- Scanning PBX's -
- Written by Anonymous Author -
The Author of this article has now left the scene, and would like to
sever all ties with it. Given this, this article has now become the
intellectual property of NeuroCactus (with the author's consent). Nuff
Said.
What is a PBX?
--------------
A PBX comes in many varieties. There are ones with codes, ones without
codes. Some have automated front ends, and some are just a back door
into a company's phone system.
There are two ways to hack a PBX. The first is to dial into it by modem
and re-program it. The other is to brute force it by dialling into the
front-end. I will mainly deal with hacking the front end.
When you dial a front-end of a PBX, you'll either get some variant of a
dial-tone, or something like 'Please enter the extension number and
press pound'.
Code based PBX's
----------------
A code-based PBX is normally one where you dial a number, get a
dial-tone, then dial a code of a specific length (normally 4-6 digits).
Then you dial the number you want and bingo! If you want more info on
this type of PBX, check out a code-hacking proggy such as CodeThief.
Automated front ends
--------------------
Again, rather basic. All you need to do with these is scan out all the
extensions on them. Also, try combinations including *, # & 0 first.
You'll be looking for voice-mail, dial tones & carriers. If you get a
carrier, it may just be a dial-in for re-programming the PBX with your
modem. This is common for PBX's such as IBM's ROLM and Nortel's
MERIDIAN, as well as ASPENs that are connected to a switch (PBX).
Back door, front-ends (BDFE)
----------------------------
Ok, this brings me to the main part of this file: back-door type PBX's
with a dial-tone based front-end. These are the type I love, and you
can find all sorts of shit on them. Hacking a BDFE PBX means brute
forcing it, that is, dialling it repeatedly and belting a different
combination of DTMF (touch-tones) at it each time you ring. A BDFE PBX
answers you with certain messages in the form of tones, such as a ring
or busy tone. These can vary greatly, but on the majority of them it is
rather straightforward.
Usually, when you pick up the phone and start dialling, you will get a
'busy' tone if you stop dialling before you have given the exchange
enough digits. This is also the case with a BDFE PBX: if you haven't
dialled enough digits, you'll get (after a pause) a busy signal.
Likewise, when you pick up the phone normally and dial a disconnected
number, you get a message saying that the number is wrong. This is also
the case with BDFE PBX's, except instead of the message you normally
get an error tone, something like <bing><bong><bing><bong>....
There are other things you can get on a BDFE PBX, such as a dial-tone
(no shit) on an extension. When you get a dial-tone, it can be one of
3 things: loopback, sub-PBX or fake.
A loopback dialtone loops back to the beginning again. Say you rang a
PBX and dialled *0 to get a loopback dialtone: at the second dialtone
you can again dial *0 to get the same dialtone again, ad infinitum.
The dialtone on a loopback is normally the same as the original
dialtone, but don't take that literally - there are always exceptions
to the rule.
A sub-PBX dialtone could again be one of two things: a code-based PBX,
or yet another BDFE PBX.
A fake dialtone won't accept tones at all. I am yet to discover what
the deep and inner meaning behind these is, other than being pointless
(any suggestions are welcome).
Ok, now you've got the basics, let's get to the important bit.
Scanning/Hacking BDFE PBX's
---------------------------
This normally takes fucking ages. Bad luck, you wanna phreak, right? To
hack a BDFE PBX, I suggest you find a good text editor that makes good
use of the enter, tab and cursor keys; MS-DOS Editor works well, I have
found. You'll also need a phone with big buttons, a comfortable handset
and at least one programmable memory button. Program the number of the
BDFE PBX into the memory button, along with a code if it costs money to
call it.
Now, what you're going to need to do is dial the PBX over and over
again, trying patterns of digits, incremented slightly each time you
call. The best way for me to explain this is with a case study. Ok,
we've got an imaginary PBX, with the phone number 1-800-IMA-HACKER
(Compliments of *****). Dial the number, you get a dialtone. Hit 0.
You get an error tone. Write this down, eg:
-- SCAN.TXT --
0 err
----
Hang up & ring back. This time hit a 9. Nothing happens, silence. Hit
another number, 0. You get an error. So...
-- SCAN.TXT --
0 err
9; 0 err
----
Ok, we're gonna check out the rest of the 9X range. Ring back, belt 9,
then another number, 9. You get an error. So...
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
----
Ring back, belt 9, 1. Error.
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
----
Ring back, belt 9, 2. It starts ringing. Joe Blow picks up the phone.
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
. 2 Joe Blow's Extension
----
Ring back, belt 9, 3. Error.
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
. 2 Joe Blow's Extension
. 3 err
----
Ring back, belt 9, 4. Nothing but silence. After a while you get a busy,
so it wants another digit. So...
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
. 2 Joe Blow's Extension
. 3 err
. 4;
----
Notice the semi-colons? They mean there are more digits needed (and
each leading dot is one more digit of depth, so the entries under 9;
are the 9X range). Ring back, belt 9, 4, 0. Dialtone.
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
. 2 Joe Blow's Extension
. 3 err
. 4; 0 Dialtone
----
Ok, while you're still on the phone, belt another tone at it. Nothing
happens, the dialtone remains. Belt lots of tones. Nothing. Obviously a
dead tone. Let's skip the 9, 4, X bit for now and continue on to 9, 5.
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
. 2 Joe Blow's Extension
. 3 err
. 4; 0 Dead Dial
----
Ring back, belt 9, 5. Dialtone. So...
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
. 2 Joe Blow's Extension
. 3 err
. 4; 0 Dead Dial
. 5 Dial
----
Belt 0. Error. So...
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
. 2 Joe Blow's Extension
. 3 err
. 4; 0 Dead Dial
. 5; 0 err
----
Ring back, belt 9, 5, 9. Dialtone. Belt 0. Error again, just like at
the first dialtone. Looks like a loopback, so test it the way a
loopback was defined above: ring back, belt 9, 5, 9 for the dialtone,
then dial Joe Blow's extension from the start, 9, 2. You get Joe Blow.
So...
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
. 2 Joe Blow's Extension
. 3 err
. 4; 0 Dead Dial
. 5; 0 err
. . 9 loopback
----
Get the picture? I'll finish off the scan list. One leading dot per
digit of depth: entries under 9; are 9X, entries under . 4; are 94X,
and so on.
-- SCAN.TXT --
0 err
9; 0 err
. 9 err
. 1 err
. 2 Joe Blow's Extension
. 3 err
. 4; 0 Dead Dial
. . 9 err
. . 1 err
. . 2 err
. . 3 err
. . 4; 0 Dead Dial
. . . 9 dialout (accepts 1-800-XXX-XXX only)
. . . 1 err
. . . 2 err
. . . 3 err
. . . 4 err
. . . 5 err
. . . 6 err
. . . 7 err
. . . 8 err
. . . * busy
. . . # busy
. . 5 err
. . 6 err
. . 7 err
. . 8 err
. . * err
. . # err
. 5; 0 err
. . 9 loopback
. . 1 err
. . 2 err
. . 3 operator
. . 4 operator
. . 5 err
. . 6 operator
. . 7 err
. . 8 err
. . * busy
. . # busy
. 6; 0 err
. . 9; 0; 0; (Dial 6-900-XXX-XXX for 1-900-XXX-XXX)
. . . . 9 err
. . . . 1 err
. . . . 2 err
. . . . 3 err
. . . . 4 err
. . . . 5 err
. . . . 6 err
. . . . 7 err
. . . . 8 err
. . . . * busy
. . . . # busy
. . . 9 err
. . . 1 err
. . . 2 err
. . . 3 err
. . . 4 err
. . . 5 err
. . . 6 err
. . . 7 err
. . . 8 err
. . . * busy
. . . # busy
. . 1 err
. . 2 err
. . 3 err
. . 4 err
. . 5 err
. . 6 err
. . 7 err
. . 8 err
. . * busy
. . # busy
. 7 err
. 8 'Please enter the mail-box number, and press hash'. Voicemail system, default=1234.
. *; Dial tone
. . 0 err
. . 9 err
. . 1; 0 err
. . . 9 err
. . . 1; 0 err
. . . . 9 err
. . . . 1; 0 err
. . . . . 9 err
. . . . . 1 Modem - Looks like PBX dial-in
. . . . . 2 err
. . . . . 3 err
. . . . . 4 err
. . . . . 5 err
. . . . . 6 err
. . . . . 7 err
. . . . . 8 err
. . . . . * err
. . . . . # err
. . . . 2 err
. . . . 3 err
. . . . 4 err
. . . . 5 err
. . . . 6 err
. . . . 7 err
. . . . 8 err
. . . . * busy
. . . . # busy
. . . 2 err
. . . 3 err
. . . 4 err
. . . 5 err
. . . 6 err
. . . 7 err
. . . 8 err
. . . * busy
. . . # busy
. . 2 err
. . 3 err
. . 4 err
. . 5 err
. . 6 err
. . 7 err
. . 8 err
. . * busy
. . # busy
. # Operator
1 err
2 err
3 err
4 'Please enter the mailbox number, and press hash' - Voicemail
5 err
6 err
7 err
8 err
* Operator
# Operator
----
Ok, so this PBX has now been scanned out. Here's a list of what was
found (940, not 94, is the dead dialtone: 94 on its own just wants
another digit).
Dial       For
92         Joe Blow's Extension
940        Fake/Dead Dialtone
9440       Fake/Dead Dialtone
9449       Dialout to 1-800-XXX-XXX
959        Loopback to beginning
953        Operator/Switch Board
954        Operator/Switch Board
956        Operator/Switch Board
96900...   For 1-900-XXX-XXX
98         Voicemail - Default = 1234
9*, 1111   PBX Dial-In (modem)
9#         Operator/Switch Board
4          Voicemail - Default = 1234
*          Operator
#          Operator
It's as simple as that. Oh, and use common sense when doing this shit;
that way you'll find a hell of a lot more.