-=:Introduction:=- Back, oh say five years ago, making long distance calls for free was a given. It was no problem to call up a BBS (even a lame one) and get from the message bases 4 or 5 different codes to make a call to the other side of the country for free. If there were no codes going around, there were always TeleNet and TymNet outdials. Today, it's a different story. It's now pretty much impossible to get an NUI for TymNet or TeleNet (SprintNet) unless you have an inside source. And with ANI, don't even bother extender hacking... UNLESS you know how to do it. Hopefully, this file will teach you how to do just that. I'm writing this file with the hope of reviving the lost art of extender/PBX hacking and ld for free. Part I is geared for the beginner who might not even know what an extender or a PBX is. Part II is my own personal theory (not necessarily SiC's opinion or the right one, for that matter) on how not to get caught. Part III is a list of actual extenders and PBXs to get you started. If you already know and understand extenders and PBXs, skip to part II of this file. Hell, if you're a stud, go to part III. ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ Û Û Û _-=>Part I<=-_ Û Û Û Û _-=>What the Hell's an Extender? What's a PBX?<=-_ Û Û Û ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ A PBX is not the same thing as an extender, although their names are often used interchangeably. An extender is usually owned by a long distance telephone company such as AT&T, MCI, Sprint, Cable & Wireless, or ITT although smaller companies do own extenders. Extenders are usually found in the 800 NPA or in the 950 exchange. The 950 exchange is a Specialized Common Carrier (SCC) used by long distance companies. Extenders can often be found in this exchange. It can be reached just as if you were making a regular local call. Dial 950-xxxx, and you will most likely get a recording. If you get a dialtone, you've found an extender. Carriers are sometimes found in the 950 exchange. The disadvantages to 950 numbers is that they ALL have the ability to trace and they are not a toll free call from a pay phone. (they're free from your house) The most widely used 950 extender is ITT's 950-0488. I will talk about 0488's later. Most of the extenders that you would want to hack on are 800 numbers that are property of a long distance company. Extenders are set up by the telco as a courtesy to its subscribers. An extender serves the same purpose as a calling card. It would be impractical for a person who travels a lot or who is off at a school to drop 10 quarters into a payphone every time he wants to make a long distance call. And some calling cards are a pain in the ass with all the carrier access codes that must be dialed. So to make things easier for their customers, long distance companies have set up extenders for their customers. The telco sends their subscriber a letter saying something to the effect of: Hello Mr. Wogonoppy! Thank you for choosing Cable and Wireless's new dial-from- anywhere plan. To make a call from any phone in the United States, dial 1-800-234-5678. At the tone dial 765432 (Your secret authorization code) from a touch tone phone. After the second tone, dial the area code and number that you are trying to reach (do not dial 1). The call will be added to your monthly long distance bill. Do not give your secret code to anyone! If you have any questions, you may contact customer service at 1-800-234-5679. Ok, the letter might not be that simple, but you get the jist of how it works. There are tons of extenders out there. So if you want ld for free, all you have to do is get someone else's authorization code on an extender! Before you worry about finding valid codes, you first have to find some extender dial ups. Ok, so how do you find the dial ups? Well, if you're a good social engineer you can always call up AT&T and say you're so and so who forgot the 800 number that you're supposed to call to enter you secret authorization code. If you sound like you're supposed to know the number, you just might get it. But don't get your hopes up. The most effective way to find extenders is to scan an 800 prefix. If you're sick of doing your homework, pick up the phone and dial 1-800-xxx-xxxx. Write down all the cool stuff you find. VMB systems, funny tones, numbers with a different ringback, anything out of the ordinary. If you dial a number and get a dialtone, it is most likely an extender. If you get a short beep and then silence, it could also be an extender. If you get a constant tone that stops when you enter a touchtone, such as Sprint's 800-877-8000, you most definitely have an extender. And if you get a prompt asking for either your authorization code or the number you are calling, you have probably found an extender. (duh) Write down any numbers that you think might be something good. Hell, if you dial 10 numbers a night, sooner or later you are likely to find a virgin extender. And if you get your other 6 friends to each do a separate 800 prefix, you're gonna get lots of extenders. Yeah, it's gonna take a while, but just think of all of the free and safe long distance calls you are going to be able to make! Well once you have the extender, play around with it so you can figure out its dialing format. There are basically two things you must determine before you can begin hacking. 1) Whether the extender wants the code or acn (area code and number) first. 2) How many digits are in the code. The extender is going to do you no good if you can't figure out the format. You could try 1,000,000 different codes on an extender and never get a good code if you think the format is code + acn and the format is really acn + code. You will never be able to use the extender to make a call if you can't figure out its format. Some systems will want a 7 digit code and then acn. Some systems will want the acn and then a 4 digit code. Some systems will want the code and destination number dialed successively with no pause. This is what you must determine before you can begin your hacking. Well how the hell are you going to do that? Some systems will give you instructions such as "Please enter your authorization code" or "Please enter the number you are calling". (AT&T SDN) Others will emit a dialtone or a beep tone and then be silent. The ones that give you no hints about the format for dialing are the ones that are gonna give you the most problems. So if you come across a vague extender, just use common sense. Pretend you're a legitimate customer with a card trying to remember how to make a long distance call. You dial an 800 number and it responds with a dialtone. You dial 6 digits. On the sixth one, you get a reorder (a quick busy signal) Well, you now know that this system wants a six digit code first. It can't want the acn first, as an acn is always 10 digits long. On another extender you dial 10 digits. After the tenth digit, you get another beep, or a second dialtone. This should tell you that the system wants the acn first, and then a code. Well, say you dial away and get no response from the system. Now just about the only thing you can do is listen to the error messages. Sometimes after you enter a bad code, you will hear something like "The 8 digit authorization code you entered is not valid. Please try again and dial your authorization code followed by the number you are trying to call." Sometimes this same thing happens if you just let the extender sit for a while. Ok, now for the infamous PBX. (Private Branch eXchange) A PBX can be manipulated in the same way as an extender. However, they are not designed specifically for people to place long distance calls from as extenders are. A PBX is pretty much a block of telephone numbers owned by a certain company. A PBX will sometimes have a different ringback than other numbers in the same prefix. To see what I mean, dial 203-599-7000. And then dial any other 599 number out of the 7xxx range. The 599-7000 has a different ringback than any other numbers in the prefix because it's a PBX. It is not a PBX in the sense that if you enter the right code you will get an outside line. It is my guess that this particular company has an internal extension system, ie every employee has a phone at their desk, but instead of dialing 599-7654 to reach another extension down the hall, all they have to do is dial "654". I would assume (and I don't know for sure) that in order for the people at this particular company to get an outside line to make an outgoing call, they must dial a "9" and then wait for an outside line before dialing. This is what makes it a PBX. You can tell when you've got a PBX if you have to dial another digit (commonly *, #, or 9) to get to an outgoing line. For example, on the PBXs that I have seen that are controlled by an IBM Rolm, the people within the company must dial 9 and then the number that they are calling. (On a Rolm, you can monitor individual trunks and watch calls being dialed in real time) Well, if a PBX is just a block of numbers for people within a company to make calls with, then how do people confuse extenders and PBXs? Well, some PBXs (and not all!) have a dial up line. Of course, this dial up is intended to be used by people who work for the company. If John Wogonoppy can't get all of his work done at the office and it has to be done by the next day, he's gonna take it home with him. He has to call his distributor in California to schedule a delivery. Well, it's not fair to him if he has to charge this business related phone call to his own home phone bill. So this is where the dial up line to the company PBX comes in. The company sets up an incoming line to their PBX that is known only to employees. So John calls this line and is connected to his company's PBX. He then enters an authorization code so that the company will know which of their employees made the call. After John enters this code, he hits a 9, #, or * to get an outside line. Once he has this outside line, he places the call just as he would from his desk at work and it will not cost him a cent. So you can see how people often confuse an extender with a PBX. They can be used to accomplish the same task. Pros and Cons of Extenders versus PBXs. A major disadvantage of extenders is that they are usually 800 numbers. Most (but not all!) 800 numbers have the ability to trace. Unlike extenders, PBXs can often be found in a prefix local to you. If you are lucky enough to find a local PBX, don't abuse it! Most likely, the PBX does not have the ability to trace. And you could probably sneak a few calls through it each month without being detected. Extenders can usually only make calls to the Untied States and Canada. I have never seen an extender (apart from one) that has the ability to call anything apart from normal area codes. PBXs (unless a call block is installed) can usually be used to reach just about anywhere. I have used a PBX set up at a college in Florida that would dial ANY TELEPHONE NUMBER IN THE WORLD (including 700's, 900's, and overseas). All you needed to do in order to get an outside line was to dial a "*" from the main prompt! This is not the norm, as most PBXs require at least a 4 digit code before you can even dial the 9, *, or # for the outside line. ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ Û Û Û _-=>Part II<=-_ Û Û Û Û _-=>Madrox's Theory On<=-_ Û Û Û Û _=:>Safe Extender and PBX Hacking<=-_ Û Û Û ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ A text file just wouldn't be a text file without an explanation of ANI, CAMA, or ESS. ANI, or Automatic Number Identification, is what gives ESS (Electronic Switching System, our switching system) the ability to instantly trace calls. The following are recorded on a tape in the Centralized Automated Message Accounting (CAMA) office for every call that is made under ESS: 1. The numbers of the calling and receiving parties 2. The time of call origination 3. Whether or not the called party answered 4. The time at which the caller hung up. So wrong numbers, toll-free numbers, and local calls are all recorded on the CAMA tape. This tape is then processed for billing purposes. Normally, all free calls (800's and local calls) are ignored. However, the billing equipment has been programmed to recognize many different types of unusual activity involving these free calls. CAMA has the ability to detect exchange scanning as well as extender hacking because it treats 4000 calls originating from a single trunk in a small period of time with the same time interval between each number as an error. So, to avoid detection by CAMA and your local CO (Central Office, or telco) you should limit your extender hacking and exchange scanning to 500-800 calls per night. To further reduce your chances of being detected by CAMA, it is advisable to hack during business hours. Because there are so many more calls being placed during business hours, your scanning will not be as obvious as it would at 4:00 AM. Now that you know how to avoid detection by your local CO, you must know how to avoid detection by the systems that you will be hacking on. Most extenders are now ANI protected. Because of this, you should always assume that each time you place a call to an extender or a PBX it has already received your ANI information and knows the number you are calling from. ANI information is normally disregarded unless the extender notices abnormal activity. Extenders are programmed to detect patterns, ie the same destination numbers being dialed with different codes, mono dialing (constant dialing at the same speed), and errors per minute/pattern failing. Most extenders have been programmed to detect patterns in the following areas: 1.) Codes dialed. Sequential code guesses are the biggest no-no. In other words, don't call up and enter 0000 for a code, then try 0001, then 0002, etc. That's the same as saying "Please send me a phone bill for extender hacking". 2.) Calling patterns. Say that on an average Sunday night an extender receives 2 calls between 3:00 AM and 4:00 AM. So on Sunday morning you hack on the extender all night long and place 100 calls in that one hour period. Your hacking is going to be noticed. It's safe to say that almost every extender is programmed to look for something like this. 3.) Touch tone spacing. Most people who use extenders will be manually entering their codes. So say you try to be slick and store 30 destination numbers in your memory dial. Great, but the phone dials each one with the same touch tone spacing. This is a major problem with extender hacking programs. Nobody can dial a phone making each digit exactly the same length with exactly the same spacing. And nobody is quick enough to dial a phone with only 40 ms between each touchtone (ats11=40). Extenders can detect extremely quick dialing as well as dialing that is too "perfect" to be done by a person. 4.) Pattern failing. If an extender gets a bad code attempt every 12 minutes and 29 seconds for five hours straight, you can bet that your ANI information has already been logged. I know this for a fact because this is what got me in trouble. I was using a program that rotated calls to 10 extenders so that each extender received only about 3 calls per hour. I thought I was safe because there were so few calls per hour, but a certain extender in the group that I was hacking on detected a break in attempt because it noticed that it was getting multiple bad code attempts with exactly the same time interval between them over a long period of time. The company (Telecom USA, part of MCI) said in their letter that their computers noticed numerous bad code attempts that were made a uniform time apart at all hours of the night. The moral of this story is to never use a code hacker that doesn't randomize time between calls. 5.) Destination numbers. Don't use the same destination numbers when using a code hacker. If you are hand hacking make sure that you use working numbers for your destination numbers. This will prevent your from confusing a bad code message with a recording saying "I'm sorry, but ..." It would make sense to me that some extenders would be programmed to look for calls to SprintNet and TymNet access ports. Why? Well, just about every extender hacker comes with a list of destination numbers that will emit a carrier 100% of the time. All you have to do to get a list of these numbers is call up Sprintnet, type "c phones", and you will get a listing of all the TymNet and Sprintnet access ports. And what do you think most code hackers use for their random destination numbers? These ports! And I'm sure this is common knowledge to long distance companies. So if someone had half a brain, they'd program their extenders to look for multiple calls to these TymNet and SprintNet ports. So if you're using an extender hacker, it would be a good idea to add at least a few destination numbers that are "more original". Multinode systems work the best as they will most likely not be busy. Compuserve ports are less widely known. Your lists of carriers that you have found by scanning local exchanges should work fine. Just modify the data file that contains the destination numbers. The key to safe extender hacking is to use complete randomization to prevent the extender from noticing any patterns. The ANI supported fraud protection of many extenders can be rendered useless by using a program that supports complete randomization. With complete randomization, ANI is another useless protection system carried by extenders. Hand hacking is the easiest way to ensure complete randomization. Basically, hand hacking is just calling up the extender, entering a random code, and then entering a destination number. Hand hacking is especially useful when you don't know the exact format of a code. If you fool around long enough with an extender, eventually something different will happen. This most likely means that you have found a good code, and thus figured out the format of the extender. Now that you know the format, you can let your code hacker take over and do the work for you. Also, without even trying, you will have randomized all of the things that an extender looks for. Obviously, it is possible to hand hack from a payphone. This is great for those times when you find a PBX with a 3 or 4 digit code and want to get the fucker. The most practical way to hack codes is with a code hacker for your computer. Unfortunately, this is also the most dangerous way. The code hackers I've seen for the IBM are fair at best. They all need more randomization, options, etc. A good code hacker supports random touch tone spacing, random time between attempts, templateable codes, variable time between code and destination number, has at least 500 random destinaion numbers, etc. You get the picture. Hopefully, one of SiC's future releases will be a code hacker that will change the entire IBM extender hacking scene. Ok, so once you've found some valid codes, what should you do to make sure you don't get caught? I've heard two theories about what should be done with valid codes. Some people say that you should keep your codes to yourself and never distribute them until you are done with them. The advantage to this is that you have a better chance of going undetected. However, if you are traced, there is a greater chance that you will receive a bill (as you are most likely the only one who is illegally using the extender) Some people say you should distribute your codes to everyone. If the telco learns that fifty people have used their extender to place illegal calls, it will not send them all bills. It might use one or two of them as a scapegoat and send them a bill. I know this for a fact because I used the old "102221 code" a couple of times and never got a bill. AmericA used it A LOT and got a bill. So why did he get one and I didn't? Well, to answer that question, keep in mind that when you are hacking codes you are not ripping off the long distance company! They are charging us outrageous rates for something that should be a free public service. They know they're not losing any business to people who make illegal calls through extenders because most people who illegally use extenders would not make the long distance call if they couldn't do it for free. So the telco's don't lose any business, and they know it. This is a major reason why telcos don't always bill people. It costs too much to pay a secretary to type up 50 letters, address them, mail them out, etc. So they just bill a few of the people who used the extender to get the message out to the others. This laziness on the part of the long distance company is why many people say that you should not hack on extenders that are property of your long distance company. If you have MCI, and you use an MCI extender, MCI can just conveniently add these calls to the end of your monthly phone bill. But if you have MCI and you hack on an AT&T extender, AT&T can't just annex their calls to the end of the MCI bill. They would have to send a separate letter which costs them some $$$. I have MCI and I was busted for one night on an MCI extender. But I have used hundreds, if not thousands (literally) of hours on AT&T and ITT extenders and never received a bill. Ok, so what about 950s? Anyone who has used a 950 extender knows that their connections are usually VERY clear which makes for excellent error-free data transfers. Some people say that you are going to get caught for sure if you use extenders in the 950 exchange. Well, this is not necessarily true. Although many people are busted on 950's, many use them and do not get caught. I have spent many many hours on 950-0488 and have never got in any trouble. In my opinion, that is the safest 950, although many people will tell you different. The 950 exchange was created for the long distance company's benefit so they could have the same dialup in all cities across the USA. For some reason, the long distance companies rejected the 950 prefix in favor of 1-800 numbers. 950s can trace your call before you even think about dialing one of them. But tracing only occurs on special occasions. The companies on 950's will only trace when the computer controlling the call sees that there is an unusually high number of calls to the extender on that particular day or detects one of the tell tale patterns of extender hacking that I mentioned above. People seem to think that if they get caught extender hacking that the feds will confiscate their whole house and then throw them in jail. It may be hard to believe, but MOST feds have better things to do. If you get caught hacking on an extender, you might get a phone call or a letter from the company telling you not to do it again. Long distance companies can bill you for the actual long distance calls. They can also bill you for each call that you make to their extender. Thankfully, this almost never happens. If you do get a bill, ignore it. There is a good possibility that if you don't keep calling the extender that billed you, you will hear nothing more from the telephone company. But if you get a second or third letter, it is a good idea to pay your bill to avoid pissing off the company even more. If for some reason, you are REALLY paranoid, there are some things that you can do. Take all your codes and copy them onto a small piece of paper. If you had them stored as a text file in your computer, erase it. Add digits to the codes to make them look like phone numbers. If the codes are 6 digits, add a 7th digit to the end and add a hyphen to make them look like phone numbers. Rewrite the new formatted codes onto a new piece of paper and hide it. Destroy the old one and hide the new. (Make the paper small enough to hide almost anywhere.) Now you don't have to worry about anything if for some ungodly reason the feds do decide to search your house. (Maybe if you accidentally hack on President Clinton's private extender and they think you are plotting to assasinate him or something.) BTW, Code hacking is a fedral offense. Destroy all old codes as soon as they go bad. Having over 15 codes that are dead now but were valid at one time is also a federal offense. It is a good idea to only use codes for 2-3 days after you hack them. It is best to hack during business hours on weekdays, or on holidays. Since more people are using their calling cards at this time, your calls are less likely to be noticed than at 4:00 AM. ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ Û Û Û _-=>Part III<=-_ Û Û Û Û _-=>The Good Stuff<=-_ Û Û Û Û _-=>Working Extender and PBX dialups<=-_ Û Û Û ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ I went through tons and tons of notes to compile this list. I was pissed because at least 50% of the extenders in my notes were no longer working numbers. So, for now here's 40 or so that are all working as of February 24, 1994. Code formats that are not enclosed in brackets are definite. (either I have found codes on this system using that format or it is possible to determine the format of the code from the system. Formats that are enclosed in brackets are not definite but are probably the right one. If I didn't write anything about the code format, then I have no clue. Note: All extenders that say SDN after them are AT&T SDN (Software Defined Network) extenders. Most SDN extenders usually have a 10 digit code with the format of 5031yxxxxx where y is 6, 7, or 8 (although it can be anything) and x is random. Assume this to be the format for all SDN extenders. However, some SDN extenders can have 5 or 6 digit codes. The only way to determine this for sure is to find valid codes on the system. 800-221-9600 800-225-5946 + 50316xxxxx + acn SDN 800-234-5095 + 13 digit code + acn 800-245-6332 + acn + 10 digit SDN code 800-274-4472 [+ 12 digit code + acn] 800-279-1119 [+ 4 digit code + acn] or 14 digit code + acn 800-288-2880 uhh, AT&T? 800-288-8845 7 digit code + acn 800-292-3044 [+ acn + 10 digit code] SDN 800-321-6902 + 3 digits + ? PBX 800-333-2321 probably a PBX 800-333-3425 [14 digit code + ? or 4 digit code + acn] 800-336-7800 + acn + 10 digit code SDN 800-366-4000 [+ 7 digits + acn] (Sprint) 800-367-6546 [6 digit code + acn] SDN supposedly easy to hack 800-433-4778 [+ acn + 10 digit code] SDN 800-445-0503 [+ 10 digit code + acn] SDN (503158xxxx) 800-456-1212 supposedly six digits + 1 + acn 800-456-2253 + 2 digits + ? (25 works) PBX 800-468-0234 [+ acn + 10 digit code] SDN 800-525-5445 + 5 digit code + ? A possible PBX 800-535-1922 [+ acn + 10 digit code] SDN 800-538-6423 4 digit code + ? This is most likely a PBX (not voice mail!) 800-638-2633 [7, 8, or 10 digit code + acn] SDN 800-648-5868 [+ acn + 10 digit code] SDN 800-727-0200 [+ 8 digit code + acn] 800-727-3333 [+ 14 digit code + acn] Gives fake carrier at bad code 800-776-9000 800-826-9885 6 digit code + acn 800-862-6233 + 12 digit code + acn 800-877-8000 + 0 + acn + 16 digit Sprint FON card 800-882-2255 + 6 digit code + acn (dangerous) 800-899-4480 [+ 8 digit code + 1 + acn] Cable & Wireless 800-899-9898 [+ 8 digit code + 1 + acn] Cable & Wireless 800-950-1022 + 0 + acn + 16 digit MCI calling card 800-999-7592 ITC Networks 950-1022 + 0 + acn + 16 digit MCI calling card (same as 800-950-1022) 950-1033 + 7 digit code + acn (Sprint) 950-0488 + 13 digit templated code + acn known 0488 templates: xxx921x648699 xxx158x864712 xxx779x274924 --Madrox[SiC] February 24, 1994-- .