***********************************************************************
*** Contemporary Telenet I : blakboot  http://napalm.firest0rm.org/ ***
***********************************************************************

Introduction
-------------

Security awareness and exploitation is a fast game on the Internet.
Staying on top, whether it be for intrusion or consultation, requires
onerous research; research that never ends. Before I came into this
scene, most of my experience came from esoteric networks, BBSing,
wardialing spoils, et cetera. Regardless, nothing has sharpened my
knowledge and awareness of computer systems more than this vast network
of hustle and bustle. If we could look back in time, what wonders;
what system vulnerabilities would we laugh about? If we could step back
in time a bit, what things could we get into? What industries never
quite caught up with the future, and what would their ignorance allow us
to plunder?

Please excuse me, I have left out a lot of information for the sake of
time (our favorite editor wants results) and file size. There will be a
forthcoming article that covers much more on contemporary usage. This
is a primer.

[ Yeah, working under a pseudo-deadline sucks, eh? Turns out that we're
already over my target per-issue size even without this article, but
that's ok. I'm confident that this is quality. {kynik} ]

Enter Telenet
-------------

Telenet, commercially known as Sprintnet but forever referred to by its
old name, is an X.25 network. Dialups nationwide are still active, and
systems still lie sparsely about it. Herein I have provided a working scan
script, and some of the spoils from it.


- What systems can you find on Telenet?

This isn't a definitive list by far, but here's what I've seen: VMS,
Primenet, assorted unix clones, Lantronix type deals, arbitrary
systems/databases.

- How do you get on Telenet?

Anyone with basic telecommunications knowledge doesn't have to read
this. First, get a terminal emulator. These programs allow you to receive
relatively protocol-free data. It's nothing like your damned PPP/SLIP
connection; raw data (with the exception of emulation) is displayed from
the remote computer. I suggest Telemate, Telix; anything but
hyperterminal.

For the connection to be possible and coherent, set your baud rate to
1200bps (some dialups support 14.4) and data bits to 7. Most connections
to remote computers are 8 bits, although X.25 networks are an exception.
You should know that 8 bits allow 256 possible combinations; that means
that on an 8 bit connection we can make use of 256 distinct characters.
Telenet can only send and receive bytes that fit in 7 bits, values from
0 up to 127.

[ Correct me if I'm wrong here, but won't most modern modems auto-set
their baud rate depending on how the dialup handshakes? {kynik} ]

[ We'd like to think so. Some old modems don't like to talk to newer ones
though. Backwards compatibility. And besides, it can't hurt. {ajax} ]

With that said, know that if you want to transfer binary files over
Telenet, you have to use the kermit protocol, because zmodem, ymodem,
xmodem, etc. are 8 bit protocols. Kermit is a slow bastard and time has
blessed us with its death in modern file transfers. My suggestion for
transferring files over a 7 bit connection is to use uuencoding (unix to
unix encoding). This breaks the extended ascii characters down into
plain printable text, and then all you have to do is uudecode on the
remote system.
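The 7-bit point above, as an added example that is not part of the original article: a small uuencode/uudecode pair in Python, written for this primer rather than taken from the Unix tools, that encodes a constructed 256-byte sample, confirms that every character of the result stays below 128 (so nothing in it needs the high bit a 7 bit link drops), and rebuilds the original bytes on the "remote" side. The standard library's `binascii.a2b_uu` is used only as a cross-check of the encoder's output.

```python
# Added example (not from the article): a minimal uuencode/uudecode pair that
# shows why uuencoding survives a 7-bit link. Every encoded character is an
# ASCII value between 0x20 and 0x60, so no output byte needs the 8th bit.
# Line layout follows the classic uuencode format (length character, then
# 4 characters per 3 input bytes, 45 input bytes per line).
import binascii

# Constructed sample: every byte value once, so it certainly contains
# "extended" characters (0x80-0xFF) that a 7-bit link would mangle.
SAMPLE = bytes(range(256))


def high_bit_count(data: bytes) -> int:
    """Number of bytes that need the 8th bit (would not survive a 7-bit link)."""
    return sum(1 for b in data if b >= 0x80)


def uuencode_bytes(data: bytes, name: str = "file", mode: str = "644") -> str:
    """Encode data as uuencode text with begin/end framing."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):
        chunk = data[i:i + 45]
        out = [chr(32 + len(chunk))]                 # line length character
        padded = chunk + b"\0" * (-len(chunk) % 3)   # pad to a multiple of 3
        for j in range(0, len(padded), 3):
            n = (padded[j] << 16) | (padded[j + 1] << 8) | padded[j + 2]
            for shift in (18, 12, 6, 0):
                v = (n >> shift) & 0x3F
                out.append("`" if v == 0 else chr(32 + v))  # "`" stands in for space
        lines.append("".join(out))
    lines.append("`")                                # zero-length terminator line
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode_text(text: str) -> bytes:
    """Decode uuencode text produced by uuencode_bytes (or the Unix tool)."""
    out = bytearray()
    in_body = False
    for line in text.splitlines():
        if not in_body:
            in_body = line.startswith("begin ")
            continue
        if line == "end":
            break
        if not line:
            continue
        length = (ord(line[0]) - 32) & 0x3F
        if length == 0:
            continue                                 # terminator line
        vals = [(ord(c) - 32) & 0x3F for c in line[1:]]
        vals += [0] * (-len(vals) % 4)
        buf = bytearray()
        for k in range(0, len(vals), 4):
            n = (vals[k] << 18) | (vals[k + 1] << 12) | (vals[k + 2] << 6) | vals[k + 3]
            buf += bytes(((n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF))
        out += buf[:length]                          # drop the padding bytes
    return bytes(out)


def is_seven_bit_clean(text: str) -> bool:
    """True when every character fits in 7 bits (value below 128)."""
    return all(ord(c) < 128 for c in text)


def matches_binascii(data: bytes) -> bool:
    """Cross-check: the standard library decodes our data lines byte for byte."""
    encoded = uuencode_bytes(data)
    body = encoded.splitlines()[1:-2]                # drop "begin", "`", "end"
    decoded = b"".join(binascii.a2b_uu(line) for line in body)
    return decoded == data


if __name__ == "__main__":
    text = uuencode_bytes(SAMPLE)
    print(f"{high_bit_count(SAMPLE)} of {len(SAMPLE)} raw bytes need the 8th bit")
    print("encoded text is 7-bit clean:", is_seven_bit_clean(text))
    print("round trip intact:", uudecode_text(text) == SAMPLE)
```

Half of the raw sample needs the 8th bit, the encoded text needs none of it, and the decoder hands back the original bytes, which is exactly the property that lets a binary cross a 7 bit pad when the 8 bit transfer protocols cannot.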

Once you've configured your terminal program with the two
specifications above, it's time to connect to Telenet. The toll free
Telenet dialup is 1-800-546-2000.

[ When dialed from some area codes, you may receive a message saying "You
have entered a number that can not be reached within your calling area."
then a unique number code, in my case "47530". I don't exactly know what
the numbers there stand for, but it is interesting that it looks quite
like a zip code :-/ {Reverse Corruption} ]

Once you've connected, press enter two times; it will ask you what type
of terminal to use. Just type in D1, vt100, whatever. From here you're at
an @ prompt. To get your local dialup, type "mail"; this starts a login
procedure. Use the login/password phones/phones; this runs a script which
lets you list all local dialups.

- Connecting to computers

This is easy, and the article shouldn't need to cover it, but I'm going
to get past it here and open up the more dynamic aspects of the network
in Contemporary Telenet II.

From the @ prompt, you can connect to systems hosted by Sprintnet and
by other X.25 networks. To connect to a system on the current network,
just type the NUA (Network User Address); if you want to connect to a
computer on another network, you'll have to provide a DNIC (Data Network
Identification Code) as well. An NUA consists of two things: an NPA (area
code) and an address, which can be any floating point number greater than
1 (there is an upper limit, which I do not know). The decimal places of an
NUA usually indicate something similar to ports in TCP/IP.

So, if I wanted to connect to a system in Tallahassee, FL, an example
session would look something like:

@ c 90423

904 23 CONNECTED

Username:

To disconnect from the system or interrupt a pending connection, press
@ followed by a carriage return; complete the disconnect by typing D from
your pad.

Now, if you wanted to connect to a system on Tymnet (another X.25
network), you would type an NUA something like:

@ c 0310690423

Where 03106 is your DNIC, 904 the area code, 23 the address. Easy pie.


Here's the NUA scanner script. It's for Telemate (IMO, one of the best
emulators), and you need TMS.EXE, the script compiler. I also highly
recommend this scripting language; I learned it in under 30 minutes and
it's quite useful, taking the hassle out of communication routines.

The scanner works well on my dialup, though I suspect the different
nodes sometimes act strangely, causing the scanner to get off beat.
That's just speculation though; I believe I'd gotten all the bugs out.
It's sensitive and will reconnect to Telenet at the smallest sign of
what it suspects is a frozen node, so sometimes it disconnects
unnecessarily. Please excuse that. Otherwise, it's sleek and records
connections better than the old NUA Attacker program by Doctor Dissector,
which was good, but somewhere along the line the Telenet return messages
may have changed, causing NUAA to record unwanted connection attempts. If
I remember correctly, it would record network congestion (which you will
get frequently these days).

; NUA SCANNER v1.0 : TMscript
; Compiled & tested w/ Telemate v4.20
; Blakboot [FS] '00
; BUG:
; Only in applied scan mode, it doesn't increment the NUA
; when the pad freezes on a pending connection.

; prob and errmsg are used below but were never declared; added here.
; float holds the sub-address digit (0-9), not a floating point value.
integer nua,dialtelenet,t1,t2,cw,npa,max,pending,float,c,aspm,odata,obaud,prob
string telenet,past,present,tmp1,tmp2,filename,i,errmsg

; ---- configuration ----
filename = "C:\TERMINAL\SCAN\N.TXT"   ; Full path
telenet = "1-800-546-2000"            ; You can add any prefixes you want
npa = 305                             ; Area code and
nua = 22                              ; NUA to scan
max = 1000                            ; NUA to stop at
cw = 10                               ; Time in seconds to wait for connect
aspm = 0                              ; Applied Scan Mode [1/0]
;-------------------------

; Poll the keyboard; on escape, hang up, restore the port settings and quit.
procedure esc
  inputch i
  if success
    if i="^["
      print "^M^MTerminating scan."
      close
      put "@"
      put "hang"
      hangup
      set baud,obaud
      set data,odata
      stop
    endif
  endif
endproc


; Save the current port settings, then switch to 1200 bps / 7 data bits.
query data,odata
query baud,obaud
set baud,1200
set data,7
put "ats11=40"                        ; modem S11 register: DTMF tone length
delay 5

clear text
print "Press escape at any time to terminate the scan."
print "Opening NUA log file: ",filename
append filename
if not success
  print "Error opening ",filename,"^MTerminating script."
  stop
endif

; Log header: session time stamp, scan mode and the NUA range.
date tmp2
time past
strset tmp1,"-",1,79
write
write "Scan session started on ",tmp2,", ",past
if aspm
  write "* Applied Scanning."
endif
write "NPA/NUA: ",npa,nua," - ", npa,max
write tmp1

print "Dialing Telenet..."
; Outer loop: redial Telenet whenever a node is judged frozen.
repeat
  ; Dial until a carrier is detected.
  repeat
    dialtelenet=0
    put "atdt",telenet
    time past
    prob=0
    while not connected
      esc
      time present
      substr present,4,5,tmp1
      substr past,4,5,tmp2
      atoi tmp1,t1
      atoi tmp2,t2
      waitfor "busy","no carrier","voice",1
      if found
        prob=1
        exit
      endif
      if (t1-t2)>= 2                  ; about two minutes with no carrier
        prob=1
        exit
      endif
    endwhile
    if prob
      print "^M^MRedialing..."
      put "^M~~"
    endif
  until not prob
  delay 20
  put "^M^MD1"                        ; answer the terminal-type prompt
  delay 20
  clear com
  ; Scan loop: one NUA (or one sub-address) per pass.
  repeat
    esc
    itoa npa,tmp1
    itoa nua,tmp2
    concat tmp1,tmp2
    clear com
    if c                              ; applied mode: append the sub-address
      concat tmp1, "."
      itoa float, tmp2
      concat tmp1, tmp2
    endif
    put tmp1
    waitfor " connected","not","dis","81","00","BB","D4",cw
    if not found                      ; no reply within cw seconds: abort the call
      clear com
      put "@"
      waitfor "telenet","@",5
      if not found
        dialtelenet=1
        errmsg="Node froze."
        exit
      else
        clear com
        put "d"
        waitfor "@",10
        if not found
          dialtelenet=1
          errmsg="Node froze when trying to abort."
          exit
        endif
      endif
    else
      clear com
      switch found
        ; " connected": log the NUA, then drop the call.
        case 1:
          clear com
          if c
            write " ",
          endif
          write tmp1
          close
          append filename
          delay 10
          put "@"
          put "d"
          if aspm
            if not c                  ; start walking the sub-addresses
              float=0
              cw=cw+10
              c=1
            endif
          endif
          waitfor "disconnected",5
        case 5:
      endswitch

      if not found=1 ; if not connected
        waitfor "@",5
      endif
      clear com

      if not found ; found could = "@",
        dialtelenet=1
        t1=nua
        if c
          nua=nua+float
        endif
        print "PENDING: ",pending," NUA: ",nua," T1: ",t1
        if pending=nua
          nua=nua+1
        else
          pending=nua
        endif
        nua=t1
        errmsg="Node froze when pending another connection"
        exit
      endif

      clear com
    endif
    if c                              ; applied mode: next sub-address, .9 is the last
      if float=9
        c=0
        cw=cw-10
        nua=nua+1
        float=0
      else
        float=float+1
      endif
    else
      nua=nua+1
    endif
  until nua>max
  print errmsg
  print "Reconnecting to Telenet..."
  hangup
until not dialtelenet


; [SNIP--end of code]

Here are some scan results. No commenting 'cus I was lazy; this is
basically just some spoil I'm grabbing out of my archive. These are not
very old. Maybe a few months.

NPA/NUA: 30556 - 3051000
-------------------------------------------------------------------------------
30559
30559.1
30559.2
30559.3
30559.4
30559.5
30559.6
30559.7
30559.8
30559.9

NPA/NUA: 7160 - 7167000
-------------------------------------------------------------------------------
71623
71623.1
71623.2
71623.3
71623.4
71623.5
71623.6
71623.7
71623.8
71623.9
71625
71625.1
71625.2
71625.3
71625.4
71625.5
71625.6
71625.7
71625.8
71625.9
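To tie the address format described under "Connecting to computers" to the log layout shown in these results, here is an added example in Python that is not code from the article or from the scanner: a parser that splits an NUA into the DNIC prefix, NPA, address and decimal sub-address, following the article's own conventions (90423 is NPA 904, address 23; 0310690423 carries the prefix 03106 the text calls the DNIC; 30559.1 carries the port-like decimal place), plus a reader for the scan log that groups the answering NUAs by host. The sample log it runs on is constructed in the same layout as the results above, and the rule that a leading 0 introduces a 5-character DNIC prefix is an assumption made for this example.

```python
# Added example (not from the article): parse NUA strings and scan-log lines.
# The "leading 0 means a 5-character DNIC prefix" rule is an assumption made
# for this example, matching the one prefix (03106) the article shows.
from dataclasses import dataclass
from typing import Dict, List, Optional

DNIC_PREFIX_LEN = 5   # length of "03106" as written in the article
NPA_LEN = 3           # three-digit area code


@dataclass(frozen=True)
class NUA:
    dnic: Optional[str]     # None when the host is on the current network
    npa: str                # area code
    address: str            # host address within the NPA
    sub: Optional[str]      # decimal suffix (port-like), None when absent


def parse_nua(text: str) -> NUA:
    """Split an NUA string into DNIC prefix, NPA, address and sub-address."""
    s = text.strip()
    main, dot, sub = s.partition(".")
    if not main.isdigit() or (dot and not sub.isdigit()):
        raise ValueError(f"not an NUA: {text!r}")
    dnic = None
    if main.startswith("0"):                    # assumption: foreign-network prefix
        if len(main) < DNIC_PREFIX_LEN + NPA_LEN + 1:
            raise ValueError(f"DNIC prefix without a full address: {text!r}")
        dnic, main = main[:DNIC_PREFIX_LEN], main[DNIC_PREFIX_LEN:]
    if len(main) < NPA_LEN + 1:
        raise ValueError(f"need a 3-digit NPA plus an address: {text!r}")
    return NUA(dnic, main[:NPA_LEN], main[NPA_LEN:], sub or None)


def format_nua(n: NUA) -> str:
    """Inverse of parse_nua: rebuild the string the pad would be given."""
    s = (n.dnic or "") + n.npa + n.address
    return s + ("." + n.sub if n.sub else "")


# Constructed sample in the layout the article's scanner writes (time stamp,
# "NPA/NUA" range header, dashed rule, one answering NUA per line).
SAMPLE_LOG = """\
Scan session started on 01-01-00, 00:00:00
NPA/NUA: 30556 - 3051000
-------------------------------------------------------------------------------
30559
30559.1
30559.2

NPA/NUA: 7160 - 7167000
-------------------------------------------------------------------------------
71623
71625.4
"""


def parse_scan_log(text: str) -> Dict[str, List[str]]:
    """Group log entries by host: {base NUA: [sub-addresses that answered]}.

    Header, rule and blank lines are skipped; an entry without a decimal
    suffix registers the host with an empty sub-address list.
    """
    hosts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not line[0].isdigit():
            continue                    # "Scan session", "NPA/NUA:", "----", "*"
        n = parse_nua(line)
        base = format_nua(NUA(n.dnic, n.npa, n.address, None))
        subs = hosts.setdefault(base, [])
        if n.sub is not None:
            subs.append(n.sub)
    return hosts


if __name__ == "__main__":
    for example in ("90423", "0310690423", "30559.1"):
        print(example, "->", parse_nua(example))
    for host, subs in parse_scan_log(SAMPLE_LOG).items():
        print(host, "answered on sub-addresses", subs or ["(none)"])
```

Read this way, a run of entries such as 30559, 30559.1 ... 30559.9 in the results above is one host reachable under ten sub-addresses, in the same sense that one TCP/IP host can listen on several ports, rather than ten separate machines; the range header (30556 - 3051000) is simply NPA 305 with addresses 56 through 1000, the npa/nua/max values from the script's configuration block.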