War Dialing

by VOM

Living in small towns most of my life it has been hard to find any information on phreaking and related topics.  So most, if not all, of what I have learned has been through trial and error and from a select few other people I have met who share the same interests as I do - namely computers and phone systems.

Also, the town where I live owns the phone company.  It is a rare situation and not many other cities own a telco.  And up until about 1989 they hardly had any computerization at all and were still using very old equipment.

I had one telco person say there were still some mechanical switches in the CO.  I don't know if that was true or not, but with CityTel I would not discount it.  They completely upgraded their system in 1990 and everything is computerized now.

Years ago when I was still in high school, I read about a program that would dial numbers sequentially for some mundane purpose.  At the time I had just bought a 300 bps modem for an Atari computer I had and was intensely interested in finding computers that I could connect with.  Being in a small town in 1983 (under 3000 people), there was no BBS or anything local that I could dial into so everything was long distance.  Not knowing a thing about phreaking, I figured I could write my own program like the one I read about to dial everything in my prefix area and have it look for computers.

After about a week, I had a program in BASIC that worked and did what I wanted.  I could only dial at night since it was on my parents' line.  In about two days, the program found a number that answered with a modem.

All I got was a prompt ("login>") when I connected to my mystery number.  I tried to get in for a few days but I had no clue as to what it was asking for.

I was in the local library and looking at some computer books when I saw the same prompt in a book.  It was a UNIX machine apparently.  Well, after that I started to look for anything that was about UNIX.  I finally found an ID that got me in - UUCP I think it was.  I must say after that little hack I was hooked.  I wandered around that system for a few days and read anything I could on UNIX.  Eventually I found that the computer belonged to the local school board.  I told a friend in my computer lab at school what I had found and he went and blabbed it around and the next thing I know I was having a little chat with the principal and a few others from the school board.  Needless to say the powers that be freaked when they found what I had done.  They did a little audit on their system and found that I had logged in quite a few times over a few weeks.

I knew nothing about hacker ethics at the time, but all I wanted to do was learn about computers and other systems so I was careful not to damage their system.  I can say all the books and mags that I read helped out quite a bit.  I tried to explain that to them but they didn't listen and I was given one month's suspension and my parents were shocked that I could even do such a thing.  All my computer stuff was carted away in a box and I was not let near it for about two months.  Needless to say, I was kinda famous when I got back to school.

I moved away to a larger town of about 16,000 when I finished school and I did not really think about doing any hacking again until I read about the famous Clifford Stoll and his hunt for the German hacker.  By then, I had an old XT and a 286 and was using a comm program called Qmodem.  I wrote a script in Qmodem's script language that did what my old dialer program did for my Atari.

I found lots of computers over a period of about a week.  Lots were open systems with absolutely no security at all.  I guess no one thought about hackers and how unprotected their systems are.  Also I had learned more about computer systems and networks.  Some of the UNIX machines I was able to log into and gain root access almost right from the start.

As fate would have it, the first system I found was the local school board and I got system administrator access first try with "sysadmin".  No password on it at all.  I attempted to cover my tracks but did not do a very good job of it and they eventually took the system off line and changed the number.  I found it again about a month later and they had upgraded the machine quite a lot.  But I didn't do much with it as they were savvy to intruders.  But not enough... they still left the system wide open and I got root access almost right away.  That really amazed me.  After being hacked, they still left the system wide open.

I did find one interesting thing that to this day I don't know what exactly it was for.  I found a number that I could connect with and I was trying to get a prompt and suddenly some phone numbers appeared on the screen.  I decided to let it run for a while and see what else happened.  Over a period of about half an hour new phone numbers would suddenly show up on the screen.  One column always had one of four numbers in it and the second column was always a different one.  Eventually I figured out that it was something that the phone company had set up that recorded who was calling the police department, fire department, a shelter for battered women, and a small RCMP substation.  Nothing spectacular, but interesting nonetheless.

I found a computer that controlled a gas cardlock system where you had to use a punch-coded card to pump gas.  I wondered how to get into it as the prompt was "Password:".  The town is not that big so I drove around until I found the one I figured was the one.  I looked over the system where you inserted your card and saw a little plate on the side with a serial number.  Seeing that, I wrote down the five numbers and went home and called the system.  Not really thinking that the serial number was the password, I entered the five-digit serial number at the prompt and, bingo!  I was in.  I think it was mostly a fluke that I got in, but hey... a fluke is better than not getting in at all.  I found I could shut the pump down or give myself free gas if I wanted to, but was always afraid of getting caught.

After about three months of getting into every computer I could, I found I got kind of bored of it.  Also, this time I told only one other person about what I was doing, but it was a fellow who approached me with a number that he had found.  I thought of telling others but no one would have really understood anyway what motivated me to get into systems.  Mostly curiosity about other systems, how they work, and I guess the challenge of just doing it.

Another reason I stopped was the phone company upgraded their switch so people could have Caller ID and all the bells and whistles.  I'd still like to do it, but I don't know how much of an eye the phone company has on lines these days.  Before it was almost nil with the mechanical switches but now their switch is pretty good.

However, a few days ago I accidentally dialed a wrong number and got a computer tone.  My old hacker curiosity got the better of me and I dialed it again with my modem.  To my surprise it was the CityTel switching computer!  I got the prompt "Username>" with a banner saying city telephones so I'm assuming it's a VAX, but I'm not sure as I hung up fairly quickly and I don't know what they have for security.  Too bad... I'd like to see what they've got in there!

I've kind of grown out of it but still think about doing it now and again.  But to the point of why I'm mostly writing this.  I still have the old Qmodem script that scans prefixes and thought that others might want to use it as they see fit.  It's short, but it works well.  I don't know how any other scanners work but this is the one I made.  The only thing is you have to have Qmodem for it to work, but it is available in a test drive version probably on most BBSes.

The script is as follows:

;Autodialer Script for Qmodem.

assign 1 ATDT 
assign 9 0

display 'Autodialer Script for Qmodem.'
writeln ''
writeln ''
write 'Enter the three digit prefix: '
getn 2 4
writeln ''
write 'Now enter the four digit starting number: '
getn 3 4
writeln ''
write 'Enter filename to save numbers to: '
get 6 20
writeln ''
write 'Do you want to stop dialing at a certain number? (Y/N): '
inkey 4 1
writeln ''
if '$4' = 'n' go_dial
writeln ''
write 'Enter the number you wish to stop at: '
getn 5 4

turnon online

go_dial:
  displayln 'Now dialing $2-$3'
  pause 2000
  send '$1$2$3^M'

pause 25000 ; timing for how many rings. 25000 is for 20 seconds or about
            ; three or 4 rings.

if $offline add

gosub save
goto go_dial

add:
  displayln 'No connection made with $2-$3'
  incr 3
  if '$3' > '$5' bye
goto go_dial

save:
  displayln 'CONNECTED with $2-$3'
  incr 9
  writeln 'Hanging up modem.'
  writeln 'Writing number to disk.......'
  pause 3000
  openfile c:\$6 append
  writefile $2$3
  writeln 'Done.'
  pause 1000 
  incr 3

bye:
  writeln ''
  writeln 'You connected with $9 computers.'
  writeln ''
  writeln 'Terminating Program.'
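
The dialing pattern this script produces, seen from the switch side: an added example (not part of the original article) that flags callers stepping through one prefix in numeric order. The record layout, the thresholds and every phone number in it are constructed assumptions.

```python
"""Flag callers whose outbound calls walk a prefix in numeric order."""
import csv
import io
from collections import defaultdict

# Constructed call records: caller, dialed number, call start in seconds.
# 555-0100 steps through 555-2000..2007 every 30 s (a 2 s pause plus ~25 s of
# ringing per number, as in the script); the other callers are ordinary traffic.
SAMPLE_CDR = (
    "caller,dialed,start\n"
    + "".join(f"5550100,{5552000 + i},{30 * i}\n" for i in range(8))
    + "5550123,5554410,15\n5550123,5557781,900\n5550123,5554410,2400\n"
    + "5550177,5553001,100\n5550177,5553002,140\n5550177,5559000,3000\n"
)


def longest_sequential_run(calls, max_gap=120):
    """Return (length, first, last) for the longest run of calls to n, n+1, ...

    calls is a list of (start_seconds, dialed); a run breaks when the next
    number is not previous+1 in the same three-digit prefix or the gap between
    call starts exceeds max_gap seconds.
    """
    best = (0, None, None)
    prev, run_first, length = None, None, 0
    for start, dialed in sorted(calls):
        if (prev is not None and dialed[:3] == prev[1][:3]
                and int(dialed) == int(prev[1]) + 1
                and start - prev[0] <= max_gap):
            length += 1
        else:
            run_first, length = dialed, 1
        if length > best[0]:
            best = (length, run_first, dialed)
        prev = (start, dialed)
    return best


def find_sequential_dialers(cdr_text, min_run=5):
    """Map each caller with a run of at least min_run numbers to that run."""
    by_caller = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        by_caller[row["caller"]].append((int(row["start"]), row["dialed"]))
    flagged = {}
    for caller, calls in by_caller.items():
        length, first, last = longest_sequential_run(calls)
        if length >= min_run:
            flagged[caller] = {"run": length, "first": first, "last": last}
    return flagged


if __name__ == "__main__":
    print(find_sequential_dialers(SAMPLE_CDR))
```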
