Telenet Scanning by Doc Telecom (July 11, 1988)

**********************************************************************
*                                                                    *
*                          TELENET SCANNING                          *
*                                                                    *
*              written by Doc Telecom on July 11, 1988               *
*                                                                    *
**********************************************************************

Telenet is the largest packet switching network that I know of at the
present time. I could waste valuable buffer space explaining what packet
switching is and what its uses are, etc., so for more information read
“Packet Switching (Tomorrow’s Communications Today)” by Roy D. Rosner. It
is quite in-depth and one of the books I cherish in my “legal” Telecomm
library.

DEFINITION of GTE TELENET : The packet switching subsidiary of General
Telephone and Electronics. It provides nationwide common user data
communications via packet switching.

Information on GTE TELENET :
—————————-

The GTE Telenet commercial packet switched network was developed as a
commercial venture of many of the same principals who developed ARPANET.
GTE Telenet first became in 1979.

OPERATION :
————

Telenet’s network operation and internal protocols evolved from the ARPANET
experience, with additional capabilities built into each of the switching
nodes. The network is mostly a circuit-based packet switching protocol that
does meet the requirements of the CCITT X.25 protocol at the user interface.
In addition, Telenet also provides customized user interfaces to meet the
needs of the individual users. It also provides emulation interfaces.

USER ACCESS :
————-

User access to the network is through one of the three classes of Telenet
central offices. Class I offices, such as the one in San Fran, support user
access speeds up to 56k bps. Class II offices, such as the one in Spokane, WA,
provide connection speeds up to 9600 bps. Class III offices, such as the one
in Tucson, Arizona, support rates up to 1200 bps. User access can be made
to public dial-in ports, private dial-in ports, or fixed ports dedicated full
time to a single user. Users can implement X.25 compatible software in
their host computer or they can just use the T-net provided interface
processors to provide network service. Terminal clusters can be connected to
the network very efficiently by use of Telenet access controllers placed at
the customer’s residence or business, etc.

Telenet Dialups
—————

To find the local Telenet dialup for your area just call WATS to 800-TEL-ENET
and ask them for it, but remember to watch out: everything you do on Telenet
is saved on Mega tape for up to 5 years, and they have installed number
identification since December 1987.

WATS TELENET DIALUPS….

(800) 424-9494 300/1200 BPS
(800) 238-0631 2400 & MPE

These WATS numbers will change in Aug. 88, so if you would like the new ones
leave me E-Mail on Lunitics Labs (415) 278-7421

What to do once you have your POTS dialup:
—————————————–

Remember, to do any scanning on Telenet you need a POTS dialup, not a WATS;
the WATS dialup is mainly used for Telemail or GTE MAIL, or SPRINT HP’s.
Call your local dialup and you should see something that says TELENET
617 18m, or whatever…just hit a few times, and you should see
something that looks like this.

@

at the “@” prompt type in NPA XXX..for now just use your area code…

like this….( this is a Network User Address or NUA)

@ 415 333

it will then either connect you, or say “Collect Connection Refused”,
because you have not used an NUI, more on NUI’s later…

you will see one of the following :

1) call connected ….
2) Remote Procedure Error 11 b6
3) Remote Procedure Error 11 e2
4) Not Reachable 05 e6
5) not reachable 05 db
6) Not operating ….
7) illegal address 03 80
8) Busy 01 00 …..
9) enhanced network services unavalible at this time please try again 05 d8
10) illegal address 03 ba
11) rejecting 00 7e
12) illegal address 03 42
13) remote procedure error 11 31
14) Refused collect connection 19 00 …..
15) not reachable 05 ed
16) not responding 0d f0

if the call is connected you will find an interesting computer system, or
whatever..

What is an NUI and how do you use it..
—————————————

An NUI or Network User Id is mostly used for connecting to things that give
you the “Refused collect connection” error. I always have an NUI in use when
I am scanning.

At the @ prompt type:

@ ID USERID

It will come up with a
PASS= prompt, so then you enter the password. I have a listing of about 80
or so NUI’s and they usually don’t die, so here are a few….

ID SIMPCNOE
PASS= 071034

ID FINLAY
PASS= 004461

NUA listing of recent things Scanned by DOC telecom:
—————————————————-

NUA SYSTEM TYPE SPECIAL NOTES
————— ———————– ———————————-
804 35 ?
804 43 PRIME PRIMENET
303 38 PRIME PRIMENET 21.0.3.C1 SL
804 60 ?
713 436 CONNECTS
713 450 CONNECTS
713 454 CONNECTS
713 462 CONNECTS
713 431 CONNECTS
612 442 ?
415 333 AOS/VS 7.56
415 334 AOS/VS 7.56
206 20 HP 3000
206 30 HP 3000
206 32 VAX MICRO VMS V4.7
206 35 CONCURRECT COMPUTER CORP
206 38 AOS/VS 7.56
206 42 AOS/VS 7.56
206 44 AOS/VS 7.56
206 40 PRIME PRIMENET 20.2.4
206 53 CONNECTS
206 65 PRIME PRIMENET 20.1.1D OAD
206 72 DIFFRENT KINDS UNIV. OF WASHINGTON
212 137 PRIME PRIMENET 21.0.3.R7.PTC.3 NY60
909 46
303 65 COMPUTER SHARING SYSTEM
212 32 CIDIADVICE CENTER
303 23 PRIME
212 112 VM/370 ONLINE
212 131 VM/370 ONLINE
909 400
909 401
909 403
909 404
909 406
909 407
909 409
909 502
909 508 PRIME
909 600
909 615 PRIME
909 617 PRIME
212 20 “ENTER ID”
212 21 “ENTER ID”
909 810
909 800
909 801
909 802
909 805
909 811
909 815
909 818
909 819
415 37 HP 3000
617 622 UNIX MEDIA LABS…
214 71 PRIME PRIMENET FB.3.3 UUCB
212 146 OFFICE INFO SERVICE
415 20 DIALOG
213 35 MARKETRUN RESERCH AND SALES
909 95 PRIME TELENET NEWS SEWRVICE
305 22 HP 3000 CIERRA COMPUTER
201 25 DEC NJIT ELECTRONIC INFO EXCHANGE
515 30 LEXIS/NEXIS
201 67 WARNER BROTHERS SYSTEMS
201 68 WARNER BROTHERS SYSTEMS
212 28 OUTDIAL
909 12 PRIME
909 13 CONNECTS
909 51 CONNECTS
909 52 CONNECTS
909 54 CONNECTS
909 58 CONNECTS
909 26 PRIME
909 38
909 39 PRIME
909 49
909 55
909 777 CONNECTS
909 65
909 63
909 53
909 56
909 60
909 62

I hope this file proves to be useful; until next time, call with care.

Doc Telecom

Downloaded From P-80 Systems 304-744-2253

Telecom Computer Security Bulletin: ItaPac, a Brief Introduction, by Blade Runner (August 11, 1988)

_______________________________________________________________________________

ItaPac – A Brief Introduction
Written by Blade Runner on 08/11/88

A Telecom Computer Security Bulletin File
_______________________________________________________________________________

Prologue
——–
This text will represent a very complete tutorial about a packet switching
network used in Italy: ItaPac. The purpose of this file is to supply very
interesting information to have secure use and VERY LONG ItaPac password
lifetime. It also includes a brief summary of what (shit) ItaPac is, technical
terms, and various news.

What’s ItaPac
————-
ItaPac is the Italian Packet Switched Network. The “packet” protocol is so
called because the data which travels through the network is assembled in
255 char groups (packets), each with a physical address in the net towards
which the data is sent at fixed time intervals. Packets can thus contain data
from different sources, and in this way they divide the cost of transmission
and optimize net traffic. All of this runs transparently to the users, who do
not notice the switching and work in an apparent “real time”.

In order to support all available protocols, the Packet Switch needs
management software. By definition, all terminals able to support the
switching are called PADs (packet assembly-disassembly) and work following the
CCITT X.25 recommendations.

A PAD is very expensive to run. It is not the software or hardware that is so
expensive, but rather the continuous maintenance and supervision required to
keep the system running. Normally, most users prefer to have the switching
handled by an ACP Server, which makes the call for them and transforms the
packet protocol from X.25 to asynchronous X.28, which is compatible with the
normal modems that we use.

The user becomes like a DTE (Data Terminal Equipment): he connects to an ACP
(Adapter/Concentrator of Packets) and can operate transparently without
any kind of problems.

The user can login to a pad in either of two ways:

1) DIRECTLY: by dedicated wire installed by Italcable. The cost is higher,
but that guarantees a much higher transmission quality.

2) SWITCHED: by phone (switched line, not to be confused with ACP, even if
there are similarities); the cost is much lower, but the transmission
quality is unacceptable at times.

The direct X.28 user has his own network user address (NUA). Some users have
only one NUA while others have a multiplexed system. This system generally
consists of one NUA and a variable number of subaddresses. The actual number
of subaddresses depends on the number of ports he has into his PAD.

The switched user (poor) can only call other DTEs, but he cannot receive calls,
because he doesn’t have a network user address. In effect the only address
where he can answer is that of the PAD on which he is logged on. Thus the DTE
calls from a phone number (of home, office, etc.); if he can receive calls from
another DTE, it means that the hardware is able to scan the call, and we will
all be in the shit (sorry for the hard expression).

Transmission quality aside, there is no difference between the two X.28 types:
both need a modem. The first is connected to a standard phone line, and the
second to a dedicated one.

For the rest of this file we will talk about the X.28 terminals of the second
type: the dedicated ItaPac PADs.

The ACPs, in turn, are connected to NCPs (Nodes of Commutation of Packets)
with transit functions, access for X.25 DTEs, and local commutation. The
NCPs are connected to each other at high speed (64k/second), and ACPs are
connected to NCPs at 9600 bit/second.

___________________________________________________________________________
| | | | | |
| User Class | Xmit Methods | Speeds | Protocols | Access Methods |
|______________|________________|__________|_____________|__________________|
| | | | | |
| Char by Char | Start/Stop | 300/1200 | X28 | Via Phone or |
| Terminal | Full/Half Dup. | baud | | Direct |
|______________|________________|__________|_____________|__________________|
| | | | | |
| Packet | HDLC | 2400 and | X25 | Direct |
| Terminals | Full Duplex | 9600 bps | | Only |
|______________|________________|__________|_____________|__________________|

The CCITT standard makes it possible to interface ItaPac with other networks
around the world. In effect, the NCPs are connected like big telephone
exchanges. Anyway, it seems that all European traffic to the USA and other
countries, such as Australia, Argentina, Japan, etc., passes through the
centers that are in Paris, France. Maybe from Paris data is sent via
satellite, but I don’t know.

NUIs, NUAs, and DNICs
———————
Well, when you connect to one of ItaPac’s entry points (of which there are 41
ACP sites on Italian terrain at 300/200 baud and full duplex (V21, V22)),
ItaPac responds:

ACP:** I T A P A C ** GENOVA 32 PORTA: 4

The above is an example of the herald for an entry node in Genoa. In the
example you can note that the number “32:” is really the node (the phone number
you have called). Larger cities generally have more than one node. The PORTA is
the port to the node (the physical entry point to the node). “PORTA: 4” means
that you are connected to the fourth port of this particular Genoa ItaPac node.
You can also see from the above example that there are 3 other people connected
to the same node as you. Every ItaPac node can support at most a finite
number of ports. If all the ports of a node are in use then the PAD will
reject all new DTE calls.

Frequently most (or all) of the ports will not answer at all until Friday
night. Until someone logs off, you cannot enter a port that is in use. Very
often the first 2 or 3 ports will be busy from an internal console, or these
will be reserved as an “emergency lane” for internal use only. A good way to
use a free door is to send to people that are probably the callers an Urgent
Call Income (UCI; in the States it is known as a BVC -- Busy Verification
Signal -- AKA emergency interrupt). Then you can redial the node. This time
ItaPac will answer. The message “Beware, please, Urgent Urban Call Incoming”
will appear on the screen. This will blow our friend from the port, thus
freeing it for our use. Eh eh. Now for some definitions.

1) NUI
2) NUA
3) CUG (optional)

NUI – Network User Identification: Nothing other than an ItaPac password.
Every time you call an NUA, ItaPac will charge the account of the owner of the
password. Often NUIs are valid only for certain nodes. That is, if the
contract signed with Italcable allows 300 baud at Genova on 2697, this
NUI will not work on the 2564 node. SYNTAX: the NUI must be preceded by an
UPPERCASE “N” and finished by a minus “-”. The NUI MUST BE TYPED IN UPPERCASE.
Between “N” and “-” the NUI will not be displayed (echoed). You will see
only “N-” on the display.

NUA – Network User Address: the physical address of a remote DTE. Similar to a
phone number, you understand. It must be typed without any blanks inside it and
soon after the NUI (or a timeout will occur and ItaPac will hang up on you).

CUG – Close User Group: this is basically a high-security NUI. CUG users have
access to optional parameters that are used for user recognition (and you know
what that means). Having a CUG account is very handy. CUG users have the
ability to inhibit hackers (after all, they are there for network security,
right?). There are fewer CUG users in Italy than in the USA, and they are
generally rare (but I know of one). A typical example would be the US Tymnet
NUAs (03106nnnnnn). The PAD response will be ACP:CLR NA, or Call Not Accepted,
and it will shut down. That makes hacking on a CUG account a good way to waste
your time.

Now we will take a closer look at an ItaPac NUAs structure (the numbers are
examples only):

 DCC  NC
  | __|
 / \|
 12345678901234
 \__/
  |
 DNIC

DNIC = Data Network Identification Code; it contains the address of the country
to be called and the code for the network chosen. It is divided into two
parts: DCC and NC.

DCC is the Data Country Code; a three digit number that is the phone prefix.
Every country has a different one.

NC is the Network Code; a country can have more than one data network. In
Italy there is ONLY one packet switched network; the code is “2” and it is
Dardo.

Follow with: the prefix of the called city, the DTE number, and an eventual
suffix that is the “phone particular” (max 4 digits).

Note: The DCC is used only to call outside. The DCC must be preceded by a zero.
ItaPac, in this case, is different from other countries.

Let’s show a practical example: The Cilea of Milan (Segrate).

The NUA is: 2220208
            |||______ local address of DTE
            ||_______ 2 (02) = Milano
            |________ NC: 2 = ItaPac

Now, another example: the Altos Unix (altger) in Munich, West Germany (note:
a favorite hangout of Xtension).

The NUA is: 026245890040004
            |\ /|\_ _/|
            | | |  |  |____ 40004: network address
            | | |  |_______ 5 8900: munich prefix
            | | |__________ 4: DATEX-P (germany ItaPac)
            | |____________ 262: DCC West Germany
            |______________ foreign call

The NUA’s structure isn’t always like this. NUAs can exist that don’t appear to
have countries or cities. This is because the address is sent to an indicated
ACP that will provide the rerouting of the call. If the NCP has been instructed
to treat a certain address as another, the DTE can have a Rome NUA and be
located in Genoa. As call with the account to called…

It’s very important to be able to read an NUA. Many times you can find systems
like VAXs and UNIXs, and some refer to non-interactive logins; NUAs are often
not complete. An NUA without a DNIC is like a phone number without an area
code: it means nothing. Usually the system makes references to a subject
network, or it supplies other info in a less clear fashion. For this purpose I
will supply a very short list of worldwide DNICs I’ve found (notice that they
are old hat, the new stuff is only for friends)…

Beware: many countries own more than one national network (GB, USA, etc) then
you will probably hear a thousand cries of “In USA where? On Tymnet, or
Autonet? or Telenet? or RCA? EtherNet?” And I can continue…

DNIC    Network Name    Country
_______________________________________________________________________________

2041    Datanet 1       Netherlands
2062    DCS             Belgium
2080    Transpac        France
2284    Telepac         Switzerland
2322    Datex-P         Austria
2329    Radaus          Austria
2342    PSS             UK
2382    Datapak         Denmark
2402    Datapak         Sweden
2405    Telepak         Sweden
2442    Finpak          Finland
2624    Datex-P         West Germany
2704    Luxpac          Luxembourg
2724    Eirpak          Ireland
3020    Datapac         Canada
3028    Infogram        Canada
3103    ITT/UDTS        USA
3106    Tymnet          USA
3110    Telenet         USA
3340    Telepac         Mexico
3400    UDTS-Curacau    Curacau
4251    Isranet         Israel
4401    DDX-P           Japan
4408    Venus-P         Japan
4501    Dacom-Net       South Korea
4542    Intelpak        Singapore
5052    Austpac         Australia
5053    Midas           Australia
5252    Telepac         Hong Kong
5301    Pacnet          New Zealand
6550    Saponet         South Africa
7240    Interdata       Brazil
7241    Renpac          Brazil
9000    Dialnet         USA
7421    Dompac          French Guiana

This list may be in the hands of hackers everywhere. And, because the bread
for a hacker is made with ItaPac’s flour, the minimum I suggest is to learn by
memory the main international DNICs. Not the ones for French Guiana, but the
main European and American ones.
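
The NUA layout described above (a leading zero for a foreign call, then DCC and NC forming the DNIC, then the network address) can be read mechanically. The following Python parser is an added example, not part of the original file; the names parse_nua, ParsedNUA, DNIC_TABLE and CITY_PREFIXES are hypothetical, the 14-digit limit is taken from X.121 rather than from this text, and the sample inputs are the two NUAs the text walks through.

```python
"""Split an ItaPac-style NUA into the fields the text describes (added example)."""
from dataclasses import dataclass
from typing import Optional

# A few rows copied from the DNIC table on this page: DNIC -> (network, country).
DNIC_TABLE = {
    "2080": ("Transpac", "France"),
    "2342": ("PSS", "UK"),
    "2624": ("Datex-P", "West Germany"),
    "3106": ("Tymnet", "USA"),
    "3110": ("Telenet", "USA"),
}
ITAPAC_NC = "2"  # network code the text gives for ItaPac
# The only city prefix the text shows (02 -> "2" = Milano); any other
# prefix is left unsplit rather than guessed.
CITY_PREFIXES = {"2": "Milano"}
MAX_X121_DIGITS = 14  # assumption from X.121: 4-digit DNIC + up to 10 digits


@dataclass(frozen=True)
class ParsedNUA:
    foreign: bool            # True when the NUA starts with the "0" escape
    dcc: Optional[str]       # Data Country Code (foreign calls only)
    nc: str                  # Network Code
    network: Optional[str]   # None when the DNIC is not in DNIC_TABLE
    country: Optional[str]
    city: Optional[str]      # domestic calls only, when the prefix is known
    local: str               # remaining digits (DTE address and any suffix)


def parse_nua(nua: str) -> ParsedNUA:
    """Parse a domestic ItaPac NUA or a 0-prefixed foreign NUA."""
    # The text says an NUA is typed without blanks: accept digits only.
    if not (nua.isascii() and nua.isdigit()):
        raise ValueError(f"NUA must contain only digits: {nua!r}")

    if nua[0] == "0":
        # Foreign call: 0 + DCC (3 digits) + NC (1 digit) + network address.
        body = nua[1:]
        if not 5 <= len(body) <= MAX_X121_DIGITS:
            raise ValueError(f"foreign NUA has an invalid length: {nua!r}")
        dnic = body[:4]
        network, country = DNIC_TABLE.get(dnic, (None, None))
        return ParsedNUA(True, dnic[:3], dnic[3], network, country,
                         None, body[4:])

    if nua[0] != ITAPAC_NC:
        # Rerouted addresses with no visible country or city, which the
        # text mentions, are outside what this parser can decode.
        raise ValueError(f"not a domestic ItaPac or 0-prefixed NUA: {nua!r}")
    if not 2 <= len(nua) <= MAX_X121_DIGITS:
        raise ValueError(f"domestic NUA has an invalid length: {nua!r}")

    rest = nua[1:]
    city, local = None, rest
    # Longest known prefix first, so a longer city code would win over "2".
    for prefix in sorted(CITY_PREFIXES, key=len, reverse=True):
        if rest.startswith(prefix) and len(rest) > len(prefix):
            city, local = CITY_PREFIXES[prefix], rest[len(prefix):]
            break
    return ParsedNUA(False, None, ITAPAC_NC, "ItaPac", "Italy", city, local)


if __name__ == "__main__":
    # The two worked examples from the text above.
    for sample in ("2220208", "026245890040004"):
        print(sample, "->", parse_nua(sample))
```

A DNIC that is not in the table still parses; only the network and country fields come back empty.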

Let’s return to ItaPac. When you are connected to a remote system, the network
sends an ACP: COM, leaves the field and lets you join the host. To clear the
call and return to command mode (the star “*” prompt), some distinctions must
be made.

1 – For the most part, the host leaves the user the possibility to talk with
    his PAD, either to set up his parameters, or to close, reset or confirm the
    call. In this case, very frequently, with the sequence CTRL-P ItaPac will
    reappear with its “*” prompt and accept commands. Typing “CLR”, ItaPac
    will close the virtual call to the host and answer “ACP: CLR CONF”.

2 – Some hosts, usually those with internal PADs, won’t allow the user control
    of ItaPac. CTRL-P is not recognized, and the only way to log off or catch
    control of the PAD is to send ten LONG-BREAK sequences. The BREAK, not
    to be confused with CTRL-C, that is not in this site, is an INTERNAL signal
    which is not an ASCII code. It is used by the communication program you
    use to send that acknowledgment. If you don’t have the capability to send
    BREAK (short or long), beware not to use these black holes, from where the
    only way to exit will be the physical disconnect from the PAD (i.e., drop
    carrier on the modem).

3 – The use of CLR is not correct and in most cases it will cause serious
    problems to host machines. In effect, their software (or perhaps hardware)
    is not able to correctly interpret the loss of carrier and enters into a
    “Wait-State Pending”, which will finish only after a well-defined interval.
    In the meantime, this port is unavailable. Network administrators never
    like CTRL-P CLR.

Network Signals, Profiles (Outline, Shapes, Sketch), Parameters
—————————————————————
A detailed description of all net signals, standard profiles and parameter
sets is supplied in a “manual about ItaPac access from X28 start-stop
terminals”.

This manual can easily be “thieved” at kermesses in Italcable’s stands; in more
desperate cases, you can ask your friends for it.

What is not written therein by Italcable is the meaning of parameters
14, 15, 16, 17, 18, 19. The official guide stops at the 13th. But the command
^P PAR? gives a full list with 19 entries! Now here are the descriptions:

14: Padding after Line feed (LF)
    0      No padding inserted
    1-15   When it is in the Data Transfer state, the PAD inserts a time delay
           of 1 to 15 character times in length after each LF that it inserts.
           The normal setting is determined by the terminal in use.

15: Editing of data
    This parameter and the following parameters (16, 17, and 18) determine
    how editing of data is performed when the PAD is in the Data Transfer
    state.
    0      Editing of data is not possible
    1      Must be set to this value if the editing facility is required

16: Character delete character
    0      Character deletion is not possible
    1-255  This is the IA5 decimal code of the chosen delete character. The
           normal setting is 127 (for RUBOUT or DEL)

17: Buffer delete character
    0      Buffer deletion is not possible
    1-255  This is the IA5 decimal code of the chosen buffer delete char. The
           normal setting is 24 (CTRL-X) or (CAN)

18: Buffer display character
    0      Buffer display is not possible
    1-255  This is the IA5 decimal code of the chosen buffer display char. The
           normal setting is 18 (CTRL-R) or (TAPE-ON)

Parameter 19 is unknown. One word about Delete. It’s possible to correct what
is typed in command mode via the DEL key. If you use the Backspace (ASCII 8)
key, ItaPac will not accept corrections but will treat these as true
chars.

PAD SPEED
———
If your modem talks to a PAD at a defined baud rate (300 or 1200,
full duplex), the packet transmission will drastically slow the number of
incoming and outgoing characters from your DTE.

PADs send a continuous stream of clear-to-send and Ready-to-send signals that
are really macro rests between packets. At lower transmission speeds (ie, 300
baud) the switching does not feel right, but at 1200 it does. We have computed
that the speed of real transfers and receiving can, at maximum performance,
raise to 450 baud. It is slower when you transfer a file, when the PADs work
is very heavy. Via Xmodem, the PAD will try to destroy time-out signals, or
confuse all. Public computer systems such as Delphi know that also. If you
aren’t able to download correctly using the Xmodem protocol then that means
that only the remote host isn’t detecting the differences between packets
and asynchronous terminals.

The question is: will it happen only on ItaPac (not new) or is a common
problem to all NCPs?

“NC” Nights
———–
There are nights in which every address you call is “NC”. The Network Conges-
tion state is very frequent on ItaPac, and will disallow the use of the network
used from NCP. The causes are very mysterious. At night Firms aren’t using
ItaPac, and it seems the network is used only by hobbyists. Then what? At the
Service center they negate all, but this is reality. ItaPac, at the end, is an
asshole.

It has very high rates but they will add a joke to the classical thief: some-
times it doesn’t work. How does it not work? Ha! To them everything is
always ok. And then someone will cry scandal if you try to bypass them!

NUIs USED
———
Usually, NUIs that are used (or had been used) are demo NUIs. It hasn’t an
account, and then -in theory- cannot exhaust. Operators cannot ever notify
their use, because they don’t have a record of calls…If a demo NUI will die,
the cause can be one of only two:

1) ItaPac has changed codes due to normal administration

2) ItaPac was warning about the happening, or from their technician who had
noted abnormal traffic and has controlled, or from an external (a son of
a bitch spy!)

+2-15-87
+-+
| |
+–+ +–+
+–+ +–+
| |
| |
|_|
53ST6R

An historical NUA- it has been working for over 2 years, and for a SPY…

HOW GET AN NUI
————–
The more simple and safe method is to copy that from kermesses where Italcable,
or otherwise, use X.28 wires. The dedicated X28 DOESN’T NEED AN NUI because
they are directly connected.

Go near the operator and ask “That is a MODEM?”

Operator (if they have the time) will be moved to pity, in front of so much
ignorance, and he feels so relaxed, types in his pw. You, with an optimum
eye, must read the keyboard and memorize the NUI. This is called shoulder
surfing.

It is well, in the case of big kermesses, to try to catch ANY booklet, agenda,
block notes left near terminals. If the stand is owned by Italcable, ALL you
can catch, must BE, without differences.

A new scanning technique, based on trying statistically calculated, is in exam
between DTE222. This technique may guarantee, if applied to a long scan time,
positive results in NUI research. The minimum number of NUI tried cannot be
less than to 100,000 (1 hundred thousand), causing cost and time problems.

At large lines, that rule is like: a NUI generator will provide to create a
very likely NUI following the same criteria. A scanner will try all in an
automatic manner. It tries 8, then it uses a valid NUI to connect to 22000
(Echo pad), immediately it logs off (CLR CONF), putting zero thanks to ACP:COM
the ACP:ERR ILL counter (how we know, to 10th ERR ILL the pad will logoff
physical call [hangs]). The 9th try is as security margin. Then the scanning
will restart. At 1200 baud – therefore – we had a 1400 hours tested NUI
average. This, is all talk! In addition, it seems that before 700 ERR ILL,
not looking counter reset, ItaPac will hang up. That will make it more
difficult for our computer; it arises at times (will redial number) and makes the
search more expensive.

NETWORK SIGNALS
—————
Net can send several messages:
– as answer to a command
– by its own decision
– following an action performed by the remote terminal

1. Error messages

ERR CNA    syntax of command is correct, but not allowed in this state
ERR ILL    command is not syntactically correct or the hit is not recognized
ERR EXP    timeout and command was not completed
ERR PNA    the requested outline is not assigned yet

2. Logoff messages

CLR OCC    the called number is busy
CLR NC     Network congestion or temporary failure of hardware cannot allow new
           calls
CLR INV    Requested performance is not valid
CLR NA     The calling number cannot have connection to DTE (ex: Close User
           Group not compatible)
CLR ERR    Call is hung for a local procedure error
CLR RPE    Call is hung for a remote DTE error
CLR NP     Called NUA is not assigned
CLR DER    Called NUA is out of order
CLR PAD    PAD has hung the call because it had received an invitation to
           “clear” from DTE
CLR DTE    Remote DTE hung call
CLR RNA    Remote DTE cannot accept charged calls

3. Reset Messages

RESET DTE  Remote has reset the virtual circuit
RESET RPE  Call is put in reset state for remote DTE error
RESET ERR  Call is reset for a local error
RESET NC   Call is hung for a network congestion
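
Seen from the operator's side, the counter reset described under HOW GET AN NUI leaves a recognisable trace in the service signals listed above: bursts of ERR ILL that stop short of the tenth, each followed by a COM that is cleared within seconds. The Python below is an added example, not part of the original text; the log layout, the session ids and every threshold except the 10-failure limit are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log layout (an assumption, not an ItaPac format):
#   <seconds> <session-id> ACP: <service signal>
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+ACP:\s*(.+?)\s*$")

PER_CALL_LIMIT = 10       # from the text: the PAD hangs up at the 10th ERR ILL
MIN_BURST = 5             # hypothetical: consecutive ERR ILL that count as a burst
MAX_RESET_SECONDS = 15    # hypothetical: a call cleared this fast did no real work
MAX_CYCLES = 2            # hypothetical: burst-then-reset cycles before flagging
MAX_TOTAL_FAILURES = 20   # hypothetical cap on ERR ILL that ignores resets


@dataclass
class Session:
    run: int = 0              # ERR ILL since the last COM (what the PAD counts)
    total: int = 0            # every ERR ILL in the session, never reset
    cycles: int = 0           # bursts followed by a call cleared within seconds
    worst_run: int = 0        # longest run of ERR ILL seen
    burst_pending: bool = False
    com_at: int = -1          # time of the COM that ended the last burst


def analyse(lines):
    """Return {session_id: details} for sessions that look like NUI guessing."""
    sessions = defaultdict(Session)
    for raw in lines:
        match = LINE_RE.match(raw)
        if not match:
            continue                          # not a service-signal line
        when, sid, signal = int(match[1]), match[2], match[3].upper()
        s = sessions[sid]
        if signal == "ERR ILL":
            s.run += 1
            s.total += 1
            s.worst_run = max(s.worst_run, s.run)
            s.burst_pending = False
        elif signal == "COM" or signal.endswith(" COM"):
            s.burst_pending = s.run >= MIN_BURST
            s.run = 0                         # the PAD's own counter restarts here
            s.com_at = when
        elif signal.startswith("CLR"):
            if s.burst_pending and when - s.com_at <= MAX_RESET_SECONDS:
                s.cycles += 1
            s.burst_pending = False

    flagged = {}
    for sid, s in sessions.items():
        reasons = []
        if s.cycles >= MAX_CYCLES:
            reasons.append(f"{s.cycles} failure bursts, each reset by a call "
                           f"cleared within {MAX_RESET_SECONDS}s")
        if s.total >= MAX_TOTAL_FAILURES:
            reasons.append(f"{s.total} ERR ILL in one session (longest run "
                           f"{s.worst_run}, PAD limit {PER_CALL_LIMIT})")
        if reasons:
            flagged[sid] = {"total": s.total, "cycles": s.cycles,
                            "worst_run": s.worst_run, "reasons": reasons}
    return flagged


def build_sample_log():
    """Constructed sample: session A is an ordinary user, session B resets the counter."""
    lines = ["100 A ACP: ERR ILL", "130 A ACP: COM", "760 A ACP: CLR DTE"]
    t = 200
    for _ in range(3):
        for _ in range(8):
            lines.append(f"{t} B ACP: ERR ILL")
            t += 20
        lines.append(f"{t} B ACP: COM")
        lines.append(f"{t + 3} B ACP: CLR CONF")
        t += 30
    return lines


if __name__ == "__main__":
    for sid, info in analyse(build_sample_log()).items():
        print(sid, info["reasons"])
```

Counting failures per session rather than per call is the point: the PAD's own counter never reaches its limit in session B, but the session total and the repeated short calls both stand out.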

RATES AND DUTIES
—————-
For whoever wants to subscribe to ItaPac, here are the rates. For whoever uses it
as Portoguese it might be interesting to have an idea about how much it costs
the real owner of an NUI. Then, if you have one, don’t abuse it and don’t tell it
to the four winds. Remember that the real owner can, at any moment, change it!

BY X.28 Switched Phone
———————-
Class (baud) Lire/Month
300 12,150
1200 7,100

NUI duties: 7,200 / month

to these must be added:

modem duties
mail and telegraph duties
contributions and traffic (counter turns!)

The amount of the first two isn’t clearly specified on the rates-sheets, but it
is marked as:

Following the current rates. The last is divided as follows: they will consider the
distance between the user site and the centre of the relative area phone code.

X.25-X.28 Direct Connection
—————————
Class (baud) Lire/Month
300 108,000
1200 139,500
2400 208,800
4800 275,400
9600 311,400

To these must be added:

modem duties
duties for use of area to area circuitry
duties for new wires

Time rates for Ports Taken
————————–
class (baud) Lire/Minute (or fract)
300 13.50
1200 18.00

Time Rates
———-
6.80 Lire/minute or fraction

Volume rates
————
1.78 Lire/segment or fraction thereof (1 segment= 64 octets)

Rates to call
————-
30 lire / call

Addings per NUI
—————
7,200 / month

For time and volume rates there is a 30% discount from 9 PM to 8 AM every day,
including Saturday and non-working days

PVC Rates
———
54,000 Lire / Month

Class of Max Charge of line
—————————
9,000 * KB / Month

CUG

Master 56,700 Lire / Month
Users 900 Lire / Month

Payment to Called
—————–
8,100 / Month

Change Options Parms
——————–
45,000 Lire

Speed Class Change
——————
90,000 lire

Calls List
———-
Lire 30 each voice in list

International Traffic [The rates are in Gold Francs (GF)]

Europe
——
GF 0.107 / min or fraction thereof

Extra Europe
————
GF 0.3333 / min or fract (1)
GF 0.4 / min or fract (2)
GF 0.5 / min or fract (3)

(1) North America or Middle East directly connected to Italy
(2) Other countries out from Europe directly connected to Italy
(3) All others

In a few words, if you aren’t a Multinational Company, but a hobbyist, you must
take out a 20-year loan to be able to afford ItaPac.

The Network is also able to receive characters following international Alphabet
from CCITT No. 5 (IA5) with 1 or 2 stop bits and it will produce even chars
with the #2 stop bit. In the exchange of control chars between terminals and
net, ItaPac will translate characters dropping out the parity and send chars
with even parity. Characters are exchanged in transparent way to user regard-
ing parity and bits.

TO CONNECT VIA THE SWITCHED WAY
——————————-
1) Dial the ItaPac node phone number. Whoever doesn’t have an automatic modem
must switch to data within 10 seconds from the first ItaPac tone.

2) send two to build the physical connection (within 30 seconds)

3) ItaPac will send the network herald, ACP identification and entry port (as
explained)

4) At your request: enter the virtual call state by typing ACP: FREE

5) send call request by issuing the NUI, the NUA and the data field (max 12
characters optional). E.g: if the NUI is AAAAAA and the NUA is 2345678 you
must type: NAAAAAA-2345678 . The NUI is never echoed on screen. All
sequences must blank free and entered within 120 seconds from first keypress.
If you type a wrong NUI, net will answer ACP: ERR ILL. If you also need to
send a data string, (e.g. ABCD) send: NAAAAAA-2345678 D or P ABCD .
Typing ‘D’ before string the following data will be echoed, with ‘P’.

6) net give ACP: COM if call is done.

From this moment starts the data exchange phase and, until you disconnect, all
commands to the net must be preceded with the ^P sequence. If the call is not
correct, the net will answer by sending a disconnect signal to specify the
cause of it. After 10 times of unsuccessfully placed calls, the net will hang
up the carrier. If the call is possible, the NUA will receive an ACP: (caller
address) COM.

COMMANDS
——–
The following commands can be issued prior to having a connection, meanwhile
data transfer. In the last case, type a ^P before to exit data session (either
it’s considered as data itself). At end of command send . Beware that in
a start-stop terminals calls (X.28) commands must sent also from TH in packet
way, following X.29 procedures.

1) Virtual call state request:
STAT
will answer:
– if call is on : ACP: ENGAGED
– if call is off : ACP: FREE

2) Shape Choose

PROF
network will put on that (see later). At start the #3 is default outline.

3) Commands to send only during the data exchange (preceded by ^P)
reset request: ^P RESET
That command will cancel call followings data on line.

4) Interrupt send to remote DTE:
^P INT
This packet will go over travelling data. Then, the action taken by the host
depends on its software.

THE EDITING FEATURE.

By the Editing Feature, you can delete a char or a line to make editing the PAD
provide buffered characters. The editing function is ever in use during X.28
and the ACP xmit. To have it meanwhile data transfer you must choose parm 15.
In this case, the user can choose between parms 16,17 and 18 the usable chars
to request editing function and he can, via par 19, editing signals send by
PAD.

1) Delete a char

To delete the last typed character you must send the character that parm 16
defines (default DEL). On receiving this char, the PAD will erase the last
character in the editing buffer, and, if parm 16 is different from 0, it sends
the signal about the erased char as said from par 19:

if parm 19 is set to 0, no signal is sent
if parm 19 is set to 1, the pad sends IA5 signal; this procedure is suggested
for printer like terminals
if parm 19 is set to 2, the pad will send a BS SP BS sequence of IA5. This
procedure will locate cursor at inserting point of new char and is
therefore suggested for video terminals.

2) Erase a line

To erase a line you must send the char set into parm 17 (def: CAN). On
receiving this character, the PAD will erase the buffer and, if parm 6 is set
to anything save 0, it will send the line deletion character, following
parameter 19:

if parm 19 is set to 0 : nothing sent
if parm 19 is set to 1 : pad sends XXX
if parm 19 is set to 2 : pad will send SP BS SP of IA5 for a number of times
equal to the number of chars in the buffer

3) Display a line

To obtain a line display you must send the char defined by parm 12 (def: DC2).
On receiving this char, the pad will send to the terminal all chars stored in the
buffer.

_______________________________________________________________________________

The Complete Introductory Guide to Sprintnet and Similar Packet-Switched Networks by Doctor Dissector (April 22, 1990)

The THC Hack/Phreak Archives: PSNINTRO.DOC (842 lines)
Note: I did not write any of these textfiles. They are being posted from
the archive as a public service only – any copyrights belong to the
authors. See the footer for important information.
==========================================================================
% X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X %
X**=======================================================================**X
%!! Phreakers/Hackers/Anarchists !!%
X!! -++–++–++–++–++–++–++- !!X
%!! !!%
X!! THE COMPLETE INTRODUCTORY GUIDE TO SPRINTNET AND !!X
%!! SIMILAR PACKET SWITCHED NETWORKS !!%
X**=======================================================================**X
% X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X %
X**=======================================================================**X
%!! P/H/A – Written By Doctor Dissector On Sunday, April 22, 1990 – P/H/A !!%
X**=======================================================================**X
% X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X %

Part I: Disclaimer
——————
The sole purpose of this document is to educate. Neither the author nor
the sponsor group (Phreakers/Hackers/Anarchists) will be held responsible
for the reader’s actions before, during, and following exposure to this
document as well as the validity or accuracy of the information contained
within this document.

Part II: Introduction
———————
Packet switching networks can be said to be the most useful tool for both
the inexperienced and the experienced hack. When I first learned about
PSNs (SprintNet/Telenet in general), I discovered that there were not any
good “full length” introductions or guides to the use of these systems. In
effect, scrounging around for a small file here and another there was not
very productive in any sense. So, I decided to compile a “complete”
introduction and guide, as I know it, to the “world” of the packet switched
network. Enjoy!
Doctor Dissector – PHA

Part III: Table Of Contents
—————————
Part Description
—– ————————————————————-
I Disclaimer
II Introduction
III Table Of Contents
IV What Is A Packet Switched Network?
V Network Protocols
VI PAD Security
VII Connection To The SprintNet PAD
VIII X.121 International Address Format
IX Network User Identification
X Setting PAD ITI/X.3 Parameters
XI Disconnect Code Sequence
XII Misc Network Notes
XIII Appendix
XIV Conclusion And Closing Notes
XV Greets, Hellos, Etc….

Appendix Description
——– ———————————————————–
A Hunt/Confirm Sequence Codes
B PAD Command Summary
C ITI/X.3 Parameter Summaries
D International DNIC/PSN List
E Overseas PSNs Which Accept Collect Calls
F Network Protocol List
G Glossary

Part IV: What Is A Packet Switched Network?
——————————————-
A packet switched network can be accessed through any local POTS
dialup/port. Systems known as “hosts” on the PSN pay for connection to
the PSN depending on transmission speed and protocol type. PSNs offer
more efficient data transfer and lower rates as compared to the typical
circuit switched call. Thus, to anyone who would be interested in
transferring large amounts of data over either the PSN or the circuit
system, the PSN would result in an increase of convenience due to the
reduction of data transmission error and cost.
Another feature of the PSN is the speed and data translation which
takes place between the PSN’s PAD (Packet Assembler/Disassembler) and
the host. For example, one could connect to the PSN’s PAD at 1200 bps
and the PAD could connect to the host system at 9600 bps and still
allow the user to receive error free transmission. This “flow control”
is done by the actual increase or decrease of the data packet between
the PAD and the user or the PAD and the host.
PSNs also have the ability to interconnect through special gateways
which might allow one user who dialed one PSN’s PAD and then connected
to another PSN’s PAD through a system which was accessible by the first.
Almost every PSN in the world can be accessed through gateways on one
PSN to another PSN, through subsequent gateways until the target PSN
is reached; of course, there are always exceptions, some private or
small data networks may not be reachable through gateways, these systems
can only be reached, usually, through direct dialins.
Some PSNs allow the caller to execute “collect calls” to host
systems which accept them, although the majority of the hosts on any
given PSN do not accept collect calls. To connect to a host system which
does not accept collect calls, one must possess a network user identifier
(NUI) or access to a private system on the PSN which accepts collect
calls and has the ability to access another PSN with its own identifier.
These will be discussed further into this document.

Part V: Network Protocols
————————-
The PSN utilizes several communications protocols similar to the
communications protocols used by typical asynchronous modems. However,
MOST PSNs utilize synchronous communications and the X type protocols
versus the typical modem’s asynchronous V protocols. As a result, the
PAD of any PSN also serves as a synchronous/asynchronous translator
between the synchronous network and the asynchronous modem.
Most PSNs offer network speeds from snail’s pace baud rates of
300 bps (asynchronous) to the lightning of 48,000 bps (synchronous).
The most common data protocol used by PSNs today is the X.25 protocol,
thus if one were able to access a private PAD which offered support for
the X.25 protocol, one could access virtually any network user address
(NUA) from that PAD. SprintNet PADs support the X.25 protocol, so if
one had an NUI of sorts, one also could access any NUA from the SprintNet
PAD. See appendix F for a list of network protocols.

Part VI: PAD Security
———————
SprintNet PADs and most dialin PADs in general have no “immediate”
form of telephone security common within their systems. Plainly, SprintNet
and most PSN dialin PADs cannot trace on the fly, as they do not have
their own equipment to trace incoming calls. HOWEVER, this does not
mean that they CANNOT trace; SprintNet can, and will, upon probable
cause, cooperate with the telco to trace calls. Notice that tracing
usually is premeditated and one-time abusers have a very slim chance
of being caught. Also note that most PAD activities are logged and if
abuse is suspected, the PSN owners would most likely suspect the abuser
as originating from the local area, since the POTS dialin/port is also
located in the same area.
Once online, security from “calling” hosts which do not accept collect
calls is enforced by the presence of the NUI. Without an NUI, one would
usually be stuck, only able to call systems accepting collect calls, sans
the use of another system’s NUI.
There is one more aspect of security worth mentioning. Whenever a
packet of data is sent to a host system, a header of data is sent stating
where the originating “call” is being placed by. Thus, if you were
connecting to “312312” from your local POTS dialin/port that owned an
address of “20231H,” the system at 312312 would know the call was being
originated from 20231H. Once again, if someone were abusing any system on
the PSN and that system saved a log of the originating addresses accessing
that system, the owners of the abused system could easily determine which
POTS dialin/port number the abuser was using, and then inform the PSN
security of possible abuse in that dialin’s local area. Because of this
ability to “trace” the originating address, there is one way to foil this.
One could connect to another PAD, and then, from that PAD connect to
the target system. Thus, the POTS dialin/port address will be sent to
the connected PAD, and the connected PAD would intercept the POTS address
and send the connected PAD’s address to the target system instead of
the POTS address. SO, if the target system was abused and the owners
attempted to “trace” the originating address, they would receive the
address of the connected PAD. For example: you dial your local POTS
dialin/port which had an address of “71516G,” log into another PAD at
“415100,” connect from 415100 to “213213.” The system at 213213 if
“traced” would find that you were originating from 415100, not 71516G.
See how it works? Good… Notice that the system 213213 would still
know that you were originating from 71516G, but the folks you were
genuinely abusing wouldn’t know that!

Part VII: Connection To The SprintNet PAD
—————————————–
The following procedure outlines the methods used to connect to
and through the SprintNet PAD.

Step  Procedures                             Network/Operator Response
----  ----------                             -------------------------
1     Turn on your terminal. Make sure
      it’s Online.

2     Dial your local SprintNet access
      number.

3     For data sets Bell 103 & 113 type,
      depress the DATA button.

4     Enter the hunt/confirm sequence
      for your baud/parity type. For
      E,7,1 1200/2400, type twice.
      For hunt/confirm sequences, see
      appendix A.

5     SprintNet will identify itself,        TELENET
      its port address, and then send        909 14B
      a TERMINAL= prompt for terminal
      identification. “D1” specifies         TERMINAL=D1
      dumb terminal.

6     NUI Input: After SprintNet gives
      the “@” prompt, type “ID ;” and        @ID ;ABCD
      then your ID code, followed by a       PASSWORD=123456
      . Then enter your password
      followed by another . If you
      don’t have an NUI, you can always
      access systems which allow collect
      calls.

7     At the “@” prompt, you can enter       @02341123456790
      the network user address (NUA) of
      the desired host. If, during the
      connection attempt, you wish to abort
      the attempt, a BREAK signal will
      bring you back to the “@” prompt.

8     SprintNet will respond with a          (address) CONNECTED
      connection message, or an error
      message.

9     To disconnect from your computer,      (address) DISCONNECTED
      log off as usual. SprintNet will
      send a disconnect message. To
      disconnect off of a system without
      logging off, typing “@” will
      bring you back to the “@” prompt.

Part VIII: X.121 International Address Format
———————————————
Most PSNs around the world follow the X.121 format for access to both
domestic and international hosts. SprintNet does not require some parts
of the format for domestic connection, which will be discussed below.

 +------------------------------------------ Zero Handler For SprintNet
 |                                           (Formats The X.121 Address)
 |
 |     +------------------------------------ Data Network Identifier
 |     |                                     Code (DNIC)
 |     |
 |     |       +---------------------------- Area Code of Host
 |     |       |
 |     |       |       +-------------------- DTE Address of Host
 |     |       |       |
 |     |       |       |       +------------ Port Address
 |     |       |       |       |
|0|  |DDDD|  |AAA|  |HHHHH|  |PP|
                               |
                               +------- Optional ‘Subaddress’
                                        Field for Packet Mode
                                        DTE

For a complete list of DNICs/PSNs according to country, please see
appendix D.
On SprintNet, a “0” MUST lead the NUA, although on other PSNs, this
may not be necessary.
On SprintNet, the DNIC is defaulted to 3110. Any host entered at the
“@” prompt, if domestic to Telenet/USA, will not require the input of
zero handler or the 3110 DNIC. For example:

Domestic      X.121            SprintNet Int’l
----------    --------------   ---------------
2129966622    31102129966622   031102129966622
212869        311021200869     0311021200869
21244         311021200044     0311021200044
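
The three columns of the table follow one rule, written out below as an added Python example (it is not part of the original file). The rule is inferred from the table rows: the first three digits are the area code, a short DTE address is right-justified in five digits, and a two-digit port appears only after a full five-digit DTE address; the function names are hypothetical.

```python
import re

SPRINTNET_DNIC = "3110"   # default DNIC given in the text
ZERO_HANDLER = "0"        # SprintNet wants this in front of a full X.121 address


def parse_domestic(addr):
    """Split a domestic address into its AAA, HHHHH and PP fields.

    Assumption drawn from the table: AAA is the first three digits, HHHHH is
    zero-filled on the left, PP exists only when seven digits follow AAA.
    """
    digits = re.sub(r"\s", "", addr)
    if not digits.isdigit():
        raise ValueError(f"not a numeric address: {addr!r}")
    area, rest = digits[:3], digits[3:]
    if 1 <= len(rest) <= 5:
        host, port = rest.zfill(5), ""
    elif len(rest) == 7:
        host, port = rest[:5], rest[5:]
    else:
        raise ValueError(f"cannot split {addr!r} into AAA + HHHHH [+ PP]")
    return {"dnic": SPRINTNET_DNIC, "area": area, "host": host, "port": port}


def to_x121(addr):
    """Domestic form -> X.121 form (DNIC + AAA + HHHHH [+ PP])."""
    f = parse_domestic(addr)
    return f["dnic"] + f["area"] + f["host"] + f["port"]


def to_sprintnet_intl(addr):
    """Domestic form -> what is typed at the "@" prompt for a full address."""
    return ZERO_HANDLER + to_x121(addr)


def split_x121(addr):
    """Split a full address, with or without the zero handler, into fields."""
    digits = re.sub(r"\s", "", addr)
    if len(digits) in (13, 15) and digits.startswith(ZERO_HANDLER):
        digits = digits[1:]                      # drop the zero handler
    if not digits.isdigit() or len(digits) not in (12, 14):
        raise ValueError(f"expected 12 or 14 digits after the zero handler: {addr!r}")
    return {"dnic": digits[:4], "area": digits[4:7],
            "host": digits[7:12], "port": digits[12:]}


def to_domestic(addr):
    """Full SprintNet address -> the short domestic form."""
    f = split_x121(addr)
    if f["dnic"] != SPRINTNET_DNIC:
        raise ValueError(f"DNIC {f['dnic']} is not SprintNet's {SPRINTNET_DNIC}")
    if f["port"]:
        return f["area"] + f["host"] + f["port"]   # HHHHH must stay five digits
    return f["area"] + (f["host"].lstrip("0") or "0")


if __name__ == "__main__":
    for domestic in ("2129966622", "212869", "21244"):   # rows of the table
        print(f"{domestic:<12}{to_x121(domestic):<16}{to_sprintnet_intl(domestic)}")
```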

Part IX: Network User Identification
————————————
Network user identifiers (NUIs) offer full SprintNet PAD use for
any distance or amount of time for any host accessible by the PAD in
question. Think of the NUI as a /<-/<00l Kode for calling long distance.
Any systems that you call are logged, and each call is charged. At the
end of the month, the owner of the NUI is billed. So, it is possible to
hack out NUIs and use them, but like k0dez, abuse kills.
NUIs can be entered into SprintNet in two ways. The first method is to
type "ID ;xxxx" where xxxx can be from 4-? characters in length, both
alphabetic and numeric. Then, at the password prompt, enter a password.
The second method for entering an NUI is in conjunction to the NUA you
are accessing. The format is ",,” where at the “@”
prompt you would type the desired NUA, followed by a comma, then your
ID followed by a comma, and then your password. Your password will not
be echoed.

Part X: Setting PAD ITI/X.3 Parameters
————————————–
Online PAD parameter modification may be desired for certain
applications, connections, or data transfers. See appendix C for brief
summaries of these parameters. Modification of these parameters can be
done by the following procedure at the “@” prompt:

X.3 Parameters
————–
To display current parameters: “PAR?
The PAD will respond with: “PAR1:,2:,…”

To modify parameter(s): “SET? :,:,…”
The PAD will respond with: “PAR:,…”

ITI Parameters
————–
To display current parameters: “PAR? 0,,,…”
The PAD will respond with: “PAR:,:,…”

To modify parameter(s): “SET? 0:33,:,:,…”
The PAD will respond with: “PAR0:33,:,…”

Part XI: Disconnect Code Sequence
———————————
When disconnected off of any host on SprintNet, a disconnect coding
sequence with a string of data will be sent to your terminal. The
following is a translation format for the disconnect coding.

DISCONNECTED AA BB TT:TT:TT:TT CCC DD

Where:
is the NUA of the given host system.
AA is the clearing code.
BB is the diagnostic code.
TT:TT:TT:TT is the time spent on the host.
CCC is the number of frames received.
DD is the number of frames sent.
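
Because every call is charged to the owner of the NUI, an account holder can check a bill against captured session logs by parsing these disconnect lines. The Python below is an added example, not part of the original file: it assumes the host address precedes DISCONNECTED (as in step 9 of Part VII) and that TT:TT:TT:TT reads as days:hours:minutes:seconds, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# <address> DISCONNECTED AA BB TT:TT:TT:TT CCC DD   (field order from the text)
DISC_RE = re.compile(
    r"^\s*(?P<address>\d[\d ]*?)\s+DISCONNECTED\s+"
    r"(?P<clearing>\w\w)\s+(?P<diagnostic>\w\w)\s+"
    r"(?P<d>\d+):(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+"
    r"(?P<received>\d+)\s+(?P<sent>\d+)\s*$"
)


def parse_disconnect(line):
    """Return the fields of one disconnect line, or None if it does not fit."""
    m = DISC_RE.match(line)
    if not m:
        return None
    # Assumption: the four time fields are days, hours, minutes, seconds.
    seconds = ((int(m["d"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
    return {
        "address": " ".join(m["address"].split()),
        "clearing": m["clearing"],        # kept as text; the page gives no code table
        "diagnostic": m["diagnostic"],
        "seconds": seconds,
        "frames_received": int(m["received"]),
        "frames_sent": int(m["sent"]),
    }


def usage_by_host(lines):
    """Total sessions, time and frames per host; also return malformed lines."""
    totals = defaultdict(lambda: {"sessions": 0, "seconds": 0,
                                  "frames_received": 0, "frames_sent": 0})
    rejected = []
    for line in lines:
        if "DISCONNECTED" not in line:
            continue                      # connect messages, prompts, host output
        rec = parse_disconnect(line)
        if rec is None:
            rejected.append(line)         # keep for manual review, do not guess
            continue
        t = totals[rec["address"]]
        t["sessions"] += 1
        t["seconds"] += rec["seconds"]
        t["frames_received"] += rec["frames_received"]
        t["frames_sent"] += rec["frames_sent"]
    return dict(totals), rejected


# Constructed session capture, not taken from a real network.
SAMPLE = [
    "212 141 CONNECTED",
    "212 141 DISCONNECTED 00 00 00:00:12:30 145 62",
    "212 141 DISCONNECTED 00 00 00:01:00:05 900 410",
    "909 631 DISCONNECTED 09 00 00:00:00:08 3 2",
    "909 631 DISCONNECTED 00 00 line noise",
]

if __name__ == "__main__":
    totals, rejected = usage_by_host(SAMPLE)
    for host, t in sorted(totals.items()):
        print(host, t)
    print("unparsed:", rejected)
```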

Part XII: Misc Network Notes
—————————-
Just a few things one might want to know when using PSNs:

1) When using/abusing a private PAD, try to use it after business
hours, as the operators will not tend to discover your presence
as quickly.

2) When hacking or abusing ANY system on ANY PSN, if anything seems
different or suspicious, logoff, disconnect, or HANG-UP
IMMEDIATELY! Much better SAFE than SORRY!

3) For a complete and updated list of POTS dialin/ports, dial the
IN-WATS number at 1-800-546-1000 or 1-800-546-2000, type “MAIL,”
and for user name and password, enter “PHONES.” You will be
diverted to the SprintNet dialing directory & a menu. From then on
you will have plenty of info about POTS dialins and port numbers.

4) For international information concerning SprintNet and other PSNs,
get to a SprintNet “@” prompt and type “MAIL.” Then, for the user
name, enter “INTL/ASSOCIATES.” For the password, type “INTL,” and
you will be diverted to the international information menu.

5) For even more info on SprintNet and PCP, the NUA for the PCP
support BBS is 311090900631 (909631 domestic).

6) Some 2400 bps and 2400+ bps PADs have problems recognizing 8,N,1
connections. Sometimes they only allow E,7,1 transmissions.
Experimentation or inquiry may yield results. SprintNet’s customer
information line is at 1-800-336-0437, overseas is 1-703-689-6400.

7) PCP outdials and other outdial systems are abundant on the PSNs
throughout the world. If you have any NUAs to these or find any,
they utilize the typical Hayes AT command set, so they should be
easy to figure out. MOST of the time, they ONLY allow dialing of
local (to the outdial’s area code) numbers, but some have been known
to allow interstate and even international calls. Experimentation,
again, is always necessary.

8) Domestically, the “AAA” (Area Code) portion of the NUA is usually
the same as the area code (NPA) of the same calling area. However,
some area codes are shared on the network and some non-existent
area codes such as 909, 223, 224 and others contain hosts.

9) On any PAD, the data transmission rates may be slowed, due to the
assembly/disassembly time, called packet delay. Depending on which
system, baud, and transfer protocol used, pad delay can differ from
almost none to noticeable fractions of seconds. PCP outdials are
notorious for LLOONNGG pad delays….

Part XIII: Appendix
——————-
Appendix A: Hunt/Confirm Sequence Codes
=======================================
Bits  Stop  Parity  Modem Baud  Duplex  Sequence
----  ----  ------  ----------  ------  --------
7     1     EVEN    300-1200    FULL
7     1     EVEN    300-1200    HALF    ;
7     1     EVEN    2400        FULL    @
7     1     EVEN    2400        HALF    @;
8     1     NONE    300-1200    FULL    D
8     1     NONE    300-1200    HALF    H
8     1     NONE    2400        FULL    @D
8     1     NONE    2400        HALF    @H

At BPS speeds 2400+, wait 1/2 a second BEFORE and AFTER the
“@” sign in the sequence above.

Appendix B: PAD Command Summary
===============================
The following is a list of commands usable from the “@” prompt on the
SprintNet PSN.

Command      Description
-----------  -------------------------------------------------------------
             Connects to the host specified by that NUA.
C            Connects to the host specified by that NUA.
STAT         Displays the network port address (NUA of the port).
FULL         Sets duplex to full.
HALF         Sets duplex to half.
DTAPE        Prepares the PSN for bulk file transfers.
CONT         Continues the current connected session/connect attempt.
BYE          Aborts connect attempt/disconnects from current session.
D            Aborts connect attempt/disconnects from current session.
HANGUP       Logs you off from the SprintNet PAD.
TERM         Changes the terminal specification to that of .
MAIL         Request connection to SprintNet Telemail.
TELEMAIL     Request connection to SprintNet Telemail.
ID ;         Enter NUI, is your ID. This is followed by a PASSWORD
             prompt. Password will not be echoed.
TEST CHAR    Test if you are receiving garbled output. If so, adjust
             parity or data bits, and then try again. If errors persist,
             be sure to complain to SprintNet customer service!
TEST ECHO    Test if your input is being garbled by Telenet. Similar
             otherwise as TEST CHAR.

Appendix C: ITI/X.3 Parameter Summaries
=======================================
Para-                               Para-
meter Description (Default Value)   meter Description (Default Value)
----- ---------------------------   ----- ---------------------------
1     Line feed Insertion (0)       31+   Interrupt Character (0)
2     Network Message Display (0)   32    Automatic Hang-up (0)
3     Echo (1)                      33+   Flush Output (0)
4     Echo Mask (163)               34    Transmit on Timers (1)
5     Transmit Mask (2)             35    Idle Timer (80)
6*    Buffer Size (0)               36    Interval Timer (0)
7*    Command Mask (127)            37    Network Usage Display (0)
8*    Command Mask (3)              38    Carriage Return PAD (Variable)
9     Carriage Return PAD (Fixed)   39    Padding Options (1)
10    Linefeed Padding              40    Insert on Break (0)

11    Tab Padding                   41    PAD-Terminal Flow Control (0)
12    Line Width                    42    PAD-Terminal XON Character (17)
13    Page Length (0)               43    PAD-Terminal XOFF Character (19)
14    Line Folding (1)              44*   Generate Break (INV)
15    Page Wait (0)                 45*   APP on Break (0)
16    Interrupt on Break (0)        46    Input Unlock Option (0)
17    Break Code (0)                47    Input Unlock Timer (0)
18    NVT Options (0)               48    Input Unlock Character (0)
19    Initial Keyboard State (0)    49    Output Lock Option (2)
20    Half/Full Duplex              50    Output Lock Timer (10)

21    Real Character Code           51    Output Lock Option (0)
22    Printer Style                 53*   Break Options (0)
23    Terminal Type                 54    Terminal-PAD Flow Control (0)
24    Permanent Terminal (0)        55    Terminal-PAD XON Character (17)
25    Manual or Auto Connect (0)    56    Terminal-PAD XOFF Character (19)
26    Rate                          57    Connection Mode (2)
27    Delete Character (127)        58    Escape to Command Mode (1)
28    Cancel Character (24)         59*   Flush Output on Break (0)
29    Display Character (18)        60    Delayed Echo
30+   Abort Output Character (0)    63    Eight-bit Transparency (1)
                                    64+   Early ACK (0)
                                    65    More-Data Bit Generation (3)
                                    66    Defer Processing of User (0)
                                    67    ESP Packetizing Option (0)
                                    68    Escape Sequence Timer (0)
                                    69    Escape Sequence Maximum Length (0)
                                    70    Escape Sequence Initiator (0)
                                    71    Parameter Reset on Disconnect (0)

Note: - All Telenet Parameters must follow the National Option Marker
        (Parameter 0, value '21' Hex) in PAD Messages.
      - Parameters marked with "*" should not be used.
      - Parameters marked with "+" should be used with caution.
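
The marker rule in the note above, as an added example (not part of the original file): the parameter field of a PAD message is split at the National Option Marker and the Telenet parameters after it are checked against the "*" and "+" markings in the table. The layout of the field as (reference, value) octet pairs and the sample bytes are assumptions made for the example.

```python
# "*" and "+" markings copied from the Appendix C table above.
DO_NOT_USE = {6, 7, 8, 44, 45, 53, 59}
CAUTION = {30, 31, 33, 64}
NATIONAL_MARKER = (0, 0x21)  # Parameter 0, value 21 hex

# Constructed sample field: two parameters before the marker, four after it.
SAMPLE_FIELD = bytes([2, 1, 3, 126, 0, 0x21, 3, 0, 33, 1, 44, 1, 57, 2])

def split_parameter_field(field):
    """Return (before_marker, telenet) lists of (reference, value) pairs."""
    if len(field) % 2:
        raise ValueError("field must hold whole (reference, value) pairs")
    # Search pair by pair, not byte by byte, so a value octet of 0 followed
    # by a reference octet of 0x21 is never mistaken for the marker.
    pairs = list(zip(field[0::2], field[1::2]))
    if NATIONAL_MARKER not in pairs:
        return pairs, []
    i = pairs.index(NATIONAL_MARKER)
    return pairs[:i], pairs[i + 1:]

def review(field):
    """List Telenet parameters in the field that the table marks * or +."""
    _, telenet = split_parameter_field(field)
    findings = []
    for ref, _value in telenet:
        if ref in DO_NOT_USE:
            findings.append((ref, "should not be used"))
        elif ref in CAUTION:
            findings.append((ref, "use with caution"))
    return findings
```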

Appendix D: International DNIC/PSN List
=======================================
Note: This is not a complete list!

COUNTRY NETWORK DNIC
------- ------- ----
ALASKA ALASCOM 3135
ANTIGUA ANTIGUA 3443
ARGENTINA ARPAC 7220
ARGENTINA ARPAC 7222
AUSTRIA DATEX-P 2322
AUSTRIA RA 2329
AUSTRALIA AUSPAC 5052
AUSTRALIA MIDAS 5053
BAHAMAS BATELCO 3640
BAHRAIN IDAS 4263
BARBADOS IDAS 3423
BELGIUM DCS 2062
BELGIUM DCS-TELEX 2068
BELGIUM DCS-PSTN 2069
BERMUDA IPSD 3503
BRAZIL INTERDATA 7240
BRAZIL RENPAC 7241
BRAZIL RENPAC 7249
BRAZIL RENPAC 7248
CAMEROON CAMPAC 6242
CANADA DATAPAC 3020
CANADA GLOBEDAT 3025
CANADA CNCP 3028
CANADA TYMNET CANADA 3106
CAYMAN ISLANDS IDAS 3463
CHILE ENTEL 7302
CHILE ENTEL 3104
CHINA PTELCOM 4600
COLOMBIA DAPAQ 3107
COSTA RICA RACSADATOS 7120
COSTA RICA RACSAPAC 7122
COSTA RICA RACSAPAC 7128
COSTA RICA RACSAPAC 7129
COTE D’IVOIRE SYTRANPAC 6122
DENMARK DATAPAK 2382
DENMARK DATAPAK 2383
DOMINICAN REPUBLIC UDTS 3700
EGYPT ARENTO 6020
FINLAND FINNPAK 2442
FRANCE TRANSPAC 2080
FRANCE N.T.I. 2081
FRANCE TRANSPAC 9330
FRANCE TRANSPAC 9331
FRANCE TRANSPAC 9332
FRANCE TRANSPAC 9333
FRANCE TRANSPAC 9334
FRANCE TRANSPAC 9335
FRANCE TRANSPAC 9336
FRANCE TRANSPAC 9337
FRANCE TRANSPAC 9338
FRANCE TRANSPAC 9339
FRENCH ANTILLES DOMPAC 3400
FRENCH GUYANA DOMPAC 7420
GABON GABONPAC 6282
GERMANY DATEX-P 2624
GREECE HELPAK 2022
GREENLAND DATAPAK 2901
GUAM LSDS-RCA 5350
GUATEMALA GUATEL 7040
HONDURAS HONDUTEL 7080
HONG KONG IDAS 4542
HONG KONG DATAPAK 4545
HUNGARY DATEXL 2160
HUNGARY DATEXL 2161
ICELAND ICEPAC 2740
INDONESIA SKDP 5101
IRELAND IPSS (EIRE) 2721
IRELAND EIREPAC 2724
ISRAEL ISRANET 4251
ITALY DARDO 2222
ITALY ITAPAC 2227
IVORY COAST SYTRANPAC 6122
JAMAICA JAMINTEL 3380
JAPAN DDX-P 4401
JAPAN VENUS-P 4408
JAPAN NISNET 4406
JAPAN NI+CI 4410
KUWAIT 4263
LEBANON SODETEL 4155
LUXEMBOURG LUXPAC 2704
LUXEMBOURG PSTN 2709
MALAYSIA MAYPAC 5021
MAURITIUS MAURIDATA 6170
MEXICO TELEPAC 3340
NETHERLANDS DATANET-1 2040
NETHERLANDS DATANET-1 2041
NETHERLANDS DABAS 2044
NETHERLANDS DATANET 2049
NETHERLANDS/ANTILLES UDTS ITT 3620
NETHERLANDS/MARIANAS PCINET 5351
NEW CALEDONIA TOMPAC NC 5460
NEW ZEALAND PACNET 5301
NORWAY DATAPAK 2422
PANAMA INTELPAQ 7141
PANAMA INTELPAQ 7142
PHILIPPINES CAPWIRE 5151
PHILIPPINES PHILCOM RCA 5152
PHILIPPINES GMCR 5154
PHILIPPINES ETPI-2 5156
POLYNESIA TOMPAC 5470
PORTUGAL TELEPAC 2680
PORTUGAL SABD 2682
PUERTO RICO UDTS- PDIA 3301
PUERTO RICO UDTS- I 3300
QATAR DOHPAC 4271
REUNION ISLAND DOMPAC 6470
SAN MARINO X-NET 2922
SAUDI ARABIA BAHNET 4263
SINGAPORE TELEPAC 5252
SINGAPORE TELEPAC 5258
SOUTH AFRICA SAPONET 6550
SOUTH AFRICA SAPONET 6559
SOUTH KOREA DACOM-NET 4501
SOUTH KOREA DNS 4503
SPAIN TIDA 2141
SPAIN IBERPAK 2145
SWEDEN TELEPAK 2405
SWEDEN DATAPAK 2402
SWITZERLAND TELEPAC 2284
SWITZERLAND DATALINK 2289
TAHITI TOMPAC 5470
TAIWAN UDAS 4877
TAIWAN PACNET 4872
THAILAND IDAR 5200
TORTOLA 3483
TRINIDAD TEXTET 3740
TRINIDAD DATANETT 3745
TUNISIA RED25 6050
TURKEY TURPAC 2862
TURKS BWI 3763
UNITED ARAB EMIRATES EMDAN 4241
UNITED ARAB EMIRATES TELEX 4243
UNITED ARAB EMIRATES TEDAS 4310
UNITED KINGDOM IPSS 2341
UNITED KINGDOM PSS 2342
UNITED KINGDOM MPDS MERCURY 2350
UNITED KINGDOM PSS MERCURY 2352
U.S.S.R. IASNET 2502
UNITED STATES OF AMERICA TELENET 3110
UNITED STATES OF AMERICA TYMNET 3106
U.S. VIRGIN ISLANDS

Telenet Scanning

                                TELENET SCANNING

    Telenet is the largest packet switching network that I know of at this
 present time. I could waste valuable buffer space explaining what packet
 switching is and what its uses are, etc...so for more information read
 "Packet Switching (tomorrow's communications today)" by Roy D. Rosner. It
 is quite in-depth and one of the books I cherish in my "legal" Telecomm
 library.

 DEFINITION of GTE TELENET : The packet switching subsidiary of General
 Telephone and Electronics. It provides nationwide common user data
 communications via packet switching.

 Information on GTE TELENET :
 ----------------------------

 The GTE Telenet commercial packet switched network was developed as a
commercial venture of many of the same principals who developed ARPANET.
GTE Telenet first became in 1979.

 OPERATION :
 ------------

 Telenet's network operation and internal protocols evolved from the ARPANET
experience, with additional capabilities built into each of the switching nodes.
The network is mostly a circuit based packet switching protocol that does meet
the requirements of the CCITT X.25 protocol at the user interface. In addition,
Telenet also provides customized user interfaces to meet the needs of the
individual users.  It also provides emulation interfaces.

 USER ACCESS :
 -------------

 User access to the network is through one of the three classes of Telenet
central offices. Class I offices, such as the one in San Fran, support user
access speeds up to 56k bps. Class II offices, such as the one in Spokane, WA,
provide connection speeds up to 9600 bps. Class III offices, such as the one in
Tucson, Arizona, support rates up to 1200 bps. User access can be made to public
dial-in ports, private dial-in ports, or fixed ports dedicated full time to a
single user. Users can implement X.25 compatible software in their host
computer or they can just use the T-net provided interface processors to
provide network service. Terminal clusters can be connected to the network very
efficiently by use of Telenet access controllers placed at the customer's
residence or business, etc.

 Telenet Dialups
 ---------------

 To find the local Telenet dialup for your area just call WATS to 800-TEL-ENET
and ask them for it, but remember to watch out: everything you do on Telenet is
saved on Mega tape for up to 5 years, and they have installed number
identification since December 1987.

 WATS TELENET DIALUPS....

 (800) 424-9494 300/1200 BPS
 (800) 238-0631 2400 & MPE

 These WATS numbers will change in Aug. 88, so if you would like the new ones
leave me E-Mail on Lunitics Labs (415) 278-7421

 What to do once you have your POTS dialup:
 ------------------------------------------

 Remember, to do any scanning on Telenet you need a POTS dialup, not a WATS; the
WATS dialup is mainly used for Telemail or GTE MAIL, or SPRINT HP's. Call your
local dialup and you should see something that says TELENET 617 18m, or
whatever...just hit <RET> a few times and you should see something that looks
like this.

 @

at the "@" prompt type in NPA XXX..for now just use your area code...

like this....( this is a Network User Address  or NUA)

@ 415 333

 it will then either connect you, or say "Collect Connection Refused",
because you have not used an NUI, more on NUI's later...

 you will see one of the following :

 1) call connected .... <this is what you want>
 2) Remote Procedure Error  11 b6
 3) Remote Procedure Error  11 e2
 4) Not Reachable  05 e6
 5) not reachable  05 db
 6) Not operating ....  <try later>
 7) illegal address  03 80
 8) Busy  01 00 ..... <try later>
 9) enhanced network services unavalible at this time please try again 05 d8
10) illegal address  03 ba
11) rejecting        00 7e
12) illegal address  03 42
13) remote procedure error  11 31
14) Refused collect connection 19 00 ..... <use NUI>
15) not reachable  05 ed
16) not responding 0d f0

if the call is connected you will find an interesting computer system, or
whatever..
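
Seen from the network side, the procedure above leaves a recognisable trace: one port trying consecutive addresses and collecting a mix of the responses listed. The following detection sketch is an added example, not part of the original file; the audit record layout and the port names are assumptions, and the first hex byte after each message is used only as a grouping key.

```python
import re
from collections import defaultdict

# Constructed sample. The record layout (port, address typed at "@", PAD
# response) is an assumption; the response strings are those listed above.
SAMPLE_LOG = """\
port07 415 330 illegal address 03 80
port07 415 331 not reachable 05 e6
port07 415 332 Refused collect connection 19 00
port07 415 333 call connected
port07 415 334 call connected
port07 415 335 Remote Procedure Error 11 b6
port12 212 131 Busy 01 00
port12 212 131 call connected
"""

# port, three-digit prefix, host number, response text, optional two hex bytes
LINE = re.compile(
    r"^(\S+) (\d{3}) (\d+) (.+?)(?: ([0-9a-f]{2}) ([0-9a-f]{2}))?$", re.I)

def parse(log):
    """Yield (port, prefix, host, first_hex_byte_or_None) per attempt."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            port, prefix, host, _text, code, _diag = m.groups()
            yield port, prefix, int(host), code

def longest_run(hosts):
    """Length of the longest run of consecutive host numbers."""
    best = run = 0
    prev = None
    for n in sorted(set(hosts)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best, prev = max(best, run), n
    return best

def find_sweeps(log, min_run=5):
    """Flag ports that tried min_run or more consecutive addresses."""
    hosts = defaultdict(lambda: defaultdict(list))
    results = defaultdict(lambda: defaultdict(int))
    for port, prefix, host, code in parse(log):
        hosts[port][prefix].append(host)
        results[port][code or "no-code"] += 1
    flagged = {}
    for port, by_prefix in hosts.items():
        run = max(longest_run(h) for h in by_prefix.values())
        if run >= min_run:
            flagged[port] = {"run": run, "results": dict(results[port])}
    return flagged
```

A port that retries a single address, like port12 in the sample, is not flagged; only the run of consecutive addresses is.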

 What is an NUI and how do you use it..
 ---------------------------------------

 An NUI or Network User Id is mostly used for connecting to things that give
you the "Refused collect connection" error. I always have an NUI in use when I
am scanning.

 at the @ prompt type:

 @ ID USERID

 it will come up with a
   PASS= prompt, so then you enter the password. I have a listing of about 80 or
so NUI's and they usually don't die, so here are a few....

 ID  SIMPCNOE
 PASS= 071034

 ID FINLAY
 PASS= 004461

 NUA listing of recent things Scanned by DOC telecom:
 ----------------------------------------------------

 NUA              SYSTEM TYPE            SPECIAL NOTES
--------------- -----------------------  ----------------------------------
 804 35           ?
 804 43           PRIME                    PRIMENET
 303 38           PRIME                    PRIMENET 21.0.3.C1 SL
 804 60           ?
 713 436                                   CONNECTS
 713 450                                   CONNECTS
 713 454                                   CONNECTS
 713 462                                   CONNECTS
 713 431                                   CONNECTS
 612 442         ?
 415 333         AOS/VS 7.56
 415 334         AOS/VS 7.56
 206 20          HP 3000
 206 30          HP 3000
 206 32          VAX                       MICRO VMS V4.7
 206 35                                    CONCURRECT COMPUTER CORP
 206 38          AOS/VS 7.56
 206 42          AOS/VS 7.56
 206 44          AOS/VS 7.56
 206 40          PRIME                     PRIMENET 20.2.4
 206 53                                    CONNECTS
 206 65          PRIME                     PRIMENET 20.1.1D OAD
 206 72          DIFFRENT KINDS            UNIV. OF WASHINGTON
 212 137         PRIME                     PRIMENET 21.0.3.R7.PTC.3 NY60
 909 46
 303 65                                    COMPUTER SHARING SYSTEM
 212 32                                    CIDIADVICE CENTER
 303 23          PRIME
 212 112                                   VM/370 ONLINE
 212 131                                   VM/370 ONLINE
 909 400
 909 401
 909 403
 909 404
 909 406
 909 407
 909 409
 909 502
 909 508         PRIME
 909 600
 909 615         PRIME
 909 617         PRIME
 212 20                                    "ENTER ID"
 212 21                                    "ENTER ID"
 909 810
 909 800
 909 801
 909 802
 909 805
 909 811
 909 815
 909 818
 909 819
 415 37           HP 3000
 617 622          UNIX                      MEDIA LABS...<didnt scan this>
 214 71           PRIME                     PRIMENET FB.3.3 UUCB
 212 146                                    OFFICE INFO SERVICE
 415 20                                     DIALOG
 213 35                                     MARKETRUN RESERCH AND SALES
 909 95           PRIME                     TELENET NEWS SEWRVICE
 305 22           HP 3000                   CIERRA COMPUTER
 201 25           DEC                       NJIT ELECTRONIC INFO EXCHANGE
 515 30                                     LEXIS/NEXIS
 201 67                                     WARNER BROTHERS SYSTEMS
 201 68                                     WARNER BROTHERS SYSTEMS
 212 28           OUTDIAL
 909 12           PRIME
 909 13                                     CONNECTS
 909 51                                     CONNECTS
 909 52                                     CONNECTS
 909 54                                     CONNECTS
 909 58                                     CONNECTS
 909 26           PRIME
 909 38
 909 39           PRIME
 909 49
 909 55
 909 777                                    CONNECTS
 909 65
 909 63
 909 53
 909 56
 909 60
 909 62