet and on BBSes.

Carrier Scanning Pitfalls

As you can imagine, carrier scanning has some unpleasant side effects. For starters, you end up pranking nearly everyone in the city, including emergency services, etc. The phone companies have largely dealt with carrier scanning by putting software into their switches that detects sequential dialing from one number, e.g. 253-0001, 253-0002, 253-0003, 253-0004 etc. Some telcos will cut off your line temporarily when they detect this, others will send a security goon out to "persuade" you to stop, still others will dispense with the pleasantries, cut off your line permanently, and sic the police on your sorry ass. That's no fun. Your mileage may vary, but I can tell you for a fact that my local telco makes some pretty heavy threats on you if you sequential-scan just a few dozen numbers.

Another problem with carrier scanning is that it takes a *long* time. When your scanner calls a number that has a modem on it, it has to wait up to 20 seconds to get a connection, so *every* number takes 20 seconds.
That means you can only dial 3 numbers a minute, 180 numbers an hour. It would take 56 hours straight to do a whole exchange from 0000 to 9999! Do you really want to tie up your phone line for two and a half days? I wouldn't. So how does a would-be carrier scanner today deal with these seemingly huge problems?

Slow Bauds Mean Fast Connects!

Well, for starters, you can reduce the needed connect time to 10 or 15 seconds by simply doing your scanning with a modem set to 300 or 1200 baud. Most modemers don't realize this, because they do all their calling at 33.6k or 56k, but the slowest baud rates on the modem have the fastest handshake and connect time! Scanning at 300 baud won't even add a noticeable overhead to the dialing process - you know, the time it takes the modem to receive the "ATDT 253-7000" command or send back the "NO CARRIER" message. If you could reduce connect wait time from 20 seconds to 10 seconds, with maybe 2 seconds of overhead (modem reset, etc) between calls, suddenly you can dial 5 numbers a minute instead of 3, a 66 percent improvement in efficiency!

Many Hands Make Light Work!

Secondly, and I know I covered this a bit in Power Scanning I, it always helps a lot to have a few friends in on the action to help out. Get a friend scanning with you - or a second computer on a second line in your house - or multiple computers scanning through beige boxes on the telephone snake cable running through your apartment building - and that 56 hour scan gets demolished in 28 hours, or 14, or 7, or 3 and a half. I don't know why more people don't co-ordinate their efforts in scanning; I guess there are too many egos these days.

Don't Dial Listed Numbers!

I am about to explain a technique that simply wasn't available to Matthew Broderick's WarGames character back in 1983. This is made possible by the widespread availability of phone directories on CD-ROM.
In a traditional carrier scan, your program dials every possible number, without regard to what may be on the other end. But what if your program already knew for certain that some numbers would NOT have modems? What if it didn't call those numbers?

The fact is, most modem numbers are unlisted! The ones that *are* listed are in the phone book - you don't need a scanner to find them. But the really good ones, the ones you want to find, are all unlisted. They don't appear in your phone book, and more importantly they don't appear on your phone listings CD-ROM!

Now, there are quite a few WarGames dialers that allow you to enter a list of numbers not to call. This feature is there so that you don't end up calling your family and friends during scans of their prefixes. But what if you could put every *listed* number in the prefix in that do-not-dial list? Well, what would happen is that you would eliminate 50 to 90 percent of the numbers from your scan - you would be left only with not-in-service numbers and unlisted numbers!

So, run your listings CD's browser program, export the whole prefix you want to scan to a text file, and delete the names and addresses so you have just a list of phone numbers. Cut and paste this into your scanner program (if you're running a Windows or Mac scanner) or import it into your scanner's config file or do-not-dial list - read your scanner's docs for how to do this, I'm not going to hold your hand THAT much.

This technique has a really great bonus - by eliminating known voice numbers from your scan and by reducing overall the number of times you dial, you greatly reduce your risk of drawing unwanted attention to your project!

Skip Unassigned and Cellular/Pager Blocks

There's one variant on the previous technique that should also be applied to any carrier scan. Sometimes, in sparsely populated areas or in brand-new prefixes, all the phone numbers fall into a block.
For example, way out in Spidercrotch, Manitoba, you might find that there are only lines assigned in the range 204-642-2000 to 204-642-4000, a 2000 number range. Or the brand-new 410 prefix in Springfield may, at this time, only have 1200 numbers assigned, from 410-1000 to 410-2200. A quick look in a reverse directory will reveal these.

Consider the probabilities before you add what appears to be an unassigned block to a do-not-dial list. Is the prefix new? Is it in a heavily populated area or a rural one? If the prefix is old, and in a metropolitan area, then any big gaps you find in the listings are probably dedicated assigned blocks, full of unlisted numbers - prime scanning territory. Or else they're pagers or cellphones. Give a few random numbers in those ranges a call and see if you get a recording that tells you the range is for pagers or cellphones. If it is, or if the prefix is in a rural area, then scanning them is an utter waste of time because you won't get any carriers. So consider nuking such blocks from your scan, and consider thoughtfully.

Other Tricks of the Trade

o Set your modem's dial speed (the S11 register) to the lowest value possible. Most modems have a minimum of 50ms; the phone system can keep up with dialing as fast as 45ms. You can save a little time each call this way, which really adds up over thousands of calls. Just put ATS11=50 in your initialization string.

o If your phone company offers a "Do Not Disturb" line feature, activate it before you scan, and have your scanner program renew it periodically if it has a time limit. That way any incoming calls will not disrupt your scan. This is especially helpful if you're not using *67 to block your Caller ID, because a certain number of people will try to call you back.

o Be paranoid and use *67, but remember that you do NOT need to wait for the stutter dial tone. ATDT*672537000 works as well as ATDT*67w2537000 and is one or two seconds faster.
Again, this adds up massively over thousands of calls. If *67 costs per-call then your phone company is in a minority of shitheads, and you should investigate the cost and possibility of a per-line Caller ID block before you scan - unless you want your phone bill to come in a crate instead of an envelope.

o If you've recently performed a hand scan of a partial prefix (as in Power Scanning I), you need not bother re-scanning that range with your carrier scanner, as any carriers would have been noted in your hand scan. Add all the numbers in that block to your do-not-dial list to save time.

o This is the only thing for which I'm going to grab you by the collar and shake you until it sinks in: DO NOT SCAN WATS (800, 888, 877) exchanges with your computer, or at least not from a phone line which can be traced back to you or to someone you need to stay alive/free/sane. If you knew how few consecutive 800 calls it takes to set off an audible alarm at your local RNCC, you'd never call an 800 number again!

The Impact of Power Scanning

Remember I said that a traditional scan using no special techniques would take 56 hours to do a whole prefix? By setting a 10 second connect time, a 12 second total dial cycle, that 56 hours falls to 33 hours and 30 minutes. By getting a second computer on a second line helping out, that 33:30 drops to 16:45. By getting a friend to help out on two lines, or two friends to help out on one each, 16:45 becomes 8:23. By eliminating an average 50 to 90 percent of numbers from the scan by ignoring listed numbers and unassigned blocks, that 8:23 falls to 4:12 at worst, and as little as only 0:50 if the prefix is saturated with mostly residential listed numbers! At 50 minutes a prefix, you could cover a small city completely in one evening (7 prefixes in 6 hours)!

How about scanning an entire area code? It's not out of the question with Power Scanning! Get a couple of dozen accomplices and totally blanket an area code in weeks.
2600 wouldn't have room to print the results! That's a 93 to 99 percent reduction in scanning time overall, and yet it's 100 percent as effective and thorough as the grueling 56 hour nightmare that hackers used to deal with in days gone by!

Carrier Scanning Pitfalls II

You'd never add 911 to your scan list, would you? Well, most people don't know this, but the 911 call center also has an unlisted 7-digit number - an alias - that is the same as dialing 911! It may be the "old" police emergency number from before your area got 911 service, it may be in a special exchange, or (and this is the case where I live) it may be a normal phone number whose last 3 digits are 911 (e.g. 250-361-9911). 911 service was introduced to my area the same year (1988 for anyone who cares) that the 361 prefix was created, so its location makes sense.

There are two things you MUST do to prevent your scanner calling 911, before you start on any automated scan of unlisted numbers.

First, you MUST exclude the 911 alias from your scan. If you have Caller ID then this is easy: just dial 911 and hang up. They will call back to find out why you hung up. Tell them you're sorry, your phone has a panic button and you accidentally pressed it, and then when you're off the phone take note of what appeared on your Caller ID box. Or dial *69 if you don't have Caller ID. The number you get back must be added to your exclude list.

The other thing you have to do is go to your local library and look in an old phone book (every public library that has phone books keeps obsolete ones). Get one from before 911 was introduced to your area, and add all the emergency numbers - police, fire, ambulance - to your exclude list. Chances are even if you have had 911 service for 15 years or more those numbers still work and are forwarded to... guess where.

If your computer dials a 911 alias during a scan, they will first try to phone you back and, failing that, a police cruiser will visit. Not a desirable occurrence.
So make sure it doesn't happen!

Conclusion

There's no doubt that the Internet has killed BBSes and rearranged the faces of online services like Compuserve and Prodigy. But hosting modems of various descriptions are still on the rise and will be for a long time. Look in the October 1998 issue of Scientific American for Carolyn Meinel's article on hacking. It has a great example of why we scan. A company whose entire presence was on the internet could not keep a hacker out because someone in the company had installed a "backdoor" modem without permission; the hacker found it and used it to remain online even when the whole company network had been severed from the internet!

So the choice is clear - hack with the internet alone and be l33t, or use *all* the tools at your disposal and get something done instead. Face it, the need for carrier scanning will remain as long as there are dialup modems!
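The switch-side detection of sequential dialing described under Carrier Scanning Pitfalls, seen from the telco's side, as an added example that is not part of the original file: a small Python detector run over constructed call records. It also shows why a detector that only looks for +1 steps misses a scan that skips listed numbers, and adds a second heuristic (many distinct short calls into one prefix) that still catches it. The CSV layout, the phone numbers, the durations and the thresholds are all assumptions.

```python
import csv
from collections import defaultdict

# Constructed sample call records (caller, callee, seconds), in chronological
# order; the numbers are made up and match nothing real.
SAMPLE_CDR = """caller,callee,duration
5550100,2530001,18
5550100,2530002,19
5550100,2530003,17
5550100,2530004,20
5550100,2530005,18
5550200,2531021,16
5550200,2531087,20
5550200,2531133,19
5550200,2531150,18
5550200,2531198,17
5550300,2537000,342
"""

def calls_by_caller(text):
    """Group (callee, duration) pairs per caller, keeping record order."""
    grouped = defaultdict(list)
    for r in csv.DictReader(text.splitlines()):
        grouped[r["caller"]].append((r["callee"], int(r["duration"])))
    return grouped

def longest_sequential_run(calls):
    """Longest run of callees where each is the previous number plus one."""
    best = run = min(len(calls), 1)
    for (prev, _), (cur, _) in zip(calls, calls[1:]):
        run = run + 1 if int(cur) == int(prev) + 1 else 1
        best = max(best, run)
    return best

def prefix_sweep_score(calls, prefix_len=3, max_duration=30):
    """Largest number of distinct short-call destinations inside one prefix."""
    per_prefix = defaultdict(set)
    for callee, dur in calls:
        if dur <= max_duration:          # a carrier probe hangs up quickly
            per_prefix[callee[:prefix_len]].add(callee)
    return max((len(s) for s in per_prefix.values()), default=0)

def flag_scanners(text, run_threshold=5, sweep_threshold=5):
    """Return {caller: [reasons]} for callers whose pattern looks like a scan."""
    flagged = {}
    for caller, calls in calls_by_caller(text).items():
        reasons = [name for name, hit in (
            ("sequential", longest_sequential_run(calls) >= run_threshold),
            ("prefix-sweep", prefix_sweep_score(calls) >= sweep_threshold)) if hit]
        if reasons:
            flagged[caller] = reasons
    return flagged
```

Caller 5550100 trips both rules; caller 5550200 dials non-consecutive numbers in the same prefix and is caught only by the prefix-sweep rule, while the single long call from 5550300 is left alone.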