Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking General Information :: sic-pbxs.txt

Madrox's guide to... Extender and PBX hacking


Back, oh say five years ago, making long distance calls for free was a
given. It was no problem to call up a BBS (even a lame one) and get from the
message bases 4 or 5 different codes to make a call to the other side of the
country for free. If there were no codes going around, there were always
TeleNet and TymNet outdials. Today, it's a different story. It's now pretty
much impossible to get an NUI for TymNet or TeleNet (SprintNet) unless you
have an inside source. And with ANI, don't even bother extender hacking...
UNLESS you know how to do it.

Hopefully, this file will teach you how to do just that. I'm writing this
file with the hope of reviving the lost art of extender/PBX hacking and ld
for free. Part I is geared for the beginner who might not even know what an
extender or a PBX is. Part II is my own personal theory (not necessarily
SiC's opinion or the right one, for that matter) on how not to get caught.
Part III is a list of actual extenders and PBXs to get you started. If you
already know and understand extenders and PBXs, skip to part II of this
file. Hell, if you're a stud, go to part III.

 Û                                                                          Û
 Û                              _-=>Part I<=-_                              Û
 Û                                                                          Û
 Û            _-=>What the Hell's an Extender? What's a PBX?<=-_            Û
 Û                                                                          Û

A PBX is not the same thing as an extender, although their names are often
used interchangeably. An extender is usually owned by a long distance
telephone company such as AT&T, MCI, Sprint, Cable & Wireless, or ITT
although smaller companies do own extenders. Extenders are usually found in
the 800 NPA or in the 950 exchange. The 950 exchange is a Specialized Common
Carrier (SCC) used by long distance companies. Extenders can often be found
in this exchange. It can be reached just as if you were making a regular
local call. Dial 950-xxxx, and you will most likely get a recording. If you
get a dialtone, you've found an extender. Carriers are sometimes found in
the 950 exchange. The disadvantages to 950 numbers is that they ALL have the
ability to trace and they are not a toll free call from a pay phone.
(they're free from your house) The most widely used 950 extender is ITT's
950-0488. I will talk about 0488's later.

Most of the extenders that you would want to hack on are 800 numbers that
are property of a long distance company. Extenders are set up by the telco
as a courtesy to its subscribers. An extender serves the same purpose as a
calling card. It would be impractical for a person who travels a lot or who
is off at a school to drop 10 quarters into a payphone every time he wants
to make a long distance call. And some calling cards are a pain in the ass
with all the carrier access codes that must be dialed. So to make things
easier for their customers, long distance companies have set up extenders
for their customers. The telco sends their subscriber a letter saying
something to the effect of:

    Hello Mr. Wogonoppy!

        Thank you for choosing Cable and Wireless's new dial-from-
        anywhere plan. To make a call from any phone in the United
        States, dial 1-800-234-5678. At the tone dial 765432 (Your
        secret authorization code) from a touch tone phone. After
        the second tone, dial the area code and number that you are
        trying to reach (do not dial 1). The call will be added to
        your monthly long distance bill. Do not give your secret
        code to anyone! If you have any questions, you may contact
        customer service at 1-800-234-5679.

Ok, the letter might not be that simple, but you get the jist of how it
works. There are tons of extenders out there. So if you want ld for free,
all you have to do is get someone else's authorization code on an extender!

Before you worry about finding valid codes, you first have to find some
extender dial ups. Ok, so how do you find the dial ups? Well, if you're a
good social engineer you can always call up AT&T and say you're so and so
who forgot the 800 number that you're supposed to call to enter you secret
authorization code. If you sound like you're supposed to know the number,
you just might get it. But don't get your hopes up.

The most effective way to find extenders is to scan an 800 prefix. If you're
sick of doing your homework, pick up the phone and dial 1-800-xxx-xxxx.
Write down all the cool stuff you find. VMB systems, funny tones, numbers
with a different ringback, anything out of the ordinary. If you dial a
number and get a dialtone, it is most likely an extender. If you get a short
beep and then silence, it could also be an extender. If you get a constant
tone that stops when you enter a touchtone, such as Sprint's 800-877-8000,
you most definitely have an extender. And if you get a prompt asking for
either your authorization code or the number you are calling, you have
probably found an extender. (duh)

Write down any numbers that you think might be something good. Hell, if you
dial 10 numbers a night, sooner or later you are likely to find a virgin
extender. And if you get your other 6 friends to each do a separate 800
prefix, you're gonna get lots of extenders. Yeah, it's gonna take a while,
but just think of all of the free and safe long distance calls you are going
to be able to make!

Well once you have the extender, play around with it so you can figure out
its dialing format. There are basically two things you must determine before
you can begin hacking.

1) Whether the extender wants the code or acn (area code and number) first.
2) How many digits are in the code.

The extender is going to do you no good if you can't figure out the format.
You could try 1,000,000 different codes on an extender and never get a good
code if you think the format is code + acn and the format is really acn +
code. You will never be able to use the extender to make a call if you can't
figure out its format. Some systems will want a 7 digit code and then acn.
Some systems will want the acn and then a 4 digit code. Some systems will
want the code and destination number dialed successively with no pause. This
is what you must determine before you can begin your hacking.

Well how the hell are you going to do that? Some systems will give you
instructions such as "Please enter your authorization code" or "Please enter
the number you are calling". (AT&T SDN) Others will emit a dialtone or a
beep tone and then be silent. The ones that give you no hints about the
format for dialing are the ones that are gonna give you the most problems.
So if you come across a vague extender, just use common sense. Pretend
you're a legitimate customer with a card trying to remember how to make a
long distance call.

You dial an 800 number and it responds with a dialtone. You dial 6 digits.
On the sixth one, you get a reorder (a quick busy signal) Well, you now know
that this system wants a six digit code first. It can't want the acn first,
as an acn is always 10 digits long. On another extender you dial 10 digits.
After the tenth digit, you get another beep, or a second dialtone. This
should tell you that the system wants the acn first, and then a code.

Well, say you dial away and get no response from the system. Now just about
the only thing you can do is listen to the error messages. Sometimes after
you enter a bad code, you will hear something like "The 8 digit
authorization code you entered is not valid. Please try again and dial your
authorization code followed by the number you are trying to call." Sometimes
this same thing happens if you just let the extender sit for a while.

Ok, now for the infamous PBX. (Private Branch eXchange)

A PBX can be manipulated in the same way as an extender. However, they are
not designed specifically for people to place long distance calls from as
extenders are.

A PBX is pretty much a block of telephone numbers owned by a certain
company. A PBX will sometimes have a different ringback than other numbers
in the same prefix. To see what I mean, dial 203-599-7000. And then dial any
other 599 number out of the 7xxx range. The 599-7000 has a different
ringback than any other numbers in the prefix because it's a PBX. It is not
a PBX in the sense that if you enter the right code you will get an outside
line. It is my guess that this particular company has an internal extension
system, ie every employee has a phone at their desk, but instead of dialing
599-7654 to reach another extension down the hall, all they have to do is
dial "654". I would assume (and I don't know for sure) that in order for the
people at this particular company to get an outside line to make an outgoing
call, they must dial a "9" and then wait for an outside line before dialing.
This is what makes it a PBX.

You can tell when you've got a PBX if you have to dial another digit
(commonly *, #, or 9) to get to an outgoing line. For example, on the PBXs
that I have seen that are controlled by an IBM Rolm, the people within the
company must dial 9 and then the number that they are calling. (On a Rolm,
you can monitor individual trunks and watch calls being dialed in real time)

Well, if a PBX is just a block of numbers for people within a company to
make calls with, then how do people confuse extenders and PBXs? Well, some
PBXs (and not all!) have a dial up line. Of course, this dial up is intended
to be used by people who work for the company. If John Wogonoppy can't get
all of his work done at the office and it has to be done by the next day,
he's gonna take it home with him. He has to call his distributor in
California to schedule a delivery. Well, it's not fair to him if he has to
charge this business related phone call to his own home phone bill. So this
is where the dial up line to the company PBX comes in. The company sets up
an incoming line to their PBX that is known only to employees. So John calls
this line and is connected to his company's PBX. He then enters an
authorization code so that the company will know which of their employees
made the call. After John enters this code, he hits a 9, #, or * to get an
outside line. Once he has this outside line, he places the call just as he
would from his desk at work and it will not cost him a cent. So you can see
how people often confuse an extender with a PBX. They can be used to
accomplish the same task.

Pros and Cons of Extenders versus PBXs.

A major disadvantage of extenders is that they are usually 800 numbers. Most
(but not all!) 800 numbers have the ability to trace. Unlike extenders, PBXs
can often be found in a prefix local to you. If you are lucky enough to find
a local PBX, don't abuse it! Most likely, the PBX does not have the ability
to trace. And you could probably sneak a few calls through it each month
without being detected.

Extenders can usually only make calls to the Untied States and Canada. I
have never seen an extender (apart from one) that has the ability to call
anything apart from normal area codes. PBXs (unless a call block is
installed) can usually be used to reach just about anywhere. I have used a
PBX set up at a college in Florida that would dial ANY TELEPHONE NUMBER IN
THE WORLD (including 700's, 900's, and overseas). All you needed to do in
order to get an outside line was to dial a "*" from the main prompt! This is
not the norm, as most PBXs require at least a 4 digit code before you can
even dial the 9, *, or # for the outside line.

 Û                                                                          Û
 Û                              _-=>Part II<=-_                             Û
 Û                                                                          Û
 Û                          _-=>Madrox's Theory On<=-_                      Û
 Û                                                                          Û
 Û                   _=:>Safe Extender and PBX Hacking<=-_                  Û
 Û                                                                          Û

A text file just wouldn't be a text file without an explanation of ANI,
CAMA, or ESS. ANI, or Automatic Number Identification, is what gives ESS
(Electronic Switching System, our switching system) the ability to instantly
trace calls. The following are recorded on a tape in the Centralized
Automated Message Accounting (CAMA) office for every call that is made under

   1. The numbers of the calling and receiving parties
   2. The time of call origination
   3. Whether or not the called party answered
   4. The time at which the caller hung up.

So wrong numbers, toll-free numbers, and local calls are all recorded on the
CAMA tape. This tape is then processed for billing purposes. Normally, all
free calls (800's and local calls) are ignored. However, the billing
equipment has been programmed to recognize many different types of unusual
activity involving these free calls. CAMA has the ability to detect exchange
scanning as well as extender hacking because it treats 4000 calls
originating from a single trunk in a small period of time with the same time
interval between each number as an error. So, to avoid detection by CAMA and
your local CO (Central Office, or telco) you should limit your extender
hacking and exchange scanning to 500-800 calls per night. To further reduce
your chances of being detected by CAMA, it is advisable to hack during
business hours. Because there are so many more calls being placed during
business hours, your scanning will not be as obvious as it would at 4:00 AM.

Now that you know how to avoid detection by your local CO, you must know how
to avoid detection by the systems that you will be hacking on. Most
extenders are now ANI protected. Because of this, you should always assume
that each time you place a call to an extender or a PBX it has already
received your ANI information and knows the number you are calling from. ANI
information is normally disregarded unless the extender notices abnormal
activity. Extenders are programmed to detect patterns, ie the same
destination numbers being dialed with different codes, mono dialing
(constant dialing at the same speed), and errors per minute/pattern failing.
Most extenders have been programmed to detect patterns in the following

1.) Codes dialed. Sequential code guesses are the biggest no-no. In other
words, don't call up and enter 0000 for a code, then try 0001, then 0002,
etc. That's the same as saying "Please send me a phone bill for extender

2.) Calling patterns. Say that on an average Sunday night an extender
receives 2 calls between 3:00 AM and 4:00 AM. So on Sunday morning you hack
on the extender all night long and place 100 calls in that one hour period.
Your hacking is going to be noticed. It's safe to say that almost every
extender is programmed to look for something like this.

3.) Touch tone spacing. Most people who use extenders will be manually
entering their codes. So say you try to be slick and store 30 destination
numbers in your memory dial. Great, but the phone dials each one with the
same touch tone spacing. This is a major problem with extender hacking
programs. Nobody can dial a phone making each digit exactly the same length
with exactly the same spacing. And nobody is quick enough to dial a phone
with only 40 ms between each touchtone (ats11=40). Extenders can detect
extremely quick dialing as well as dialing that is too "perfect" to be done
by a person.

4.) Pattern failing. If an extender gets a bad code attempt every 12 minutes
and 29 seconds for five hours straight, you can bet that your ANI
information has already been logged. I know this for a fact because this is
what got me in trouble. I was using a program that rotated calls to 10
extenders so that each extender received only about 3 calls per hour. I
thought I was safe because there were so few calls per hour, but a certain
extender in the group that I was hacking on detected a break in attempt
because it noticed that it was getting multiple bad code attempts with
exactly the same time interval between them over a long period of time. The
company (Telecom USA, part of MCI) said in their letter that their computers
noticed numerous bad code attempts that were made a uniform time apart at
all hours of the night. The moral of this story is to never use a code
hacker that doesn't randomize time between calls.

5.) Destination numbers. Don't use the same destination numbers when using a
code hacker. If you are hand hacking make sure that you use working numbers
for your destination numbers. This will prevent your from confusing a bad
code message with a recording saying "I'm sorry, but ..." It would make
sense to me that some extenders would be programmed to look for calls to
SprintNet and TymNet access ports. Why? Well, just about every extender
hacker comes with a list of destination numbers that will emit a carrier
100% of the time. All you have to do to get a list of these numbers is call
up Sprintnet, type "c phones", and you will get a listing of all the TymNet
and Sprintnet access ports. And what do you think most code hackers use for
their random destination numbers? These ports! And I'm sure this is common
knowledge to long distance companies. So if someone had half a brain, they'd
program their extenders to look for multiple calls to these TymNet and
SprintNet ports. So if you're using an extender hacker, it would be a good
idea to add at least a few destination numbers that are "more original".
Multinode systems work the best as they will most likely not be busy.
Compuserve ports are less widely known. Your lists of carriers that you have
found by scanning local exchanges should work fine. Just modify the data
file that contains the destination numbers.

The key to safe extender hacking is to use complete randomization to prevent
the extender from noticing any patterns. The ANI supported fraud protection
of many extenders can be rendered useless by using a program that supports
complete randomization. With complete randomization, ANI is another useless
protection system carried by extenders.

Hand hacking is the easiest way to ensure complete randomization. Basically,
hand hacking is just calling up the extender, entering a random code, and
then entering a destination number. Hand hacking is especially useful when
you don't know the exact format of a code. If you fool around long enough
with an extender, eventually something different will happen. This most
likely means that you have found a good code, and thus figured out the
format of the extender. Now that you know the format, you can let your code
hacker take over and do the work for you. Also, without even trying, you
will have randomized all of the things that an extender looks for.
Obviously, it is possible to hand hack from a payphone. This is great for
those times when you find a PBX with a 3 or 4 digit code and want to get the

The most practical way to hack codes is with a code hacker for your
computer. Unfortunately, this is also the most dangerous way. The code
hackers I've seen for the IBM are fair at best. They all need more
randomization, options, etc. A good code hacker supports random touch tone
spacing, random time between attempts, templateable codes, variable time
between code and destination number, has at least 500 random destinaion
numbers, etc. You get the picture. Hopefully, one of SiC's future releases
will be a code hacker that will change the entire IBM extender hacking

Ok, so once you've found some valid codes, what should you do to make sure
you don't get caught? I've heard two theories about what should be done with
valid codes. Some people say that you should keep your codes to yourself and
never distribute them until you are done with them. The advantage to this is
that you have a better chance of going undetected. However, if you are
traced, there is a greater chance that you will receive a bill (as you are
most likely the only one who is illegally using the extender)

Some people say you should distribute your codes to everyone. If the telco
learns that fifty people have used their extender to place illegal calls, it
will not send them all bills. It might use one or two of them as a scapegoat
and send them a bill. I know this for a fact because I used the old "102221
code" a couple of times and never got a bill. AmericA used it A LOT and got
a bill. So why did he get one and I didn't? Well, to answer that question,
keep in mind that when you are hacking codes you are not ripping off the
long distance company! They are charging us outrageous rates for something
that should be a free public service. They know they're not losing any
business to people who make illegal calls through extenders because most
people who illegally use extenders would not make the long distance call if
they couldn't do it for free. So the telco's don't lose any business, and
they know it. This is a major reason why telcos don't always bill people. It
costs too much to pay a secretary to type up 50 letters, address them, mail
them out, etc. So they just bill a few of the people who used the extender
to get the message out to the others.

This laziness on the part of the long distance company is why many people
say that you should not hack on extenders that are property of your long
distance company. If you have MCI, and you use an MCI extender, MCI can just
conveniently add these calls to the end of your monthly phone bill. But if
you have MCI and you hack on an AT&T extender, AT&T can't just annex their
calls to the end of the MCI bill. They would have to send a separate letter
which costs them some $$$. I have MCI and I was busted for one night on an
MCI extender. But I have used hundreds, if not thousands (literally) of
hours on AT&T and ITT extenders and never received a bill.

Ok, so what about 950s? Anyone who has used a 950 extender knows that their
connections are usually VERY clear which makes for excellent error-free data
transfers. Some people say that you are going to get caught for sure if you
use extenders in the 950 exchange. Well, this is not necessarily true.
Although many people are busted on 950's, many use them and do not get
caught. I have spent many many hours on 950-0488 and have never got in any
trouble. In my opinion, that is the safest 950, although many people will
tell you different. The 950 exchange was created for the long distance
company's benefit so they could have the same dialup in all cities across
the USA. For some reason, the long distance companies rejected the 950
prefix in favor of 1-800 numbers. 950s can trace your call before you even
think about dialing one of them. But tracing only occurs on special
occasions. The companies on 950's will only trace when the computer
controlling the call sees that there is an unusually high number of calls to
the extender on that particular day or detects one of the tell tale patterns
of extender hacking that I mentioned above.

People seem to think that if they get caught extender hacking that the feds
will confiscate their whole house and then throw them in jail. It may be
hard to believe, but MOST feds have better things to do. If you get caught
hacking on an extender, you might get a phone call or a letter from the
company telling you not to do it again. Long distance companies can bill you
for the actual long distance calls. They can also bill you for each call
that you make to their extender. Thankfully, this almost never happens. If
you do get a bill, ignore it. There is a good possibility that if you don't
keep calling the extender that billed you, you will hear nothing more from
the telephone company. But if you get a second or third letter, it is a good
idea to pay your bill to avoid pissing off the company even more.

If for some reason, you are REALLY paranoid, there are some things that you
can do. Take all your codes and copy them onto a small piece of paper. If
you had them stored as a text file in your computer, erase it. Add digits to
the codes to make them look like phone numbers. If the codes are 6 digits,
add a 7th digit to the end and add a hyphen to make them look like phone
numbers. Rewrite the new formatted codes onto a new piece of paper and hide
it. Destroy the old one and hide the new. (Make the paper small enough to
hide almost anywhere.) Now you don't have to worry about anything if for
some ungodly reason the feds do decide to search your house. (Maybe if you
accidentally hack on President Clinton's private extender and they think you
are plotting to assasinate him or something.)

BTW, Code hacking is a fedral offense. Destroy all old codes as soon as they
go bad.  Having over 15 codes that are dead now but were valid at one time
is also a federal offense. It is a good idea to only use codes for 2-3 days
after you hack them. It is best to hack during business hours on weekdays,
or on holidays. Since more people are using their calling cards at this
time, your calls are less likely to be noticed than at 4:00 AM.

  Û                                                                          Û
  Û                              _-=>Part III<=-_                            Û
  Û                                                                          Û
  Û                           _-=>The Good Stuff<=-_                         Û
  Û                                                                          Û
  Û                 _-=>Working Extender and PBX dialups<=-_                 Û
  Û                                                                          Û

I went through tons and tons of notes to compile this list. I was pissed
because at least 50% of the extenders in my notes were no longer working
numbers. So, for now here's 40 or so that are all working as of February 24,

Code formats that are not enclosed in brackets are definite. (either I have
found codes on this system using that format or it is possible to determine
the format of the code from the system. Formats that are enclosed in
brackets are not definite but are probably the right one. If I didn't write
anything about the code format, then I have no clue.

Note: All extenders that say SDN after them are AT&T SDN (Software Defined
Network) extenders. Most SDN extenders usually have a 10 digit code with the
format of 5031yxxxxx where y is 6, 7, or 8 (although it can be anything) and
x is random. Assume this to be the format for all SDN extenders. However,
some SDN extenders can have 5 or 6 digit codes. The only way to determine
this for sure is to find valid codes on the system.

800-225-5946 + 50316xxxxx + acn SDN
800-234-5095 + 13 digit code + acn
800-245-6332 + acn + 10 digit SDN code
800-274-4472 [+ 12 digit code + acn]
800-279-1119 [+ 4 digit code + acn] or 14 digit code + acn
800-288-2880 uhh, AT&T?
800-288-8845 7 digit code + acn
800-292-3044 [+ acn + 10 digit code] SDN
800-321-6902 + 3 digits + ? PBX
800-333-2321 probably a PBX
800-333-3425 [14 digit code + ? or 4 digit code + acn]
800-336-7800 + acn + 10 digit code SDN
800-366-4000 [+ 7 digits + acn] (Sprint)
800-367-6546 [6 digit code + acn] SDN supposedly easy to hack
800-433-4778 [+ acn + 10 digit code] SDN
800-445-0503 [+ 10 digit code + acn] SDN (503158xxxx)
800-456-1212 supposedly six digits + 1 + acn
800-456-2253 + 2 digits + ? (25 works) PBX
800-468-0234 [+ acn + 10 digit code] SDN
800-525-5445 + 5 digit code + ? A possible PBX
800-535-1922 [+ acn + 10 digit code] SDN
800-538-6423 4 digit code + ? This is most likely a PBX (not voice mail!)
800-638-2633 [7, 8, or 10 digit code + acn] SDN
800-648-5868 [+ acn + 10 digit code] SDN
800-727-0200 [+ 8 digit code + acn]
800-727-3333 [+ 14 digit code + acn] Gives fake carrier at bad code
800-826-9885 6 digit code + acn
800-862-6233 + 12 digit code + acn
800-877-8000 + 0 + acn + 16 digit Sprint FON card
800-882-2255 + 6 digit code + acn (dangerous)
800-899-4480 [+ 8 digit code + 1 + acn] Cable & Wireless
800-899-9898 [+ 8 digit code + 1 + acn] Cable & Wireless
800-950-1022 + 0 + acn + 16 digit MCI calling card
800-999-7592 ITC Networks
950-1022 + 0 + acn + 16 digit MCI calling card (same as 800-950-1022)
950-1033 + 7 digit code + acn (Sprint)
950-0488 + 13 digit templated code + acn
known 0488 templates: xxx921x648699

--Madrox[SiC] February 24, 1994--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH