Expressive Opposition
The Ultimate Beginners Guide to Social Disobedience

First Glance: Hacking a PBX

Filed under: Uncategorized — Administrator July 30, 2005

Based on a brief how-to by Bungalow Bill
President/Founder, the Center for the Study of Viral Pathology

Edited by: The DiaLeR

Danger looms for the modern phreaker looking for ways to exploit telephony for the purpose of making free calls. The casual phreaker has been nullified, while only the highly skilled phreaking engineer is still able to safely and successfully operate. For you to get started, or to take the next step in renewing your interest in phreaking, examination of the PBX (Private Branch Exchange) is a direct route to success.

A PBX, quite simply, is a company-owned service that allows people, such as company employees with the correct code, to call long distance. These PBXs generally do not have anything like ANI or tracing methods, so they are more than likely safer than hacking codes.

PBXs serve other purposes, such as allowing intra-building paging and PA system use. Finding the codes to access the PA system can be a lot of fun. An anonymous voice declares “everyone gets a raise and next week is paid vacation” over a company PA system during office hours while management scrambles to figure out what is going on!

Some business owners pay a flat fee for their PBX because of the sheer volume of legitimate calls made on the service by employees. This is great for the PBX hacker, because it means they are less likely to be caught or to have any CLID or ANI services on the line.

Finding a PBX is not really all that difficult. There are some standard methods, and software to automate the task. Special-purpose “war dialers” exist to aid in acquiring numbers for PBX systems by detecting the PBX tones. The software is not necessary, and I will demonstrate a manual method which has been very good to me.

Go grab a Newsweek, Time, or some other popular periodical. Flip through it and make a list of the 800 numbers belonging to large companies, such as banks, law firms, or hospitals. Don’t put down the ones that advertise being open 24 hours. You can also use the phone book for this, and I also know that there is The 800 Phone Book, which is a listing of the 800 numbers for companies, so if you feel like shelling out a few bucks for it, that’s approved. Now, once you have a list of the numbers, wait until late in the evening. I do it around 11 pm, so that even if the number is in California they’ll probably be closed, but the later, the better.

Start at the top of the list and dial. If you hear a single tone, or an oscillating combination of two tones, put a check next to the number on your paper. Hang up. Repeat for the next number. If you get a recorded message which sounds like a voice mail service, wait and see if it says something like, “If you have a mailbox on this system, please press pound (#).” Press # and check what that does, because some companies hide the PBX behind a control command like that.

Now go back to the top of your list and dial the first number with a check next to it. When you hear the tone, pound out the *, #, and 9 keys. If you suddenly get a dial tone, put a mark next to the number, and also write down the combination of keys you pressed to get it. Do that for each number on the list.

Ok, now go back to the first number where you got a dial tone. Dial it again, and type in the sequence you used before. When you have a dial tone, dial 1-800-692-6447 (1-800-my-ani-is; ANI is Automatic Number Identification). You will hear a recording which says, “Your ANI is: (XXX) XXX-XXXX.” If it gives the number of the phone you are on, cross that PBX off your list. But if it gives you a number other than your number, you’re all set. Put that number in a new list, along with the digits you used to get a dial tone.

If, at some point, a recording at the PBX number asks for a code, that means the system is protected with an access code. Software exists to brute force these codes. Other times PBX manufacturers set a default code that is often left unchanged. If you can identify the PBX manufacturer, you can often search the web for a PDF manual which supplies the default code.
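Everything this procedure relies on leaves a trace in the PBX’s own call detail records (CDRs): a caller who arrived on the inbound toll-free trunk is handed an outside dial tone and connected back out, late at night, often to a toll destination. The following Python script is an added example for PBX administrators, not part of the original post. It assumes a constructed CSV export layout (timestamp, originating party, dialed digits, duration in seconds); real PBXs export their own formats, so the parser is the part you would adapt. It flags every trunk-to-trunk call and annotates the after-hours and toll cases that characterise the abuse described above.

```python
from datetime import datetime, time

# Constructed sample CDR export (assumed layout, not from any real PBX):
# timestamp, originating party, dialed digits, duration in seconds.
# "ext####" is an internal extension; "trunk:800-in" is a caller who
# arrived on the inbound toll-free trunk and was connected back out.
SAMPLE_CDR = """\
2005-07-29 14:02:11,ext2104,19175551234,312
2005-07-29 23:14:05,trunk:800-in,18005551234,45
2005-07-29 23:16:40,trunk:800-in,12125550187,1810
2005-07-30 02:41:03,trunk:800-in,01144207946000,2400
2005-07-30 09:30:22,ext2117,5550100,60
"""

BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


def parse_cdr(text):
    """Parse the assumed CSV layout into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, origin, dialed, duration = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "origin": origin,
            "dialed": dialed,
            "duration": int(duration),
        })
    return records


def is_toll_call(dialed):
    """True for domestic long distance (1 + 10 digits, excluding toll-free
    1-800) or international (011 prefix). Toll-free calls cost nothing,
    but the trunk-to-trunk check below still reports them."""
    if dialed.startswith("011") and len(dialed) > 3:
        return True
    return len(dialed) == 11 and dialed[0] == "1" and not dialed.startswith("1800")


def is_after_hours(ts):
    """Outside weekday business hours; weekends count as after hours."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_disa_abuse(records):
    """Return the records where an inbound trunk caller was connected to an
    outbound line (trunk-to-trunk), each annotated with the reasons it was
    flagged. Calls placed from internal extensions are ignored."""
    flagged = []
    for rec in records:
        if not rec["origin"].startswith("trunk:"):
            continue
        reasons = ["trunk-to-trunk"]
        if is_after_hours(rec["ts"]):
            reasons.append("after-hours")
        if is_toll_call(rec["dialed"]):
            reasons.append("toll")
        flagged.append(dict(rec, reasons=reasons))
    return flagged


if __name__ == "__main__":
    for rec in find_disa_abuse(parse_cdr(SAMPLE_CDR)):
        print(rec["ts"], rec["dialed"], rec["duration"], ", ".join(rec["reasons"]))
```

On the constructed sample, the three trunk-originated calls are reported and the extension calls are not; the 2400-second international call at 02:41 is the record an administrator would want paged on. The underlying fix is the one the post itself hints at: change the default access code, and restrict or disable the feature that hands an outside dial tone to inbound callers in the first place.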

This is a first step to understanding how to exploit and penetrate PBX systems. With this in your head, you have the basic understanding not only to get hands-on, but also to find software and tools to advance your success.

-The DiaLeR
