TUCoPS :: Phreaking General Information :: scanpbx.txt

                             - Scanning PBX's -
                      - Written by Anonymous Author -

   The Author of this article has now left the scene, and would like to
   sever all ties with it. Given this, this article has now become the
   intellectual property of NeuroCactus (with the author's consent). Nuff
   Said.

   What is a PBX?
   --------------
   A PBX comes in many varieties: ones with codes and ones without, some
   with an automated front-end, and some that are just a back door into a
   company's phone system.

   There are two ways to hack a PBX. The first is to dial into it by modem
   and reprogram it. The other is to brute-force it by dialling into the
   front-end. I will mainly deal with hacking the front-end.

   When you dial a front-end of a PBX, you'll either get some variant of a
   dial-tone, or something like 'Please enter the extension number and
   press pound'.

   Code based PBX's
   ----------------
   A code-based PBX is normally one where you dial a number, get a
   dial-tone, then dial a code of a specific length (normally 4-6 digits).
   Then you dial the number you want and bingo! If you want more info on
   this type of PBX, check out a code-hacking proggy such as CodeThief.

   Automated front ends
   --------------------
   Again, rather basic. All you need do with these is scan out all the
   extensions on it. Also, try combinations including *, # & 0 first.
   You'll be looking for voice-mail, dial tones & carriers. If you get a
   carrier, it may just be a dial-in to hack the PBX using your modem.
   This is common for PBX's such as IBM's ROLM and Nortel's MERIDIAN, as
   well as ASPEN's that are connected to a switch (PBX).

   Back door, front-ends (BDFE)
   ----------------------------
   Ok, this brings me to the main part of this file: back-door type PBX's
   with a dial-tone based front-end. These are the type I love, and you
   can find all sorts of shit on them. Hacking a BDFE PBX means brute
   forcing it, that is, dialling it repeatedly and belting a different
   combination of DTMF (touch-tones) at it each time you ring. A BDFE PBX
   answers you with certain messages in the form of tones, such as a ring
   or busy tone. These can vary greatly, but on the majority of them it is
   rather straightforward.

   Usually, when you pick up the phone and start dialling, you will get a
   'busy' tone if you stop dialling before you give the exchange enough
   digits. This is also the case with a BDFE PBX: if you haven't dialled
   enough digits, you'll get (after a pause) a busy signal. Likewise, when
   you pick up the phone normally and dial a disconnected number, you get
   a message saying the number is wrong. This is also the case with BDFE
   PBX's, except that instead of the message you normally get an error
   tone, something like <bing><bong><bing><bong>.... There are other
   things you can get on a BDFE PBX, such as a dial-tone (no shit) on an
   extension. When you get a dial-tone, it can be one of 3 things:
   loopback, sub-PBX or fake.

   A loopback dialtone will loop back to the beginning again. Say you rang
   a PBX and dialled *0 to get a loopback dialtone; at the second dialtone
   you can again dial *0 to get the same dialtone, ad infinitum. The
   dialtone on a loopback is normally the same as the original dialtone,
   but don't take that literally - there are always exceptions to the
   rule.

   A sub-PBX dialtone  could be one of two things again. It could be a
   code-based PBX, or it could be yet another BDFE PBX.

   A fake dialtone won't accept tones at all. I have yet to discover the
   deep and inner meaning behind these, other than being pointless (any
   suggestions are welcome).

   Ok, now you've got the basics, let's get to the important bit.

   Scanning/Hacking BDFE PBX's
   ---------------------------

   This normally takes fucking ages. Bad luck, you wanna phreak right? To
   hack a BDFE PBX, I suggest you find a good text editor that makes good
   use of the enter, tab and cursor keys; MS-DOS Editor I have found does
   the job. You'll also need a phone with big buttons, a comfortable
   handset and at least one programmable memory button. Program the number
   of the BDFE PBX into the memory button, along with a code if it costs
   money to call it.

   Now, what you're going to need to do is dial the PBX over and over
   again, trying patterns of numbers, incremented slightly each time you
   call. The best way for me to explain this is with a case study. Ok,
   we've got an imaginary PBX, with the phone number 1-800-IMA-HACKER
   (Compliments of *****). Ok, dial the number, you get a dialtone. Hit 0.
   You get an error tone. Write this down, eg:
   -- SCAN.TXT --  0  err
   ----

   Hang up & ring back. This time hit a 9. Nothing happens, silence. Hit
   another number, 0. You get an error. So...
   -- SCAN.TXT --   0  err
                    9; 0  err
   ----

   Ok, we're gonna check out the rest of the 9X range. Ring back, belt 9,
   then another number, 9. You get an error. So...
   -- SCAN.TXT --   0  err
                    9; 0  err
                       9  err
   ----

   Ring back, belt 9, 1. error.
   -- SCAN.TXT --   0  err
                    9; 0  err
                       9  err
                       1  err
   ----

   Ring back, belt 9, 2. It starts ringing. Joe Blow picks up the phone.
   -- SCAN.TXT --   0  err
                    9; 0  err
                       9  err
                       1  err
                       2  Joe Blow's Extension
   ----

   Ring back, belt 9, 3. error.
   -- SCAN.TXT --   0  err
                    9; 0  err
                       9  err
                       1  err
                       2  Joe Blow's Extension
                       3  err
   ----

   Ring back, belt 9, 4. Nothing but silence. After a while you get a busy,
   so it wants another digit. So...
   -- SCAN.TXT --   0  err
                    9; 0  err
                       9  err
                       1  err
                       2  Joe Blow's Extension
                       3  err
                       4;
   ----

   Notice the semi-colons? They mean there are more digits needed. Ring
   back, belt 9, 4, 0. Dialtone.
   -- SCAN.TXT --   0  err
                    9; 0  err
                       9  err
                       1  err
                       2  Joe Blow's Extension
                       3  err
                       4; 0  Dialtone
   ----

   Ok, while you're still on the phone, belt another tone at it. Nothing
   happens, the dialtone still remains. Belt lots of tones. Nothing.
   Obviously a dead tone. Let's skip the 9, 4, X bit for now and continue
   onto 9, 5.
   -- SCAN.TXT --   0  err
                    9; 0  err
                       9  err
                       1  err
                       2  Joe Blow's Extension
                       3  err
                       4; 0  Dead Dial
   ----

   Ring back, belt 9, 5. Dialtone. so...
   -- SCAN.TXT --   0  err
                    9; 0  err
                       9  err
                       1  err
                       2  Joe Blow's Extension
                       3  err
                       4; 0  Dead Dial
                       5  Dial
   ----

   belt 0. error. so...
   -- SCAN.TXT --   0  err
                    9; 0  err
                       9  err
                       1  err
                       2  Joe Blow's Extension
                       3  err
                       4; 0  Dead Dial
                       5; 0  err
   ----

   Ring back, belt 9, 5, 9. Dialtone. Hit 0. Error again - seems similar
   to the first dialtone. To check, ring back and try Joe Blow's extension
   from it: belt 9, 5, 9 for the dialtone, then 9, 2. You get Joe Blow, so
   959 loops back to the beginning. So...
   -- SCAN.TXT --   0  err
                    9; 0  err
                       9  err
                       1  err
                       2  Joe Blow's Extension
                       3  err
                       4; 0  Dead Dial
                       5; 0  err
                          9  loopback
   ----

   Get the picture? I'll finish off the scan list.
   -- SCAN.TXT --    0  err
                     9; 0  err
                     .  9  err
                     .  1  err
                     .  2  Joe Blow's Extension
                     .  3  err
                     .  4; 0  Dead Dial
                     .  .  9  err
                     .  .  1  err
                     .  .  2  err
                     .  .  3  err
                     .  .  4; 0  Dead Dial
                     .  .  .  9  dialout (accepts 1-800-XXX-XXX only)
                     .  .  .  1  err
                     .  .  .  2  err
                     .  .  .  3  err
                     .  .  .  4  err
                     .  .  .  5  err
                     .  .  .  6  err
                     .  .  .  7  err
                     .  .  .  8  err
                     .  .  .  *  busy
                     .  .  .  #  busy
                     .  .  5  err
                     .  .  6  err
                     .  .  7  err
                     .  .  8  err
                     .  .  *  err
                     .  .  #  err
                     .  5; 0  err
                     .  .  9  loopback
                     .  .  1  err
                     .  .  2  err
                     .  .  3  operator
                     .  .  4  operator
                     .  .  5  err
                     .  .  6  operator
                     .  .  7  err
                     .  .  8  err
                     .  .  *  busy
                     .  .  #  busy
                     .  6; 0  err
                     .  .  9; 0; 0; (Dial 6-900-XXX-XXX for 1-900-XXX-XXX)
                     .  .  .  9  err
                     .  .  .  1  err
                     .  .  .  2  err
                     .  .  .  3  err
                     .  .  .  4  err
                     .  .  .  5  err
                     .  .  .  6  err
                     .  .  .  7  err
                     .  .  .  8  err
                     .  .  .  *  busy
                     .  .  .  #  busy
                     .  .  .  .  9  err
                     .  .  .  .  1  err
                     .  .  .  .  2  err
                     .  .  .  .  3  err
                     .  .  .  .  4  err
                     .  .  .  .  5  err
                     .  .  .  .  6  err
                     .  .  .  .  7  err
                     .  .  .  .  8  err
                     .  .  .  .  *  busy
                     .  .  .  .  #  busy
                     .  .  1  err
                     .  .  2  err
                     .  .  3  err
                     .  .  4  err
                     .  .  5  err
                     .  .  6  err
                     .  .  7  err
                     .  .  8  err
                     .  .  *  busy
                     .  .  #  busy
                     .  7  err
                     .  8  'Please enter the mail-box number, and press
                     .     hash'. Voicemail system, default=1234.
                     .  *; Dial tone
                     .  .  0  err
                     .  .  9  err
                     .  .  1; 0  err
                     .  .  .  9  err
                     .  .  .  1; 0  err
                     .  .  .  .  9  err
                     .  .  .  .  1; 0  err
                     .  .  .  .  .  9  err
                     .  .  .  .  .  1  Modem - Looks like PBX dial-in
                     .  .  .  .  .  2  err
                     .  .  .  .  .  3  err
                     .  .  .  .  .  4  err
                     .  .  .  .  .  5  err
                     .  .  .  .  .  6  err
                     .  .  .  .  .  7  err
                     .  .  .  .  .  8  err
                     .  .  .  .  .  *  err
                     .  .  .  .  .  #  err
                     .  .  .  .  2  err
                     .  .  .  .  3  err
                     .  .  .  .  4  err
                     .  .  .  .  5  err
                     .  .  .  .  6  err
                     .  .  .  .  7  err
                     .  .  .  .  8  err
                     .  .  .  .  *  busy
                     .  .  .  .  #  busy
                     .  .  .  2  err
                     .  .  .  3  err
                     .  .  .  4  err
                     .  .  .  5  err
                     .  .  .  6  err
                     .  .  .  7  err
                     .  .  .  8  err
                     .  .  .  *  busy
                     .  .  .  #  busy
                     .  .  2  err
                     .  .  3  err
                     .  .  4  err
                     .  .  5  err
                     .  .  6  err
                     .  .  7  err
                     .  .  8  err
                     .  .  *  busy
                     .  .  #  busy
                     .  #  Operator
                     1  err
                     2  err
                     3  err
                     4  'Please enter the mailbox number, and press hash'
                        - Voicemail
                     5  err
                     6  err
                     7  err
                     8  err
                     *  Operator
                     #  Operator
   ----

   Ok, so this PBX has now been scanned out. Here's a list of what was
   found:

       Dial     For
       92       Joe Blow's Extension
       940      Fake/Dead Dialtone
       9440     Fake/Dead Dialtone
       9449     Dialout to 1-800-XXX-XXX
       959      Loopback to beginning
       953      Operator/Switch Board
       954      Operator/Switch Board
       956      Operator/Switch Board
       96900... For 1-900-XXX-XXX
       98       For Voicemail - Default = 1234
       9*,1111  For PBX Dial-In (dialtone after the *, then 1111)
       9#       Operator/Switch Board
       4        For Voicemail - Default = 1234
       *        Operator
       #        Operator
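   Working a tree like that into the flat 'Dial / For' list by hand is
   where mistakes creep in (it is easy to forget the 9, 4, X range that
   was skipped "for now"). The following is an added example, not part of
   the original file: a small Python script that reads the SCAN.TXT
   notation as used above (a digit with a semicolon = the PBX wanted more
   digits, a dot holds the column of an ancestor digit, a line that does
   not start with a digit is the wrapped tail of the previous answer),
   expands it into full dial strings, drops the plain err/busy answers,
   and lists the digits still untried after every prefix that wanted
   more. The sample input is a constructed, cut-down copy of the scan
   above; the scan order (0, 9, 1-8, *, #) and the err/busy labels are
   taken from the file, and the dots are ignored, so a file that is
   sloppy about them still parses as long as the columns are right.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DIGIT_ORDER = "0912345678*#"  # the order the file works through each level in
NOISE = {"err", "busy"}       # answers that never make the 'Dial / For' list
TOKEN = re.compile(r"([0-9*#]);?")

@dataclass
class Scan:
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (dial string, answer)
    wants_more: List[str] = field(default_factory=list)           # prefixes marked ';'

def parse_scan(text: str) -> Scan:
    """Expand SCAN.TXT notation: 'X;' means the PBX wanted more digits, so the rest
    of that line and the deeper-indented lines below continue the prefix; a '.'
    only holds an ancestor's column; a line not starting with a digit, * or #
    is the wrapped tail of the previous answer."""
    scan = Scan()
    open_prefixes: List[Tuple[int, str]] = []  # (column, prefix) of ';' ancestors
    for raw in text.splitlines():
        line = raw.replace("-- SCAN.TXT --", " " * 14)  # blank the label, keep columns
        if line.strip(" .") in ("", "----"):
            continue
        col = re.search(r"[^ .]", line).start()
        if line[col] not in "0123456789*#":  # continuation of the previous answer
            dial, answer = scan.entries[-1]
            scan.entries[-1] = (dial, answer + " " + line[col:].strip())
            continue
        while open_prefixes and open_prefixes[-1][0] >= col:  # a sibling closes deeper levels
            open_prefixes.pop()
        prefix = open_prefixes[-1][1] if open_prefixes else ""
        pos = col
        while True:
            tok = TOKEN.match(line, pos)
            if tok is None:
                note = line[pos:].strip()  # "9; 0; 0; (Dial ...)" or "*; Dial tone"
                if note:
                    scan.entries.append((prefix, note))
                break
            prefix += tok.group(1)
            if tok.group(0).endswith(";"):
                open_prefixes.append((pos, prefix))
                scan.wants_more.append(prefix)
                pos = tok.end()
                while pos < len(line) and line[pos] == " ":
                    pos += 1
                continue
            scan.entries.append((prefix, line[tok.end():].strip()))
            break
    return scan

def hits(scan: Scan) -> List[Tuple[str, str]]:
    """The 'Dial / For' list: everything that was not a plain error or busy."""
    return [(d, a) for d, a in scan.entries if a not in NOISE]

def untested(scan: Scan) -> Dict[str, str]:
    """Digits still untried after the first dialtone ('') and after each prefix
    that wanted more, so a range skipped 'for now' (9, 4, X) is not forgotten."""
    tried = {d for d, _ in scan.entries} | set(scan.wants_more)
    remaining = {}
    for p in [""] + list(dict.fromkeys(scan.wants_more)):
        missing = "".join(c for c in DIGIT_ORDER if p + c not in tried)
        if missing:
            remaining[p] = missing
    return remaining

# Constructed sample in the file's notation: a cut-down copy of the scan above that
# keeps the awkward lines (';' chain with a note, wrapped prompt, '*;' dialtone).
SAMPLE = """\
   -- SCAN.TXT --    0  err
                     9; 0  err
                     .  2  Joe Blow's Extension
                     .  4; 0  Dead Dial
                     .  .  4; 0  Dead Dial
                     .  .  .  9  dialout (accepts 1-800-XXX-XXX only)
                     .  .  5  err
                     .  5; 0  err
                     .  .  9  loopback
                     .  6; 0  err
                     .  .  9; 0; 0; (Dial 6-900-XXX-XXX for 1-900-XXX-XXX)
                     .  .  .  1  err
                     .  8  'Please enter the mail-box number, and press
                     .     hash'. Voicemail system, default=1234.
                     .  *; Dial tone
                     .  .  1; 0  err
                     .  .  .  1; 0  err
                     .  .  .  .  1; 0  err
                     .  .  .  .  .  1  Modem - Looks like PBX dial-in
                     .  #  Operator
                     *  Operator
   ----
"""

if __name__ == "__main__":
    scan = parse_scan(SAMPLE)
    print("Dial      For")
    for dial, answer in hits(scan):
        print(f"{dial:<9} {answer}")
    print("still to try:", untested(scan))
```

   Run it as a script and it prints the Dial / For list for the sample,
   then a map from each prefix that wanted more digits to the digits not
   yet tried after it; feed it a real SCAN.TXT kept in the same notation
   and you get the same two lists for that PBX.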

   It's as simple as that. Oh, and use common sense when doing this shit;
   that way you'll find a hell of a lot more.

