Power Scanning I: Identifying And Hand Scanning Telco Internal Blocks and Other Dedicated Number Blocks
2nd Revision
(C) 1999,2000 El Oscuro/250

Introduction - Why Hand Scan?

Have you ever wanted to call up your local telco's business manager to give him a piece of your mind? Ever find yourself wading through a voicemail system or on hold forever in the process? Well, maybe you need a direct line. Wouldn't it be nice if that number was listed in your phone book? Well it isn't, so don't bother looking. You looked anyway. I told you so!

But of course, that's only the beginning of the vast range of unlisted telephone company office numbers that most phreaks would love to have. Test numbers, Accounting, Security, the RNCC, you name it - if it's in a telco office you can bet it has a phone and a real phone number you can dial from home. And you can also be 99.44% sure that those numbers are unlisted and generally considered privileged, inside information. And that's just the voice lines - what if you could locate your telco's COSMOS system? Or a 900 backdoor? Or even a backdoor into a billing system? Wouldn't you want to take a run at hacking that baby?

So how _do_ you get a directory of internal telco numbers?

The Perils of Trashing et al

In days past, we all just went trashing, rummaging through dumpsters outside the phone company's offices and COs, looking for all kinds of documents, including internal phone directories. But today there are some problems with trashing. Aside from the obvious - it's messy and risky - many trashbins are now behind razor-wire fences or under cameras, making trashing at best an unlikely venture for most people. And, on top of that, not only are most internal telco directories incomplete (usually only the most commonly called numbers are printed) but there's a reason why they're in the dumpster - they're obsolete. So your trashed list is incomplete, inaccurate, smelly, and you had to risk life and limb to get it. Not appealing.
There are other ways as well, which I won't get into in this file - social engineering, theft from offices and vehicles, shoulder surfing, and so on. They all have their problems.

And then there's scanning. "Jeez, Oscuro," you're thinking, "you want me to scan every prefix in the city, hundreds of thousands of numbers, by hand, to find some office numbers? That's a HUGE project!" Well, that would be too big a project for any one person, or for that matter any one army, to take on. I wouldn't recommend a blunt brute force handscan of anything. Instead, I recommend Power Scanning.

Power Scanning

Power Scanning is the art of reducing the number of phone numbers any one phreak has to scan. With power scanning, a single phreak can cut the numbers he has to scan from millions down to a few hundred. With the help of friends, you can acquire a complete directory of a block of numbers in a matter of hours or even minutes!

Preparing a Power Hand Scan

Power Scanning first requires preparation, and in the case of a hand scan, research. To locate a block, you first need a phone book. Look up your phone company in the white pages - not the "how to contact us" pages at the front, but by name in the white pages. You will probably see a dozen or more local phone numbers for different services and offices, including a few 1-800 numbers. Now take note of the local numbers. Are they all in the same prefix? Are they mostly in the same prefix? Of the ones that are in the same prefix, take note of the fourth digit of the phone number. Is it the same for all/most of them? If so, the phone company has a block of numbers set aside for their own use.
Let's say that these are the numbers you found listed in the phone book (these are completely fictional but based loosely on what I found in my local phone book):

  253-7000  Customer Service
  253-7110  Cellular & Pager Sales
  253-7460  Account Inquiries
  253-7333  Data Services
  253-7350  X.25 Network Help Desk
  253-7050  Employment
  253-7299  Downtown Phone Mart
  253-7295  Suburban Mall Phone Mart

Ignore any toll-free or out-of-town numbers you see among them. Now, do you see a pattern emerging here? All the local numbers are in the 253 prefix, and all of them are in the range 253-7000 to 253-7460. You can be relatively sure that the block goes up to 253-7499, so there are probably 500 numbers in the block.

Now we need to make sure that the block you have found is otherwise uninhabited. For this you need a reverse directory. You can use the one at your local library, or a telephone listings CD-ROM like Pro-CD, or if you are lucky enough to live in a market served by Western Phone Directories, you probably already have one tucked away in the middle of your phone book. I don't think that one of those online reverse directories would be suitable because they aren't geared towards spitting out whole blocks of numbers.

Look up the (suspected) block in the reverse directory. You should find most if not all of the numbers from the white pages there. If the telco has a dedicated block there, you won't find anything else in that block. No businesses, no people's names, just the few phone company listings you already saw in the white pages, and a few big gaps in between. At the end of the block, normal listings resume - 253-7500 might belong to a real estate company, 253-7501 to little old Mrs. Wong on Oswego St. And likewise, prior to the beginning of the block you should find lots of normal listings. If this is what you find in the reverse directory, you have a clearly defined block of numbers to scan. In our example, the block is from 253-7000 to 253-7499.
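The two steps above (group the published numbers by prefix and fourth digit, widen to the nearest hundred, then confirm against the reverse directory) are mechanical enough to script. The block below is an added example, not part of the original file; a telco, or any organization with a PBX block, can run the same inference over its own white-pages listings to see how plainly its internal range stands out to an outsider. LISTED is the article's fictional 253-7xxx set plus one constructed toll-free number (which the text says to ignore); REVERSE_DIRECTORY is a constructed stand-in for the reverse-directory lookup, and the listing names in it are invented.

```python
"""Infer a dedicated number block from published numbers and check it
against a reverse directory (exposure check for the block owner).

Added example, not from the original file. LISTED follows the article's
fictional numbers; the 1-800 entry, the reverse-directory slice and the
names in it are constructed for this example."""
import re
from collections import Counter

LISTED = {
    "253-7000": "Customer Service",
    "253-7110": "Cellular & Pager Sales",
    "253-7460": "Account Inquiries",
    "253-7333": "Data Services",
    "253-7350": "X.25 Network Help Desk",
    "253-7050": "Employment",
    "253-7299": "Downtown Phone Mart",
    "253-7295": "Suburban Mall Phone Mart",
    "1-800-555-0199": "Repair Service (constructed toll-free number)",
}

# Constructed reverse-directory slice: inside 253-7000..7499 only the telco's
# own listings appear; ordinary listings resume on either side of the block.
REVERSE_DIRECTORY = {
    **{n: "Local Telco" for n in LISTED if n.startswith("253-")},
    "253-6998": "Oswego Bakery",
    "253-6999": "J. Alvarez",
    "253-7500": "Lakeside Realty",
    "253-7501": "Mrs. Wong",
}

LOCAL = re.compile(r"^(\d{3})-(\d{4})$")


def split_local(number):
    """Return (prefix, line) for a local NXX-XXXX number, else None
    (toll-free and out-of-town numbers are dropped, as the article says)."""
    m = LOCAL.match(number)
    return (m.group(1), int(m.group(2))) if m else None


def infer_block(numbers, granularity=100, min_share=0.5):
    """The article's rule: if most local numbers share a prefix and a fourth
    digit, they sit in a dedicated block. The range is widened to whole
    multiples of `granularity` (7000..7460 -> 7000..7499).
    Returns (prefix, low, high), or None when no group holds a majority."""
    parsed = [p for p in map(split_local, numbers) if p]
    if not parsed:
        return None
    groups = Counter((prefix, line // 1000) for prefix, line in parsed)
    (prefix, thousands), n = groups.most_common(1)[0]
    if n / len(parsed) < min_share:
        return None
    lines = [l for p, l in parsed if p == prefix and l // 1000 == thousands]
    low = min(lines) // granularity * granularity
    high = max(lines) // granularity * granularity + granularity - 1
    return prefix, low, high


def foreign_listings(block, directory, owner="Local Telco"):
    """Reverse-directory check: any listing inside the block that is not the
    suspected owner's means the block is shared, not dedicated."""
    prefix, low, high = block
    hits = []
    for number, name in directory.items():
        p = split_local(number)
        if p and p[0] == prefix and low <= p[1] <= high and name != owner:
            hits.append((number, name))
    return sorted(hits)


def block_size(block):
    return block[2] - block[1] + 1


if __name__ == "__main__":
    blk = infer_block(LISTED)
    print("inferred block:", blk, "size:", block_size(blk))
    print("non-owner listings inside it:", foreign_listings(blk, REVERSE_DIRECTORY))
```

An empty result from foreign_listings is exactly the "otherwise uninhabited" condition the text describes; widening the suspected range (say to 253-6900..7599) makes the neighbouring ordinary listings show up, which is how you confirm where the block actually ends.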
Now you've reduced your scan to 500 numbers, and with the help of four friends, you only have to scan 100 numbers each.

The Scan

Now all you have to do is start calling. Your telco probably has sequential dialing detectors working, so scan randomly, e.g. 253-7015, 253-7235, 253-7116, etc. Make a list of numbers and check off the ones you've already scanned, and make a note of what's at each one. Just write down whatever the person (or answering machine) answering says when they answer. When you're done, enter the results into a text editor, sort them by number (Hint: QEdit, DOS), incorporate your friends' results, and *FOOM*, in a few hours you have an up-to-date, accurate internal telco directory! What's really cool about this is that because you enumerated the directory yourself, you actually legally own the rights and copyright on your list, and the phone company does not! WIPO backfires!

This can be repeated for nearly any kind of dedicated block - banks, large corporations, schools and colleges, nearly any large organization has a PBX with extensions that map to real phone numbers, awaiting your walking fingers. For example, the Eaton's department store in Vancouver, B.C., had a mostly unlisted block from 604-661-4400 to 604-661-4499. But it's the local phone company, IMO, that has the most interesting secret numbers waiting to be discovered!

Perils and Pitfalls (not that they're serious...)

Of course, the main pitfall of this technique is being Caller ID'd or ANI traced. As phone companies cut costs, many offices that formerly had ANI now only have Caller ID and can be *67 blocked, but security and of course any lines direct to operators will always have ANI or some other sort of unblockable calling number delivery. So it's important to scan from a phone you don't care about - payphones, enemies (Beige Box), school, work, etc. If you are patient you can spread your scanning out over dozens of phones.
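The text assumes the telco's detector keys on one caller dialing consecutive numbers, which is why it says to randomise the order and spread calls over many phones. From the block owner's side the more robust check is on the destination: count how many distinct numbers inside the dedicated block receive calls within a time window, regardless of who called or in what order. The block below is an added example, not from the original file, contrasting the two detectors over constructed call records. The record format (timestamp, calling number or BLOCKED, called number), the 555-01xx calling numbers and the timings are all made up for this example; real switch CDR formats differ.

```python
"""Two detectors for a hand scan of a dedicated block, run over inbound
call records. Added example, not from the original file; the CDR lines,
calling numbers and block are constructed (block = the article's fictional
253-7000..7499)."""
from collections import defaultdict
from datetime import datetime, timedelta

BLOCK = ("253", 7000, 7499)

# Constructed records: ordinary customer calls to 253-7000/7110 mixed with a
# randomised scan of the block spread over four callers, one of them blocked.
CDR = """\
1999-11-03T13:40:05 555-0101 253-7000
1999-11-03T13:52:30 555-0133 253-7000
1999-11-03T14:00:12 555-0142 253-7015
1999-11-03T14:01:50 BLOCKED  253-7235
1999-11-03T14:03:07 555-0187 253-7116
1999-11-03T14:04:44 555-0142 253-7402
1999-11-03T14:06:21 BLOCKED  253-7077
1999-11-03T14:07:58 555-0120 253-7310
1999-11-03T14:09:35 555-0187 253-7351
1999-11-03T14:11:12 555-0142 253-7188
1999-11-03T14:12:49 555-0120 253-7469
1999-11-03T14:14:26 BLOCKED  253-7023
1999-11-03T14:15:03 555-0101 253-7110
1999-11-03T14:30:40 555-0155 253-7000
"""

# Constructed records of the naive case: one caller walking up the block.
SEQ_CDR = """\
1999-11-04T09:00:00 555-0177 253-7200
1999-11-04T09:01:10 555-0177 253-7201
1999-11-04T09:02:20 555-0177 253-7202
"""


def parse_cdr(text):
    """Parse 'timestamp source destination' lines into time-sorted tuples."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            recs.append((datetime.fromisoformat(ts), src, dst))
    return sorted(recs)


def in_block(number, block):
    prefix, low, high = block
    p, _, line = number.partition("-")
    return p == prefix and line.isdigit() and low <= int(line) <= high


def sequential_runs(records, block, min_run=3):
    """Per-source detector of the kind the article expects: flag a caller
    whose successive in-block calls hit n, n+1, n+2, ... Random order or
    splitting the work across callers defeats it."""
    last = {}        # source -> (last line dialled, current run length)
    flagged = set()
    for _, src, dst in records:
        if not in_block(dst, block):
            continue
        line = int(dst.partition("-")[2])
        prev, run = last.get(src, (None, 0))
        run = run + 1 if prev is not None and line == prev + 1 else 1
        last[src] = (line, run)
        if run >= min_run:
            flagged.add(src)
    return flagged


def block_sweep(records, block, window=timedelta(minutes=30), threshold=8):
    """Destination-side detector: the most distinct in-block numbers called
    within any `window`, whoever called and in whatever order. Legitimate
    traffic concentrates on a few published numbers, so distinct-destination
    count separates a sweep from busy customer lines."""
    hits = [r for r in records if in_block(r[2], block)]
    best = (0, set(), None)
    for i, (start, _, _) in enumerate(hits):
        dsts, srcs = set(), set()
        for ts, src, dst in hits[i:]:
            if ts - start > window:
                break
            dsts.add(dst)
            srcs.add(src)
        if len(dsts) > best[0]:
            best = (len(dsts), srcs, start)
    count, srcs, start = best
    return {"distinct_destinations": count, "sources": sorted(srcs),
            "window_start": start, "alert": count >= threshold}


if __name__ == "__main__":
    recs = parse_cdr(CDR)
    print("sequential detector flags:", sequential_runs(recs, BLOCK))
    print("block sweep:", block_sweep(recs, BLOCK))
    print("naive walk flags:", sequential_runs(parse_cdr(SEQ_CDR), BLOCK))
```

On the constructed records the sequential detector flags nobody, while the sweep detector reports twelve distinct block numbers called inside one half-hour from six callers, which is the signal a block owner should alert on; the threshold is a tuning knob that depends on how many different desks outside callers legitimately reach.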
And of course, you can always say "What, this isn't Domino's Pizza?" to everyone who answers... or just to the ones who answer with scary greetings such as: "Telco Security, this call has been traced and is being recorded!" Telco employees get wrong-number calls too, after all.

Conclusion

Scanning has fallen out of favor in the last decade, for two reasons. First, the phone companies have made it a lot more difficult to get away with it. And second, hacking doesn't seem to be the team effort it once was - hackers are less willing to work together than they used to be. Everyone's got their own zine, everyone wants to be more 3l33t than anyone else, and a task like brute force hand scanning is just too daunting for someone, no matter how l33t, to take on alone. But with Power Scanning techniques, and a little ego forfeiture, a few hand scanners working together can quickly gain an impressive and powerful private phonebook that will serve them and their trading partners well for a long time...

In the next instalment, I will show how to use a listings CD-ROM to perform Power Carrier Scans without annoying thousands of people, and in the process reduce your scan time by up to 99 percent!