TUCoPS :: Phreaking General Information :: pbxhack.txt

How to hack a PBX, by Bungalow Bill

       President/Founder, the Center for the Study of Viral Pathology

Ok, as phreaking continues to become more of a hazard, safer ways of 
obtaining free calls are highly sought after. A while back, a friend of 
mine gave me a PBX, and it has lasted ever since. But the more I used it, 
the more I wanted others, just in case the other went down. Therefore, I 
created my own method for finding, hacking, and using various other PBX's 
(Private Branch eXchanges).

A PBX quite simply, is a company owned service that allows employee's or 
anyone with the correct code, to call Long Distance and speak with others 
as far away as China. These PBX's generally do not contain anything like 
ANI, or tracing methods, so they are more the likely safer then hacking 

PBX's serve other purposes such as to allow intra-building paging and PA 
system use.  Finding the codes to access the PA system can be fun/useful 
too.  Some owner's pay a flat fee for the PBX because of the sheer number 
of legitimate calls made on the services by employees.  This is great for 
the PBX hacker, because this means they are less likely to be caught or 
have any
CLID or ANI services on the line.

Finding a PBX is not really all that hard. There are a few methods, and I 
suppose you could completely automate it, but you'd need a program that 
looks for the PBX tones, and I've never seen one before. Here's the 
method I use. Go grab a Newsweek, Time, or some other popular periodical. 
Flip through it, and make a list of the 800 numbers belonging to large 
companies, such as banks, law firms, or hospitals. Don't put down the 
ones that advertise being open 24 hours. You can also use the phone book 
for this, and I also know that there is The 800 Phone Book, which is a 
listing of the 800 numbers for companies, so if you feel like shelling 
out a few bucks for it, that's approved. Now, once you have a list of the 
numbers, wait until late in the evening, I do it around 11 pm, so that 
even if the number is in California, they'll probably be closed, but the 
later, the better.

Start at the top of the list, and dial. If you here a single tone, or an 
oscilating combination of two tones, put a check next to the number on 
your paper. Hang up. Repeat for the next number. If you get a recorded 
message which sounds like a Voice Mail service, wait and see if it says 
something like, "If you have a mailbox on this system, please press pound 
(#)." Press # and check what that does, because some companies hide the 
PBX behind a control command like that.

Now go back to the top of your list, and dial the first number with a 
check next to it. When you hear the tone, pound out the *, #, and 9 keys. 
If you suddenly get a dial tone, put a mark next to the number, and also 
put the combination of what keys you pressed to get it. Do that for each 
number on the list.

Ok, now go back to the first number where you got a dial tone. Dial it 
again, and type in the sequence you used before. When you have a dial 
tone, dial 1-800-692-6447 (1-800-my-ani-is. ANI is Automatic Number 
Identification). You will hear a recording which says, "Your ANI is: 
(XXX)XXX-XXXX. If it gives your home phone number, cross that PBX off 
your list. But if it gives you a number other than your home number, 
you're all set. Put that number in a new list, along with the digits you 
used to get a dial tone.

If, at some point, a recording at the PBX number asks for a code, that 
means that the program is protected with a code. We are currently in the 
process of writing a program that will scan 800 numbers for PBX tones, 
and will also crack the codes for you. Watch our file base for it, it 
should be finished soon.

Here is a list of PBX's that I know work. The ones with nothing after 
them are ones where you simply type * 9, # 9, or just plain 9 to get a 
dial tone. Ones with a number of digits after them, thats the number of 
digits in the code (code unknown). And the ones with a few numbers after 
them, those are the access codes. I dialed all of them after 11 pm EST, 
so they might give you an operator if you dial earlier than that. Enjoy!

1-800-221-5430                         1-800-843-0698  9 digits
1-800-221-5665                         1-800-682-4000  6 digits
1-800-221-5670                         1-800-654-8494  6 digits
1-800-221-8190  4 digits           1-800-641-4713
1-800-223-7854                         1-800-638-6402
1-800-243-7650  6 digits           1-800-637-4663
1-800-255-2255                         1-800-621-1703
1-800-321-0327  4 digits           1-800-621-1506
1-800-321-0424                         1-800-547-6754  6 digits
1-800-321-0845  6 digits           1-800-547-6017
1-800-323-4313                         1-800-547-1784
1-800-327-0005                         1-800-543-7168  8 digits
1-800-327-0326  4444-9           1-800-527-3511  8 digits
1-800-327-2703                         1-800-553-8432
1-800-327-6713  4 digits           1-800-424-9826
1-800-327-9136  4 digits           1-800-521-8400  8 digits
1-800-327-9895  7 digits           1-800-368-4222
1-800-328-1224  088759           1-800-368-5963
1-800-331-4100                         1-800-356-0001 
1-800-343-1319                         1-800-343-1844  4 digits
1-800-348-1800                         1-800-245-4890  4 digits
1-800-328-7112  4 digits           1-800-227-3414  4 digits
1-800-462-6471  5 digits           1-800-322-1415  6 digits
1-800-521-1674  4 digits           1-800-327-2731  6 digits
1-800-252-5879  8 digits           1-800-345-0008  7 digits
1-800-245-7508  5 digits           1-800-526-5305  8 digits
1-800-323-3027  6 digits           1-800-242-1122
1-800-621-4611                         1-800-325-3075
1-800-336-6000                         1-800-221-1950
1-800-323-8126                         1-800-325-7227

