Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking General Information :: pwrscan2.txt

Power Scanning II: Power Carrier Scanning

                           Power Scanning II:

                         Power Carrier Scanning

                         (C) 1999 El Oscuro/250

        Intro - What is Carrier Scanning?

If you're interested in what this file has to say, you've probably seen
the 1983 movie "WarGames" starring the nerdy but clueless Matthew
Broderick and the lovely but clueless Ally Sheedy.  So you already know
what carrier scanning is, because Broderick had his 1970's-vintage Imsai
8080 doing a carrier scan in the movie.  For those of you who just
arrived from Mars and therefore haven't seen WarGames, a carrier scan is
what happens when you program your computer to call every phone number
in every telephone prefix in the city, and make a note of which numbers
are answered by computers. The process is sometimes called an exchange
scan, a modem scan, or even a WarGames scan.

Today, there are many freeware carrier scanning programs for all
platforms, and they are easy to find on the internet and on BBSes.

        Carrier Scanning Pitfalls

As you can imagine, carrier scanning has some unpleasant side effects.
For starters, you end up pranking nearly everyone in the city, including
emergency services, etc.  The phone companies have largely dealt with
carrier scanning by putting software into their switches that detects
sequential dialing from one number, e.g. 253-0001, 253-0002, 253-0003,
253-0004 etc.  Some telcos will cut off your line temporarily when they
detect this, others will send a security goon out to "persuade" you to
stop, still others will dispense with the pleasantries, cut off your
line permanently, and sick the police on your sorry ass.  That's no fun.
Your mileage may vary, but I can tell you for a fact that my local telco
makes some pretty heavy threats on you if you sequential-scan just a few
dozen numbers.

Another problem with carrier scanning is that it takes a *long* time.
When your scanner calls a number that has a modem on it, it has to wait
up to 20 seconds to get a connection, so *every* number takes 20
seconds.  That means you can only dial 3 numbers a minute, 180 numbers
an hour.  It would take 56 hours straight to do a whole exhange from
0000 to 9999!  Do you really want to tie up your phone line for two and
a half days?  I wouldn't.

So how does a would-be carrier scanner today deal with these seemingly
huge problems?

        Slow Bauds Mean Fast Connects!

Well, for starters, you can reduce the needed connect time to 10 or 15
seconds by simply doing your scanning with a modem set to 300 or 1200
baud.  Most modemers don't realize this, because they do all their
calling at 33.6k or 56k, but the slowest baud rates on the modem have
the fastest handshake and connect time!  Scanning at 300 baud won't even
add a noticeable overhead to the dialing process - you know, the time it
takes the modem to receive the "ATDT 253-7000" command or send back the
"NO CARRIER" message.  If you could reduce connect wait time from 20
seconds to 10 seconds, with maybe 2 seconds of overhead (modem reset,
etc) between calls, suddenly you can dial 5 numbers a minute instead of
3, a 66 percent improvement in efficiency!

        Many Hands Make Light Work!

Secondly, and I know I covered this a bit in Power Scanning I, it always
helps a lot to have a few friends in on the action to help out.  Get a
friend scanning with you - or a second computer on a second line in your
house - or multiple computers scanning through beige boxes on the
telephone snake cable running through your apartment building - and that
56 hour scan gets demolished in 28 hours, or 14, or 7, or 3 and a half.
I don't know why more people don't co-ordinate their efforts in
scanning; I guess there are too many egos these days.

        Don't Dial Listed Numbers!

I am about to explain a technique that simply wasn't available to
Matthew Broderick's WarGames character back in 1983.  This is made
possible by the widespread avilability of phone directories on CD-ROM.

In a traditional carrier scan, your program dials every possible number,
without regard to what may be on the other end.  But what if your
program already knew for certain that some numbers would NOT have
modems?  What if it didn't call those numbers?

The fact is, most modem numbers are unlisted!  The ones that *are*
listed, are in the phone book - you don't need a scanner to find them.
But the really good ones, the ones you want to find, are all unlisted.
They don't appear in your phone book, and more importantly they don't
appear on your phone listings CD-ROM!

Now, there are quite a few WarGames dialers that allow you to enter a
list of numbers not to call.  This feature is there so that you don't
end up calling your family and friends during scans of their prefixes.
But what if you could put every *listed* number in the prefix in that
do-not-dial list?  Well, what would happen is that you would eliminate
50 to 90 percent of the numbers from your scan - you would be left only
with not-in-service numbers and unlisted numbers!

So, run your listings CD's browser program, export the whole prefix
you want to scan to a text file, delete the names and addresses so you
have just a list of phone numbers.  Cut and paste this into your scanner
program (if you're running a Windows or Mac scanner) or import it into
your scanner's config file or do-not-dial list - read your scanner's
docs for how to do this, I'm not going to hold your hand THAT much.

This technique has a really great bonus - by eliminating known voice
numbers from your scan and by reducing overall the number of times you
dial, you greatly reduce your risk of drawing unwanted attention to your

        Skip Unassigned and Cellular/Pager Blocks

There's one variant on the previous technique that should also be
applied to any carrier scan.  Sometimes, in sparsely populated areas or
in brand-new prefixes, all the phone numbers fall into a block.  For
example, way out in Spidercrotch, Manitoba, you might find that there
are only lines assigned in the range 204-642-2000 to 204-642-4000, a
2000 number range.  Or the brand-new 410 prefix in Springfield may, at
this time, only have 1200 numbers assigned, from 410-1000 to 410-2200.
A quick look in a reverse directory will reveal these.  Consider the
probabilities before you add what appears to be an unassigned block to a
do-not-dial list. Is the prefix new?  Is it in a heavily populated area
or a rural one? If the prefix is old, and in a metropolitan area, then
any big gaps you find in the listings are probably dedicated assigned
blocks, full of unlisted numbers - prime scanning territory.  Or else
they're pagers or cellphones.  Give a few random numbers in those ranges
a call and see if you get a recording that tells you the range is for
pagers or cellphones.  If it is, or if the prefix is in a rural area,
then scanning them is an utter waste of time because you won't get any
carriers.  So consider nuking such blocks from your scan, and consider

        Other Tricks of the Trade

 o Set your modem's dial speed (the S11 register) to the lowest value
   possible.  Most modems have a minimum of 50ms, the phone system can
   keep up woth dialing as fast as 45ms.  You can save a little time
   each call this way, which really adds up over thousands of calls.
   Just put ATS11=50 in your initialization string.

 o If your phone company offers a "Do Not Disturb" line feature,
   activate it before you scan, and have your scanner program renew it
   periodically if it has a time limit.  That way any incoming calls
   will not disrupt your scan.  This is especially helpful if you're not
   using *67 to block your Caller ID, because a certain number of people
   will try to call you back.

 o Be paranoid and use *67, but remember that you do NOT need to wait
   for the stutter dial tone.  ATDT*672537000 works as well as
   ATDT*67w2537000 and is one or two seconds faster.  Again, this adds
   up massively over thousands of calls.  If *67 costs per-call then
   your phone company is in a minority of shitheads, and you should
   investigate the cost and possibility of a per-line Caller ID block
   before you scan - unless you want your phone bill to come in a crate
   instead of an envelope.

 o If you've recently performed a hand scan of a partial prefix (as in
   Power Scanning I), you need not bother re-scanning that range with
   your carrier scanner, as any carriers would have been noted in your
   hand scan.  Add all the numbers in that block to your do-not-dial
   list to save time.

 o This is the only thing for which I'm going to grab you by the collar
   and shake you until it sinks in: DO NOT SCAN WATS (800, 888, 877)
   exchanges with your computer, or at least not from a phone line which
   can be traced back to you or to someone you need to stay
   alive/free/sane.  If you knew how few consecutive 800 calls it takes
   to set off an audible alarm at your local RNCC, you'd never call an
   800 number again!

        The Impact of Power Scanning

Remember I said that a traditional scan using no special techniques
would take 56 hours to do a whole prefix?

By setting a 10 second connect time, a 12 second total dial cycle, that
56 hours falls to 33 hours and 30 minutes.

By getting a second computer on a second line helping out, that 33:30
drops to 16:45.

By getting a friend to help out on two lines, or two friends to help out
on one each, 16:45 becomes 8:23.

By eliminating an average 50 to 90 percent of numbers from the scan by
ignoring listed numbers and unassigned blocks, that 8:23 falls to 4:12
at worst, and as little as only 0:50 if the prefix is saturated with
mostly residential listed numbers!  At 50 minutes a prefix, you could
cover a small city completely in one evening (7 prefixes in 6 hours)!

How about scanning an entire area code?  It's not out of the question
with Power Scanning!  Get a couple of dozen accomplices and totally
blanket an area code in weeks.  2600 wouldn't have room to print the

That's a 93 to 99 percent reduction in scanning time overall, and yet
it's 100 percent as effective and thorough as the grueling 56 hour
nightmare that hackers used to deal with in days gone by!

        Carrier Scanning Pitfalls II

You'd never add 911 to your scan list, would you?  Well, most people
don't know this, but the 911 call center also has an unlisted 7-digit
number - an alias - that is the same as dialing 911!  It may be the
"old" police emergency number from before your area got 911 service, it
may be in a special exchange, or (and this is the case where I live) it
may be a normal phone number whose last 3 digits are 911 (e.g.
250-361-9911).  911 Service was introduced to my area the same year
(1988 for anyone who cares) that the 361 prefix was created, so its
location makes sense.

There are two things you MUST do to prevent your scanner calling 911,
before you start on any automated scan of unlisted numbers.

First, you MUST exclude the 911 alias from your scan.  If you have
Caller ID then this is easy, just dial 911 and hang up.  They will call
back to find out why you hung up.  Tell them you're sorry, your phone
has a panic button and you accidentally pressed it, and then when you're
off the phone take note of what appeared on your Caller ID box.  Or dial
*69 if you don't have Caller ID.  The number you get back must be added
to your exclude list.

The other thing you have to do is go to your local library and look in
an old phone book (every public library that has phone books keeps
obsolete ones).  Get one from before 911 was instroduced to your area,
and add all the emergency numbers - police, fire, ambulance - to your
exclude list.  Chances are even if you have had 911 service for 15 years
or more those numbers still work and are forwarded to... guess where.

If your computer dials a 911 alias during a scan, they will first
try to phone you back and failing that, a police cruiser will visit.
Not a desirable occurrence.  So make sure it doesn't happen!


There's no doubt that the Internet has killed BBSes and rearranged the
faces of online services like Compuserve and Prodigy.  But hosting
modems of various descriptions are still on the rise and will be for a
long time.  Look in the October 1998 issue of Scientific American for
Carolyn Meinel's article on hacking.  It has a great example of why we
scan.  A company whose entire presence was on the internet, could not
keep a hacker out because someone in the company had installed a
"backdoor" modem without permission, the hacker found it and used it to
remain online even when the whole company network had been severed from
the internet! So the choice is clear - hack with the internet alone and
be l33t or use *all* the tools at your disposal and get something done
instead.  Face it, the need for carrier scanning will remain as long as
there are dialup modems!

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH