Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking General Information :: dc_ukbeg.txt

Beginners Freephone Phreaking in the UK


 - by uV & Senor Cardini - 

DISCLAIMER (All the information in this file is for educational purposes only. No-one involved in 
the compilation of this file would suggest using it for any purposes leagal/illegal whatsoever. In 
fact it might all be complete bollocks for all we know etc) 

!! Loadsa phun to be had on freephone numbers !! 

Freefone phreaking is calling freephone (0500/0800) numbers and using the interesting systems that 
are often on the other end. This often means accessing company's phone system to obtain free calls 
or services. I will cover the three main areas:- VMB Hacking, Dial-Outs and Conference System abuse. 

There are countless other systems on 0800's that are not covered here. 


You need to scan a lot of 0800/0500 numbers to find useful numbers. You can't use a scanning program 
like Toneloc here as you are not looking for a modem carrier signal. This means dialling hundreds of 
numbers by hand. Apparently BT are able to detect mass 0800 scanning done from your home phone but I 
know lots of people who have called 1000's and never heard a peep. Still a phone box is better if 
you're paranoid. 

You may reach foreign systems on UK 0800 numbers. The 0800 89XXXX range is full of these as is the 
0800 9XXXX range. These are also referred to as Country Direct numbers (check out the back of you BT 
Book). These are cool as you may get access to systems in that country. USA numbers a great because 
the US has loads more conferences, loops and PBX's than we do and lots of these are on the WWW. 

Companies are getting wise to abuse of their systems. Certain numbers are always getting hacked and 
are now completely blocked. It might be worth avoiding the 0800 89xxxx range for this reason 0500 
numbers don't get anywhere near as much attention...:-) 

So choose the range of numbers you are going to scan and get going. Make a note of what you find and 
what time you dialled. It is best to dial out of hours for whatever country the line terminates in. 
Otherwise a lot of numbers will be picked up by a human. You are looking for dial-tones, other tones 
and automated attendants, mail-boxes etc. 

Getting in: Let's say you have the number of an American company on a 0800 89XXXX. This might answer 
as "Welcome to ABC company voice-mail system, if you know the number of the person you want to reach 
dial it now. If you have a mail-box on the system press 9. If you want to reach assistance dial 0 or 
stay on the line`. Listen to the whole message - there may be other options. If you get no options 
try the * or # keys or combinations of these with numbers like 1,8 or 9. This may throw you into the 
voice mail. You may have to leave a message and then try to break out. 

Get a range: Try dialling some extensions and get an idea of the range of numbers accepted. You are 
starting to map the system. Some extensions (often at the end of the allowable range or a one off 
number like 2000, 4444 etc.) will have an out-dial on it. 

**The Systems** 


This is accessing voice-mail systems and using the features to your own ends. You  can set up your 
own free voice-mail box or listen to confidential messages etc. This is obviously boring after the 
first few times. The real interest comes when there is an out-dial, conference box or whatever on 
the system that is only accessible by valid mailbox owners. This centres around the fact that most 
VMB passwords are either the same as the box number (Box=3300, PW=3300), a crappy default (1234), 
easy to remember/guess (1111, 1234 etc.) or similar (box number+0). When you enter the voice-mail 
system it will often tell you what make it is Meridian, Octel, Norstar or whatever. This obviously 
helps a lot, although particularly sad individuals will come to recognise them by the prompts 
anyway. You really need to try all these numbers and map out systems for yourself to get a good idea 
of what's out there. 

There are loads of texts specific VMB brands. I reckon Meridian are the easiest to hack (pass-code 
is the box number as default and they have an excellent help facility - press the * key). I will 
only touch on Meridian systems to give you an idea of how they work. A lot of the points are 
relevant to other systems. 

Meridian Voice-mail:- I suggest you read Coldfire's text on Meridians. I won't go into details as he 
does it well and I don't want to quote it word for word. I will therefore cover the practical 
hacking aspects I will assume you will go get that text! 

Ok here are a few of the more essential ones 
*8 is mailbox commands 
*7 is message commands 
*81 is login 
011 is name-directory 
011# is dial any number/extension - depends on whether you're logged in/masks etc(see below) 
*80 is mailbox features - options here to allow to to change the number that is dialled when 0 is 
pressed (normally the opertator) - has some potential... 

Lets say you called a company, pressed * and got "Hello, you have reached the voice-mail system. If 
you have a mailbox on the system press pound(#), or if you wish to reach someone and know the 4 
digit extension please dial it now" If you press # you get "Meridian Mail. Mailbox?" - this is 
expecting a 4 digit code+# and a 4 digit-pass-code+#. Unfortunately you have no idea of the 
allowable codes. They could be random or more likely within a certain range. 3000 is normally a good 
shot BUT seeing as the login sequence will only let you know whether you have got BOTH codes correct 
you'll have a hard time hacking it. Go back to the original prompt and try some extension numbers 
until you get one or two that work. 

Seeing as the box numbers are always the same as the extension numbers so now you know some valid 
box numbers or better still the range of valid box numbers. Ideally you want unused boxes in their 
default state. These unused extension/boxes don't have a "Hi leave a message for John Smith here" on 
them. Depending where you are in the system. Dialling 011 will put you through to a directory system 
where you can dial in a name using the number/letter combinations on you telephone keypad. Try SMITH 
or JONES, you should get a few numbers this way. 

Once you have valid boxes you need the pass-codes, so go to the login (*81) and try the default 
pass-code, i.e. the box number itself. Empty boxes are more likely to work in this way, failing that 
try some 1234, 1111 sequences (good for thick giggly admin department boxes :)). You should be able 
to get at least one box this way. You will have noticed that 3 unsuccessful pass-code tries will 
throw you out. With one valid box you can get around this. Try 2 boxes then log into your valid box, 
now try two more and so on until you get more boxes. As long as you enter one valid code combination 
in 3 you are fine. This is the sort of feature that most systems have and makes hacking them much 

To see if you have an out-dial here enter 09+number to dial+# if it dials you have got one (remember 
to work out what country your system is in first though). Which brings us on to.... 


This is basically dialling into a company's phone system (PBX), gaining access and dialling out. The 
net result is that you only pay for the call to the company. If this is an 0800 number then you 
don't pay anything. There are two ways you might come across out-dials. 

1.  Straight-forward PBX extenders 

Background:- A company wants it's sales staff to be able to call internationally from home for free 
so they set up an 0800 PBX extender. This allows the person to dial free to the company number and 
then out to the desired destination (on the company bill). They work mostly like this: you dial a 
certain number and get another dialling-tone, another sort of tone or even a voice-prompt ("enter 
your 4 digit ID" etc.). An incorrect tone will often give a two-tone alarm signal (don't worry it is 
just an audible prompt). Once you enter the correct code (normally plus a #) you may get another 
dial-tone which you can use as if dialling from you own phone. You may have to enter 9 or 0 or 
similar to get a line. You may need to add a # to the end of the number. 

Hacking them:- These are only easy to hack if the code is something stupid like 1111, 2222, 1234 
etc., +# which it often is. The first thing you need to know is the length of the code. You may be 
able to get this by entering in the numbers very slowly and listening. After the correct number of 
digits there may be the alarm tone or a soft click. If not you have to assume it is 4 or less. If it 
is not you are going to have a hell of a job cracking it anyway! Try the common defaults as 
described and any other easy-to-remember numbers. You may notice that it bleeps you out after only 2 
numbers when say entering 12 but after 4 numbers when trying 4567. This may be a clue to the start 
of the sequence. If you have a group of bored, nerdy friends (you may be a student for example.;-)) 
you can split up the 9999 possible combinations between you. This should only take 10 of you a 
couple of hours. The speed of these things is often dependant on how many tries a system lets you 
have before throwing you out. 
Another way is to use a PBX Hacker program which I won't go into except to say that they come with 
their own documentation, they don't often work unless you know the exact format of the switch (PBX) 
and can't be used from phone boxes (can you explain 9999 calls to the same number?!) 

2.  "Hidden" PBX's. 

Background:- Most larger companies have their own PBX systems with 0800 access numbers. Some of them 
will intentionally want people to be able to dial though them, others just don't know it can be done 
or have configured them incorrectly. Their out-dial may be on a certain extension or hidden behind a 
VMB (See the VMB section on Meridians) 

Hacking them:- This can be as easy as ringing the sales line 0800 of some company, asking for 
another dept, say accounts, asking to be put though to the operator and saying "Hi I'm Dave from 
accounts, I can't seem to get an outside line. Could you dial this number for me?" - this may or may 
not work!. There are a number of ways depending on the make of the system and the way it is 
configured. I can't give you a sure-fire way on all systems. You may just be able to dial 9+the- 
number-you-want+# or 09+.... Etc. You may have to try every extension until you get a tone. You may 
have to hack the systems admin. box first to change some options. You may have to hack a certain 
box. Meridian systems often allow 09+number+# but only after you have logged in successfully to a 
mail-box. There may be calling masks set up by the administrator which restrict outgoing calls to 
nil or a limited range (e.g. local calls or free-fone calls only). So (on most Meridians for 
example) having a valid box/code is not always enough. However, you may be able to fool the mask on 
a UK system by entering 141 in front of the number you want as the system is often checking for 
zeros. Keep trying different 0800 numbers until you find systems that you can hack. ANY fool can 
hack a Meridian. You will find some with out-dials once you have, you have got your phree calls 
without any fancy kit. 

*What is the real number?** 

Although you may be dialling an 0800 number you can be sure that there is a normal number like 01454 
654312 or whatever linked to it. If you dial 17070 (in BT areas) from your out-dial it will tell you 
what number you are really at. If this doesn't work dial your own number and do a 1471 job on it. 
This means that if you want to pretend to be someone else or specifically to pretend to be from that 
company you can! All but a really determined trace will do is show up the wrong number. 

*Linking them up* 

Linking up your out-dials will extend their usefulness. If you have an 0800 out-dial that terminates 
in the USA thus allowing dialling to US numbers you can use it to dial 1-800 numbers which are the 
yank equivalent of our 0800 numbers. Americans are way ahead in the use of mail/switching systems 
and there are out-dials, conferences etc. abound. 

*Keeping hold of them* 

Using out-dials is obviously illegal. Not only are you gaining unauthorised access to a system (i.e. 
hacking) but you are stealing call credit from the company. BT and the company have a vested 
interest in stopping you or catching you. Here are some guidelines: 

I. The first rule is do not give the numbers/codes out to anyone else. As soon as you do you can be 
sure that they will too and so on, and so on. At least one of these people will be a twat, use it to 
call Mexican sex-lines for 4 hours at 2am on a Sunday. It will either get closed down or they will 
set up a trace. 
II. Use them wisely. As with all crime, you should be fine unless you get noticed. So if you call 
numbers that are likely to be called from that company, are of a normal length, during normal times 
etc. you are unlikely to raise any eyebrows. 
III. Linking out-dials up makes tracing your call much harder, especially if you cross international 
boundaries. This will often throw the phone companies systems and can make prosecution harder. The 
most likely way of tracing calls is going to be from the point which you 1st call in at. Seeing as 
you are only making freefone calls from that point it will not be showing up in any bills. They are 
not losing and are not monitoring. Should the second company notice they will trace it back to the 
first company. Do this through 3 or 4 and things start looking good for you! 
IV. Try not to use them from home 
V. Don't stay on for long. Using one out-dial to acess the Intenet for hours at a time  is one way 
of getting noticed. 
VI. Be paranoid. No matter how careful you are being, there may be others using the same out-dial 
recklessly. You could get caught in the same net. It is a good idea to tell you call recipient to 
have a cover story ready in case they are called to see who called them at a certain time. "Oh yeah, 
I have been getting odd calls, some time they just don't speak to I just leave the receiver off the 
hook and come back to it in an hour" or "Fuck off you running-dog capitalist pig I don't have to 
tell you anything". 

For spending hours talking to your geeky phrekin' mates you really need to start accessing 
conference systems. These are basically systems which join multiple lines together so all parties 
can speak to each other real-time. Those shite Partyline things are basically fucking expensive 
conferences (although now they are not allowed to even be real-time!). There are two general ways of 
accessing conferences. 

1.  Social Engineering/Carding 

This is a piece of piss. Ring up your directory enquiries or look on the Internet for 
teleconferencing numbers. A good way of accessing these things is to call the USA through one of 
your US-terminating out-dials. This allows you access to the many US based conferencing companies as 
well as hiding your phone number. You need some information before you call. Get some US names and 
addresses - check out the Internet. People often put such info. at the bottom of their newsgroup 
postings. The name, address, zip code and telephone number must match. Basically just ing them up 
and ask to set up a conference. The conversation will go something like this:- 
TC "Hello thank you for choosing XYX Teleconferencing Ltd, how may I help you?" 
You "Hi I would like to set up a conference please" 
TC "Sure when would you like it for?" 
You "in about 15 minutes" 
TC "How long for and for how many people sir?" 
You "4 hours and for twenty people please" 
TC "What is your company name, your name and address please" 
You "3M corporation, John Mackenzie, 1020 Slow St, Happy Valley. Minesota Zip code 12232" 
TC "Was that Mackintosh" - (how!?) 
You "No that MACKENZIE" 
TC "Sorry about that" 
You "No problem, it's a bad line" - probably because you're calling through 16 extenders! 
TC "And what's the billing number" 
You "that's 1-513-2344-3434" 
TC "Fine that has been set up - please dial 1-800-854-8554 to access your conference. The conference 
number will be 54334. What would you like for your pass-code?" 
You "Err 8232 please. Oh by the way, I have some people accessing the conference from the UK. What 
number do they need to dial?" 
TC "That will be 0800-756-3333" 
You "Thanks" 

Now you and your mates can call the relevant access numbers and enter the codes and get chatting. 
This works virtually every time with most of these companies - think about it, how the fuck are they 
supposed to find out who is vaild or not from that info. You can even get cheeky and use someone's 
account. Try calling AT&T teleconferencing and saying you are John Doe from some big company" Try 
anything you like. Remember they really don't know who you are. 

Some companies allow billing to a credit card. You can generate these pretty easily using 
CreditMaster and use them. This however does tend to carry a heavy penalty and also fucks over some 
poor unsuspecting member of the public (if that bothers you) Anyway there's no need. 

2.  Company Conferencing Systems 

Companies having realised how handy but expensive teleconferencing is have set up their own 
conference boxes. 

The most common one in the USA is Meeting Place. You will find these on the end of 0800 numbers or 
on extensions of Octel VM systems systems (try spelling MEETING into the directory to find the 
extension or just get scanning). They welcome you with "Welcome to Meeting Place. To attend a 
meeting press 1. To access your profile press 2 etc" What you need is a valid profile number. These 
a 3-17 digits but generally are between 4 and 6. You just have to keep trying until you find one. 
(There are default profiles on 0001, 0002 and 0003) The pass-code may be something like 123456. Once 
you are on these you can set up conferences when ever you like for loads of people. You can lock the 
session, form splinter sessions and boot people out like IRC. You don't need to know too much more 
as they are voice-prompt city. However there are some important features which stop you from getting 
noticed  - the exact layout of Meeting place is in another text file, cryptically entitled 
"Phreaking Conferences with Meeting Place". 

See ya 

uV and Senor Cardini 

Shouts to Darkcyde Communications + Hybrid + Public Nuisance + Nitrous Oxide 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH