// Exchange Scanning Part Two //
// by decoder //
// http://www.oldskoolphreak.com //

Intro:
------

In the months that have passed since my first article on exchange scanning, I have been approached by many people asking for more tips and tricks that I use while scanning. I finally have come up with enough good material to warrant a follow-up to the original article. Think of this as a supplemental release, as well as a chance for me to correct some errors I made. There are also a few things that I forgot to mention originally, as well as some important updates. Maybe one day I will compile both articles, along with some other info and numbers, and create one big definitive guide, but I'm still a lazy fuck, so don't hold your breath... anyway, enj0y!

Tips & Tricks:
--------------

One thing that has caused concern among people is the random callback. When you dial hundreds of phone numbers without blocking your caller ID, you are bound to have concerned citizens call you back. I read a paper once on paranoia and caller ID concerning this very topic, and let me tell you, it was extremely disconcerting. There is a certain segment of the population that believes when they receive a mysterious phone call, it is part of some conspiratorial plot against them. These humans are known as "morons."

My father is one of these people. I remember many years ago, he received a page. The number that was displayed on the pager was that of a payphone somewhere. He immediately blamed me for this mysterious page he received in the wee hours of the morning, and he accused me of being out somewhere after curfew. When I reminded him that he was, indeed, an idiot, and I was asleep in bed at the time, he actually uttered these words to me: "How did they get my pager number?" I was completely dumbfounded as to how to react to this statement. What the fuck do you mean, how did they get YOUR phone number? They didn't know it was YOU... it's called dialing a WRONG number.
This moronic, self-important way of thinking is what you must keep in mind when dialing blocks of numbers. These people live among us, my friends, and trust me, it is not pretty.

There are two easy solutions to this problem. The first, and most obvious one, is to block your caller ID when scanning. You can use Per-Call Blocking, by dialing *67 before each call, or if you wish to save some dialing time, simply subscribe to All-Call Blocking. I can't understand why everyone doesn't already have this service. After all, it's free (at least it is in Verizon Country), and it makes sense to have it, just in case you forget to press *67.

Another less practical option is to build yourself a box that will dial *67 for you each time your phone goes off-hook. The problem with this is that it will also dial *67 each time you pick up an incoming call, which might annoy your callers. Also, why build a box when you can subscribe to a free service that will do the same thing? But, for those interested in building such a device, think of the Telezapper. When you have a Telezapper on your line, whenever the phone goes off-hook, it plays Special Information Tones, or SIT. Building a box on this premise, but for dialing *67 instead of playing SIT tones, shouldn't be that hard, albeit relatively useless.

Now, there are a few things that I feel the need to mention about exchange scanning. The first is that it is always a good idea to let a number ring at least ten times. I realize that it is quite tedious, especially when you find a block that is filled with ringouts, but it is very important. I have found that in Verizon land, many employee voicemail numbers don't pick up until about seven rings. I have also, on rare occasion, found very odd things after ten or even twelve rings! The point is, if it's ringing, be patient... there may be a cool prize waiting if you give it time.
I also must stress that reorders and busy signals, as well as ringouts, are pretty useful to have, so always keep a detailed record of your scan. When I type up my scans, the only numbers I leave out are the ones that play the default error message, which is the one that you would hear on any vacant number. Everything else you find, make a note of it.

Next time someone asks for your phone number and you don't want to give it to them, give them a number in your area, or any area, that is always busy, or one that rings forever. It's a better idea than just giving them a random number that you make up on the spot. Always have that fake number ready!

Another way to have some creative fun when scanning exchanges is to use a prepaid phone card. If you don't have long distance on your line this can be especially useful. When scanning the 00xx or 99xx blocks of an exchange, most of the numbers in there are cool error messages, which are free to call. They do not supervise, therefore you don't pay. It's amazing how many people forget that you don't get charged to call an error message, whether it is a local or a long distance call. When you use a phone card to scan these ranges, no credit will be taken off of the card unless you hit a number that supervises, so you can scan all day and night and not have to worry about charges on your bill or your ANI being passed.

There are a million and one different phone cards, so you must choose one specifically for this purpose. The most important thing is a card with NO connection fees! When you scan these ranges, you are going to run into some milliwatts, carriers and employee numbers... all of which supervise. You don't want a buck taken off your card because you got deafened by a milliwatt. It's also very convenient if you can find a card that will let you make unlimited non-connecting calls in one session.
Most cards only allow three to six failed calling attempts before forcing you to disconnect and redial the access number and PIN.

Scanning with a phone card is also a good idea for those worried about the legalities of scanning. If you're worried about the telco seeing that you like to dial hundreds of sequential numbers, by diverting through the phone card, you are giving yourself a bit of extra protection.

Toll-Free Telco Exchanges:
--------------------------

On the topic of things that I neglected to mention in the original article, one subject immediately comes to mind... Verizon's 890 exchange here in New York. This is a toll-free exchange (not NPA), in which there are various offices such as repair, and a few other interesting things. You can dial this exchange from outside of the area by preceding it with any New York area code. While, according to the Verizon Directory, this is a toll-free exchange, if you are calling from outside of New York, you may get charged for the call at your normal long distance rates, but I'm not quite sure. It may still be free, who the hell knows? Here are some 890 numbers for your phreaking enjoyment!

890-1590  Residential Service (English)
890-2005  Residential Service (Spanish)
890-1776  Residential Service (Korean)
890-1755  Residential Service (Russian)
890-6611  Repair
890-0200  Business Service (orders & product info.)
890-1400  Business Service (billing questions)
890-7711  Business Repair
890-0550  Center for Customers with Disabilities (V/TTY)
890-1900  Verizon Call Block Test Line (to test caller ID blocking)
890-8248  Bell Atlantic Call Block Test Line

BellSouth also has a similar exchange, 780. It can be reached from any state in BellSouth territory, but not from anywhere else. I also believe that you must have BellSouth service in order to reach it, unlike Verizon's 890, which can be reached from any phone, anywhere. This lack of accessibility has left me with little knowledge pertaining to the 780 exchange.
I encourage everyone in BellSouth territory to scan out this exchange and see what lies hidden. There may be some very interesting numbers, although us Northerners won't be able to call them. And, of course, everyone should play around in New York's 890 exchange. Just remember, it's Verizon... they are probably logging your ANI.

While on the topic of telco exchanges... in the original article I briefly touched on the 959 exchange. I had stated that it was owned by AT&T, but this is not the case. What led me to believe that it was operated or owned by AT&T is that weird things happen when you dial numbers in the 959 exchange through AT&T's network. Usually you hear milliwatts and other tones in the 959-1xx0 range. You can reach these numbers by using an AT&T PICC, such as 10-10-288. Most of the numbers in the 1xx0 range are constant across NPAs; for example, 1000 and 1500 are usually milliwatts, no matter what NPA you choose.

One new trick I have been informed of is that the 69xx range, specifically up to 6920, is very interesting, indeed. There are all sorts of cool AT&T 4ESS error messages in this range, and they are different depending on what NPA you choose to scan. At the end of the error message, you will hear the office code. My area is 104t (White Plains, NY). I also had stated that these 959 numbers did not exist in New York. It turns out that they do, although for some reason, you cannot reach the 4ESS error recordings in your own area, so I can't dial them in my own area code, but I can reach the recordings in 212. Just remember, in order to reach these numbers you must use AT&T's network, and, as I have stated earlier, these are error recordings... you cannot be charged for calling them, so don't be hesitant to use AT&T's PICC to dial them, it's free.

Info on Your Exchange:
----------------------

When I wrote the first article, the most popular website where you could obtain information about your exchange was telcodata.us.
I had included that site as an indispensable source, but unfortunately, telcodata is no more. It was a sad day, indeed, when the news of telcodata's demise first hit, but there is no need to worry about it anymore. There is a brand new site where one can obtain info about their exchange and switch. It was created by ntheory and the URL is (http://entanglement.net/~ntheory/phreaking/NPA.php). Not only does this site have all the information from NANPA and DSLreports, but it will soon become a database for everyone's exchange scans!

What is being planned is a database of exchange scans, submitted by anyone who wants to help out. So everyone who reads this article and does some scanning, submit your work to ntheory (ntheory@binrev.com) and your scans can be added to the NPA.php site. Anytime someone looks up the exchange that you scanned, they will know what lies hidden in there. I, for one, think this is the most elite idea ever! This site should bring exchange scanning to an entirely new level... a central database which acts as a telephone directory... not for customers' phone numbers, but for all the numbers that are important to phreakers.

Some Numbers:
-------------

This article wouldn't be complete without a few numbers. Once again, I have some numbers from scans I have done around the country, and if you look around in these exchanges, you are sure to find a bunch of cool stuff.

609-729-9928  [sit] we're sorry, the long distance company you have selected is unable to complete your call at this time. please try your call again later, thank you.

856-767-9975  the person you are calling is busy, please try your call again later.

206-343-0011  [sit] this call requires a coin deposit. please hang up momentarily, then redial your call by first depositing the local rate posted on the instruction card, or dial zero for the operator.

516-378-9932  milliwatt (1004 Hz tone)

845-735-9988  if you need to report a police, fire or medical emergency, hang up, regain dial tone and dial 911. all other calls from this line are restricted. if you wish to discuss your telephone bill, please call your local telephone provider. if you wish to establish telephone service, call the provider of your choice.

541-967-0010  the business telephone number you have dialed is experiencing a temporary service problem. it has been reported to us west communications who is checking into the cause of the trouble. we are sorry for the inconvenience, please try your call again later.

631-473-9902  DATU (default system passcode)

914-664-9958  [sit] we're sorry, when you dial zero for calls within your area code, you now must dial zero plus your area code, then the telephone number. please hang up and try your call again.

sh0uts: dual for always putting my texts up on OSP, Strom Carlson for hooking me up with all the 959 and 4ESS info, and ntheory for giving us all npa.php.