STATION ID - 7047/3.12

9x Datakit Network

FOR OFFICIAL USE ONLY

This is a 9x system, restricted to authorized persons and for official 9x business only. Anyone using this system, network or data is subject to being monitored at any time for system administration and for identifying unauthorized users or system misuse. Anyone using this system expressly consents to such monitoring and is advised that any evidence of criminal activity revealed through such monitoring may be provided to law enforcement for prosecution.

[PRIVATE BRANCH EXCHANGES]

History Provided by Hazzmat
Afterword by Substance

A note from the authors:

The purpose of this file is to hopefully lessen the seemingly repetitive questions on irc like "d00d how do i hack a PBX?", and "What is a PBX". We realize we have already released a tfile on PBXs but this one is way better. Skim the file; if it seems lame dont read it, but I believe even the most eleet hacker could learn something. The beginning is technical information on PBXs, the end is how to use them to your benefit. What you do with the information gathered in this tfile is your responsibility, blah blah.

AN OVERVIEW (by: hazzmat)

Acronyms used:

PBX: Private Branch Exchange
PBAX: Private Automatic Exchange
MDF: Main Distribution Frame
TSU: Tone Sender Unit
TRU: Tone Receiver Unit
SMDR: Station Message Detail Recording
ISDN: Integrated Services Digital Network
T-#: T carrier
DS#: Digital Service #
ACN: Area Code Number

A private branch exchange is an owned or leased voice switching system serving a commercial organization and is usually located on that organization's premises. PBXs provide telecommunications services on college campuses and in hospitals, businesses and government agencies. A PBX is basically its own central office and handles services for the internal network of wherever it is run. It handles many of the same things that a Central Office handles for the public telephone network.
An attendant can be present or it can be run automatically. The PBX is the brain of the private telephone network it is on. It can allow or disallow certain services such as restricting dialing out of the network. This can include blocking long distance calling or blocking out certain area codes or prefixes. A PBX also monitors activity and can produce detailed reports including the levels of activity and the calls made from a specific extension, broken down by time, length, total cost, cost per minute and average call length, and can also produce bills per department for their call usage if necessary.

After the invention of the telephone the number of people making calls grew so rapidly that there was a need to connect, or switch, parties to their destinations. The inventor of the first multiple switchboard was Leroy B. Firman, an American, in 1879. With such a large volume of calls, businesses lacked a way to switch calls using single or multiple lines to any number of telephones in the company. PBX is also known as PBAX; the European manufacturers added the A for "automatic" to represent the unassisted switching.

The earlier version of the PBX was a device used for connecting and switching callers. The call would be routed either directly to an extension or to a console manned by a person. When the call arrived the attendant answered it, determined who it was for and then connected the parties. The attendant would tell the PBX to hold the call while calling the receiving party to verify that they were available, and then signal to the PBX to connect the call to the extension.

Since then the PBX has rapidly changed. The old technology became unsuitable because of the explosion of telephone usage. Today, a modern PBX is a specialized computer. The operating system software is what makes this computer a PBX. The applications running on this system determine how it operates.
Physical components such as telephones and modem equipment are the "eyes and ears" of the PBX. Lines and trunks are the most elementary PBX input/output ports. Over time the term line has also evolved to mean station, the telephone itself. A large number of lines carrying a certain amount of call traffic is supported by a smaller number of trunks, which connect the PBX to network resources. The ratio of trunks to lines is about ten to thirty percent.

A PBX can contain thousands of different computer cards, each designed for a specific function. The cards are inserted into bus slots, which are built into the system board itself. The slots have built-in pre-wired configurations that are connected to the CPU. Since the bus slots and the wiring are pre-configured, it is crucial that the right card is in the correct slot. The casing or frame that contains the PBX components is called a chassis. There are other chassis that allow a technician to wire the connections between the slots, allowing for greater flexibility. The design of the PBX determines where the CPU is located, which could be on a card or built right into the system. The CPU must supply switched connectivity between the various cards that reside on the PBX.

There are nine major cards that are used to work directly with the switch.

The line filter unit is used to reduce and possibly eliminate any line noise that is on the circuit. It is used on anything that goes into or comes out of the switch, to ensure that the highest quality of data is sent to and from the CPU.

DS1 interface cards are used for T-1 circuits. The T-1 can be broken up or used in many different combinations of channels depending on how the technician chooses to wire it and the services needed.

Analog trunk line interface cards are used to connect the Amphenol connector to the switch CPU. The Amphenol connector is also known as an RJ21 connector.
This is a 25-pair cable that is the end of the circuit that the Phone Company is responsible for. This can also be used to take lines out of the PBX and then connect them to the MDF, which is the switching room.

The TSU is used to route touch-tone digits to specific circuits on the interface cards. A station can use one TSU for multiple circuits, so there is not an even balance of TSUs to line ports.

The TRU is used to interpret touch-tone data on a specific interface card. This performs the reverse of the operation that the TSU performs, and likewise has no fixed ratio to line ports.

The ring generator sends the ring voltage, which is 20 Hz, 90 volts, down the telephone line circuit to register that a complete circuit is being attempted. The designated telephone receives the signal that makes the telephone ring. If the phone is answered then the circuit is completed.

The station line cards have a wide variety of features and many configurations. These are not limited to analog transmission and can handle digital, and some will even support ISDN functions. These cards can support between eight and twelve telephone ports each.

I/O cards make it possible for the system to work. Without them the system would be useless. They make it possible to generate reports, to collect data for the telemanagement system and to transmit information.

Station line protectors protect against electrical spikes such as lightning. There are black and red protectors. The black protector is for standard circuits and the red is used for special circuits.

A PBX can offer a variety of services and features.
There is call forwarding, call holding, conference calling, voice mail, the ability to connect dictation equipment, least-cost routing to ensure that long distance calls are routed over the least-cost communication service, paging people throughout a facility, speed calling for often used numbers, SMDR to provide cost accounting information, non-blocking switching, the ability to change a telephone number using software instead of having to rewire, automatic call back, simultaneous transmission of voice and data, format and protocol conversion for interconnecting many different types of computers and vendors, authorization codes providing security, and connection of high speed outgoing circuits such as a T-1.

Because of the popularity of the PBX system, there is a vast number of companies that manufacture PBXs. The concept is the same, however each company's product will differ in many ways. Some of the major ones are AT&T, NEC, ROLM, MITEL, Fujitsu and Northern Telecom. Most PBXs are digital now and there are even some that are using the different wireless technologies. The demand for better phone networks increases daily. Since the birth of the telephone we have seen many advances in the telephony world. We will continue to see an advancement of PBX systems and technology.

How you can benefit from them ;)

(get used to putting ATS11=40 in your init string. It speeds dialing)

Thank you hazzmat for that very informational text on PBX's (i hope you get an A ;). Keep in mind I am not a c0de kiddie, i could really care less about free calls. Free Calls grow on trees. I am not writing this to get a whole slew of newbies in trouble. That is not my intention. I want the public to be informed on how to hack pbx's now a days. Actually not that much has changed. But if you have a few minutes, I can share with you my ideas on how to hack them, and what ive learned about not getting caught.
The main thing you want to keep in mind is, you want a Toll Free PBX, so you can call it from payphones and talk away, free of charge. The best way ive found to get them is to use Toneloc [or your favorite scanner] to scan for tones. Pick a prefix you think will be decent. When I pick a prefix I usually try even numbers, like (800) 828 or (800) 424, but it doesnt really matter.

What toneloc is doing when you scan for tones is, it puts the regular dial string with a W; after it. [ ie; ATDT1-800-343-2334 W; ] Try this in any terminal program to see if your modem can scan for PBX's:

ATDT950-1022 W;

What 950-1022 is, is MCIs PBX system [this is a local call]. You do NOT want to hack this, especially from home. Many old school hackers have gone down for it. But calling it once to test out your modem will be no problem.. So if all goes well, after you type that and wait a few seconds you should see

OK

If you see OK after the PBX gave a tone you know your modem will scan for PBX's. If you see NO CARRIER give it another shot; make sure you have your modem speaker on and you can hear when the pbx answers. If you still cant get it to say OK then try a different modem.

I am going to assume you got it to work ok. Once you have a found.log file with a few pbx's in them its time for the hack. Dont be stupid. Do not call ANY of those pbx's in the found.log from home {again}. You already called it once [with your computer], that was enuf; your ANI has already been logged by the company you called, but its no big deal, you havent done anything wrong!@

Print out the found.log and goto a payphone. Make sure you have a pen. Call the 1st one on the list. You really want to do this as fast as possible unless your in east bumfuck and have all day to waste. [hey, some ppl do ;] When you hear the familiar tone the 1st thing going thru your mind should be, "I want to find out how many digits this code is".
Most of the time this can be figured out by hitting 9 and seeing how many times you can hit it before you get another tone or a message comes on saying invalid code.

The best numbers to try 1st are:

9       wait a few seconds, see if you get another tone. This can be one of my favorites. Sometimes you will immediately get an unrestricted dialtone.
1+acn   see if it goes thru
9#      try hitting 9#, if that doesnt work try 8# and so on. its worth a shot

What you are really trying to get is a dialtone or a different tone than the one that answered. When you hear the different tone, you can pretty much guess you have an unrestricted dialtone.

If these first few methods didnt work [dont get discouraged, they probably wont, most companies are getting smarter] then you want to move on to the brute force method. Once you have established how many digits the pin you are looking for is [we are going to say this PBX is a 4 digit pin, because after it answers if you hit 4444 an operator comes on and says you have entered an invalid code] you get your pen and paper ready and write down something similar to this:

0000  2222  4321  5000  7000
1000  2345  4000  5111  7111
1111  3000  4444  5678  7777   [see a pattern developing?]
1234  3333  4567  6666  8888

Keep on calling back and trying the next code on the list. Those are just a few common ones for a 4 digit pin. I didnt list them all, i think you can figure it out. Try 9999 of course, it is usually a popular one ;>

If none of the codes work that you would think are the most moronic, you have to spend some time calling and entering #'s in sequentially. Eventually you will get it. If you are attempting this method use it on a 3 digit code pbx. 4 digit could take you forever w/o a computer. If you find that a PBX has an 8 digit code or more.
You have 3 options:

1) Say fuck that PBX, there is millions out there waiting for me
2) Hack it from home with your computer and get caught [bad choice]
3) Setup toneloc to hack it with a laptop from a junction box
   ^ dont bother, you will probably end up losing your laptop

So what im basically saying is stick with the 3 and 4 digit code PBX's. They are MUCH easier to gain access to. Move on down the list until you have circled the ones you want to try and hack. Dont spend too much time on one pbx unless you only have a few there.

If for some reason an operator comes on, hang up, dont mess with her. Call the PBX back at a later date and retry. Also some PBXs you will call and get a voice operator. Look at the time your computer found it and call back at that time; alot of PBX's have hours and will only work after the company is closed.

Once you have access to the PBX [if it is local setup an 800/888 to it], dont give it out to everyone. That is the quickest way to see one die. Keep it to yourself, never use it from home [i mean NEVER] and try to use 1010x codes before you call LD with it. [This should put all your LD calls on a separate bill from the main companies, hopefully extending the life of your PBX] In any case I think you can figure it out from here. I hope this clears up some questions.

l8z

shouts to: #416 #hemp #138 #x25 and of course #9x
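
Added example, not part of the original file: the call-back-and-retry pattern described above appears in call records as a burst of short calls to the remote-access number that end in an invalid code, often from changing caller numbers, and a PBX administrator can flag it as sketched here. The record layout, result labels, phone numbers and thresholds are constructed for illustration and are not any vendor's SMDR format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not a vendor SMDR format):
# timestamp, calling number, dialed remote-access number, seconds, code result
SAMPLE_SMDR = """\
2024-03-02T21:04:10,5551230001,8005550100,14,INVALID
2024-03-02T21:05:02,5551230001,8005550100,12,INVALID
2024-03-02T21:06:11,5551230444,8005550100,13,INVALID
2024-03-02T21:07:30,5551230444,8005550100,11,INVALID
2024-03-02T21:08:45,5551230444,8005550100,15,INVALID
2024-03-02T21:10:03,5551230444,8005550100,1820,OK
2024-03-03T09:15:00,5559870002,8005550100,240,OK
2024-03-03T10:00:00,5559870003,8005550199,9,INVALID
"""

def parse(text):
    """Yield (timestamp, caller, dialed, seconds, result) tuples."""
    for line in text.strip().splitlines():
        ts, caller, dialed, secs, result = line.split(",")
        yield datetime.fromisoformat(ts), caller, dialed, int(secs), result

def detect_code_guessing(records, window=timedelta(minutes=30), threshold=5):
    """Alert per dialed access number, ignoring caller ID, because the
    guesses may arrive from many different phones."""
    recent = defaultdict(deque)   # dialed number -> times of INVALID entries
    alerts = []
    for ts, caller, dialed, secs, result in sorted(records):
        fails = recent[dialed]
        while fails and ts - fails[0] > window:
            fails.popleft()       # drop failures older than the window
        if result == "INVALID":
            fails.append(ts)
            if len(fails) == threshold:
                alerts.append((ts, dialed, "GUESSING", caller))
        elif result == "OK" and len(fails) >= threshold:
            # A valid code right after a burst of failures: treat that
            # code as compromised and review the call's onward dialing.
            alerts.append((ts, dialed, "SUCCESS_AFTER_GUESSING", caller))
            fails.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_code_guessing(parse(SAMPLE_SMDR)):
        print(alert)
```

Counting failures per access number rather than per caller matters because the calls described above come from payphones, so the calling number is not a stable key.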