The year is 1997. It is 2 AM on a Tuesday. You have a Pentium II, a 33.6k modem, a phone line that your parents have specifically told you not to tie up, and a copy of ToneLoc that you downloaded from a BBS whose name you've already forgotten. The pizza is cold. You don't care. The computer is dialing its four hundred and seventeenth number of the evening, and somewhere in the 312 area code, a modem is about to scream back at you.
Congratulations. You are now conducting unauthorized penetration testing on corporate America, and you don't even know what the phrase "penetration testing" means yet.
The WarGames Thesis: Art Imitating Life Imitating Stupidity
If you want to understand war dialing, you have to start with WarGames — the 1983 Matthew Broderick film in which a teenager accidentally nearly causes World War III by dialing through an area code looking for game servers and instead finding NORAD's nuclear launch computer. The movie was supposed to be a cautionary tale. The hacker community received it as a tutorial.
The concept was simple enough that it required no advanced technical knowledge: phone lines connected to computers. Those computers sometimes answered. If you dialed enough numbers, you'd find them. Early phreaks had been doing this manually for years, methodically working through exchanges and logging results in spiral notebooks. The innovation that the imaginatively named ToneLoc (the program was named after the rapper, because of course it was) brought to the table was automation.
ToneLoc, written by Minor Threat and Mucho Maas and released around 1992, was a DOS program that would dial a user-defined range of phone numbers, listen for carrier tones indicating a modem or PBX system, and log the results. You could set it running before you went to sleep and wake up to a text file full of interesting numbers. It was, functionally, a search engine for the telephone network — one that operated entirely without the knowledge or consent of the people it was indexing.
The Basement Operation: A Technical Breakdown for People Who Miss DOS
The actual mechanics of a war dialing session in the late 90s required a specific constellation of hardware and tolerance for tedium. You needed a modem — ideally one with a speaker you could turn down, because your parents did not want to hear three hundred modem handshakes at 2 AM. You needed a phone line, which in most households meant either a dedicated line (luxury), a second line your parents used for the internet (risky), or the family voice line (catastrophically risky). You needed ToneLoc or its Windows-era successor THC-SCAN. And you needed a target range.
The target range was where the strategy came in. Serious war dialers didn't just spray random numbers — they researched. They looked up area codes for corporate headquarters. They targeted exchanges known to house business districts. They cross-referenced with phone books, with information from social engineering calls, with tips traded on IRC in channels where the topic was always something aggressively vague like "#phreaking" or "#2600."
A good night's scanning might turn up a dozen interesting numbers: a fax machine (boring), a modem that connected but required credentials (promising), a PBX system with a default password (jackpot), or occasionally something genuinely alarming — a system that connected and immediately dropped you into a command prompt with no authentication whatsoever. That last category happened more often than any Fortune 500 security team would have been comfortable admitting.
What They Actually Found (Or: Corporate America's Dirty Laundry)
Here's the thing about war dialing that gets lost when people reduce it to "teenagers messing around with phones": the vulnerabilities being discovered were real, significant, and almost entirely the result of corporate negligence rather than sophisticated hacking.
PBX systems — Private Branch Exchanges, the telephone switching equipment that large companies used to manage internal calls — were a particular goldmine of terrible security. These systems often shipped with default passwords that IT departments never changed. Some of them had voicemail systems accessible from external lines. Some of them had features that allowed outbound long-distance calling that, if accessed without authorization, would show up on the company's phone bill as thousands of dollars in calls to the Philippines.
This was not theoretical. Toll fraud via compromised PBX systems was costing American businesses an estimated $4 billion annually by the mid-1990s, according to figures that the telecom industry preferred to discuss quietly. Some of that fraud was sophisticated organized crime. Some of it was teenagers in Ohio who'd found an unsecured DISA port and decided to call their IRC friends in Europe for free.
Beyond PBX systems, war dialers regularly stumbled across:
- Industrial control systems with external modems for remote maintenance, connected to absolutely nothing resembling security
- University systems running outdated Unix variants with known exploits
- Hospital billing systems (this one, in retrospect, should have caused more alarm than it did)
- Law enforcement databases in smaller jurisdictions that had set up dial-in access and then apparently forgotten about it
- An absolutely staggering number of systems running pcAnywhere with no password
The Legal Gray Zone That Nobody Wanted to Examine Too Closely
The Computer Fraud and Abuse Act of 1986 made unauthorized access to computer systems a federal crime, but the legal status of simply dialing phone numbers and listening for modem tones existed in a genuinely ambiguous space for most of the 90s. You weren't accessing anything. You were just... calling. The fact that you were doing it systematically, to thousands of numbers, with software, while logging the results for later exploitation, was the part that prosecutors would eventually argue crossed the line.
The hacker community's response to this legal ambiguity was essentially to pretend it didn't exist. The 2600 community — named for the 2600 Hz tone that had unlocked AT&T's long-distance network for phreaks a generation earlier — published war dialing techniques openly in their magazine and at their quarterly meetups. The argument, which was more philosophically interesting than legally defensible, was that identifying security vulnerabilities was a public service, and that corporations who left modems connected to critical systems with no authentication were the actual bad actors in the story.
This argument would eventually evolve into the modern penetration testing industry, where companies pay professionals significant amounts of money to do exactly what ToneLoc-equipped teenagers were doing for free in 1997. The teenagers did not receive retroactive consulting fees.
The Successor State: From ToneLoc to Shodan
War dialing as a practice didn't die — it migrated. As the internet ate the telephone network, the interesting systems stopped answering modems and started answering TCP connections. The methodology shifted from dialing phone numbers to scanning IP ranges, and the tools evolved accordingly: SATAN, then Nmap, then eventually Shodan — the search engine for internet-connected devices that is basically ToneLoc for the modern internet, built by a guy named John Matherly who definitely understood the lineage.
Shodan indexes everything from webcams to industrial control systems to medical devices, and it is completely legal to use, which tells you something about how much the conversation around this kind of reconnaissance has changed since the days when a teenager in a basement could get a visit from the Secret Service for running a phone scan.
The teenagers who ran ToneLoc in the late 90s were, in the most charitable reading, performing an informal security audit of American corporate infrastructure and finding it catastrophically wanting. In the least charitable reading, they were committing federal crimes for the hell of it. Both readings are probably accurate. The important thing is that the pizza was cold and the modem kept dialing and somewhere in the 312, a PBX system was waiting to make someone's night very interesting.
THC-SCAN and ToneLoc are still out there, floating around archive sites, waiting for someone to fire up DOSBox and explain to their router what the 90s felt like. Don't actually do this. But also: you'd be amazed what's still out there.