
The Official Guide To Exchange Scanning

From Higher Intellect Vintage Wiki
                        By The Mob Boss

I. Introduction

- What is Exchange Scanning?

        This is something a lot of people haven't learned to use and enjoy. To
be truthful I thought it was a complete thing of the past, a practice
confined to the 80's and the movie WARGAMES. I quickly changed my mind
about it after I started doing some scanning and started seeing
results. To my surprise there aren't many texts on this topic so I
decided this would be my fourth text in the h/p field. Simply put,
exchange scanning, or wardialing, is the act of dialing all the numbers
in an exchange in hopes of finding something hack/phreak worthy. For
those who don't know, an exchange is the first three digits of a local

Diagram A.

   (718) 555-1212
     |    |    |
     |    |    |____ Numbers from 0000 to 9999
     |    |____ Exchange
     |____ Area Code

That's a very simple breakdown of the numbering plan. Basically, if you
wanted to scan your own exchange, considering your phone number is
(718)555-1212, you would start dialing 555-0000 right up to 555-9999.
It's not that hard at all. Exchange scanning can be done by one of two
methods. One method is by using a program called a wardialer or
demondialer. The other way and the only way I do it these days is by
hand. Hand scanning is far more accurate than a wardialer program.
Also, there are some legal aspects of wardialing to be consulted in the
body of this text. Another thing I quickly found out was that a very
popular DOS based wardialer Toneloc did not work well with my modem.
From what people tell me, a nice old modem--a 2400 baud one, for
instance--would do a lot better. If you think about it, that makes
sense considering this program was not written with the newer 56k and
V.90 modems in mind. If you do decide to use a program, I suggest that
special care is taken, and I also recommend Toneloc. Think of exchange
scanning as exploring; you are mapping uncharted territory. With
patience, it can be valuable entertainment and a useful learning tool.
Consider the fact that this was the ONLY way to get any systems to mess
with. Back in the old days (pre-world wide web), it was something quite
interesting to do. It has become pretty extinct simply because no one
takes the time anymore to go for it. If anyone has ever seen the movie
WARGAMES, where the hacker kid is looking for the computer number to
some company, he uses a wardialer to attempt to find it. The important
point they missed was how many other things you can find besides
computers, and that's where things get interesting.

What can we find by Exchange Scanning?

        Now that I have piqued your interest, let me tell you about some of
the strange and interesting stuff you can find. First and foremost, you
will find computers. Sometimes a carrier will do nothing; other times
you will get a login prompt, and then--if you're really
privileged--you may be in a system without even needing a password.
Although I have never been so lucky to login password-free, I know
people who have found such a carrier. Sometimes these systems are
little stores or personal computers. If it is a store, then it is
likely you will be staring at store records. If you do get that far,
then I expect you will know to use your good judgment and ethics on
what to do. Another thing you may find is telephone company test
numbers. Now, of course, the telco doesn't want you to find these;
nevertheless, when you do, it can be really fun. The most famous of
test numbers is loops. These were used to test lines, but more
importantly to us, they were used to talk to another person free of charge
occasionally and anonymously, since neither one of you has to supply a
number. Here's how it works: there are two numbers--something like
555-9999 and 555-9998.  These are looped together and will pass sound
if vulnerable. These were prime, back in the old days, but have become
pretty rare since then. The telco caught on and put an end to it. Now,
among test numbers, you will also find things like voice mail,
answering machines, and PBX's (if you don't know what a PBX is, then
you really need to find a text on it). These have remote access and as
we all know anything with remote access is not 100% secure. These are
just some of the things you will find. Being creative is the key, as
always, so use your head and think of a new use for something. That's
what being a hacker and phreaker is all about.

Legal Aspects
        It seems you can't do anything these days without having some lousy
bureaucrat making some kind of law which has the sole purpose to bother
you. These laws seem so ridiculous, maybe because the people making
them know nothing regarding computers or telecommunications, let alone
the security of it. The point is, in some areas of the United States
there are some laws regarding it. I won't go too far into this because
I simply don't know the rules and regulations in every city and state.
I know that in Connecticut, my current home, there are some laws on the
books regarding scanning; from what my friend has told me about these,
and I quote, "The laws are the equivalent of jaywalking." I do not know
how lenient your telco and judicial system is in your area, but I would
investigate it. If you don't get in trouble with the law you may be
pissing off your local telco. They may even shut your phone line
temporarily or permanently. If you're scared, then either don't scan or
take the precautions that I will recommend. At most, your only problem
may be with angry call backs but with some simple techniques, even that
could be eliminated.

II. Exchange Scanning Explained

Getting Started

        First step is to figure out whether you want to have a program scan
for you or whether you're going to scan by hand. Now, unless you're
scanning for the sole purpose of finding carriers and you're not afraid
of going toe to toe with the telco equipment looking to catch your ass
(thank ESS for that), then by all means use Toneloc or some other
program. Now if you wanna be a real man, go for hand scanning. This is
how we begin. First thing to decide is whether we are going to scan
local or toll-free numbers. Now if you scan locally, you are going to
get plenty of pain-in-the-ass residential numbers with nothing
interesting. Now, if you scan toll-free numbers late at night, it will
be nothing more than ALL businesses with no one except the voice mail,
computers, and PBX's picking up. The only problem is that systems on
toll-free numbers are better protected and you will have to worry about
ANI (Automatic Number Identification). Consider this Caller ID on
steroids. Your precious *67 is useless with this. They have got your
number either way. If you scan at night when 95% of the numbers have
nobody answering the phone, then you will be fine scanning toll-free
numbers. If you scan locally you may be able to hide your number a
little better (*67), and you will also find things which are more
vulnerable to cracking. My advice is to try a little of each. To get
started, get yourself a good pen, a pad, a decent phone, and if you
can get a hold of one, a tape recorder. Get comfortable and get ready
for some scanning. Now, unless you have taken some heavy duty
will get busted and do not come crying to me when you do. This is
simply to get some numbers to hack later on when the correct
precautions can be taken. Now I recommend you scan in blocks of 100;
this can be done in about an hour or so, that is if you're not hacking
anything heavily while doing this initial scan. If you stop and mess
with systems on the way, then expect two hours. Like I was saying, make
a list of all the numbers (or obtain one from my site under "Products")
and then sit down, pick a number at random, and start scanning. Cross
off the number as you go and make notes of anything you come across.
The reason I say to make a list and pick randomly is because the telco
is looking for sequential scanning. Doing it randomly will cover your
ass a little bit better.
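The remark that the telco watches for sequential dialing has an operator's side that the text does not show. The script below is an added example, not code from the original article or its author: it runs a simple scan detector over constructed call detail records (CDRs). The CDR line format, the thresholds (20 distinct numbers in one exchange inside an hour, average connect time under 30 seconds) and the three sample callers are all my assumptions. It labels the dialing order as sequential or random, which shows that a rule based on how many distinct numbers in one exchange a line reaches fires either way.

```python
"""Exchange-scan detection over call detail records.

Added example, not code from the original article: the operator's side
of the "telco is looking for sequential scanning" remark. The CDR line
format, the thresholds and the sample records are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import random


def make_sample_cdrs(seed=1):
    """Constructed CDRs: '<ISO timestamp> <caller> <callee> <seconds connected>'."""
    rng = random.Random(seed)
    t0 = datetime(2024, 1, 5, 1, 0, 0)
    lines = []
    # Caller A: 40 distinct 718-555-xxxx numbers in a shuffled order, short calls.
    for i, sub in enumerate(rng.sample(range(10000), 40)):
        ts = (t0 + timedelta(seconds=70 * i)).isoformat()
        lines.append(f"{ts} 7185550101 718555{sub:04d} {rng.randint(2, 15)}")
    # Caller B: the same exchange dialed in order, 555-0000 upward.
    for i in range(40):
        ts = (t0 + timedelta(seconds=65 * i)).isoformat()
        lines.append(f"{ts} 7185550202 718555{i:04d} {rng.randint(2, 15)}")
    # Caller C: ordinary use, a few numbers, long conversations.
    for i, sub in enumerate([1212, 1212, 4040, 7777]):
        ts = (t0 + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} 7185550303 718555{sub:04d} {rng.randint(120, 600)}")
    return lines


def parse_cdr(line):
    ts, caller, callee, secs = line.split()
    return datetime.fromisoformat(ts), caller, callee, int(secs)


def split_nanp(number):
    """Split a North American number into (area code, exchange, subscriber)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]  # drop the long-distance prefix
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit NANP number: {number!r}")
    return digits[:3], digits[3:6], digits[6:]


def dialing_pattern(subscribers):
    """'sequential' when nearly every dial steps +1 from the last one, else 'random'."""
    if len(subscribers) < 2:
        return "random"
    up_steps = sum(1 for a, b in zip(subscribers, subscribers[1:]) if int(b) - int(a) == 1)
    return "sequential" if up_steps >= 0.8 * (len(subscribers) - 1) else "random"


def detect_scans(lines, window=timedelta(hours=1), min_distinct=20, max_avg_secs=30):
    """Flag (caller, exchange) pairs with many distinct short calls inside one window."""
    groups = defaultdict(list)
    for line in lines:
        ts, caller, callee, secs = parse_cdr(line)
        area, exchange, sub = split_nanp(callee)
        groups[(caller, area + exchange)].append((ts, sub, secs))

    alerts = []
    for (caller, exchange), calls in groups.items():
        calls.sort()  # chronological
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1
            span = calls[start:end + 1]
            distinct = {sub for _, sub, _ in span}
            avg_secs = sum(secs for _, _, secs in span) / len(span)
            if len(distinct) >= min_distinct and avg_secs <= max_avg_secs:
                alerts.append({"caller": caller, "exchange": exchange,
                               "distinct": len(distinct),
                               "pattern": dialing_pattern([sub for _, sub, _ in span])})
                break  # one alert per caller/exchange pair
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(make_sample_cdrs()):
        print(alert)
</test>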

Identifying Your Findings

        Some of you may be asking, "How do I know when I have found
something?" This is a question everyone asks when they start scanning,
but the answer is fairly simple. You will slowly start to learn about
each type of system from voice mail to answering machines and test
numbers to PBXs. The key is using your head. When you call something
up, play around with whatever it is. For instance, you call up some
number and it says to leave a message. Now this could be a voice mail
box or it can be an answering machine. We all know VMB's are more
proffesional then an answering machine, not to mention have more
options. Use that knowledge to come to a conclusion regarding the
number. How was the clarity of the message? Did it have a menu? Did you
get prompted for a login when you hit *, #, or 9? What happens when you
press other keys? It's not that hard to figure out. Now lets say you
come across a single long tone. How do you know if its a PBX or a test
number or something? Well, hit differnet keys and see what happens. Did
you happen to hit something and it dropped out to a fast busy signal or
even a dial tone? Then you most likely came across a PBX which most of
the time requires a passcode. The key to finding out what you have
found is simply to attempt to learn about it. Its a puzzle and youre
trying to solve it. I guess the best step to take is to read up about
all these different things your finding. I couldn't possibly fit in a
how-to on each system you will find, not to mention it would be
pointless considering how many excellent voice mail and PBX texts are
out there. If you really get interested in some kind of phone system,
such as maybe a peice of voice mail software, go ahead and get a copy
and try it out. Learning is the key here. One other thing a lot of
people make a mistake about is telling the difference between a modem
and a fax machine. What I did was call up my ISP's dialup on the phone
and listened. Afterwards, I called up a fax number of some real-estate
company and then listened to that. Once you compare them like that, you
won't mistake them while scanning. As a last word on identifying
things, I strongly suggest you go out on the net or BBS and get some
texts on VMB's, answering machines, PBX's, and Loops. That should get
you started and will help you on your way. The only way to get a real
handle on this stuff is to get out there and try things out. By the
way, here's a peice of advice for when you find something password
protected. Make like an idiot and think what they would pick. Does 1234
sound familiar ;)

III. Avoiding Detection and Keeping Out Of Trouble


        The first, most obvious protection method is to use a payphone. A
telco owned one or a Cocot--its up to you. Now, this may not go to well
if you are doing local numbers, since it costs 25 or 30 cents each time
(unless of course you have a way around that). The best use for
payphones is scanning toll-free numbers. Yes, this can be a pain in the
ass, but if you're at one of the drive-up phones with a laptop and an
accoustic coupler, then life could be peachy. I wouldn't stay there too
long though, especially if its daylight out. But, it can be a
interesting alternative to the usual scanning cliches. Feel free to use
a program here and even hack PBXs and such too. It's not traceable to
you, so why should you care. From what I know, as long as you don't
open your mouth, there is no way you can get in trouble doing this.

Calling Cards
        Here's an idea that takes extra time, but is something that can be
used to hide your number, though. Although I might suggest this more
for actually hacking, your number can be hidden if you use a calling
card with your scanning. For instance, if you wanted to scan some long
distance exchange in another area code, you could do so. For some
people, this is practical, but if you're not one that comes across a
lot of calling cards, then this will be very costly to you and
therefore unadvisable.

Beige Boxing
        This is most certainly is not for the weak hearted or absent minded,
since it can be very risky. However, if you do get some kind of very
easy chance to beige box off your neighbors, then by all means, scan
your little heart out. Scan an exchange in China if you like; you're
not paying the bill. Although that could be fun, if you scan all
toll-free numbers, then this is something that can be used for a long,
long time until the feds bust down your neighbors door and arrest them
for screwing with the White House's Toll-Free number, of course.


        This is one of the newer methods of protecting yourself, but something
which can be very nice. Net2Phone is a company and program which allows
you to make calls over the internet via your sound card. They want you
to pay for long distance calls and things, but they don't care if you
call toll-free numbers. In fact, you can open an account with all fake
information and scan your heart out in either the 800, 888, or 877
areas and their corresponding exchanges. They have not once bothered me
and I have been scanning for months. This is a great free program and
defeats the dreaded ANI without haste. In fact, your ANI will show up
as 212-209-0000, I believe. You can get Net2Phone at

IV. Conclusion

Common Sense

        Unfortunately, common sense is not something I can teach so I leave
this up to all of you up and coming hackers and phreakers to learn for
yourself. What I will say does not only apply to scanning or even just
h/p. It applies to everything. Some basic self discipline will keep you
having fun and learning for a long time without the Gestapo--we know
them as the authorities--bothering you. One big rule, which people
don't get, is keeping your mouth shut. There is no reason to tell
anyone anything. You don't have to deny you're a hacker. In fact, be
proud, but don't write a goddamn map on how you do things and what you
have done. This goes for on and off the net. If your talking to some
jackass on IRC and he is saying something like, "Y0u a1n'T g0t n0
5K177z y0, WhAt HaVe y0u 3v3r d0n3?", don't take the bait. You don't
know who this guy is. All you know is that you're angry and you want to
show off. You do that or you share a little too much, then you will get
screwed. There are dozens of stories I have seen and heard that will
prove that. Forget about those people. Another rule of self discipline
is to use your instincts. It's a great thing being human since we have
those dark, deep, animal-like instincts. Feel it when something is not
right, when someone is watching, or something is going to happen. Use
paranoia. Don't let it eat you up inside, either. Learn those rules and
you will live a happier life.

Final Thoughts

        Now that you have learned a little bit about exchange scanning, then
get out there and do it. Have some fun and learn about as many
different PBXs, VMB's, and answering machines as you can. Soon, you'll
be able to crack something in your sleep. You'll begin to see the same
system again and you'll have the knowledge and power to say, "Hey! I
know all about that system. Its a xxxx. Yeah, its default code is
xxxx". When you get to that point, it feels really good. For those who
didn't like this article or who already knew about exchange scanning,
why did you read this far? Thats all for now.

By The Mob Boss;
Co-Edited by DisEntry

This has been a publication written by THE MOB BOSS, he is in no way
responsible for the accuracy or results from the use of info in this
article. Anything done is totally done at the users discretion. THE MOB
BOSS in no way or form supports, aids, particapates in the act of
criminal hacking or phreaking. Any ideas, beliefs, and information
gathered in all publications published by THE MOB BOSS is strictly for
informational purposes only.   
THE MOB BOSS copyright 1999 all rights reserved