                                PBX SYSTEM TUTORIAL
        
                                    Steve Dahl
                                       AND
                                The Legion Of Doom!
                                     Present:
                                        
                           PBX's (Private Branch Exchanges)
                                  Local and WATS
      
     Because of the danger of using a blue box, many phreakers have
turned to MCI, Sprint, and other SCC's in order to get free calls.
However, these services are getting more and more dangerous, and even
the relatively safe ones like Metrofone and ALL-NET are beginning to
trace and bust people who fraudulently use their services. However,
(luckily), there is another, safer way.  This is the local and WATS
PBX. If you have a modem or interface for your computer capable of
tone dialing, you can find and make good use of a great many of these
"useful" numbers. If you don't have the hardware, it is still
possible, although it would be a VERY tedious process.
        
     The PBX, or private branch exchange, is a private switchboard
set up in office buildings, hotels, etc. It allows people within the
PBX to dial other exchanges directly, to place out-going calls (what
we're interested in), and sometimes to transmit their voice over the
intercom system. There will be at least 1 line going out of the PBX to
the telco set up for outgoing calls only, and there will also be at
least one incoming line to the switchboard. This is what we are
interested in. Some of the incoming lines are always answered by the
switchboard operator, but some will be answered by the PBX equipment.
It will usually answer with a dialtone; the tone will sound different
for different systems. Some even answer with a synthesized voice!
(These are very hard to find, though.) The ones which answer with a
dialtone are easy to find if you have a modem or hardware device
which can "hear" what's going on on the phone line.
        
     To find these fun thingies, you will have to write a scanner
program which will dial each number in a prefix, either sequentially
or in a random order, it really doesn't matter, and "listen" on the
line for a constant sound longer than the normal length of a ring.
This could be done manually but it would take a hell of a long time.
Whenever the program finds a number that makes a constant tone longer
than a ring, it should record the number in an array or something.
Now, this number can be one of a few things. A noisy answering
machine, a Sprint, MCI, etc access node, a person who yells in the
fone, the tone side of a loop (nice), possibly a carrier if your
modem can "hear" tones that high, or, hopefully, a PBX line. All your
scanning should be done between 6 PM and 7 AM because between 7 AM
and 6 PM, many of these numbers will be answered by the switchboard
operator. When you are checking out your results the next day and
come across a dialtone, enter some touch-tone (TM) digits. Depending
on which type of PBX equipment and the length of the codes, after 3-8
digits it should either give a busy signal, a "reeler tone" (high-low
tone), or hang up on you, or possibly tell you you entered a bad
code. Now it is time to write a hacker for this PBX. If the codes are
3 or 4 digits, there will most likely only be one code, but if they
are 5 or more digits there may be more than one. If there are 3 or 4,
your hacker should dial the access number, wait for a dialtone, then
dial the digits and wait for a second, then dial a "1" (the reason
for this will be explained shortly), and then "listen" for a
dialtone. This would be a hacker for a system that gives a reeler
tone, listening for the dial-tone and hearing it would really mean
the presence of the reeler tone and mean that a bad code had been
entered. The reason 1 is entered is to "quiet" the dialtone. If it
was a good code, 1XX or 1XXX will be valid extensions on practically
all PBX's. If your system gives a re-order or hangs up after a bad
code, forget the one and just listen for a dialtone, this will be a
good code. If there are 3 or 4 digits, they should be tried
sequentially (because there will probably only be one good one), if
there are more, take your pick between random and sequential. Now,
when you (finally!!) get a good code, you will call the number and
enter the code and be confronted with a second dialtone. THIS IS THE
EXACT SAME DIALTONE THAT ANYONE WHO PICKS UP A PHONE IN THAT PBX
SYSTEM GETS. The reason this is important is because if they want to
make an out-going call, they will usually pick up the fone and dial
8, 9, or sometimes 7, and get another dialtone and then make their
call, local or long distance. And you can do the same thing right
now! These numbers also make a good tool to avoid being traced on
Telenet, etc, it will just be traced back to the company which owns
the PBX.
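
Seen from the PBX owner's side, the code guessing described above leaves a distinct trail in the call records of the dial-in line. The following is an added example, not part of the original file: it assumes a constructed log format and hypothetical names (`IN-3`, `audit`), and flags any night with a burst of bad codes, whether the guesses ran sequentially, and which code was accepted after the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for one dial-in line. The record format is an
# assumption for this example, not any real PBX's call-record layout.
SAMPLE_LOG = """\
1984-05-01 14:05 line=IN-3 code=7741 result=OK
1984-05-01 23:10 line=IN-3 code=0410 result=FAIL
1984-05-01 23:12 line=IN-3 code=0411 result=FAIL
1984-05-01 23:14 line=IN-3 code=0412 result=FAIL
1984-05-01 23:16 line=IN-3 code=0413 result=FAIL
1984-05-02 00:40 line=IN-3 code=0414 result=FAIL
1984-05-02 00:42 line=IN-3 code=0415 result=OK
1984-05-02 09:30 line=IN-3 code=7741 result=OK
1984-05-02 10:15 line=IN-3 code=7714 result=FAIL
"""

def parse(line):
    date, clock, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")
    return rec

def after_hours(ts):
    # The 6 PM to 7 AM window in which the text says scanning is done.
    return ts.hour >= 18 or ts.hour < 7

def night_of(ts):
    # Calls after midnight belong to the night that began the evening before.
    return (ts - timedelta(hours=7)).date()

def audit(log, max_fails=3):
    """Return one alert per (line, night) with more than max_fails bad codes."""
    nights = defaultdict(list)
    for rec in map(parse, log.splitlines()):  # records assumed in time order
        if after_hours(rec["ts"]):
            nights[(rec["line"], night_of(rec["ts"]))].append(rec)
    alerts = []
    for (line, night), recs in sorted(nights.items()):
        fails = [r for r in recs if r["result"] == "FAIL"]
        if len(fails) <= max_fails:
            continue
        codes = [int(r["code"]) for r in fails]
        steps = sum(b - a == 1 for a, b in zip(codes, codes[1:]))
        hit = next((r["code"] for r in recs if r["result"] == "OK"
                    and r["ts"] > fails[0]["ts"]), None)
        alerts.append({"line": line, "night": str(night), "fails": len(fails),
                       "sequential": steps == len(codes) - 1,
                       "code_to_revoke": hit})
    return alerts
```

A code accepted right after such a burst should be changed that night, not weeks later when the bill shows the calls.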
        
     Now for some phun with the PBX you have just broken into. You
can dial all extensions directly on it (which is what local PBX'S are
primarily used for legitimately, unless the company has OUTWATS
lines.)  The most phun extension of all is the PA system. On some of
these, you can get on the PA (intercom) and actually talk over it
from your house! It can be on almost any extension though, so you may
have to hunt for it. On some, 797 or 1234 used to work, but those
have mostly been eliminated, not due to phreakers but because people
inside the company were figuring them out and using them!
        
     Some PBX's don't even have security codes, you can just call up
and dial 9 and call wherever you want. On a few that I know of you
enter the number and then the code. If you want to know what these
systems "sound" like, there are files on this and other systems with
long lists of WATS PBX numbers. The local ones are much safer to hack
though because you are not making a whole bunch of 800 calls which
tends to get Bell very pissed. Also, I have actually found modems and
other weird things on some exchanges of PBX's, it might be worthwhile
to scan the numbers inside the PBX once to see what you find.
        
     An important safety note: if you heavily abuse a PBX and make
many outgoing calls on it, after a few weeks (or whenever their fone
bill shows up!) it is a good idea to lay off of it for a couple of
months or so because they could get a trace on it easily, just like
800's. They will usually just change the code, though.
        
    
                           Steve Dahl
                           5/1/84
        
This phile is copyrighted 1984 by LOD/PNET Telecommunications and
Steve Dahl and is not to be re-posted w/out the author's consent! (>



