  
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+* 
                The Official Guide To Exchange Scanning 
                        By The Mob Boss 
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+* 
I. Introduction 

- What is Exchange Scanning? 

        This is something a lot of people haven't learned to use and enjoy. To 
be truthful, I thought it was a complete thing of the past, a practice 
confined to the 80's and the movie WARGAMES. I quickly changed my mind 
about it after I started doing some scanning and started seeing 
results. To my surprise there aren't many texts on this topic, so I 
decided this would be my fourth text in the h/p field. Simply put, 
exchange scanning, or wardialing, is the act of dialing all the numbers 
in an exchange in hopes of finding something hack/phreak worthy. For 
those who don't know, an exchange is the first three digits of a local 
number. 

Diagram A. 

(xxx) yyy - zzzz 
  |    |      | 
  |    |      Numbers from 0000 to 9999 
  |    Exchange 
  Area Code 

That's a very simple breakdown of the numbering plan. Basically, if you 
wanted to scan your own exchange, considering your phone number is 
(718)555-1212, you would start dialing 555-0000 right up to 555-9999. 
It's not that hard at all. Exchange scanning can be done by one of two 
methods. One method is by using a program called a wardialer or 
demondialer. The other way, and the only way I do it these days, is by 
hand. Hand scanning is far more accurate than a wardialer program. 
Also, there are some legal aspects of wardialing to be consulted in the 
body of this text. Another thing I quickly found out was that a very 
popular DOS based wardialer, ToneLoc, did not work well with my modem. 
From what people tell me, a nice old modem--a 2400 baud one, for 
instance--would do a lot better. If you think about it, that makes 
sense considering this program was not written with the newer 56k and 
V.90 modems in mind. If you do decide to use a program, I suggest that 
special care is taken, and I also recommend ToneLoc. Think of exchange 
scanning as exploring; you are mapping uncharted territory. With 
patience, it can be valuable entertainment and a useful learning tool. 
Consider the fact that this was the ONLY way to get any systems to mess 
with. Back in the old days (pre-World Wide Web), it was something quite 
interesting to do. It has become pretty extinct simply because no one 
takes the time anymore to go for it. If anyone has ever seen the movie 
WARGAMES, where the hacker kid is looking for the computer number to 
some company, he uses a wardialer to attempt to find it. The important 
point they missed was how many other things you can find besides 
computers, and that's where things get interesting. 

What can we find by Exchange Scanning? 

        Now that I have piqued your interest, let me tell you about some of 
the strange and interesting stuff you can find. First and foremost, you 
will find computers. Sometimes a carrier will do nothing; other times 
you will get a login prompt, and then--if you're really 
privileged--you may be in a system without even needing a password. 
Although I have never been so lucky as to log in password-free, I know 
people who have found such a carrier. Sometimes these systems are 
little stores or personal computers. If it is a store, then it is 
likely you will be staring at store records. If you do get that far, 
then I expect you will know to use your good judgment and ethics on 
what to do. Another thing you may find is telephone company test 
numbers. Now, of course, the telco doesn't want you to find these; 
nevertheless, when you do, it can be really fun. The most famous of 
test numbers is loops. These were used to test lines, but more 
importantly to us, they were used to talk to another person free of 
charge, occasionally, and anonymously, since neither one of you has to 
supply a number. Here's how it works: there are two numbers--something 
like 555-9999 and 555-9998. These are looped together and will pass 
sound if vulnerable. These were prime, back in the old days, but have 
become pretty rare since then. The telco caught on and put an end to 
it. Now, among test numbers, you will also find things like voice mail, 
answering machines, and PBXs (if you don't know what a PBX is, then 
you really need to find a text on it). These have remote access, and as 
we all know, anything with remote access is not 100% secure. These are 
just some of the things you will find. Being creative is the key, as 
always, so use your head and think of a new use for something. That's 
what being a hacker and phreaker is all about. 

Legal Aspects 
  
        It seems you can't do anything these days without having some lousy 
bureaucrat making some kind of law which has the sole purpose of 
bothering you. These laws seem so ridiculous, maybe because the people 
making them know nothing regarding computers or telecommunications, let 
alone the security of them. The point is, in some areas of the United 
States there are some laws regarding it. I won't go too far into this 
because I simply don't know the rules and regulations in every city and 
state. I know that in Connecticut, my current home, there are some laws 
on the books regarding scanning; from what my friend has told me about 
these, and I quote, "The laws are the equivalent of jaywalking." I do 
not know how lenient your telco and judicial system are in your area, 
but I would investigate it. If you don't get in trouble with the law, 
you may be pissing off your local telco. They may even shut off your 
phone line temporarily or permanently. If you're scared, then either 
don't scan or take the precautions that I will recommend. At most, your 
only problem may be angry call backs, but with some simple techniques, 
even that could be eliminated. 
  

II. Exchange Scanning Explained 

Getting Started 

        First step is to figure out whether you want to have a program scan 
for you or whether you're going to scan by hand. Now, unless you're 
scanning for the sole purpose of finding carriers and you're not afraid 
of going toe to toe with the telco equipment looking to catch your ass 
(thank ESS for that), then by all means use ToneLoc or some other 
program. Now if you wanna be a real man, go for hand scanning. This is 
how we begin. First thing to decide is whether we are going to scan 
local or toll-free numbers. Now if you scan locally, you are going to 
get plenty of pain-in-the-ass residential numbers with nothing 
interesting. Now, if you scan toll-free numbers late at night, it will 
be nothing more than ALL businesses with no one except the voice mail, 
computers, and PBXs picking up. The only problem is that systems on 
toll-free numbers are better protected and you will have to worry about 
ANI (Automatic Number Identification). Consider it Caller ID on 
steroids. Your precious *67 is useless with this. They have got your 
number either way. If you scan at night when 95% of the numbers have 
nobody answering the phone, then you will be fine scanning toll-free 
numbers. If you scan locally you may be able to hide your number a 
little better (*67), and you will also find things which are more 
vulnerable to cracking. My advice is to try a little of each. To get 
started, get yourself a good pen, a pad, a decent phone, and, if you 
can get hold of one, a tape recorder. Get comfortable and get ready 
for some scanning. Now, unless you have taken some heavy duty 
precautions, DO NOT ATTEMPT TO HACK ANYTHING FROM YOUR OWN LINE. You 
will get busted, and do not come crying to me when you do. This is 
simply to get some numbers to hack later on when the correct 
precautions can be taken. Now I recommend you scan in blocks of 100; 
this can be done in about an hour or so, that is, if you're not hacking 
anything heavily while doing this initial scan. If you stop and mess 
with systems on the way, then expect two hours. Like I was saying, make 
a list of all the numbers (or obtain one from my site under "Products") 
and then sit down, pick a number at random, and start scanning. Cross 
off the number as you go and make notes of anything you come across. 
The reason I say to make a list and pick randomly is because the telco 
is looking for sequential scanning. Doing it randomly will cover your 
ass a little bit better. 
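
From the telco's side of the fence, here is an added illustration (not part of the original text) of why random ordering is a thin cover: a detector that counts how many distinct numbers in one exchange a single line reaches within an hour does not care about dialing order. The CDR layout ("timestamp,caller,callee,seconds") and the sample records are constructed for this example, not taken from any real switch.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed CDR layout (constructed, not a real switch format): "ISO-timestamp,caller,callee,seconds"
def parse_cdr(lines):
    records = []
    for line in lines:
        if line.strip() and not line.startswith("#"):
            ts, caller, callee, secs = line.strip().split(",")
            records.append((datetime.fromisoformat(ts), caller, callee, int(secs)))
    return records

def scan_suspects(records, window=timedelta(hours=1), min_distinct=50):
    """Return {(caller, npa_nxx): n} for callers that reached n >= min_distinct
    different numbers in one destination exchange within `window`.
    Dialing order is deliberately ignored: a randomised scan is still a scan."""
    by_key = defaultdict(list)
    for ts, caller, callee, _ in records:
        by_key[(caller, callee[:6])].append((ts, callee))   # NPA-NXX = first 6 digits
    suspects = {}
    for key, calls in by_key.items():
        calls.sort()
        best = start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:  # slide window forward
                start += 1
            best = max(best, len({c for _, c in calls[start:end + 1]}))
        if best >= min_distinct:
            suspects[key] = best
    return suspects

def constructed_cdr():
    """Constructed sample: 2035550001 hand-scans 718-555-0000..0099 in random
    order, one call every 55 s; 2035550002 makes five ordinary calls."""
    rng = random.Random(1999)
    targets = [f"718555{n:04d}" for n in range(100)]
    rng.shuffle(targets)
    t0 = datetime(1999, 3, 2, 1, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=55 * i)).isoformat()},2035550001,{n},8"
             for i, n in enumerate(targets)]
    lines += [f"{(t0 + timedelta(minutes=10 * i)).isoformat()},2035550002,718555{i:04d},300"
              for i in range(5)]
    return lines

if __name__ == "__main__":
    for (caller, nxx), n in scan_suspects(parse_cdr(constructed_cdr())).items():
        print(f"{caller} reached {n} distinct numbers in exchange {nxx} within one hour")
```

The scanning line is flagged with 66 distinct numbers inside a single one-hour window even though it never dialed two adjacent numbers in a row; the line making a handful of long calls is not.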

Identifying Your Findings 

        Some of you may be asking, "How do I know when I have found 
something?" This is a question everyone asks when they start scanning, 
but the answer is fairly simple. You will slowly start to learn about 
each type of system, from voice mail to answering machines and test 
numbers to PBXs. The key is using your head. When you call something 
up, play around with whatever it is. For instance, you call up some 
number and it says to leave a message. Now this could be a voice mail 
box or it can be an answering machine. We all know VMBs are more 
professional than an answering machine, not to mention have more 
options. Use that knowledge to come to a conclusion regarding the 
number. How was the clarity of the message? Did it have a menu? Did you 
get prompted for a login when you hit *, #, or 9? What happens when you 
press other keys? It's not that hard to figure out. Now let's say you 
come across a single long tone. How do you know if it's a PBX or a test 
number or something? Well, hit different keys and see what happens. Did 
you happen to hit something and it dropped out to a fast busy signal or 
even a dial tone? Then you most likely came across a PBX, which most of 
the time requires a passcode. The key to finding out what you have 
found is simply to attempt to learn about it. It's a puzzle and you're 
trying to solve it. I guess the best step to take is to read up about 
all these different things you're finding. I couldn't possibly fit in a 
how-to on each system you will find, not to mention it would be 
pointless considering how many excellent voice mail and PBX texts are 
out there. If you really get interested in some kind of phone system, 
such as maybe a piece of voice mail software, go ahead and get a copy 
and try it out. Learning is the key here. One other thing a lot of 
people make a mistake about is telling the difference between a modem 
and a fax machine. What I did was call up my ISP's dialup on the phone 
and listen. Afterwards, I called up a fax number of some real-estate 
company and then listened to that. Once you compare them like that, you 
won't mistake them while scanning. As a last word on identifying 
things, I strongly suggest you go out on the net or a BBS and get some 
texts on VMBs, answering machines, PBXs, and loops. That should get 
you started and will help you on your way. The only way to get a real 
handle on this stuff is to get out there and try things out. By the 
way, here's a piece of advice for when you find something password 
protected. Make like an idiot and think what they would pick. Does 1234 
sound familiar ;) 
  

III. Avoiding Detection and Keeping Out Of Trouble 

Payphones 

        The first, most obvious protection method is to use a payphone. A 
telco owned one or a COCOT--it's up to you. Now, this may not go too well 
if you are doing local numbers, since it costs 25 or 30 cents each time 
(unless of course you have a way around that). The best use for 
payphones is scanning toll-free numbers. Yes, this can be a pain in the 
ass, but if you're at one of the drive-up phones with a laptop and an 
acoustic coupler, then life could be peachy. I wouldn't stay there too 
long though, especially if it's daylight out. But, it can be an 
interesting alternative to the usual scanning cliches. Feel free to use 
a program here and even hack PBXs and such too. It's not traceable to 
you, so why should you care? From what I know, as long as you don't 
open your mouth, there is no way you can get in trouble doing this. 

Calling Cards 
  
        Here's an idea that takes extra time, but it is something that can be 
used to hide your number. Although I might suggest this more 
for actually hacking, your number can be hidden if you use a calling 
card with your scanning. For instance, if you wanted to scan some long 
distance exchange in another area code, you could do so. For some 
people, this is practical, but if you're not one who comes across a 
lot of calling cards, then this will be very costly to you and 
therefore unadvisable. 

Beige Boxing 
  
        This most certainly is not for the weak-hearted or absent-minded, 
since it can be very risky. However, if you do get some kind of very 
easy chance to beige box off your neighbor, then by all means, scan 
your little heart out. Scan an exchange in China if you like; you're 
not paying the bill. Although that could be fun, if you scan all 
toll-free numbers, then this is something that can be used for a long, 
long time--until the feds bust down your neighbor's door and arrest them 
for screwing with the White House's toll-free number, of course. 

Net2Phone 

        This is one of the newer methods of protecting yourself, but something 
which can be very nice. Net2Phone is a company and program which allows 
you to make calls over the internet via your sound card. They want you 
to pay for long distance calls and things, but they don't care if you 
call toll-free numbers. In fact, you can open an account with all fake 
information and scan your heart out in either the 800, 888, or 877 
areas and their corresponding exchanges. They have not once bothered me 
and I have been scanning for months. This is a great free program and 
defeats the dreaded ANI without haste. In fact, your ANI will show up 
as 212-209-0000, I believe. You can get Net2Phone at www.net2phone.com. 
  
  

IV. Conclusion 

Common Sense 

        Unfortunately, common sense is not something I can teach, so I leave 
this up to all of you up and coming hackers and phreakers to learn for 
yourselves. What I will say does not only apply to scanning or even just 
h/p. It applies to everything. Some basic self discipline will keep you 
having fun and learning for a long time without the Gestapo--we know 
them as the authorities--bothering you. One big rule, which people 
don't get, is keeping your mouth shut. There is no reason to tell 
anyone anything. You don't have to deny you're a hacker. In fact, be 
proud, but don't write a goddamn map on how you do things and what you 
have done. This goes for on and off the net. If you're talking to some 
jackass on IRC and he is saying something like, "Y0u a1n'T g0t n0 
5K177z y0, WhAt HaVe y0u 3v3r d0n3?", don't take the bait. You don't 
know who this guy is. All you know is that you're angry and you want to 
show off. If you do that, or you share a little too much, then you will 
get screwed. There are dozens of stories I have seen and heard that 
will prove that. Forget about those people. Another rule of self 
discipline is to use your instincts. It's a great thing being human, 
since we have those dark, deep, animal-like instincts. Feel it when 
something is not right, when someone is watching, or something is going 
to happen. Use paranoia. Don't let it eat you up inside, either. Learn 
those rules and you will live a happier life. 

Final Thoughts 

        Now that you have learned a little bit about exchange scanning, get 
out there and do it. Have some fun and learn about as many different 
PBXs, VMBs, and answering machines as you can. Soon, you'll be able to 
crack something in your sleep. You'll begin to see the same system 
again and you'll have the knowledge and power to say, "Hey! I know all 
about that system. It's a xxxx. Yeah, its default code is xxxx." When 
you get to that point, it feels really good. For those who didn't like 
this article or who already knew about exchange scanning, why did you 
read this far? That's all for now. 
  

- The Mob Boss; http://mobboss.dragx.cx 
Voicemail and fax: 1-877-203-3043 

Co-Edited by DisEntry 
  

This has been a publication written by THE MOB BOSS; he is in no way 
responsible for the accuracy or results of the use of info in this 
article. Anything done is totally done at the user's discretion. THE MOB 
BOSS in no way or form supports, aids, or participates in the act of 
criminal hacking or phreaking. Any ideas, beliefs, and information 
gathered in all publications published by THE MOB BOSS are strictly for 
informational purposes only. 
THE MOB BOSS, copyright 1999, all rights reserved. 
  
  
