The way I usually poke at hotel PBXes is pretty simple. First, figure out how they want you to dial rooms. For example, if they're all three digits and they want you to dial the room numbers, just avoid 1xx and 2xx. There's also usually a dedicated hundred block for hotel staff and attendants. There's always the chance there might be something interesting in there, but I usually look at everything else first. The great thing about PBXes is the dialplan is so plainly laid out. If a block of numbers is vacant, you can figure that out right away.
As for identifying what it is, the most straightforward way is to just head down to the lobby and look at the attendant's phone. More often then not, it's some proprietary set from the PBX manufacturer instead of some generic phone. The rest is just kind of an educated guess based on how the PBX behaves. Avaya, Nortel, and NEC are pretty popular for hotel stuff.
Most of the PBXes with hospitality features will have feature codes specific to maids. Nothing too complicated, just codes to let everyone know they've cleaned the room. If you scan *xx codes, just be prepared for a dirty room .
EDIT: One other thing I forgot to mention - you might be tempted to try dialing 9+1167 onto an outbound trunk to fool the PBX. That would be a good idea, but it's a pretty popular idea to translate 9+11anything as 9+911. So, well, don't. There's easier ways to do this.
For example, the cause code 866-202-9985 sends back will have about a 50-50 chance of making a DMS-100 reset back to dialtone depending on some difference between switch hardware. It seems to change between whatever the DMS-100 equivalent to a register sender is, so try it at least five or so times if you're just getting a reorder. If it does work, you're in the clear for pretty much anything, even Millenniums; the switch won't make a battery drop happen when it resets.
Edited by ThoughtPhreaker, 03 May 2014 - 10:30 PM.