***********************************************************************
*** Contemporary Telnet I : blakboot
http://napalm.firest0rm.org/
***********************************************************************
Introduction
-------------
Security awareness and exploitation is a fast game on the
Internet.
Staying on top, whether it be for intrusion or consultation,
requires
onerous research; research that never ends. Before I came into
this
scene, most of my experience came from esoteric networks, BBSing,
wardialing spoils, et cetera. Regardless, nothing has sharpened
my
knowledge and awareness of computer systems more than this vast
network
of hustle and bustle. If we could look back in in time, what
wonders;
what system vulnerabilities would we laugh about? If we could
step back
in time a bit, what things could we get into? What industries
never
quite caught up with the future, and what would their ignorance
allow us
to plunder?
Please excuse me, I have left out a lot of information for sake
of time
(our favorite editor wants results), and file size. There will be
an
article forthcoming that will cover much more on contemporary
usage. This
is a primer.
[ Yeah, working under a pseudo-deadline sucks, eh? Turns out that
we're
already over my target per-issue size even without this article,
but
that's ok. I'm confident that this is quality. {kynik} ]
Enter Telnet
-------------
Telnet, commercially known as Sprintnet, but forever referred to
as
otherwise, is an X.25 network. Dialups nationwide are still
active, and
systems still lie sparsely about it. Herein I have provided a
working scan
script, and some of the spoils from that.
- What systems can you find on Telnet?
This isn't a definitive list by far, but what I've been: VMS,
Primenet,
assorted unix clones, Lantronix type deals, arbitrary systems/databases.
- How do you get on Telnet?
Anyone with basic telecommunications knowledge doesn't have to
read
this. First, get a terminal emulator. These programs allow you to
receive
relatively protocol-free data. It's nothing like your damned PPP/SLIP
connection; raw data (with the exception of emulation) is
displayed from
the remote computer. I suggest Telemate, Telix; anything but
hyperterminal.
For the connection to be possible and coherent, set your baud
rate to
1200bps (some dialups support 14.4) and data bits to 7. Most
connections
to remote computers are 8 bits, although X.25 networks are an
exception.
You should know that the possible combination of 8 bits is 256;
it means
that on an 8 bit connection, we can take advantage of 256
characters.
Telenet can only send and receive data consisting of one of the
127
bytes, combinations of 7 bits.
[ Correct me if I'm wrong here, but won't most modern modems auto-set
their baud rate depending on how the dialup handshakes? {kynik} ]
[ We'd like to think so. Some old modems don't like to talk to
newer ones
though. Backwards combatibility. And besides, it can't hurt. {ajax}
]
With that said, know that if you want to transfer binary files
over
Telenet, you have to use the kermit protocol, because zmodem,
ymodem,
xmodem, etc. are 8 bit protocols. Kermit is a slow bastard and
time has
blessed us with its death in modern file transfers. My suggestion
for
transfering files over a 7 bit connection is to use uuencoding (unix
to
unix encoding). This will break down those extended ascii
characters
into plaintext, and then all you have to do is uudecode on the
remote
system.
Once you've configured your terminal program with the two
specifications above, it's time to connect to Telenet. The toll
free
Telenet dialup is 1-800-546-2000.
[ When dialed from some area codes, you may receive a message
saying "You
have entered a number that can not be reached within your calling
area."
then a unique number code, in my case "47530" I don't
exactly know what
the numbers there stand for, but it is interesting that it looks
quite
like a zip code :-/ {Reverse Corruption} ]
Once you've connected, press enter two times; it will ask you for
what
type of terminal to use. Just type in D1, vt100, whatever. From
here,
you've a @ prompt. To get your local dialup, type "mail".
It'll enter a
login procedure. Use the login/password: phones/phones; this will
execute
a script which allows you to list all local dialups.
- Connecting to computers
This is easy, and the article shouldn't cover it, although I'm
going
to get past it, and open up into more dynamic aspects of the
network in
Contemporary Telenet II.
From the @ prompt, you can connect to systems hosted by sprintnet,
and other X.25 networks. To connect to a system on the current
network,
just type the NUA (Network User Address); if you want to connect
to a
computer on another network, you'll have to provide a DNIC. (Data
Network
Idenification Code). An NUA consists of two things. An NPA (area
code)
and an address, which can be any floating point number greater
than 1
(there's a limit - that i do not know). Decimal places of an NUA
usually
indicate something similar to ports in TCP/IP.
So, if I wanted to connect to a system in Tallahassee, FL. An
example
session would be something like:
@ c 90423
904 23 CONNECTED
Username:
To disconnect from the system or interrupt a pending connection,
press
@ followed by a carriage return; complete the disconnect by
typing D from
your pad.
Now, if you wanted to connect to a system on Tymnet (another X.25
network), you would type an NUA something like:
@ c 0310690423
Where 03106 is your DNIC, 904 the area code, 23 the address. Easy
pie.
Here's the NUA scanner script. It's for Telemate (IMO, one of the
best
emulators), and you need TMS.EXE, the script compiler. I also
highly
recommend this scripting language; I learned it in under 30min
and it's
quite useful, taking the hassle out of communication routines.
The scanner works well on my dialup, though I suspect the
different
nodes sometimes will act strangely; causing the scanner to get
off beat.
That's just speculation though; I believe I'd gotten all the bugs
out.
it's sensitive and will reconnect to telenet with the smallest
signs of
what it suspects as a frozen node; and so, sometimes it
disconnects
unnecessarily. Please excuse that. Otherwise, it's sleek and
records
connections better than the old NUA Attacker program by Docter
Dissector,
which was good, but somewhere along the line Telenet return
messages may
have changed, causing NUAA to record unwanted connection attempts.
If I
remember correctly, it would record network congestion (which you
will
get frequently these days).
; NUA SCANNER v1.0 : TMscript
; Compiled & tested w/ Telemate v4.20
; Blakboot [FS] '00
; BUG:
; Only in applied scan mode, it doesn't increment the NUA
; when the pad freezes on a pending connection.
integer nua,dialtelenet,t1,t2,cw,npa,max,pending,float,c,aspm,odata,obaud
string telenet,past,present,tmp1,tmp2,filename,i
; ---- configuration ----
filename = "C:\TERMINAL\SCAN\N.TXT"; Full path
telenet = "1-800-546-2000" ; You can add any prefixes
you want
npa = 305 ; Area code and
nua = 22 ; NUA to scan
max = 1000 ; NUA to stop at
cw = 10 ; Time in seconds to wait for connect
aspm = 0 ; Applied Scan Mode [1/0]
;-------------------------
procedure esc
inputch i
if success
if i="^["
print "^M^MTerminating scan."
close
put "@"
put "hang"
hangup
set baud,obaud
set data,odata
stop
endif
endif
endproc
query data,odata
query baud,obaud
set baud,1200
set data,7
put "ats11=40"
delay 5
clear text
print "Press escape at any time to terminate the scan."
print "Opening NUA log file: ",filename
append filename
if not success
print "Error opening ",filename,"^MTerminating
script."
stop
endif
date tmp2
time past
strset tmp1,"-",1,79
write
write "Scan session started on ",tmp2,", ",past
if aspm
write "* Applied Scanning."
endif
write "NPA/NUA: ",npa,nua," - ", npa,max
write tmp1
print "Dialing Telenet..."
repeat
repeat
dialtelenet=0
put "atdt",telenet
time past
prob=0
while not connected
esc
time present
substr present,4,5,tmp1
substr past,4,5,tmp2
atoi tmp1,t1
atoi tmp2,t2
waitfor "busy","no carrier","voice",1
if found
prob=1
exit
endif
if (t1-t2)>= 2
prob=1
exit
endif
endwhile
if prob
print "^M^MRedialing..."
put "^M~~"
endif
until not prob
delay 20
put "^M^MD1"
delay 20
clear com
repeat
esc
itoa npa,tmp1
itoa nua,tmp2
concat tmp1,tmp2
clear com
if c
concat tmp1, "."
itoa float, tmp2
concat tmp1, tmp2
endif
put tmp1
waitfor " connected","not","dis","81","00","BB","D4",cw
if not found
clear com
put "@"
waitfor "telenet","@",5
if not found
dialtelenet=1
errmsg="Node froze."
exit
else
clear com
put "d"
waitfor "@",10
if not found
dialtelenet=1
errmsg="Node froze when trying to abort."
exit
endif
endif
else
clear com
switch found
case 1:
clear com
if c
write " ",
endif
write tmp1
close
append filename
delay 10
put "@"
put "d"
if aspm
if not c
float=0
cw=cw+10
c=1
endif
endif
waitfor "disconnected",5
case 5:
endswitch
if not found=1 ; if not connected
waitfor "@",5
endif
clear com
if not found ; found could = "@",
dialtelenet=1
t1=nua
if c
nua=nua+float
endif
print "PENDING: ",pending," NUA: ",nua,"
T1: ",t1
if pending=nua
nua=nua+1
else
pending=nua
endif
nua=t1
errmsg="Node froze when pending another connection"
exit
endif
clear com
endif
if c
if float=9
c=0
cw=cw-10
nua=nua+1
float=0
else
float=float+1
endif
else
nua=nua+1
endif
until nua>max
print errmsg
print "Reconnecting to Telenet..."
hangup
until not dialtelenet
; [SNIP--end of code]
Here are some scan results. No commenting 'cus I was lazy; this
is
basically just some spoil I'm grabbing out of my archive. These
are not
very old. Maybe a few months.
NPA/NUA: 30556 - 3051000
-------------------------------------------------------------------------------
30559
30559.1
30559.2
30559.3
30559.4
30559.5
30559.6
30559.7
30559.8
30559.9
NPA/NUA: 7160 - 7167000
-------------------------------------------------------------------------------
71623
71623.1
71623.2
71623.3
71623.4
71623.5
71623.6
71623.7
71623.8
71623.9
71625
71625.1
71625.2
71625.3
71625.4
71625.5
71625.6
71625.7
71625.8
71625.9