Telecom Computer Security Bulletin: ItaPac, a Brief Introduction, by Blade Runner (August 11, 1988)

_______________________________________________________________________________

ItaPac – A Brief Introduction
Written by Blade Runner on 08/11/88

A Telecom Computer Security Bulletin File
_______________________________________________________________________________

Prologue
--------
This text is a very complete tutorial about a packet switching network used in
Italy: ItaPac. The purpose of this file is to supply very interesting
information for secure use and a VERY LONG ItaPac password lifetime. It also
includes a brief summary of what (shit) ItaPac is, technical terms, and
various news.

What’s ItaPac
-------------
ItaPac is the Italian Packet Switched Network. The “packet” protocol is so
called because the data which travels through the network is assembled in
255 char groups (packets), each with the address of the physical point in the
net towards which the data is sent at fixed time intervals. Packets can thus
contain data from different sources, and in this way they divide the cost of
transmission and optimize net traffic. All of this is transparent to the
users, who do not notice the switching and work in apparent “real time”.

In order to support all available protocols, the Packet Switch needs
management software. By definition, all terminals able to support the
switching are called PADs (packet assembly-disassembly) and work following the
CCITT X.25 recommendations.

A PAD is very expensive to run. It is not the software or hardware that is so
expensive, but rather the continuous maintenance and supervision required to
keep the system running. Normally, most users prefer to have the switching
handled by an ACP server, which makes their call and converts the packet
protocol from X.25 to asynchronous X.28, which is compatible with the normal
modems that we use.

The user acts as a DTE (Data Terminal Equipment): he connects to an ACP
(Adapter/Concentrator of Packets) and can operate transparently without
any kind of problem.

The user can log in to a PAD in either of two ways:

1) DIRECTLY: by dedicated wire installed by Italcable. The cost is higher,
but that guarantees a much higher transmission quality.

2) SWITCHED: by phone (switched line, not to be confused with ACP, even if
there are similarities); the cost is much lower, but the transmission
quality is unacceptable at times.

The direct X.28 user has his own network user address (NUA). Some users have
only one NUA while others have a multiplexed system. This system generally
consists of one NUA and a variable number of subaddresses. The actual number
of subaddresses depends on the number of ports he has into his PAD.

The switched user (poor) can only call other DTEs, but he cannot receive
calls, because he doesn’t have a network user address. In effect the only
address where he can answer is that of the PAD on which he is logged on. Thus
the DTE calls from a phone number (of home, office, etc.); if he can receive
calls from another DTE, it means that the hardware is able to scan the call,
and we will all be in the shit (sorry for the hard expression).

Apart from the quality of transmission, there is no difference between the two
X.28 types: both need a modem, the first connected to a standard phone line
and the second to a dedicated one.

For the rest of this file we will talk about the X.28 terminals of the second
type: the dedicated ItaPac PADs.

The ACPs, in turn, are connected to NCPs (Nodes of Commutation of Packets)
with transit functions, access for X.25 DTEs and local switching. The NCPs are
connected to each other at high speed (64k/second), and ACPs are connected to
NCPs at 9600 bit/second.

 ___________________________________________________________________________
|              |                |          |             |                  |
| User Class   | Xmit Methods   | Speeds   | Protocols   | Access Methods   |
|______________|________________|__________|_____________|__________________|
|              |                |          |             |                  |
| Char by Char | Start/Stop     | 300/1200 | X28         | Via Phone or     |
| Terminal     | Full/Half Dup. | baud     |             | Direct           |
|______________|________________|__________|_____________|__________________|
|              |                |          |             |                  |
| Packet       | HDLC           | 2400 and | X25         | Direct           |
| Terminals    | Full Duplex    | 9600 bps |             | Only             |
|______________|________________|__________|_____________|__________________|

The CCITT standard makes it possible to interface ItaPac with other networks
around the world. In effect, the NCPs are connected like big telephone
exchanges. Anyway, it seems that all European traffic to the USA and other
countries, such as Australia, Argentina, Japan, etc., is transmitted through
the centers that are in Paris, France. Maybe from Paris data is sent via
satellite, but I don’t know.

NUIs, NUAs, and DNICs
---------------------
Well, when you connect to one of ItaPac’s entry points (of which there are 41
ACP sites on Italian soil at 300/200 baud and full duplex (V21, V22)),
ItaPac responds:

ACP:** I T A P A C ** GENOVA 32 PORTA: 4

The above is an example of the herald for an entry node in Genoa. In the
example you can note that the number “32” is really the node (the phone number
you have called). Larger cities generally have more than one node. The PORTA
is the port to the node (the physical entry point to the node). “PORTA: 4”
means that you are connected to the fourth port of this particular Genoa
ItaPac node. You can also see from the above example that there are 3 other
people connected to the same node as you. Every ItaPac node can support only a
finite number of ports. If all the ports of a node are in use then the PAD
will reject all new DTE calls.

Frequently most (or all) of the ports until Friday night will not answer at
all. Until someone logs off, you cannot enter a port that is in use. Very
often the first 2 or 3 ports will be busy with an internal console, or these
will be reserved as an “emergency lane” for internal use only. A good way to
use a free port is to send to the people that are probably the callers an
Urgent Call Income (UCI; in the States it is known as a BVC, Busy
Verification Signal, AKA emergency interrupt). Then you can redial the node.
This time ItaPac will answer. The message “Beware, please, Urgent Urban Call
Incoming” will appear on the screen. This will blow our friend off the port,
thus freeing it for our use. Eh eh. Now for some definitions.

1) NUI
2) NUA
3) CUG (optional)

NUI – Network User Identification: Nothing other than an ItaPac password.
Every time you call an NUA, ItaPac will charge the account of the owner of the
password. Often NUIs are valid only for certain nodes. That is, if the
contract signed with Italcable allows 300 baud at Genova on 2697, this NUI
will not work on the 2564 node. SYNTAX: the NUI must be preceded by an
UPPERCASE “N” and finished by a minus “-”. The NUI MUST BE TYPED IN UPPERCASE.
Between “N” and “-” the NUI will not be displayed (echoed). You will obtain
only “N-” on display.

NUA – Network User Address: the physical address of a remote DTE. Similar to a
phone number, you understand. It must be typed without blanks inside and
right after the NUI (or a timeout will occur and ItaPac will hang up on you).

CUG – Closed User Group: this is basically a high-security NUI. CUG stands for
Closed User Group. CUG users have access to optional parameters that are used
for user recognition (and you know what that means). Having a CUG account is
very handy. CUG users have the ability to inhibit hackers (after all, they are
there for network security, right?). There are fewer CUG users in Italy than
in the USA, and they are generally rare (but I know of one). A typical example
would be the US Tymnet NUAs (03106nnnnnn). The PAD response will be ACP:CLR NA
or Call Not Accepted and shut down. Makes hacking on a CUG account a good way
to waste your time.

Now we will take a closer look at an ItaPac NUA’s structure (the numbers are
examples only):

    DCC NC
     | __|
    / \|
    12345678901234
    \_ /
     |
    DNIC

DNIC = Data Network Identification Code; it contains the address of the country
to be called and the code for the network chosen. It is then divided into two
parts: DCC and NC.

DCC is the Data Country Code; a three digit number that is the phone prefix.
Every country has a different one.

NC is the Network Code; a country can have more than one data network. In
Italy there is ONLY one packet switched network; the code is “2” and it is
Dardo.

These are followed by: the prefix of the called city, the DTE number, and an
optional suffix that is the “phone particular” (max 4 digits).

Note: The DCC is used only to call outside. DCC must be preceded by a zero.
ItaPac, in this case, is different from other countries.

Let’s show a practical example: The Cilea of Milan (Segrate).

The NUA is: 2220208
            |||______ local address of DTE
            ||_______ 2 (02) = Milano
            |________ NC: 2 = ItaPac

Now, another example: the Altos Unix (altger) in Munich, West Germany (note:
a favorite hangout of Xtension).

The NUA is: 026245890040004
            |\ /|\_ _/|
            | | |  |  |____ 40004: network address
            | | |  |_______ 5 8900: munich prefix
            | | |__________ 4: DATEX-P (germany ItaPac)
            | |____________ 262: DCC West Germany
            |______________ foreign call

The NUA’s structure isn’t always like this. NUAs can exist that don’t appear
to have countries or cities. This is because the address is sent to a
designated ACP that will provide the rerouting of the call. If the NCP has
been instructed to treat a certain address as another, the DTE can have a Rome
NUA and be located in Genoa. As call with the account to called…

It’s very important to be able to read an NUA. Many times you can find systems
like VAXes and UNIXes, and some refer to non-interactive logins; the NUAs are
often not complete. An NUA without a DNIC is like a phone number without an
area code: it means nothing. Usually the system makes references to a subject
network, or it supplies other info in a less clear fashion. For this purpose I
will supply a very short list of worldwide DNICs I’ve found (notice that they
are old hat, the new stuff is only for friends)…

Beware: many countries own more than one national network (GB, USA, etc.), so
you will probably hear a thousand cries of “In USA where? On Tymnet, or
Autonet? or Telenet? or RCA? EtherNet?” And I can continue…

DNIC    Network Name    Country
_______________________________________________________________________________

2041    Datanet 1       Netherlands
2062    DCS             Belgium
2080    Transpac        France
2284    Telepac         Switzerland
2322    Datex-P         Austria
2329    Radaus          Austria
2342    PSS             UK
2382    Datapak         Denmark
2402    Datapak         Sweden
2405    Telepak         Sweden
2442    Finpak          Finland
2624    Datex-P         West Germany
2704    Luxpac          Luxembourg
2724    Eirpak          Ireland
3020    Datapac         Canada
3028    Infogram        Canada
3103    ITT/UDTS        USA
3106    Tymnet          USA
3110    Telenet         USA
3340    Telepac         Mexico
3400    UDTS-Curacau    Curacau
4251    Isranet         Israel
4401    DDX-P           Japan
4408    Venus-P         Japan
4501    Dacom-Net       South Korea
4542    Intelpak        Singapore
5052    Austpac         Australia
5053    Midas           Australia
5252    Telepac         Hong Kong
5301    Pacnet          New Zealand
6550    Saponet         South Africa
7240    Interdata       Brazil
7241    Renpac          Brazil
9000    Dialnet         USA
7421    Dompac          French Guiana

This list may be in the hands of hackers everywhere. And, because the bread
for a hacker is made with ItaPac’s flour, the minimum I suggest is to learn
the main international DNICs by heart. Not the ones for French Guiana, but the
main European and American ones.
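
The address layout described above, as an added example that is not part of the original file: a small Python decoder that splits an NUA into DNIC, DCC, NC and local address, and masks the NUI when a typed call request turns up in a log. The DNIC entries and the Milano prefix are taken from this file; the NUI alphabet, the function names and the result layout are assumptions made for the example.

```python
"""Read an NUA the way the text above lays it out (added example)."""
import re

# Subset of the DNIC list above: DNIC -> (network, country).
DNICS = {
    "2080": ("Transpac", "France"),
    "2342": ("PSS", "UK"),
    "2624": ("Datex-P", "West Germany"),
    "3106": ("Tymnet", "USA"),
    "3110": ("Telenet", "USA"),
}
ITAPAC_NC = "2"            # page: Italy has one network, code 2
AREAS = {"2": "Milano"}    # page: 2 (02) = Milano; other prefixes are not given

# Call request "N<NUI>-<NUA>"; the NUI alphabet [A-Z0-9] is an assumption.
CALL_REQUEST = re.compile(r"N([A-Z0-9]+)-([0-9]+)")


def parse_nua(nua):
    """Split an NUA into the fields the page names; ValueError if malformed."""
    if not re.fullmatch(r"[0-9]+", nua):
        raise ValueError("an NUA is digits only, with no blanks inside")
    if nua.startswith("0"):                      # leading zero: call leaves Italy
        body = nua[1:]
        if not 5 <= len(body) <= 14:             # X.121 allows at most 14 digits
            raise ValueError("expected a 4-digit DNIC plus a network address")
        dnic = body[:4]
        network, country = DNICS.get(dnic, (None, None))
        return {
            "scope": "foreign",
            "dnic": dnic,
            "dcc": dnic[:3],                     # Data Country Code
            "nc": dnic[3],                       # Network Code in that country
            "network": network,                  # None if not in the subset
            "country": country,
            "address": body[4:],                 # city prefix + DTE + suffix
        }
    if nua[0] != ITAPAC_NC or len(nua) < 3:
        raise ValueError("a domestic NUA starts with network code 2")
    rest = nua[1:]
    # Longest known city prefix wins; an unknown prefix stays in "address".
    prefix = next((p for p in sorted(AREAS, key=len, reverse=True)
                   if rest.startswith(p)), "")
    return {
        "scope": "domestic",
        "nc": nua[0],
        "area_prefix": prefix or None,
        "area": AREAS.get(prefix),
        "address": rest[len(prefix):],
    }


def scrub_call_request(line):
    """Mask the NUI (a password) in a logged call request and decode its NUA."""
    m = CALL_REQUEST.fullmatch(line.strip())
    if m is None:
        raise ValueError("not an N<NUI>-<NUA> call request")
    return "N[redacted]-" + m.group(2), parse_nua(m.group(2))


if __name__ == "__main__":
    for sample in ("2220208", "026245890040004"):   # the page's two examples
        print(sample, parse_nua(sample))
    print(scrub_call_request("NAAAAAA-2345678"))    # the page's placeholder NUI
```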

Let’s return to ItaPac. When you are connected to a remote system, the network
sends an ACP: COM, then it leaves the field and lets you join the host. To
clear the call and return to command mode (the star “*” prompt), some
distinctions must be made.

1 – For the most part, the host leaves the user the possibility to talk with
his PAD, either to set up his parameters or to close, reset or confirm the
call. In this case, very frequently, with the sequence CTRL-P ItaPac will
reappear with its “*” prompt and accept commands. On typing “CLR”, ItaPac
will close the virtual call to the host and answer “ACP: CLR CONF”.

2 – Some hosts, usually those with internal PADs, won’t allow the user
control of ItaPac. CTRL-P is not recognized, and the only way to log off or
catch the control of the PAD is to send ten LONG-BREAK sequences. The BREAK,
not to be confused with CTRL-C, that is not in this site, is an INTERNAL
signal which is not an ASCII code. It is used by the communication program
you use to send that acknowledgment. If you don’t have the capability to send
BREAK (short or long), beware not to use these black holes, from where the
only way to exit will be the physical disconnect from the PAD (i.e., drop
carrier on the modem).

3 – The use of CLR is not correct and in most cases it will cause serious
problems to host machines. In effect, their software (or perhaps hardware)
is not able to translate correctly the loss of carrier and enters into a
“Wait-State Pending”, that will finish only after a well-defined interval.
In the meantime, this port is unavailable. Network administrators never
like CTRL-P CLR.

Network Signals, Profiles (Outline, Shapes, Sketch), Parameters
---------------------------------------------------------------
A detailed description of all net signals, standard outlines and parameter
sets is supplied by a “manual about ItaPac access from X28 start-stop
terminals”.

This manual can easily be “thieved” at kermesses (fairs) at Italcable’s
stands; in more desperate cases, you can ask your friends for it.

What Italcable has not written in it is the meaning of parameters 14, 15, 16,
17, 18 and 19. The official guide stops at the 13th. But the command ^P PAR?
gives a full list with 19 entries! Now here are the descriptions:

14: Padding after Line feed (LF)
    0      No padding inserted
    1-15   When it is in the Data Transfer state, the PAD inserts a time delay
           of 1 to 15 character times in length after each LF that it
           inserts. The normal setting is determined by the terminal in use.

15: Editing of data
    This parameter and the following parameters (16, 17, and 18) determine
    how editing of data is performed when the PAD is in the Data Transfer
    state.
    0      Editing of data is not possible
    1      Must be set to this value if the editing facility is required

16: Character delete character
    0      Character deletion is not possible
    1-255  This is the IA5 decimal code of the chosen delete character. The
           normal setting is 127 (for RUBOUT or DEL)

17: Buffer delete character
    0      Buffer deletion is not possible
    1-255  This is the IA5 decimal code of the chosen buffer delete char. The
           normal setting is 24 (CTRL-X) or (CAN)

18: Buffer display character
    0      Buffer display is not possible
    1-255  This is the IA5 decimal code of the chosen buffer display char. The
           normal setting is 18 (CTRL-R) or (TAPE-ON)

Parameter 19 is unknown. One word about Delete. It’s possible to correct what
is typed in command mode via the DEL key. If you use the Backspace (ASCII 8)
key, ItaPac will not accept it as a correction but will take it as a real
character.

PAD SPEED
---------
If your modem talks to a PAD at a defined baud rate (300 or 1200, full
duplex), the packet transmission will drastically reduce the number of
incoming and outgoing characters from your DTE.

PADs send a continuous stream of clear-to-send and Ready-to-send signals that
are really macro rests between packets. At lower transmission speeds (ie, 300
baud) the switching does not feel right, but at 1200 it does. We have computed
that the speed of real transfers and receiving can, at maximum performance,
rise to 450 baud. It is slower when you transfer a file, when the PAD’s work
is very heavy. Via Xmodem, the PAD will try to destroy time-out signals, or
confuse everything. Public computer systems such as Delphi know that also. If
you aren’t able to download correctly using the Xmodem protocol, then that
only means that the remote host isn’t detecting the differences between packet
and asynchronous terminals.

The question is: will it happen only on ItaPac (nothing new) or is it a
problem common to all NCPs?

“NC” Nights
-----------
There are nights in which every address you call is “NC”. The Network
Congestion state is very frequent on ItaPac, and will disallow the use of the
network used from NCP. The causes are very mysterious. At night firms aren’t
using ItaPac, and it seems the network is used only by hobbyists. Then what?
At the Service center they deny everything, but this is reality. ItaPac, in
the end, is an asshole.

It has very high rates, but they add a joke to the classic theft: sometimes
it doesn’t work. How does it not work? Ha! To them everything is always ok.
And then someone will cry scandal if you try to bypass them!

NUIs USED
---------
Usually, NUIs that are used (or had been used) are demo NUIs. A demo NUI
doesn’t have an account, and so, in theory, cannot run out. Operators can
never notice their use, because they don’t have a record of calls… If a demo
NUI dies, the cause can be one of only two:

1) ItaPac has changed codes due to normal administration

2) ItaPac was warned about what was happening, either by one of their
technicians who had noted abnormal traffic and checked, or by an outsider (a
son of a bitch spy!)

   +2-15-87
     +-+
     | |
  +--+ +--+
  +--+ +--+
     | |
     | |
     |_|
   53ST6R

An historical NUA- it has been working for over 2 years, and for a SPY…

HOW TO GET AN NUI
-----------------
The simplest and safest method is to copy one at kermesses where Italcable,
or others, use X.28 lines. The dedicated X28 DOESN’T NEED AN NUI because it is
directly connected.

Go near the operator and ask “Is that a MODEM?”

The operator (if he has the time) will be moved to pity in front of so much
ignorance and, feeling so relaxed, types in his pw. You, with a sharp eye,
must read the keyboard and memorize the NUI. This is called shoulder
surfing.

It is well, in the case of big kermesses, to try to catch ANY booklet, agenda
or notepad left near terminals. If the stand is owned by Italcable, ALL you
can catch, must BE, without distinction.

A new scanning technique, based on statistically calculated attempts, is under
examination among DTE222. This technique may guarantee, if applied over a long
scan time, positive results in NUI research. The minimum number of NUIs tried
cannot be less than 100,000 (1 hundred thousand), causing cost and time
problems.

In broad outline, the rule is like this: an NUI generator creates very likely
NUIs following the same criteria. A scanner tries them all in an automatic
manner. It tries 8, then it uses a valid NUI to connect to 22000 (Echo PAD)
and immediately logs off (CLR CONF), putting the ACP:ERR ILL counter back to
zero thanks to the ACP:COM (as we know, at the 10th ERR ILL the PAD will log
off the physical call [hangs]). The 9th try is kept as a security margin. Then
the scanning will restart. At 1200 baud, therefore, we had a 1400 hours
tested NUI average. This is all talk! In addition, it seems that before 700
ERR ILL, regardless of counter resets, ItaPac will hang up. That will make it
more difficult for our computer; it starts over at times (will redial the
number), which makes the search more expensive.

NETWORK SIGNALS
---------------
The net can send several messages:
- as an answer to a command
- by its own decision
- following an action performed by the remote terminal

1. Error messages

ERR CNA   syntax of command is correct, but not allowed in this state
ERR ILL   command is not syntactically correct or the hit is not recognized
ERR EXP   timeout and command was not completed
ERR PNA   the requested outline is not assigned yet

2. Logoff messages

CLR OCC   the called number is busy
CLR NC    Network congestion or temporary failure of hardware cannot allow
          new calls
CLR INV   Requested performance is not valid
CLR NA    The calling number cannot have connection to DTE (ex: Closed User
          Group not compatible)
CLR ERR   Call is hung up for a local procedure error
CLR RPE   Call is hung up for a remote DTE error
CLR NP    Called NUA is not assigned
CLR DER   Called NUA is out of order
CLR PAD   PAD has hung up the call because it had received an invitation to
          “clear” from DTE
CLR DTE   Remote DTE hung up the call
CLR RNA   Remote DTE cannot accept charged calls

3. Reset messages

RESET DTE   Remote has reset the virtual circuit
RESET RPE   Call is put in reset state for remote DTE error
RESET ERR   Call is reset for a local error
RESET NC    Call is hung up for a network congestion
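
Seen from the network operator's side, the guessing pattern described earlier (runs of ERR ILL kept under the 10-signal hang-up limit by a short successful call) stands out in a log of the service signals listed above. The Python below is an added example, not part of the original file: the log format, the thresholds and all names are assumptions, and the sample log is constructed.

```python
"""Spot NUI guessing that hides behind ERR ILL counter resets (added example)."""
import re
from dataclasses import dataclass

PAD_HANGUP_AT = 10     # page: the PAD drops the call at the 10th ERR ILL
MIN_RUN = 5            # assumption: failures before a reset that look deliberate
SHORT_CALL_SECS = 15   # assumption: a call cleared this fast did no real work
MAX_TOTAL = 30         # assumption: ERR ILL budget per port, never reset by COM

# Constructed log format for this example: "HH:MM:SS port=<n> ACP: <signal>"
LINE = re.compile(r"(\d\d):(\d\d):(\d\d) port=(\d+) ACP: *(.+)")


@dataclass
class PortState:
    run: int = 0            # ERR ILL since the last COM (what the PAD counts)
    worst_run: int = 0      # longest such run seen
    total: int = 0          # every ERR ILL seen on the port
    wiped_run: int = 0      # failures that the current call's COM wiped out
    com_time: int = -1      # when the current call connected, -1 if none
    masked_resets: int = 0  # short calls that wiped a long failure run


def analyse(log_text):
    """Replay PAD service signals and return {port: PortState}."""
    ports = {}
    for raw in log_text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if m is None:
            continue
        h, mi, s, port, signal = m.groups()
        now = int(h) * 3600 + int(mi) * 60 + int(s)
        st = ports.setdefault(int(port), PortState())
        signal = " ".join(signal.split())
        if signal == "ERR ILL":
            st.run += 1
            st.total += 1
            st.worst_run = max(st.worst_run, st.run)
        elif signal == "COM":                   # call connected: counter zeroed
            st.wiped_run, st.run, st.com_time = st.run, 0, now
        elif signal.startswith("CLR"):          # call cleared
            short = st.com_time >= 0 and now - st.com_time <= SHORT_CALL_SECS
            if short and st.wiped_run >= MIN_RUN:
                st.masked_resets += 1
            st.wiped_run, st.com_time = 0, -1
    return ports


def verdict(st):
    """Reasons to flag a port; an empty list means nothing suspicious."""
    reasons = []
    if st.masked_resets >= 2:
        reasons.append("repeated counter resets after failure runs")
    if st.total >= MAX_TOTAL:
        reasons.append("cumulative ERR ILL budget exceeded")
    return reasons


def constructed_log():
    """Constructed sample input, not a capture from any real network."""
    def stamp(t):
        return f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}"
    lines, t = [], 2 * 3600
    for _ in range(4):                 # port 4: eight bad NUIs, then a 3 s call
        for _ in range(8):
            t += 20
            lines.append(f"{stamp(t)} port=4 ACP: ERR ILL")
        lines.append(f"{stamp(t + 5)} port=4 ACP: COM")
        lines.append(f"{stamp(t + 8)} port=4 ACP: CLR CONF")
        t += 10
    lines += ["02:01:00 port=7 ACP: ERR ILL",   # port 7: two typos, one long call
              "02:01:30 port=7 ACP: ERR ILL",
              "02:02:00 port=7 ACP: COM",
              "02:40:00 port=7 ACP: CLR CONF"]
    return "\n".join(lines)


if __name__ == "__main__":
    for port, st in sorted(analyse(constructed_log()).items()):
        print(port, st.worst_run, st.total, verdict(st) or "ok")
```

On the constructed log the longest run on port 4 is 8, so a counter that is zeroed by every ACP: COM never reaches the hang-up limit; only the cumulative count and the reset pattern expose it.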

RATES AND DUTIES
----------------
For whoever wants to subscribe to ItaPac, here are the rates. For whoever uses
it as a “Portuguese” (freeloader) it might be interesting to have an idea
about how much it costs the real owner of an NUI. Then, if you have one, don’t
abuse it and don’t tell it to the four winds. Remember that the real owner
can, at any moment, change it!

BY X.28 Switched Phone
----------------------
Class (baud)    Lire/Month
300             12,150
1200            7,100

NUI duties: 7,200 / month

To these must be added:

modem duties
mail and telegraph duties
contributions and traffic (counter turns!)

The amount of the first two isn’t clearly specified on the rate sheets, but it
is marked as:

Following the current rates. The last is divided as follows: they will
consider the distance between the user site and the centre of the relative
area phone code.

X.25-X.28 Direct Connection
---------------------------
Class (baud)    Lire/Month
300             108,000
1200            139,500
2400            208,800
4800            275,400
9600            311,400

To these must be added:

modem duties
duties for use of area to area circuitry
duties for new wires

Time rates for Ports Taken
--------------------------
Class (baud)    Lire/Minute (or fract)
300             13.50
1200            18.00

Time Rates
----------
6.80 Lire/minute or fraction

Volume rates
------------
1.78 Lire/segment or fraction thereof (1 segment = 64 octets)

Rates to call
-------------
30 lire / call

Addings per NUI
---------------
7,200 / month

For time and volume rates there is a 30% discount from 9 PM to 8 AM every day,
including Saturday and non-working days.

PVC Rates
---------
54,000 Lire / Month

Class of Max Charge of line
---------------------------
9,000 * KB / Month

CUG

Master 56,700 Lire / Month
Users 900 Lire / Month

Payment to Called
-----------------
8,100 / Month

Change Options Parms
--------------------
45,000 Lire

Speed Class Change
------------------
90,000 lire

Calls List
----------
Lire 30 for each entry in the list

International Traffic [The rates are in Gold Francs (GF)]

Europe
------
GF 0.107 / min or fraction thereof

Extra Europe
------------
GF 0.3333 / min or fract (1)
GF 0.4 / min or fract (2)
GF 0.5 / min or fract (3)

(1) North America or Middle East directly connected to Italy
(2) Other countries outside Europe directly connected to Italy
(3) All others

In a few words, if you aren’t a Multinational Company, but a hobbyist, you
must take out a 20-year loan to be able to afford ItaPac.

The network is also able to receive characters following the CCITT
International Alphabet No. 5 (IA5) with 1 or 2 stop bits and it will produce
even chars with the #2 stop bit. In the exchange of control chars between
terminals and net, ItaPac will interpret characters ignoring the parity and
send chars with even parity. Characters are exchanged in a way that is
transparent to the user regarding parity and bits.

TO CONNECT VIA THE SWITCHED WAY
-------------------------------
1) Dial the ItaPac node phone number. Whoever doesn’t have an automatic modem
must switch to data within 10 seconds from the first ItaPac tone.

2) send two to build the physical connection (within 30 seconds)

3) ItaPac will send the network herald, ACP identification and entry port (as
explained)

4) At your request: enter the virtual call state by typing ACP: FREE

5) send the call request by issuing the NUI, the NUA and the data field (max
12 characters, optional). E.g.: if the NUI is AAAAAA and the NUA is 2345678
you must type: NAAAAAA-2345678 . The NUI is never echoed on screen. The whole
sequence must be free of blanks and entered within 120 seconds from the first
keypress. If you type a wrong NUI, the net will answer ACP: ERR ILL. If you
also need to send a data string (e.g. ABCD), send: NAAAAAA-2345678 D or P ABCD .
Typing ‘D’ before string the following data will be echoed, with ‘P’.

6) The net gives ACP: COM if the call is done.

From this moment the data exchange phase starts and, until you disconnect, all
commands to the net must be preceded by the ^P sequence. If the call is not
correct, the net will answer by sending a disconnect signal that specifies
the cause. After 10 unsuccessfully placed calls, the net will hang up the
carrier. If the call is possible, the NUA will receive an ACP: (caller
address) COM.

COMMANDS
--------
The following commands can be issued before having a connection or during
data transfer. In the latter case, type a ^P first to exit the data session
(otherwise the command is considered as data itself). At end of command send .
Beware that in start-stop terminal calls (X.28) commands must also be sent
from TH in packet way, following X.29 procedures.

1) Virtual call state request:
STAT
will answer:
– if call is on : ACP: ENGAGED
– if call is off : ACP: FREE

2) Shape Choose

PROF
network will put on that (see later). At start the #3 is the default outline.

3) Commands to send only during the data exchange (preceded by ^P)
reset request: ^P RESET
That command will cancel call followings data on line.

4) Interrupt sent to remote DTE:
^P INT
This packet will go ahead of the travelling data. Then, the action taken by
the host depends on its software.

THE EDITING FEATURE.

With the Editing Feature, you can delete a char or a line; to make editing
possible the PAD buffers characters. The editing function is always in use
during X.28 and the ACP xmit. To have it during data transfer you must choose
parm 15. In this case, the user can choose through parms 16, 17 and 18 the
chars used to request the editing functions, and he can choose, via par 19,
the editing signals sent by the PAD.

1) Delete a char

To delete the last typed character you must send the character that parm 16
defines (default DEL). On receiving this char, the PAD will erase the last
character in the editing buffer and, if parm 16 is different from 0, it sends
the signal about the erased char as specified by par 19:

if parm 19 is set to 0, no signal is sent
if parm 19 is set to 1, the PAD sends IA5 signal; this procedure is suggested
for printer-like terminals
if parm 19 is set to 2, the PAD will send a BS SP BS sequence of IA5. This
procedure will locate the cursor at the inserting point of the new char and
is therefore suggested for video terminals.

2) Erase a line

To erase a line you must send the char set in parm 17 (def: CAN). On
receiving this character, the PAD will erase the buffer and, if parm 6 is set
to anything save 0, it will send the line deletion character, following
parameter 19:

if parm 19 is set to 0 : nothing sent
if parm 19 is set to 1 : the PAD sends XXX
if parm 19 is set to 2 : the PAD will send SP BS SP of IA5 as many times as
the number of chars in the buffer

3) Display a line

To obtain a line display you must send the char defined by parm 12 (def: DC2).
On receiving this char, the PAD will send to the terminal all chars stored in
the buffer.

_______________________________________________________________________________

An Explanation of Packet Switching Networks, by Doc Holiday and Phantom Phreaker


7/82: Explanation of PSNs
Name: Doc Holiday #14
Date: 12:34 am Mon Jul 11, 1988

Packet switching networks are
designed primarily for on-line
applications in which the data must be
delivered to its destination
immediately. However, there can be a
store-and-forward capability which in
most cases is used only if a
destination terminal is inoperative.
A packet of data is usually 128
bytes of data, part of which includes
the packet routing control information
required to get the packet to its
destination. A packet is sent through
a communications network as an
individual transmission completely
independent of the rest of the
sentence or block of data. The
complete message is normally assembled
only at its destination and not at a
store-and-forward network computer
node. Thus the error detection and
correction function is limited to the
individual packet of data rather than
a block of data.
The public packet switching
operators have selected an efficient
communications protocol similar to
CCITT x.25 for transmission of data
throughout the network, which includes
hundreds of cities around the US and
around the world. Unfortunately, most
of today’s terminals do not operate
under the x.25 protocol. To resolve
this problem, the network vendors have
devised a device called a PAD, which
acts as a combination protocol
converter, a packetizer/depacketizer,
and a multiplexer. Also available are
software protocol converter packages
for computers that use the network
directly without a PAD.

–Continued on next message–


8/82: PSNs CONT
Name: Doc Holiday #14
Date: 12:51 am Mon Jul 11, 1988

The functions of a packet
switching network include all of those
of a message switching network.
Today’s public packet switching
networks are not looking for the
store-and-forward type of operation,
although they will provide a mailbox
arrangement in which one location
sends mail and receives mail as well
as the other location.
Packet switching networks provide
users with a terminal compatibility
enhancement feature. Terminals that
are not otherwise able to communicate
with each other can take advantage of
the protocol converter function so, for
example, asynchronous terminals can
talk to synchronous terminal, and so
on..

ADVANTAGES of packet switching
networks:

The advantages of a packet
switching network include those of the
message switching network. In
addition, however, there is the online
type of operation that affords the
excellent response time that is needed
for the brief transmissions between an
inquiry or data entry terminal and a
host computer. One of the important
features of a packet network is the
establishment of communications
between different types of terminals
that ordinarily cannot exchange data
without some kind of separate protocol
converter. Today’s packet switching
networks are also noted for their
backup lines and alternate routing
capability plus a very efficient,
cost-effective use of the network.

“I feel like I’m rambling.. so
I’ll stop.”
–Phantom Phreaker

–Doc Holiday


The Complete Introductory Guide to Sprintnet and Similar Packet-Switched Networks by Doctor Dissector (April 22, 1990)

The THC Hack/Phreak Archives: PSNINTRO.DOC (842 lines)
Note: I did not write any of these textfiles. They are being posted from
the archive as a public service only – any copyrights belong to the
authors. See the footer for important information.
==========================================================================
% X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X %
X**=======================================================================**X
%!! Phreakers/Hackers/Anarchists !!%
X!! -++–++–++–++–++–++–++- !!X
%!! !!%
X!! THE COMPLETE INTRODUCTORY GUIDE TO SPRINTNET AND !!X
%!! SIMILAR PACKET SWITCHED NETWORKS !!%
X**=======================================================================**X
% X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X %
X**=======================================================================**X
%!! P/H/A – Written By Doctor Dissector On Sunday, April 22, 1990 – P/H/A !!%
X**=======================================================================**X
% X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X %

Part I: Disclaimer
------------------
The sole purpose of this document is to educate. Neither the author nor
the sponsor group (Phreakers/Hackers/Anarchists) will be held responsible
for the reader’s actions before, during, and following exposure to this
document as well as the validity or accuracy of the information contained
within this document.

Part II: Introduction
---------------------
Packet switching networks can be said to be the most useful tool for both
the inexperienced and the experienced hack. When I first learned about
PSNs (SprintNet/Telenet in general), I discovered that there were not any
good “full length” introductions or guides to the use of these systems. In
effect, scrounging around for a small file here and another there was not
very productive in any sense. So, I decided to compile a “complete”
introduction and guide, as I know it, to the “world” of the packet switched
network. Enjoy!
Doctor Dissector – PHA

Part III: Table Of Contents
—————————
Part Description
—– ————————————————————-
I Disclaimer
II Introduction
III Table Of Contents
IV What Is A Packet Switched Network?
V Network Protocols
VI PAD Security
VII Connection To The SprintNet PAD
VIII X.121 International Address Format
IX Network User Identification
X Setting PAD ITI/X.3 Parameters
XI Disconnect Code Sequence
XII Misc Network Notes
XIII Appendix
XIV Conclusion And Closing Notes
XV Greets, Hellos, Etc….

Appendix Description
——– ———————————————————–
A Hunt/Confirm Sequence Codes
B PAD Command Summary
C ITI/X.3 Parameter Summaries
D International DNIC/PSN List
E Overseas PSNs Which Accept Collect Calls
F Network Protocol List
G Glossary

Part IV: What Is A Packet Switched Network?
——————————————-
A packet switched network can be accessed through any local POTS
dialup/port. Systems known as “hosts” on the PSN pay for connection to
the PSN depending on transmission speed and protocol type. PSNs offer
more efficient data transfer and lower rates as compared to the typical
circuit switched call. Thus, to anyone who would be interested in
transferring large amounts of data over either the PSN or the circuit
system, the PSN would result in an increase of convenience due to the
reduction of data transmission error and cost.
Another feature of the PSN is the speed and data translation which
takes place between the PSN’s PAD (Packet Assembler/Disassembler) and
the host. For example, one could connect to the PSN’s PAD at 1200 bps
and the PAD could connect to the host system at 9600 bps and still
allow the user to receive error free transmission. This “flow control”
is done by the actual increase or decrease of the data packet between
the PAD and the user or the PAD and the host.
PSNs also have the ability to interconnect through special gateways,
which might allow a user who dialed one PSN’s PAD to connect
to another PSN’s PAD through a system which was accessible by the first.
Almost every PSN in the world can be accessed through gateways on one
PSN to another PSN, through subsequent gateways until the target PSN
is achieved; of course, there are always exceptions: some private or
small data networks may not be reachable through gateways, and these systems
can only be reached, usually, through direct dialins.
Some PSNs allow the caller to execute “collect calls” to host
systems which accept them, although the majority of the hosts on any
given PSN do not accept collect calls. To connect to a host system which
does not accept collect calls, one must possess a network user identifier
(NUI) or access to a private system on the PSN which accepts collect
calls and has the ability to access another PSN with its own identifier.
These will be discussed further into this document.

Part V: Network Protocols
————————-
The PSN utilizes several communications protocols similar to the
communications protocols used by typical asynchronous modems. However,
MOST PSNs utilize synchronous communications and the X type protocols
versus the typical modem’s asynchronous V protocols. As a result, the
PAD of any PSN also serves as a synchronous/asynchronous translator
between the synchronous network and the asynchronous modem.
Most PSNs offer network speeds from snail’s pace baud rates of
300 bps (asynchronous) to the lightning of 48,000 bps (synchronous).
The most common data protocol used by PSNs today is the X.25 protocol,
thus if one were able to access a private PAD which offered support for
the X.25 protocol, one could access virtually any network user address
(NUA) from that PAD. SprintNet PADs support the X.25 protocol, so if
one had an NUI of sorts, one also could access any NUA from the SprintNet
PAD. See appendix F for a list of network protocols.

Part VI: PAD Security
———————
SprintNet PADs and most dialin PADs in general have no “immediate”
form of telephone security common within their systems. Plainly, SprintNet
and most PSN dialin PADs cannot trace on the fly, as they do not have
their own equipment to trace incoming calls. HOWEVER, this does not
mean that they CANNOT trace; SprintNet can, and will, upon probable
cause, cooperate with the telco to trace calls. Notice that tracing
usually is premeditated and one-time abusers have a very slim chance
of being caught. Also note that most PAD activities are logged and if
abuse is suspected, the PSN owners would most likely suspect the abuser
as originating from the local area, since the POTS dialin/port is also
located in the same area.
Once online, security from “calling” hosts which do not accept collect
calls is enforced by the presence of the NUI. Without an NUI, one would
usually be stuck, only able to call systems accepting collect calls, sans
the use of another system’s NUI.
There is one more aspect of security worth mentioning. Whenever a
packet of data is sent to a host system, a header of data is sent stating
where the originating “call” is being placed from. Thus, if you were
connecting to “312312” from your local POTS dialin/port that owned an
address of “20231H,” the system at 312312 would know the call was being
originated from 20231H. Once again, if someone were abusing any system on
the PSN and that system saved a log of the originating addresses accessing
that system, the owners of the abused system could easily determine which
POTS dialin/port number the abuser was using, and then inform the PSN
security of possible abuse in that dialin’s local area. Because of this
ability to “trace” the originating address, there is one way to foil this.
One could connect to another PAD, and then, from that PAD connect to
the target system. Thus, the POTS dialin/port address will be sent to
the connected PAD, and the connected PAD would intercept the POTS address
and send the connected PAD’s address to the target system instead of
the POTS address. SO, if the target system was abused and the owners
attempted to “trace” the originating address, they would receive the
address of the connected PAD. For example: you dial your local POTS
dialin/port which had an address of “71516G,” log into another PAD at
“415100,” connect from 415100 to “213213.” The system at 213213 if
“traced” would find that you were originating from 415100, not 71516G.
See how it works? Good… Notice that the system 213213 would still
know that you were originating from 71516G, but the folks you were
genuinely abusing wouldn’t know that!

Part VII: Connection To The SprintNet PAD
—————————————–
The following procedure outlines the methods used to connect to
and through the SprintNet PAD.

Step  Procedures                             Network/Operator Response
----  ----------                             -------------------------
1     Turn on your terminal. Make sure
      it’s Online.

2     Dial your local SprintNet access
      number.

3     For data sets Bell 103 & 113 type,
      depress the DATA button.

4     Enter the hunt/confirm sequence
      for your baud/parity type. For
      E,7,1 1200/2400, type twice.
      For hunt/confirm sequences, see
      appendix A.

5     SprintNet will identify itself,        TELENET
      its port address, and then send        909 14B
      a TERMINAL= prompt for terminal
      identification. “D1” specifies         TERMINAL=D1
      dumb terminal.

6     NUI Input: After SprintNet gives
      the “@” prompt, type “ID ;” and        @ID ;ABCD
      then your ID code, followed by a       PASSWORD=123456
      . Then enter your password
      followed by another . If you
      don’t have an NUI, you can always
      access systems which allow collect
      calls.

7     At the “@” prompt, you can enter       @02341123456790
      the network user address (NUA) of
      the desired host. If, during the
      connection attempt, you wish to abort
      the attempt, a BREAK signal will
      bring you back to the “@” prompt.

8     SprintNet will respond with a          (address) CONNECTED
      connection message, or an error
      message.

9     To disconnect from your computer,      (address) DISCONNECTED
      log off as usual. SprintNet will
      send a disconnect message. To
      disconnect off of a system without
      logging off, typing “@” will
      bring you back to the “@” prompt.

Part VIII: X.121 International Address Format
———————————————
Most PSNs around the world follow the X.121 format for access to both
domestic and international hosts. SprintNet does not require some parts
of the format for domestic connection, which will be discussed below.

 +------------------------------------- Zero Handler For SprintNet
 |                                      (Formats The X.121 Address)
 |
 |     +------------------------------- Data Network Identifier
 |     |                                Code (DNIC)
 |     |
 |     |       +----------------------- Area Code of Host
 |     |       |
 |     |       |       +--------------- DTE Address of Host
 |     |       |       |
 |     |       |       |      +-------- Port Address
 |     |       |       |      |
|0|  |DDDD|  |AAA|  |HHHHH|  |PP|
                              |
                              +-------- Optional ‘Subaddress’
                                        Field for Packet Mode
                                        DTE

For a complete list of DNICs/PSNs according to country, please see
appendix D.
On SprintNet, a “0” MUST lead the NUA, although on other PSNs, this
may not be necessary.
On SprintNet, the DNIC is defaulted to 3110. Any host entered at the
“@” prompt, if domestic to Telenet/USA, will not require the input of
zero handler or the 3110 DNIC. For example:

Domestic X.121 SprintNet Int’l
———- ————– —————
2129966622 31102129966622 031102129966622
212869 311021200869 0311021200869
21244 311021200044 0311021200044
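
The three columns above are three spellings of the same host, which matters whenever addresses taken from access logs have to be compared. The following added example (not part of the original file; `Nua`, `parse_nua` and `tally_origins` are hypothetical names, and the log entries are constructed) normalizes them using only the fixed field widths of the diagram and the default DNIC 3110, and rejects anything that does not fit rather than guessing.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

DEFAULT_DNIC = "3110"  # SprintNet default DNIC, per the text above
# Field widths taken from the diagram: DDDD | AAA | HHHHH | PP
DNIC_LEN, AREA_LEN, HOST_LEN, PORT_LEN = 4, 3, 5, 2
FULL_LENGTHS = (DNIC_LEN + AREA_LEN + HOST_LEN,             # 12: no port
                DNIC_LEN + AREA_LEN + HOST_LEN + PORT_LEN)  # 14: with port


@dataclass(frozen=True)
class Nua:
    dnic: str
    area: str
    host: str
    port: str = ""  # empty when no port/subaddress was given

    @property
    def x121(self) -> str:
        """Address in the 'X.121' column form (no zero handler)."""
        return self.dnic + self.area + self.host + self.port

    @property
    def sprintnet_intl(self) -> str:
        """Address in the 'SprintNet Int'l' column form (leading 0)."""
        return "0" + self.x121


def _split_host_port(rest: str) -> Tuple[str, str]:
    """Split the digits after the area code into (host, port)."""
    if 1 <= len(rest) <= HOST_LEN:
        # Short domestic form: 869 -> 00869, as in the table's examples.
        return rest.zfill(HOST_LEN), ""
    if len(rest) == HOST_LEN + PORT_LEN:
        return rest[:HOST_LEN], rest[HOST_LEN:]
    # Six digits could be host+short port or a typo; refuse to guess.
    raise ValueError(f"cannot split host/port from {rest!r}")


def parse_nua(text: str) -> Nua:
    """Parse a domestic, X.121 or zero-prefixed address into its fields."""
    digits = "".join(text.split())
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"not a numeric address: {text!r}")
    if digits.startswith("0") and len(digits) - 1 in FULL_LENGTHS:
        body = digits[1:]                      # strip the zero handler
    elif len(digits) in FULL_LENGTHS:
        body = digits
    elif AREA_LEN < len(digits) <= AREA_LEN + HOST_LEN + PORT_LEN:
        host, port = _split_host_port(digits[AREA_LEN:])
        return Nua(DEFAULT_DNIC, digits[:AREA_LEN], host, port)
    else:
        raise ValueError(f"length {len(digits)} fits no known form")
    # Assumption: a DNIC never starts with 0 (none listed on this page does),
    # so a leading 0 here means the address uses other field widths.
    if body[0] == "0":
        raise ValueError(f"{text!r} does not fit the fixed-width layout")
    rest = body[DNIC_LEN:]
    host, port = _split_host_port(rest[AREA_LEN:])
    return Nua(body[:DNIC_LEN], rest[:AREA_LEN], host, port)


def tally_origins(addresses: Iterable[str]) -> Tuple[Counter, List[str]]:
    """Count log entries per canonical X.121 address; collect rejects."""
    counts: Counter = Counter()
    rejected: List[str] = []
    for raw in addresses:
        try:
            counts[parse_nua(raw).x121] += 1
        except ValueError:
            rejected.append(raw)
    return counts, rejected


# Constructed sample: the same host logged in three notations, one other
# host, and one address whose layout differs from the diagram.
SAMPLE_LOG_ORIGINS = [
    "212869", "0311021200869", "311021200869", "21244", "02341123456790",
]

if __name__ == "__main__":
    counts, rejected = tally_origins(SAMPLE_LOG_ORIGINS)
    for address, n in counts.most_common():
        print(address, n)
    print("needs manual review:", rejected)
```
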

Part IX: Network User Identification
————————————
Network user identifiers (NUIs) offer full SprintNet PAD use for
any distance or amount of time for any host accessible by the PAD in
question. Think of the NUI as a /<-/<00l Kode for calling long distance.
Any systems that you call are logged, and each call is charged. At the
end of the month, the owner of the NUI is billed. So, it is possible to
hack out NUIs and use them, but like k0dez, abuse kills.
NUIs can be entered into SprintNet in two ways. The first method is
to type "ID ;xxxx" where xxxx can be from 4-? characters in length, both
alphabetic and numeric. Then, at the password prompt, enter a password.
The second method for entering an NUI is in conjunction with the NUA
you are accessing. The format is ",,” where at the “@”
prompt you would type the desired NUA, followed by a comma, then your
ID followed by a comma, and then your password. Your password will not
be echoed.

Part X: Setting PAD ITI/X.3 Parameters
————————————–
Online PAD parameter modification may be desired for certain
applications, connections, or data transfers. See appendix C for brief
summaries of these parameters. Modification of these parameters can be
done by the following procedure at the “@” prompt:

X.3 Parameters
————–
To display current parameters: “PAR?
The PAD will respond with: “PAR1:,2:,…”

To modify parameter(s): “SET? :,:,…”
The PAD will respond with: “PAR:,…”

ITI Parameters
————–
To display current parameters: “PAR? 0,,,…”
The PAD will respond with: “PAR:,:,…”

To modify parameter(s): “SET? 0:33,:,:,…”
The PAD will respond with: “PAR0:33,:,…”

Part XI: Disconnect Code Sequence
———————————
When disconnected off of any host on SprintNet, a disconnect coding
sequence with a string of data will be sent to your terminal. The
following is a translation format for the disconnect coding.

DISCONNECTED AA BB TT:TT:TT:TT CCC DD

Where:
is the NUA of the given host system.
AA is the clearing code.
BB is the diagnostic code.
TT:TT:TT:TT is the time spent on the host.
CCC is the number of frames received.
DD is the number of frames sent.

Part XII: Misc Network Notes
—————————-
Just a few things one might want to know when using PSNs:

1) When using/abusing a private PAD, try to use it after business
hours, as the operators will not tend to discover your presence
as quickly.

2) When hacking or abusing ANY system on ANY PSN, if anything seems
different or suspicious, logoff, disconnect, or HANG-UP
IMMEDIATELY! Much better SAFE than SORRY!

3) For a complete and updated list of POTS dialin/ports, dial the
IN-WATS number at 1-800-546-1000 or 1-800-546-2000, type “MAIL,”
and for user name and password, enter “PHONES.” You will be
diverted to the SprintNet dialing directory & a menu. From then on
you will have plenty of info about POTS dialins and port numbers.

4) For international information concerning SprintNet and other PSNs,
get to a SprintNet “@” prompt and type “MAIL.” Then, for the user
name, enter “INTL/ASSOCIATES.” For the password, type “INTL,” and
you will be diverted to the international information menu.

5) For even more info on SprintNet and PCP, the NUA for the PCP
support BBS is 311090900631 (909631 domestic).

6) Some 2400 bps and 2400+ bps PADs have problems recognizing 8,N,1
connections. Sometimes they only allow E,7,1 transmissions.
Experimentation or inquiry may yield results. SprintNet’s customer
information line is at 1-800-336-0437, overseas is 1-703-689-6400.

7) PCP outdials and other outdial systems are abundant on the PSNs
throughout the world. If you have any NUAs to these or find any,
they utilize the typical Hayes AT command set, so they should be
easy to figure out. MOST of the time, they ONLY allow dialing of
local (to the outdial’s area code) numbers, but some have been known
to allow interstate and even international calls. Experimentation,
again, is always necessary.

8) Domestically, the “AAA” (Area Code) portion of the NUA is usually
the same as the area code (NPA) of the same calling area. However,
some area codes are shared on the network and some non-existent
area codes such as 909, 223, 224 and others contain hosts.

9) On any PAD, the data transmission rates may be slowed, due to the
assembly/disassembly time, called packet delay. Depending on which
system, baud, and transfer protocol used, pad delay can differ from
almost none to noticeable fractions of seconds. PCP outdials are
notorious for LLOONNGG pad delays….

Part XIII: Appendix
——————-
Appendix A: Hunt/Confirm Sequence Codes
=======================================
Bits Stop Parity Modem Baud Duplex Sequence
—- —- —— ———- —— ——–
7 1 EVEN 300-1200 FULL
7 1 EVEN 300-1200 HALF ;
7 1 EVEN 2400 FULL @
7 1 EVEN 2400 HALF @;
8 1 NONE 300-1200 FULL D
8 1 NONE 300-1200 HALF H
8 1 NONE 2400 FULL @D
8 1 NONE 2400 HALF @H

At BPS speeds 2400+, wait 1/2 a second BEFORE and AFTER the
“@” sign in the sequence above.

Appendix B: PAD Command Summary
===============================
The following is a list of commands usable from the “@” prompt on the
SprintNet PSN.

Command Description
———– ————————————————————-
Connects to the host specified by that NUA.
C Connects to the host specified by that NUA.
STAT Displays the network port address (NUA of the port).
FULL Sets duplex to full.
HALF Sets duplex to half.
DTAPE Prepares the PSN for bulk file transfers.
CONT Continues the current connected session/connect attempt.
BYE Aborts connect attempt/disconnects from current session.
D Aborts connect attempt/disconnects from current session.
HANGUP Logs you off from the SprintNet PAD.
TERM Changes the terminal specification to that of .
MAIL Request connection to SprintNet Telemail.
TELEMAIL Request connection to SprintNet Telemail.
ID ; Enter NUI, is your ID. This is followed by a PASSWORD
prompt. Password will not be echoed.
TEST CHAR Test if you are receiving garbled output. If so, adjust
parity or data bits, and then try again. If errors persist,
be sure to complain to SprintNet customer service!
TEST ECHO Test if your input is being garbled by Telenet. Similar
otherwise as TEST CHAR.

Appendix C: ITI/X.3 Parameter Summaries
=======================================
Para-                                  Para-
meter  Description (Default Value)     meter  Description (Default Value)
-----  ---------------------------     -----  ---------------------------
1      Line feed Insertion (0)         31+    Interrupt Character (0)
2      Network Message Display (0)     32     Automatic Hang-up (0)
3      Echo (1)                        33+    Flush Output (0)
4      Echo Mask (163)                 34     Transmit on Timers (1)
5      Transmit Mask (2)               35     Idle Timer (80)
6*     Buffer Size (0)                 36     Interval Timer (0)
7*     Command Mask (127)              37     Network Usage Display (0)
8*     Command Mask (3)                38     Carriage Return PAD (Variable)
9      Carriage Return PAD (Fixed)     39     Padding Options (1)
10     Linefeed Padding                40     Insert on Break (0)

11     Tab Padding                     41     PAD-Terminal Flow Control (0)
12     Line Width                      42     PAD-Terminal XON Character (17)
13     Page Length (0)                 43     PAD-Terminal XOFF Character (19)
14     Line Folding (1)                44*    Generate Break (INV)
15     Page Wait (0)                   45*    APP on Break (0)
16     Interrupt on Break (0)          46     Input Unlock Option (0)
17     Break Code (0)                  47     Input Unlock Timer (0)
18     NVT Options (0)                 48     Input Unlock Character (0)
19     Initial Keyboard State (0)      49     Output Lock Option (2)
20     Half/Full Duplex                50     Output Lock Timer (10)

21     Real Character Code             51     Output Lock Option (0)
22     Printer Style                   53*    Break Options (0)
23     Terminal Type                   54     Terminal-PAD Flow Control (0)
24     Permanent Terminal (0)          55     Terminal-PAD XON Character (17)
25     Manual or Auto Connect (0)      56     Terminal-PAD XOFF Character (19)
26     Rate                            57     Connection Mode (2)
27     Delete Character (127)          58     Escape to Command Mode (1)
28     Cancel Character (24)           59*    Flush Output on Break (0)
29     Display Character (18)          60     Delayed Echo
30+    Abort Output Character (0)      63     Eight-bit Transparency (1)
                                       64+    Early ACK (0)
                                       65     More-Data Bit Generation (3)
                                       66     Defer Processing of User (0)
                                       67     ESP Packetizing Option (0)
                                       68     Escape Sequence Timer (0)
                                       69     Escape Sequence Maximum Length (0)
                                       70     Escape Sequence Initiator (0)
                                       71     Parameter Reset on Disconnect (0)

Note: – All Telenet Parameters must follow the National Option Marker
(Parameter 0, value ’21’ Hex) in PAD Messages.
– Parameters marked with “*” should not be used.
– Parameters marked with “+” should be used with caution.

Appendix D: International DNIC/PSN List
=======================================
Note: This is not a complete list!

COUNTRY NETWORK DNIC
——- ——- —-
ALASKA ALASCOM 3135
ANTIGUA ANTIGUA 3443
ARGENTINA ARPAC 7220
ARGENTINA ARPAC 7222
AUSTRIA DATEX-P 2322
AUSTRIA RA 2329
AUSTRALIA AUSPAC 5052
AUSTRALIA MIDAS 5053
BAHAMAS BATELCO 3640
BAHRAIN IDAS 4263
BARBADOS IDAS 3423
BELGIUM DCS 2062
BELGIUM DCS-TELEX 2068
BELGIUM DCS-PSTN 2069
BERMUDA IPSD 3503
BRAZIL INTERDATA 7240
BRAZIL RENPAC 7241
BRAZIL RENPAC 7249
BRAZIL RENPAC 7248
CAMEROON CAMPAC 6242
CANADA DATAPAC 3020
CANADA GLOBEDAT 3025
CANADA CNCP 3028
CANADA TYMNET CANADA 3106
CAYMAN ISLANDS IDAS 3463
CHILE ENTEL 7302
CHILE ENTEL 3104
CHINA PTELCOM 4600
COLOMBIA DAPAQ 3107
COSTA RICA RACSADATOS 7120
COSTA RICA RACSAPAC 7122
COSTA RICA RACSAPAC 7128
COSTA RICA RACSAPAC 7129
COTE D’IVOIRE SYTRANPAC 6122
DENMARK DATAPAK 2382
DENMARK DATAPAK 2383
DOMINICAN REPUBLIC UDTS 3700
EGYPT ARENTO 6020
FINLAND FINNPAK 2442
FRANCE TRANSPAC 2080
FRANCE N.T.I. 2081
FRANCE TRANSPAC 9330
FRANCE TRANSPAC 9331
FRANCE TRANSPAC 9332
FRANCE TRANSPAC 9333
FRANCE TRANSPAC 9334
FRANCE TRANSPAC 9335
FRANCE TRANSPAC 9336
FRANCE TRANSPAC 9337
FRANCE TRANSPAC 9338
FRANCE TRANSPAC 9339
FRENCH ANTILLES DOMPAC 3400
FRENCH GUYANA DOMPAC 7420
GABON GABONPAC 6282
GERMANY DATEX-P 2624
GREECE HELPAK 2022
GREENLAND DATAPAK 2901
GUAM LSDS-RCA 5350
GUATEMALA GUATEL 7040
HONDURAS HONDUTEL 7080
HONG KONG IDAS 4542
HONG KONG DATAPAK 4545
HUNGARY DATEXL 2160
HUNGARY DATEXL 2161
ICELAND ICEPAC 2740
INDONESIA SKDP 5101
IRELAND IPSS (EIRE) 2721
IRELAND EIREPAC 2724
ISRAEL ISRANET 4251
ITALY DARDO 2222
ITALY ITAPAC 2227
IVORY COAST SYTRANPAC 6122
JAMAICA JAMINTEL 3380
JAPAN DDX-P 4401
JAPAN VENUS-P 4408
JAPAN NISNET 4406
JAPAN NI+CI 4410
KUWAIT 4263
LEBANON SODETEL 4155
LUXEMBOURG LUXPAC 2704
LUXEMBOURG PSTN 2709
MALAYSIA MAYPAC 5021
MAURITIUS MAURIDATA 6170
MEXICO TELEPAC 3340
NETHERLANDS DATANET-1 2040
NETHERLANDS DATANET-1 2041
NETHERLANDS DABAS 2044
NETHERLANDS DATANET 2049
NETHERLANDS/ANTILLES UDTS ITT 3620
NETHERLANDS/MARIANAS PCINET 5351
NEW CALEDONIA TOMPAC NC 5460
NEW ZEALAND PACNET 5301
NORWAY DATAPAK 2422
PANAMA INTELPAQ 7141
PANAMA INTELPAQ 7142
PHILIPPINES CAPWIRE 5151
PHILIPPINES PHILCOM RCA 5152
PHILIPPINES GMCR 5154
PHILIPPINES ETPI-2 5156
POLYNESIA TOMPAC 5470
PORTUGAL TELEPAC 2680
PORTUGAL SABD 2682
PUERTO RICO UDTS- PDIA 3301
PUERTO RICO UDTS- I 3300
QATAR DOHPAC 4271
REUNION ISLAND DOMPAC 6470
SAN MARINO X-NET 2922
SAUDI ARABIA BAHNET 4263
SINGAPORE TELEPAC 5252
SINGAPORE TELEPAC 5258
SOUTH AFRICA SAPONET 6550
SOUTH AFRICA SAPONET 6559
SOUTH KOREA DACOM-NET 4501
SOUTH KOREA DNS 4503
SPAIN TIDA 2141
SPAIN IBERPAK 2145
SWEDEN TELEPAK 2405
SWEDEN DATAPAK 2402
SWITZERLAND TELEPAC 2284
SWITZERLAND DATALINK 2289
TAHITI TOMPAC 5470
TAIWAN UDAS 4877
TAIWAN PACNET 4872
THAILAND IDAR 5200
TORTOLA 3483
TRINIDAD TEXTET 3740
TRINIDAD DATANETT 3745
TUNISIA RED25 6050
TURKEY TURPAC 2862
TURKS BWI 3763
UNITED ARAB EMIRATES EMDAN 4241
UNITED ARAB EMIRATES TELEX 4243
UNITED ARAB EMIRATES TEDAS 4310
UNITED KINGDOM IPSS 2341
UNITED KINGDOM PSS 2342
UNITED KINGDOM MPDS MERCURY 2350
UNITED KINGDOM PSS MERCURY 2352
U.S.S.R. IASNET 2502
UNITED STATES OF AMERICA TELENET 3110
UNITED STATES OF AMERICA TYMNET 3106
U.S. VIRGIN ISLANDS

The LOD/H Presents: A Novice’s Guide to Hacking- 1989 edition

+++++++++++++++++++++++++++++++++++++++++++++++++
| The LOD/H Presents |
++++++++++++++++ ++++++++++++++++
\ A Novice’s Guide to Hacking- 1989 edition /
\ ========================================= /
\ by /
\ The Mentor /
\ Legion of Doom/Legion of Hackers /
\ /
\ December, 1988 /
\ Merry Christmas Everyone! /
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/
**********************************************************************
| The author hereby grants permission to reproduce, redistribute, |
| or include this file in your g-file section, electronic or print |
| newsletter, or any other form of transmission that you choose, as |
| long as it is kept intact and whole, with no omissions, |
| deletions, or changes. (C) The Mentor- Phoenix Project Productions |
| 1988,1989 512/441-3088 |
**********************************************************************
Introduction: The State of the Hack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After surveying a rather large g-file collection, my attention was drawn to
the fact that there hasn’t been a good introductory file written for absolute
beginners since back when Mark Tabas was cranking them out (and almost
*everyone* was a beginner!) The Arts of Hacking and Phreaking have changed
radically since that time, and as the 90’s approach, the hack/phreak community
has recovered from the Summer ’87 busts (just like it recovered from the Fall
’85 busts, and like it will always recover from attempts to shut it down), and
the progressive media (from Reality Hackers magazine to William Gibson and
Bruce Sterling’s cyberpunk fables of hackerdom) is starting to take notice
of us for the first time in recent years in a positive light.
Unfortunately, it has also gotten more dangerous since the early 80’s.
Phone cops have more resources, more awareness, and more intelligence than they
exhibited in the past. It is becoming more and more difficult to survive as
a hacker long enough to become skilled in the art. To this end this file
is dedicated. If it can help someone get started, and help them survive
to discover new systems and new information, it will have served its purpose,
and served as a partial repayment to all the people who helped me out when I
was a beginner.
Contents
~~~~~~~~
This file will be divided into four parts:
Part 1: What is Hacking, A Hacker’s Code of Ethics, Basic Hacking Safety
Part 2: Packet Switching Networks: Telenet- How it Works, How to Use it,
Outdials, Network Servers, Private PADs
Part 3: Identifying a Computer, How to Hack In, Operating System
Defaults
Part 4: Conclusion- Final Thoughts, Books to Read, Boards to Call,
Acknowledgements
Part One: The Basics
~~~~~~~~~~~~~~~~~~~~
As long as there have been computers, there have been hackers. In the 50’s
at the Massachusetts Institute of Technology (MIT), students devoted much time
and energy to ingenious exploration of the computers. Rules and the law were
disregarded in their pursuit for the ‘hack’. Just as they were enthralled with
their pursuit of information, so are we. The thrill of the hack is not in
breaking the law, it’s in the pursuit and capture of knowledge.
To this end, let me contribute my suggestions for guidelines to follow to
ensure that not only you stay out of trouble, but you pursue your craft without
damaging the computers you hack into or the companies who own them.
I. Do not intentionally damage *any* system.
II. Do not alter any system files other than ones needed to ensure your
escape from detection and your future access (Trojan Horses, Altering
Logs, and the like are all necessary to your survival for as long as
possible.)
III. Do not leave your (or anyone else’s) real name, real handle, or real
phone number on any system that you access illegally. They *can* and
will track you down from your handle!
IV. Be careful who you share information with. Feds are getting trickier.
Generally, if you don’t know their voice phone number, name, and
occupation or haven’t spoken with them voice on non-info trading
conversations, be wary.
V. Do not leave your real phone number to anyone you don’t know. This
includes logging on boards, no matter how k-rad they seem. If you
don’t know the sysop, leave a note telling some trustworthy people
that will validate you.
VI. Do not hack government computers. Yes, there are government systems
that are safe to hack, but they are few and far between. And the
government has infinitely more time and resources to track you down than
a company who has to make a profit and justify expenses.
VII. Don’t use codes unless there is *NO* way around it (you don’t have a
local telenet or tymnet outdial and can’t connect to anything 800…)
You use codes long enough, you will get caught. Period.
VIII. Don’t be afraid to be paranoid. Remember, you *are* breaking the law.
It doesn’t hurt to store everything encrypted on your hard disk, or
keep your notes buried in the backyard or in the trunk of your car.
You may feel a little funny, but you’ll feel a lot funnier when you
meet Bruno, your transvestite cellmate who axed his family to
death.
IX. Watch what you post on boards. Most of the really great hackers in the
country post *nothing* about the system they’re currently working
except in the broadest sense (I’m working on a UNIX, or a COSMOS, or
something generic. Not “I’m hacking into General Electric’s Voice Mail
System” or something inane and revealing like that.)
X. Don’t be afraid to ask questions. That’s what more experienced hackers
are for. Don’t expect *everything* you ask to be answered, though.
There are some things (LMOS, for instance) that a beginning hacker
shouldn’t mess with. You’ll either get caught, or screw it up for
others, or both.
XI. Finally, you have to actually hack. You can hang out on boards all you
want, and you can read all the text files in the world, but until you
actually start doing it, you’ll never know what it’s all about. There’s
no thrill quite the same as getting into your first system (well, ok,
I can think of a couple of bigger thrills, but you get the picture.)
One of the safest places to start your hacking career is on a computer
system belonging to a college. University computers have notoriously lax
security, and are more used to hackers, as every college computer depart-
ment has one or two, so are less likely to press charges if you should
be detected. But the odds of them detecting you and having the personnel to
commit to tracking you down are slim as long as you aren’t destructive.
If you are already a college student, this is ideal, as you can legally
explore your computer system to your heart’s desire, then go out and look
for similar systems that you can penetrate with confidence, as you’re already
familiar with them.
So if you just want to get your feet wet, call your local college. Many of
them will provide accounts for local residents at a nominal (under $20) charge.
Finally, if you get caught, stay quiet until you get a lawyer. Don’t vol-
unteer any information, no matter what kind of ‘deals’ they offer you.
Nothing is binding unless you make the deal through your lawyer, so you might
as well shut up and wait.
Part Two: Networks
~~~~~~~~~~~~~~~~~~
The best place to begin hacking (other than a college) is on one of the
bigger networks such as Telenet. Why? First, there is a wide variety of
computers to choose from, from small Micro-Vaxen to huge Crays. Second, the
networks are fairly well documented. It’s easier to find someone who can help
you with a problem off of Telenet than it is to find assistance concerning your
local college computer or high school machine. Third, the networks are safer.
Because of the enormous number of calls that are fielded every day by the big
networks, it is not financially practical to keep track of where every call and
connection are made from. It is also very easy to disguise your location using
the network, which makes your hobby much more secure.
Telenet has more computers hooked to it than any other system in the world
once you consider that from Telenet you have access to Tymnet, ItaPAC, JANET,
DATAPAC, SBDN, PandaNet, THEnet, and a whole host of other networks, all of
which you can connect to from your terminal.
The first step that you need to take is to identify your local dialup port.
This is done by dialing 1-800-424-9494 (1200 7E1) and connecting. It will
spout some garbage at you and then you’ll get a prompt saying ‘TERMINAL=’.
This is your terminal type. If you have vt100 emulation, type it in now. Or
just hit return and it will default to dumb terminal mode.
You’ll now get a prompt that looks like a @. From here, type @c mail
and then it will ask for a Username. Enter ‘phones’ for the username. When it
asks for a password, enter ‘phones’ again. From this point, it is menu
driven. Use this to locate your local dialup, and call it back locally. If
you don’t have a local dialup, then use whatever means you wish to connect to
one long distance (more on this later.)
When you call your local dialup, you will once again go through the
TERMINAL= stuff, and once again you’ll be presented with a @. This prompt lets
you know you are connected to a Telenet PAD. PAD stands for either Packet
Assembler/Disassembler (if you talk to an engineer), or Public Access Device
(if you talk to Telenet’s marketing people.) The first description is more
correct.
Telenet works by taking the data you enter in on the PAD you dialed into,
bundling it into a 128 byte chunk (normally… this can be changed), and then
transmitting it at speeds ranging from 9600 to 19,200 baud to another PAD, who
then takes the data and hands it down to whatever computer or system it’s
connected to. Basically, the PAD allows two computers that have different baud
rates or communication protocols to communicate with each other over a long
distance. Sometimes you’ll notice a time lag in the remote machine’s response.
This is called PAD Delay, and is to be expected when you’re sending data
through several different links.
What do you do with this PAD? You use it to connect to remote computer
systems by typing ‘C’ for connect and then the Network User Address (NUA) of
the system you want to go to.
An NUA takes the form of 031103130002520
\___/\___/\___/
| | |
| | |____ network address
| |_________ area prefix
|______________ DNIC
This is a summary of DNIC’s (taken from Blade Runner’s file on ItaPAC)
according to their country and network name.
DNIC   Network Name  Country       | DNIC   Network Name  Country
_______________________________________________________________________________
                                   |
02041  Datanet 1     Netherlands   | 03110  Telenet       USA
02062  DCS           Belgium       | 03340  Telepac       Mexico
02080  Transpac      France        | 03400  UDTS-Curacau  Curacau
02284  Telepac       Switzerland   | 04251  Isranet       Israel
02322  Datex-P       Austria       | 04401  DDX-P         Japan
02329  Radaus        Austria       | 04408  Venus-P       Japan
02342  PSS           UK            | 04501  Dacom-Net     South Korea
02382  Datapak       Denmark       | 04542  Intelpak      Singapore
02402  Datapak       Sweden        | 05052  Austpac       Australia
02405  Telepak       Sweden        | 05053  Midas         Australia
02442  Finpak        Finland       | 05252  Telepac       Hong Kong
02624  Datex-P       West Germany  | 05301  Pacnet        New Zealand
02704  Luxpac        Luxembourg    | 06550  Saponet       South Africa
02724  Eirpak        Ireland       | 07240  Interdata     Brazil
03020  Datapac       Canada        | 07241  Renpac        Brazil
03028  Infogram      Canada        | 09000  Dialnet       USA
03103  ITT/UDTS      USA           | 07421  Dompac        French Guiana
03106  Tymnet        USA           |
There are two ways to find interesting addresses to connect to. The first
and easiest way is to obtain a copy of the LOD/H Telenet Directory from the
LOD/H Technical Journal #4 or 2600 Magazine. Jester Sluggo also put out a good
list of non-US addresses in Phrack Inc. Newsletter Issue 21. These files will
tell you the NUA, whether it will accept collect calls or not, what type of
computer system it is (if known) and who it belongs to (also if known.)
The second method of locating interesting addresses is to scan for them
manually. On Telenet, you do not have to enter the 03110 DNIC to connect to a
Telenet host. So if you saw that 031104120006140 had a VAX on it you wanted to
look at, you could type @c 412 614 (0’s can be ignored most of the time.)
If this node allows collect billed connections, it will say 412 614
CONNECTED and then you’ll possibly get an identifying header or just a
Username: prompt. If it doesn’t allow collect connections, it will give you a
message such as 412 614 REFUSED COLLECT CONNECTION with some error codes out to
the right, and return you to the @ prompt.
There are two primary ways to get around the REFUSED COLLECT message. The
first is to use a Network User Id (NUI) to connect. An NUI is a username/pw
combination that acts like a charge account on Telenet. To connect to node
412 614 with NUI junk4248, password 525332, I’d type the following:
@c 412 614,junk4248,525332 <---- the 525332 will *not* be echoed to the screen.
The problem with NUI's is that they're hard to come by unless you're a good
social engineer with a thorough knowledge of Telenet (in which case you
probably aren't reading this section), or you have someone who can provide
you with them.
The second way to connect is to use a private PAD, either through an X.25
PAD or through something like Netlink off of a Prime computer (more on these
two below.)
The prefix in a Telenet NUA oftentimes (not always) refers to the phone
Area Code that the computer is located in (i.e. 713 xxx would be a computer in
Houston, Texas.) If there's a particular area you're interested in, (say,
New York City 914), you could begin by typing @c 914 001 . If it connects,
you make a note of it and go on to 914 002. You do this until you’ve found
some interesting systems to play with.
Not all systems are on a simple xxx yyy address. Some go out to four or
five digits (914 2354), and some have decimal or numeric extensions
(422 121A = 422 121.01). You have to play with them, and you never know what
you’re going to find. To fully scan out a prefix would take ten million
attempts per prefix. For example, if I want to scan 512 completely, I’d have
to start with 512 00000.00 and go through 512 00000.99, then increment the
address by 1 and try 512 00001.00 through 512 00001.99. A lot of scanning.
There are plenty of neat computers to play with in a 3-digit scan, however,
so don’t go berserk with the extensions.
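Seen from the network operator's side, the address-by-address walk described above leaves a recognizable trail in call records. The following Python detector is an added example, not part of the original file: it flags a calling PAD that tries many consecutive addresses inside one prefix within a short window. The record layout, the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 600        # seconds of history kept per (calling PAD, prefix); assumed value
MIN_DISTINCT = 5    # distinct addresses tried inside one prefix; assumed value
MIN_RUN = 4         # of which at least this many are consecutive numbers

# Constructed call records: time, calling PAD, called address, outcome.
SAMPLE_LOG = """\
1000 21244A 914001 REFUSED
1005 71312B 412614 CONNECTED
1010 21244A 914002 REFUSED
1020 21244A 914003 CONNECTED
1030 21244A 914004 REFUSED
1040 21244A 914005 REFUSED
1050 21244A 914006 REFUSED
2000 71312B 412614 CONNECTED
2500 71312B 914050 CONNECTED
9000 71312B 412614 CONNECTED
"""


def parse_record(line):
    """Split one record into (time, calling PAD, prefix, host part, outcome)."""
    ts, source, address, outcome = line.split()
    return int(ts), source, address[:3], address[3:], outcome


def longest_run(numbers):
    """Length of the longest run of consecutive integers among the values."""
    ordered = sorted(set(numbers))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_scans(lines, window=WINDOW, min_distinct=MIN_DISTINCT, min_run=MIN_RUN):
    """Return {(calling PAD, prefix): details} for the first alert per pair."""
    recent = defaultdict(deque)   # (source, prefix) -> calls inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, source, prefix, host, outcome = parse_record(line)
        if not host.isdigit():
            continue              # lettered extensions are outside this example
        key = (source, prefix)
        calls = recent[key]
        calls.append((ts, int(host), outcome))
        while calls[0][0] < ts - window:
            calls.popleft()       # forget attempts older than the window
        hosts = [h for _, h, _ in calls]
        distinct = len(set(hosts))
        if key not in alerts and distinct >= min_distinct and longest_run(hosts) >= min_run:
            alerts[key] = {
                "at": ts,
                "distinct": distinct,
                "refused": sum(o == "REFUSED" for _, _, o in calls),
            }
    return alerts


if __name__ == "__main__":
    for (source, prefix), info in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"PAD {source} scanning prefix {prefix}: {info}")
```

A walk spread out so that fewer than five attempts fall inside any one window passes this check, so a long-horizon count of distinct addresses per calling PAD belongs next to it.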
Sometimes you’ll attempt to connect and it will just be sitting there after
one or two minutes. In this case, you want to abort the connect attempt by
sending a hard break (this varies with different term programs, on Procomm,
it’s ALT-B), and then when you get the @ prompt back, type ‘D’ for disconnect.
If you connect to a computer and wish to disconnect, you can type @
and it should say TELENET and then give you the @ prompt. From there,
type D to disconnect or CONT to re-connect and continue your session
uninterrupted.
Outdials, Network Servers, and PADs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In addition to computers, an NUA may connect you to several other things.
One of the most useful is the outdial. An outdial is nothing more than a modem
you can get to over telenet- similar to the PC Pursuit concept, except that
these don’t have passwords on them most of the time.
When you connect, you will get a message like ‘Hayes 1200 baud outdial,
Detroit, MI’, or ‘VEN-TEL 212 Modem’, or possibly ‘Session 1234 established
on Modem 5588’. The best way to figure out the commands on these is to
type ? or H or HELP- this will get you all the information that you need to
use one.
Safety tip here- when you are hacking *any* system through a phone dialup,
always use an outdial or a diverter, especially if it is a local phone number
to you. More people get popped hacking on local computers than you can
imagine, Intra-LATA calls are the easiest things in the world to trace
inexpensively.
Another nice trick you can do with an outdial is use the redial or macro
function that many of them have. First thing you do when you connect is to
invoke the ‘Redial Last Number’ facility. This will dial the last number used,
which will be the one the person using it before you typed. Write down the
number, as no one would be calling a number without a computer on it. This
is a good way to find new systems to hack. Also, on a VENTEL modem, type ‘D’
for Display and it will display the five numbers stored as macros in the
modem’s memory.
There are also different types of servers for remote Local Area Networks
(LAN) that have many machines all over the office or the nation connected to
them. I’ll discuss identifying these later in the computer ID section.
And finally, you may connect to something that says ‘X.25 Communication
PAD’ and then some more stuff, followed by a new @ prompt. This is a PAD
just like the one you are on, except that all attempted connections are billed
to the PAD, allowing you to connect to those nodes who earlier refused collect
connections.
This also has the added bonus of confusing where you are connecting from.
When a packet is transmitted from PAD to PAD, it contains a header that has
the location you’re calling from. For instance, when you first connected
to Telenet, it might have said 212 44A CONNECTED if you called from the 212
area code. This means you were calling PAD number 44A in the 212 area.
That 21244A will be sent out in the header of all packets leaving the PAD.
Once you connect to a private PAD, however, all the packets going out
from *it* will have its address on them, not yours. This can be a valuable
buffer between yourself and detection.
Phone Scanning
~~~~~~~~~~~~~~
Finally, there’s the time-honored method of computer hunting that was made
famous among the non-hacker crowd by that Oh-So-Technically-Accurate movie
Wargames. You pick a three digit phone prefix in your area and dial every
number from 0000 –> 9999 in that prefix, making a note of all the carriers
you find. There is software available to do this for nearly every computer
in the world, so you don’t have to do it by hand.
Part Three: I’ve Found a Computer, Now What?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This next section is applicable universally. It doesn’t matter how you
found this computer, it could be through a network, or it could be from
carrier scanning your High School’s phone prefix, you’ve got this prompt,
what the hell is it?
I’m *NOT* going to attempt to tell you what to do once you’re inside of
any of these operating systems. Each one is worth several G-files in its
own right. I’m going to tell you how to identify and recognize certain
OpSystems, how to approach hacking into them, and how to deal with something
that you’ve never seen before and have no idea what it is.
VMS- The VAX computer is made by Digital Equipment Corporation (DEC),
and runs the VMS (Virtual Memory System) operating system.
VMS is characterized by the ‘Username:’ prompt. It will not tell
you if you’ve entered a valid username or not, and will disconnect
you after three bad login attempts. It also keeps track of all
failed login attempts and informs the owner of the account next time
s/he logs in how many bad login attempts were made on the account.
It is one of the most secure operating systems around from the
outside, but once you’re in there are many things that you can do
to circumvent system security. The VAX also has the best set of
help files in the world. Just type HELP and read to your heart’s
content.
Common Accounts/Defaults: [username: password [[,password]] ]
SYSTEM: OPERATOR or MANAGER or SYSTEM or SYSLIB
OPERATOR: OPERATOR
SYSTEST: UETP
SYSMAINT: SYSMAINT or SERVICE or DIGITAL
FIELD: FIELD or SERVICE
GUEST: GUEST or unpassworded
DEMO: DEMO or unpassworded
DECNET: DECNET
DEC-10- An earlier line of DEC computer equipment, running the TOPS-10
operating system. These machines are recognized by their
‘.’ prompt. The DEC-10/20 series are remarkably hacker-friendly,
allowing you to enter several important commands without ever
logging into the system. Accounts are in the format [xxx,yyy] where
xxx and yyy are integers. You can get a listing of the accounts and
the process names of everyone on the system before logging in with
the command .systat (for SYstem STATus). If you see an account
that reads [234,1001] BOB JONES, it might be wise to try BOB or
JONES or both for a password on this account. To login, you type
.login xxx,yyy and then type the password when prompted for it.
The system will allow you unlimited tries at an account, and does
not keep records of bad login attempts. It will also inform you
if the UIC you’re trying (UIC = User Identification Code, 1,2 for
example) is bad.
Common Accounts/Defaults:
1,2: SYSLIB or OPERATOR or MANAGER
2,7: MAINTAIN
5,30: GAMES
UNIX- There are dozens of different machines out there that run UNIX.
While some might argue it isn’t the best operating system in the
world, it is certainly the most widely used. A UNIX system will
usually have a prompt like ‘login:’ in lower case. UNIX also
will give you unlimited shots at logging in (in most cases), and
there is usually no log kept of bad attempts.
Common Accounts/Defaults: (note that some systems are case
sensitive, so use lower case as a general rule. Also, many times
the accounts will be unpassworded, you’ll just drop right in!)
root: root
admin: admin
sysadmin: sysadmin or admin
unix: unix
uucp: uucp
rje: rje
guest: guest
demo: demo
daemon: daemon
sysbin: sysbin
Prime- Prime computer company’s mainframe running the Primos operating
system. They are easy to spot, as they greet you with
‘Primecon 18.23.05’ or the like, depending on the version of the
operating system you run into. There will usually be no prompt
offered, it will just look like it’s sitting there. At this point,
type ‘login ‘. If it is a pre-18.00.00 version of Primos,
you can hit a bunch of ^C’s for the password and you’ll drop in.
Unfortunately, most people are running versions 19+. Primos also
comes with a good set of help files. One of the most useful
features of a Prime on Telenet is a facility called NETLINK. Once
you’re inside, type NETLINK and follow the help files. This allows
you to connect to NUA’s all over the world using the ‘nc’ command.
For example, to connect to NUA 026245890040004, you would type
@nc :26245890040004 at the netlink prompt.
Common Accounts/Defaults:
PRIME PRIME or PRIMOS
PRIMOS_CS PRIME or PRIMOS
PRIMENET PRIMENET
SYSTEM SYSTEM or PRIME
NETLINK NETLINK
TEST TEST
GUEST GUEST
GUEST1 GUEST
HP-x000- This system is made by Hewlett-Packard. It is characterized by the
‘:’ prompt. The HP has one of the more complicated login sequences
around- you type ‘HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP’.
Fortunately, some of these fields can be left blank in many cases.
Since any and all of these fields can be passworded, this is not
the easiest system to get into, except for the fact that there are
usually some unpassworded accounts around. In general, if the
defaults don’t work, you’ll have to brute force it using the
common password list (see below.) The HP-x000 runs the MPE operating
system, the prompt for it will be a ‘:’, just like the logon
prompt.
Common Accounts/Defaults:
MGR.TELESUP,PUB User: MGR Acct: HPONLY Grp: PUB
MGR.HPOFFICE,PUB unpassworded
MANAGER.ITF3000,PUB unpassworded
FIELD.SUPPORT,PUB user: FLD, others unpassworded
MAIL.TELESUP,PUB user: MAIL, others unpassworded
MGR.RJE unpassworded
FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96 unpassworded
MGR.TELESUP,PUB,HPONLY,HP3 unpassworded
IRIS- IRIS stands for Interactive Real Time Information System. It
originally ran on PDP-11’s, but now runs on many other minis. You can
spot an IRIS by the ‘Welcome to “IRIS” R9.1.4 Timesharing’ banner,
and the ACCOUNT ID? prompt. IRIS allows unlimited tries at hacking
in, and keeps no logs of bad attempts. I don’t know any default
passwords, so just try the common ones from the password database
below.
Common Accounts:
MANAGER
BOSS
SOFTWARE
DEMO
PDP8
PDP11
ACCOUNTING
VM/CMS- The VM/CMS operating system runs in International Business Machines
(IBM) mainframes. When you connect to one of these, you will get a
message similar to ‘VM/370 ONLINE’, and then it will give you a ‘.’ prompt,
just like TOPS-10 does. To login, you type ‘LOGON ‘.
Common Accounts/Defaults are:
AUTOLOG1: AUTOLOG or AUTOLOG1
CMS: CMS
CMSBATCH: CMS or CMSBATCH
EREP: EREP
MAINT: MAINT or MAINTAIN
OPERATNS: OPERATNS or OPERATOR
OPERATOR: OPERATOR
RSCS: RSCS
SMART: SMART
SNA: SNA
VMTEST: VMTEST
VMUTIL: VMUTIL
VTAM: VTAM
NOS- NOS stands for Networking Operating System, and runs on the Cyber
computer made by Control Data Corporation. NOS identifies itself
quite readily, with a banner of ‘WELCOME TO THE NOS SOFTWARE
SYSTEM. COPYRIGHT CONTROL DATA 1978,1987’. The first prompt you
will get will be FAMILY:. Just hit return here. Then you’ll get
a USER NAME: prompt. Usernames are typically 7 alphanumeric
characters long, and are *extremely* site dependent. Operator
accounts begin with a digit, such as 7ETPDOC.
Common Accounts/Defaults:
$SYSTEM unknown
SYSTEMV unknown
Decserver- This is not truly a computer system, but is a network server that
has many different machines available from it. A Decserver will
say ‘Enter Username>’ when you first connect. This can be anything,
it doesn’t matter, it’s just an identifier. Type ‘c’, as this is
the least conspicuous thing to enter. It will then present you
with a ‘Local>’ prompt. From here, you type ‘c ‘ to
connect to a system. To get a list of system names, type
‘sh services’ or ‘sh nodes’. If you have any problems, online
help is available with the ‘help’ command. Be sure and look for
services named ‘MODEM’ or ‘DIAL’ or something similar, these are
often outdial modems and can be useful!
GS/1- Another type of network server. Unlike a Decserver, you can’t
predict what prompt a GS/1 gateway is going to give you. The
default prompt is ‘GS/1>’, but this is redefinable by the
system administrator. To test for a GS/1, do a ‘sh d’. If that
prints out a large list of defaults (terminal speed, prompt,
parity, etc…), you are on a GS/1. You connect in the same manner
as a Decserver, typing ‘c ‘. To find out what systems
are available, do a ‘sh n’ or a ‘sh c’. Another trick is to do a
‘sh m’, which will sometimes show you a list of macros for logging
onto a system. If there is a macro named VAX, for instance, type
‘do VAX’.
The above are the main system types in use today. There are
hundreds of minor variants on the above, but this should be
enough to get you started.
Unresponsive Systems
~~~~~~~~~~~~~~~~~~~~
Occasionally you will connect to a system that will do nothing but sit
there. This is a frustrating feeling, but a methodical approach to the system
will yield a response if you take your time. The following list will usually
make *something* happen.
1) Change your parity, data length, and stop bits. A system that won’t
respond at 8N1 may react at 7E1 or 8E2 or 7S2. If you don’t have a term
program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
While having a good term program isn’t absolutely necessary, it sure is
helpful.
2) Change baud rates. Again, if your term program will let you choose odd
baud rates such as 600 or 1100, you will occasionally be able to penetrate
some very interesting systems, as most systems that depend on a strange
baud rate seem to think that this is all the security they need…
3) Send a series of ‘s.
4) Send a hard break followed by a .
5) Type a series of .’s (periods). The Canadian network Datapac responds
to this.
6) If you’re getting garbage, hit an ‘i’. Tymnet responds to this, as does
a MultiLink II.
7) Begin sending control characters, starting with ^A –> ^Z.
8) Change terminal emulations. What your vt100 emulation thinks is garbage
may all of a sudden become crystal clear using ADM-5 emulation. This also
relates to how good your term program is.
9) Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
JOIN, HELP, and anything else you can think of.
10) If it’s a dialin, call the numbers around it and see if a company
answers. If they do, try some social engineering.
Brute Force Hacking
~~~~~~~~~~~~~~~~~~~
There will also be many occasions when the default passwords will not work
on an account. At this point, you can either go onto the next system on your
list, or you can try to ‘brute-force’ your way in by trying a large database
of passwords on that one account. Be careful, though! This works fine on
systems that don’t keep track of invalid logins, but on a system like a VMS,
someone is going to have a heart attack if they come back and see ‘600 Bad
Login Attempts Since Last Session’ on their account. There are also some
operating systems that disconnect after ‘x’ number of invalid login attempts
and refuse to allow any more attempts for one hour, or ten minutes, or
sometimes until the next day.
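Added example, not from the original file: the defensive behavior described above and in the VMS entry, written as a Python login guard that answers the same way for valid and invalid usernames, locks an account for an hour after three bad attempts in a row, and reports the failure count at the next good login. The class and function names, the in-memory store and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3         # bad logins in a row before lockout, as described for VMS
LOCKOUT_SECONDS = 3600   # "one hour", one of the lockout periods the text mentions
PBKDF2_ROUNDS = 100_000  # example work factor (assumption)


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    exists: bool = True
    failures_since_login: int = 0   # shown to the owner at the next good login
    consecutive: int = 0            # bad attempts in a row
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self._accounts = {}

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._accounts[user] = Account(salt, _digest(password, salt))

    def _state(self, user):
        # Unknown names get a placeholder record with a random digest, so they
        # are hashed, counted and locked exactly like real accounts and the
        # caller cannot tell which names exist. A production store would bound
        # the number of placeholders it keeps.
        if user not in self._accounts:
            self._accounts[user] = Account(os.urandom(16), os.urandom(32), exists=False)
        return self._accounts[user]

    def attempt(self, user, password, now):
        """Return (status, notice); status is 'ok', 'denied' or 'locked'."""
        acct = self._state(user)
        # Always hash, even while locked, so response time does not vary.
        matches = hmac.compare_digest(_digest(password, acct.salt), acct.digest)
        if now < acct.locked_until:
            acct.failures_since_login += 1   # attempts during lockout count too
            return "locked", None
        if matches and acct.exists:
            notice = None
            if acct.failures_since_login:
                notice = (f"{acct.failures_since_login} failed login attempts "
                          "since last session")
            acct.failures_since_login = 0
            acct.consecutive = 0
            return "ok", notice
        acct.failures_since_login += 1
        acct.consecutive += 1
        if acct.consecutive >= self.max_failures:
            acct.locked_until = now + self.lockout
            acct.consecutive = 0
        return "denied", None


if __name__ == "__main__":
    guard = LoginGuard()
    guard.add_user("operator", "c0rrect-horse")   # constructed credentials
    for t, guess in enumerate(["operator", "manager", "system", "c0rrect-horse"]):
        print(t, guess, guard.attempt("operator", guess, t))
```

Lockout lets anyone who knows an account name keep its owner out, so the threshold and the lockout period are a trade-off between guessing resistance and availability.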
The following list is taken from my own password database plus the
database of passwords that was used in the Internet UNIX Worm that was running
around in November of 1988. For a shorter group, try first names, computer
terms, and obvious things like ‘secret’, ‘password’, ‘open’, and the name
of the account. Also try the name of the company that owns the computer
system (if known), the company initials, and things relating to the products
the company makes or deals with.
Password List
=============
aaa daniel jester rascal
academia danny johnny really
ada dave joseph rebecca
adrian deb joshua remote
aerobics debbie judith rick
airplane deborah juggle reagan
albany december julia robot
albatross desperate kathleen robotics
albert develop kermit rolex
alex diet kernel ronald
alexander digital knight rosebud
algebra discovery lambda rosemary
alias disney larry roses
alpha dog lazarus ruben
alphabet drought lee rules
ama duncan leroy ruth
amy easy lewis sal
analog eatme light saxon
anchor edges lisa scheme
andy edwin louis scott
andrea egghead lynne scotty
animal eileen mac secret
answer einstein macintosh sensor
anything elephant mack serenity
arrow elizabeth maggot sex
arthur ellen magic shark
asshole emerald malcolm sharon
athena engine mark shit
atmosphere engineer markus shiva
bacchus enterprise marty shuttle
badass enzyme marvin simon
bailey euclid master simple
banana evelyn maurice singer
bandit extension merlin single
banks fairway mets smile
bass felicia michael smiles
batman fender michelle smooch
beauty fermat mike smother
beaver finite minimum snatch
beethoven flower minsky snoopy
beloved foolproof mogul soap
benz football moose socrates
beowulf format mozart spit
berkeley forsythe nancy spring
berlin fourier napoleon subway
beta fred network success
beverly friend newton summer
bob frighten next super
brenda fun olivia support
brian gabriel oracle surfer
bridget garfield orca suzanne
broadway gauss orwell tangerine
bumbling george osiris tape
cardinal gertrude outlaw target
carmen gibson oxford taylor
carolina ginger pacific telephone
caroline gnu painless temptation
castle golf pam tiger
cat golfer paper toggle
celtics gorgeous password tomato
change graham pat toyota
charles gryphon patricia trivial
charming guest penguin unhappy
charon guitar pete unicorn
chester hacker peter unknown
cigar harmony philip urchin
classic harold phoenix utility
coffee harvey pierre vicky
coke heinlein pizza virginia
collins hello plover warren
comrade help polynomial water
computer herbert praise weenie
condo honey prelude whatnot
condom horse prince whitney
cookie imperial protect will
cooper include pumpkin william
create ingres puppet willie
creation innocuous rabbit winston
creator irishman rachmaninoff wizard
cretin isis rainbow wombat
daemon japan raindrop yosemite
dancer jessica random zap
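Added example, not from the original file: a Python check for the password-change path that refuses the choices the guessing order above relies on, namely an empty password, the account name (also reversed or doubled), the company name or its initials, and listed common words with digits tacked on. The word set is a small sample taken from the list and the default-account tables above; the function names and the company name in the demo are hypothetical.

```python
import re

# Small sample drawn from the word list and default tables on this page;
# a real deployment would load the full list.
COMMON_WORDS = frozenset(
    "secret password open guest demo system operator manager "
    "wizard hacker computer network digital".split()
)


def _account_forms(account):
    name = account.lower()
    return {name, name[::-1], name + name}       # as-is, reversed, doubled


def _company_forms(company):
    tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", company) if t]
    forms = set(tokens)                          # each word of the name
    forms.add("".join(tokens))                   # whole name run together
    forms.add("".join(t[0] for t in tokens))     # initials
    forms.discard("")
    return forms


def weak_reason(password, account, company=None, words=COMMON_WORDS):
    """Return why the password is guessable, or None if no rule matches."""
    if not password:
        return "empty password"
    lowered = password.lower()
    # 'secret42' and '1secret' are still 'secret' to a guessing program.
    core = re.sub(r"^\d+|\d+$", "", lowered)
    account_forms = _account_forms(account)
    company_forms = _company_forms(company) if company else set()
    for candidate in (lowered, core):
        if not candidate:
            continue
        if candidate in account_forms:
            return "derived from account name"
        if candidate in company_forms:
            return "derived from company name"
        if candidate in words:
            return "common word"
    return None


if __name__ == "__main__":
    samples = [("FIELD", "field"), ("Secret42", "bob"), ("tr4il-Mix!quartz", "bob")]
    for pw, acct in samples:
        print(acct, repr(pw), weak_reason(pw, acct, company="Acme Computer Systems"))
```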
Part Four: Wrapping it up!
~~~~~~~~~~~~~~~~~~~~~~~~~~
I hope this file has been of some help in getting started. If you’re
asking yourself the question ‘Why hack?’, then you’ve probably wasted a lot
of time reading this, as you’ll never understand. For those of you who
have read this and found it useful, please send a tax-deductible donation
of $5.00 (or more!) in the name of the Legion of Doom to:
The American Cancer Society
90 Park Avenue
New York, NY 10016
******************************************************************************
References:
1) Introduction to ItaPAC by Blade Runner
Telecom Security Bulletin #1
2) The IBM VM/CMS Operating System by Lex Luthor
The LOD/H Technical Journal #2
3) Hacking the IRIS Operating System by The Leftist
The LOD/H Technical Journal #3
4) Hacking CDC’s Cyber by Phrozen Ghost
Phrack Inc. Newsletter #18
5) USENET comp.risks digest (various authors, various issues)
6) USENET unix.wizards forum (various authors)
7) USENET info-vax forum (various authors)
Recommended Reading:
1) Hackers by Steven Levy
2) Out of the Inner Circle by Bill Landreth
3) Turing’s Man by J. David Bolter
4) Soul of a New Machine by Tracy Kidder
5) Neuromancer, Count Zero, Mona Lisa Overdrive, and Burning Chrome, all
by William Gibson
6) Reality Hackers Magazine c/o High Frontiers, P.O. Box 40271, Berkeley,
California, 94704, 415-995-2606
7) Any of the Phrack Inc. Newsletters & LOD/H Technical Journals you can find.
Acknowledgements:
Thanks to my wife for putting up with me.
Thanks to Lone Wolf for the RSTS & TOPS assistance.
Thanks to Android Pope for proofreading, suggestions, and beer.
Thanks to The Urvile/Necron 99 for proofreading & Cyber info.
Thanks to Eric Bloodaxe for wading through all the trash.
Thanks to the users of Phoenix Project for their contributions.
Thanks to Altos Computer Systems, Munich, for the chat system.
Thanks to the various security personnel who were willing to talk to
me about how they operate.
Boards:
I can be reached on the following systems with some regularity-
The Phoenix Project: 512/441-3088 300-2400 baud
Hacker’s Den88: 718/358-9209 300-1200 baud
Smash Palace South: 512/478-6747 300-2400 baud
Smash Palace North: 612/633-0509 300-2400 baud


JANET PAD Listing Revision 1.2 (March 1st, 1990)

                               JPAD12.TXT
                               ----------

             JANET PAD listing - revision 1.2 - 1st March 1990

Hi everyone...

Here's a list of dial-up PAD's that will give you access to the JANET network!
Unless stated, these all use 7 data bits, even parity and one stop bit.
I've also given the baud rates where I know them (V21=300, V22=1200,
V22bis=2400, and V23=1200/75)

When you've got through to the PAD, you might get a 'Which Service?' prompt.
If so, type 'PAD<cr>'. Sometimes you'll need to hit <cr> a few times to get
a response from the machine.

Once you're at the 'PAD>' prompt (you might need to hit 'Return' a few times
to wake up the PAD), you can call any computer system on JANET by entering
'CALL xxxxxxxxxxxx', where 'xxxxxxxxxxxx' is the 12- or 14-digit network
address of the machine in question. Note that JANET will only get you as far as the
remote computer's login screen - from there on you are on your own and will
have to find/guess ID's and passwords...

To start you off, two excellent public-access systems exist on JANET that are
CRAMMED with info and useful clues for would-be hackers!

These are:      JANET News Machine: 000050005002 (login as 'NEWS' - no password
                                                  needed)
                NISS Bulletin Board:000062200000

These two systems will give you plenty of starting points for possible hacks
(net addresses etc). But make sure that you're on a local call if possible -
before I found these PAD numbers, I spent 3 hours on a long-distance call to
the Janet News Machine!!!

Hope this info is of use and interest - leave a msg for 'Boris' on GoobTel
(0602-706307;V21/23) if you have questions/comments/suggestions/good passwords!!

One more thing - try calling 000002010001 - this is a PD software archive
run by Lancaster Uni. - they carry s/w for PC, ST, Amiga, BBC and (I think)
other machines as well. Eventually I'll put up a file on here going into
more detail...(by the way, you'll need to login with username 'pdsoft' and
password 'pdsoft' - both in lower case)

Bye for now, and have great fun - I did!

Cheers, Boz

Birmingham U...............021-471-2611
                           021-471-2101
Cambridge U................0223-338888 (V21/23)
                           0223-338848 (V21/22/22bis/23)
Cranfield U................0234-752795
                           0234-752796
Daresbury U................0925-68461 (V21/22/22bis/23 and MNP) *
Durham U...................091-374-2832
Edinburgh U................031-667-1071 (V21/22)
Glasgow U..................041-334-8100
U. of Lon. Comp. Centre....071-831-6171 (V21/22)
                           071-831-6181 (V23 - 8-N-1) *
U. College Lon.............071-388-2333 (V21/22/22bis) *
Queen Mary's College Lon...081-980-7100 (V21)
                           081-981-7331 (V23)
King's College Lon.........071-379-7985 (V21)
                           071-240-4928 (V23)
Lancaster U................0544-677544 (V21/22/22bis/23+MNP - 8-N-1) *
Leeds U....................0532-461514 (use CALL Jnnnnnnnnnnnn) *
Nottingham U...............0602-507521 (V21/22/22bis/23) *
                           0602-507522 (V23)
                           0602-507523 (V22) *
Oxford U...................0865-722311 (V21/22/22bis/23)
Strathclyde U..............041-552-8467
York U.....................0904-433826 (V21)
                           0904-433827 (V23)

                   UPDATES WITH THIS REVISION (1.3):

Added Leeds Uni's PAD (0532-461514).
Changed the line format slightly to squeeze in more comments.
Changed the format of the introductory notes to make them more readable (!)
Changed all London 01 codes to the new 071/081 format.

REVISION 1.2 (1 Mar '90)
Another name change - to JPADxx.TXT. Hopefully this is easier to type - and
leaves me a bit of room for extending the filename if necessary!

ULCC's V23 node (071-831-6181) is actually 8-N-1 and not 7-E-1 as listed in
previous revisions.

The PAD's which I have actually tested and found to work OK are now marked
with asterisks (*).

In the introductory note, I have now mentioned the systems that prompt 'Which
Service?' instead of dropping straight into the PAD. Hopefully this will sort
out a few problems people might be having.

REVISION 1.1 (18th Feb '90)
Lancaster Uni's PAD actually uses 8 bits, no parity, one stop bit instead of
7-E-1! Apologies for the error...

No more mistakes detected so far...!

Cheers, Boz


European Computers List #1 by Kerrang Khan

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%				      %
%	   European Computers	      %
%				      %
%	list #1 as compiled by	      %
%				      %
%	     Kerrang Khan	      %
%				      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

  Here is a list of some of the computers in Europe that you can access via
Telenet.  To make an international data call you need a Telenet ID, but the
quantity of the systems justifies the effort.  A few quick notes before the
list.

  1) To call the # listed precede it with 'C 0'+#.  IE - 'C 0234223440144'.

  2) There are two major networks in the UK (where most of these systems are
located).  These are Janet and Sercnet.  There are many gateways into these
datanets, but the main PAD is 22351919169.

  3) Instructions for use.  To call a Sercnet host you would type the host
mnemonic at the '>' prompt preceded by a period.  ie '.EDXA' will put you
through to the Edinburgh University.  As Janet and Sercnet have become so
intertwined it's hard to tell them apart, the method is the same for Janet.  The
PAD also accepts numeric addresses, but like mnemonics they must be preceded
with a dot.  It's because it's expecting an ID before the period, but it's too
much to explain.  It's something of a hacker's dream to hop from system to
system, so have fun.  There is a method of getting through without using a
Telenet ID but it involves an international call and using a European standard
modem.  If there are any specific questions, please E-mail me.

	Have fun,
	   Kerrang Khan

Here is it...



ICE: Inner Circle Elites Present: The Hack/Phreak Handbook v1.00 by Liquid Jesus (June 9, 1992)

                                                                   [06.09.92]
                 _____________        __________         __________
                /____    ____/\      /   ______/\       /   ______/\
                \__ /   /\___\/     /   /\_____\/      /   /\_____\/
                   /   / /         /   / /            /   /_/___
                  /   / /         /   / /            /   ______/\
                 /   / /         /   / /            /   /\_____\/
            ____/   /_/__       /   /_/____        /   /_/____
           /____________/\     /__________/\      /__________/\
           \____________\/     \__________\/      \__________\/

                              HQ: [416] 934-4055

                    +------------------------------------+
                    | INNER CIRCLE ELITES (ICE) Present: |
           +--------+------------------------------------+---------+
           |                                                       |
           |   -- The Hack/PHreak Handbook v1.00 [Release #1] --   |
           |                                                       |
           |                    by Liquid Jesus                    |
           |                                                       |
           +-------------------------------------------------------+
        %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                    Part I: Introduction 
                   Part II: Rules, Code of Ethics, Warnings
                  Part III: Definitions of terms
                   Part IV: Hacking systems: UNIX, VAX, and PRIME
                    Part V: Datapac, finding systems to hack
                   Part VI: End of Transmission
        %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Part I: Introduction 
~~~~~~~~~~~~~~~~~~~~

	Ok, so it's time to write an introductory phile for all those people
out there who have always wanted to do stuff like they see in the movies but
don't know how.  Well, almost like you see in the movies.  This file isn't
going to teach you how to launch ICBM's at Russia or anything, but it will
get you to become familiar with some hack/phreak (h/p) terms that are
commonly used.  I've tried writing this before but I didn't know where to
start.  H/P texts get spread around the world so quickly, that if I wrote a
hack/phreak text on how to get started in the St. Catharines/Niagara area,
people in Europe won't have a clue as to what the hell I was talking about.
But screw it, the way I see things it's better to get people started here
than over there.  At least I can see the effects of this file if it's for
local people.

	Alot of you may already have knowledge about alot of the systems I'm
going to talk about (VAX, Unix, Primos, etc..) from your university
experiences (alot of universities use VAX's in particular, and you may have
already used the Unix operating system on those good old ICON's in high
school).  If you don't have any previous experience with these systems,
don't panic, this file should explain most of what you need to know on
getting started.  You may be asking yourself "Why is he writing this file
anyways?".  Well, for one, because the phreak community in Niagara SUCKS.
As far as I know, my BBS is the only one supporting h/p areas that are
active.  Two, it seems I'm the only one calling long distance because I'm
the only one that CAN (for free).  With more people calling for free, the
more of the world will be brought to Niagara (instead of people like myself
going to all continents chasing after things).  Also, I'll be
concentrating on the Datapac network, because it's the biggest Canadian
network around and it has local dialups all across the country.  Future
releases will get more into detail about other networks such as Tymnet,
Telenet, ItaPAC, etc..

Part II: Rules, Code of Ethics, Warnings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	Before I start talking about anything, I'd like to state some of the
rules to follow, some of the phreak's codes of ethics, and some warnings on
what to do and what NOT to do:

 1 - Always share information.  A "fone phreak" is someone who shares what
     he finds, with other people, that's the whole idea.  There's strength
     in numbers and there's a hellova lot more chance on cracking a system
     that 200 people know about, than cracking a system that one person has
     found but chooses to keep it a secret.

 2 - Don't destroy information.  This is a *must follow* rule.  If you have
     broken into a computer for some company and can't find anything of
     interest, don't start formatting hard drives and screwing up the system.
     The chance of getting caught could double or triple as soon as you do
     this (ESPECIALLY if you are calling that system through a network,
     there's more chance that someone may be watching what you're doing).
     Of course it's okay to delete any files that may show that you were IN
     the system (log files, incorrect password files, etc..) but don't 
     kill anything for no reason.

 3 - Help others.  You'll find most people in the phreak community will be
     willing to help you and answer questions as long as you're polite.  
     You WILL do most of your learning by yourself but there will also be
     times when you've got something you have NO CLUE about, and have to ask
     someone who does.  So once YOU are experienced and someone has a
     question, answer it no matter how basic the question may seem.  
     Remember, everyone was a beginner sometime.

 4 - Don't go too far into things you don't know about.  There are certain
     things out there that only the most experienced hackers should screw
     with (eg: C.B.I., Cosmos, some 1-800 services, etc..).  

 5 - Don't show off by telling people what you've done.  Sure it's okay
     to talk to other phreaks about your doings, but if you have someone
     on a board who you've known for awhile, but doesn't seem to be into the
     h/p scene, don't start babbling to him about all the stuff you've
     hacked.  I've heard a FEW stories about people bragging to other people
     that they don't really know, and have arrived in a pile of dung for it.
     Only talk about hack/phreak stuff on hack/phreak BBS's.

	Well those are most of the things you should follow, sure there's
lots of other rules I could have put up but those are the main ones.  I hope
they help.  I know there'll always be that ONE person that doesn't share his
info, or that ONE person that will want to destroy every system he finds,
but I hope the majority will follow those rules.

	Oh yah, before I go on, you're probably wondering "What the hell's
the difference between a hacker and a phreak".  Well, a hacker is basically
someone who is interested in information, someone who wants to get into
systems to LEARN from them.  A phreak is someone who wants to use that
knowledge to his advantage (free phone calls, use of pay services, etc..).
A lot of hackers stay to their own area, hacking local systems, whereas a lot
of phreaks don't even own computers!  All you need to phreak is a touchtone
phone (essentially).  Of course, a lot of phreaks use their knowledge to
HACK on other systems that they can get to calling long distance, and a lot of
hackers get into phreaking for the same reason.  I guess the main difference
is that hackers want to learn information, and phreaks are more interested
in sharing it.  A little knowledge can be a dangerous thing.

Part III: Definitions of H/P Terms
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	Ok, not all of these following terms are used JUST in the h/p
community but you should know what they mean.  You could be writing down
stuff from a VMB and not know what the hell you're writing down.  Knowing
the terminology is important.  There's literally HUNDREDS of things I
could list here, but I'll stick to the stuff you need to know... If you
want a full list of terminology call the ICE HQ BBS (416-934-4055) and get
it there.

800 Services - there are MANY types of 800 services (eg: PBX's (Private
     Branch eXchanges), 950's, etc..) that allow you to call for free.
     PBX's are the most popular service and are used by big companies.  
     Ok, a company wants its employees to be able to make long distance
     phone calls (for business purposes only of course) so that the calls
     are billed directly to the company.  The employee would call up the
     800 number, enter a code, and then would be switched over to another
     line and would hear a dial tone.  From here he enters the long distance
     number he wants to call.  What hackers/phreaks do is find these services,
     hack out the codes, and use them for themselves.  Most 800 services are
     limited to calling within North America but I HAVE seen a few that
     allow overseas calls.  When you call long distance using an 800 service,
     it's just a standard connection so uploading and downloading on BBS's
     is possible (unlike when calling using PADs - more on this below).  
     The prob with these services is that once a code is hacked out, it's
     spread over VMBs to hundreds  of other hackers, and the codes don't 
     last long.

Amex - American Express credit card

CC - Calling Card.  Calling Cards are used widespread in Europe (especially
     AT&T's) and North America (usually MCI's - safer to use here.).  The
     main calling cards that are used by phreaks are AT&T's (also referred 
     to as ATTs), MCI, Sprint, and even Bell once in awhile.  MCI's are 
     safe to use, I've used a number of them racking up hundreds of dollars 
     in unpaid long distance calls and haven't been bothered by anyone.  
     The problem with using calling cards to call for free is that they 
     don't last long.  If you get a calling card over a VMB then chances 
     are there's a few THOUSAND other phreaks using that same card to call
     all over the world within a few hours.  It's unusual for a calling 
     card to last more than a day or two.

CC - Credit Card.  Yes, the same abbreviation is used for calling cards as
     credit cards.  The only thing credit cards are good for basically is
     calling up porno lines.  They're useless without all the info.  Most
     of the time when you get a credit card it will just be the card
     number (14-16 digit) and the expiry date (month and year eg: 10/93
     for Oct. 1993).  If by some chance you get a credit card that has
     ALL the info (holder's name, SIN #, age, date of birth, issuing
     bank, etc...) you've got yourself a hot item.  If the card is new
     (virgin - nobody else knows about it) you can do a number of things.
     1: you can call up pay services and register with them (eg:
     CompuServe, GEnie, BIX, etc) or 2: you can do a mail order and get
     yourself that 700 meg hard drive you've always wanted.  There are
     a couple of drawbacks to doing this though.  You have to know how much
     money the holder has left to spend on the card (yes, you can also
     find this out...) and you have to have an empty house to have it
     mailed to (or do what some people I know have done - order it
     straight to your house).  Anyways... I don't think I have to tell
     you the advantages of having someone else's credit card information.
     If you've got one then use your imagination.  And whatever you do,
     stay quiet about it.  Credit card fraud is a bitchin offence.  Major
     cc's that are frequently ripped off are American Express, VISA, and
     MasterCard.

Codes - Well it's pretty self-explanatory but a code can be anything from
    a way to call long distance for free, to a number of a virgin VMB
    system, to a backdoor to a porno chat line, to a login to a VAX system.
    Codes are basically anything that will let you use a pay service (of 
    any kind) for free, or something that will get you into somewhere
    you're not supposed to be.

PAD - Packet Assembler/Disassembler.  That's one name, it's also referred
    to by some as a Public Access Device.  All it is, is a program that is
    tied into a network (eg: X.25) and it allows you to call any other 
    system in the world that is also connected to the X.25 network via
    its network user address (NUA).  Advantages of using a PAD to call
    systems is that you get a crystal clear connection - no line noise.
    The disadvantage, is since what you type is put into a packet (usually
    128 or 256 bytes - but this can be changed), there is a DELAY called
    "PAD delay".  Eg: you get to a prompt that says "Hit any Key to Continue"
    so you hit the return key.  Text would not continue to come out from
    the other end for a few seconds after that.  Also, when you're typing
    in large amounts of text as in messages, the text you enter will appear
    on your screen in chunks at a time.  The major disadvantage of calling
    through PADs is that upload/downloading isn't possible.  There ARE u/d
    protocols designed to take pad delay into account but none for
    microcomputers yet (or none that I know of).  Some people claim to have
    gotten (I know, bad grammar) Zmodem to work when calling through a PAD
    but I haven't myself.

NUI - Network User Identification.  This is similar to an NUA but the 
    major difference is that it's used by only one person and not an 
    entire company.  Eg: an employee connects to Datapac and enters his
    NUI (usually a 6-digit #) and from there he can call any system in
    the world via X.25 network.  If his company is in Toronto Canada and
    he's off on business in France, he can hook up to his company's
    system by using his NUI to call.  Datapac NUI's are scarce and chances
    are you won't be using one that often.

NUA - Network User Address.  These are numbers consisting of a variable
    number of digits that are used by the X.25 network to connect you to
    other systems.  An NUA is kind of like a phone number.  Eg: the NUA 
    for an international chat line in France called QSD is 208057040540.
    So to connect to QSD I'd get to a PAD, enter the calling command 
    (usually c1) then the NUA of the system I want to connect to.  So at 
    the PAD prompt (I'll use the PADs on Primos computers called "NetLink"
    as an example) I'd enter c1208057040540 [return] and in seconds it 
    would say something like PAD - Call connected to 208057040540 and I'd
    be on QSD.  There are thousands of NUAs for all types of systems 
    ranging from chat lines, to university VAX's, to government mainframes,
    to small company computers, to online libraries.  

OD - OutDial.  This is a phone line that you connect to via its NUA
    and from there it switches you to an average telephone line from
    which you can call out using ordinary telephone numbers.  Most 
    major urban areas have an outdial and all outdials are connected to
    by its NUA.  An example for Milwaukee Wisconsin, USA is
    311041400020 which has a 2400 baud modem attached to it (some outdials
    even have 9600 modems attached to them).  So if I wanted to call Tone
    Town BBS in Milwaukee Wisconsin which has a phone number of
    (414)781-3218 I'd connect to my PAD, then connect to the Milwaukee 
    outdial, and from there I'd type ATZ [return] (to reset the modem at 
    the outdial), then ATDT7813218 [return] and that would make a local 
    call from the outdial to the BBS.  Lists of outdials and the areas
    they're for are available on most half-decent hack/phreak BBS's.  Of
    course the only way to get to an outdial is through a PAD and that
    will give you PAD delay, but hey, it's a crystal clear connection and
    it's free.  Outdials (normal ones) only allow you to make local calls
    from them although SOME outdials (Global Outdials - GOD's) allow you
    to make calls anywhere.  I'd say only about 1 in 20 outdials are
    GOD's.  There's no way to tell the difference, only to try to call
    long distance from the outdial and see for yourself.  Oh yah, if you
    want a menu when you're connected to an outdial, enter "%" and hit
    return.  You'll get a "READY" prompt then type "?" and hit return for
    a menu.

VMB - Voice Mail Box.  These are neat little devices used by company 
    employees to receive voice mail.  Essentially what they are is a
    1-800 answering machine.  It allows the owner to be away on business
    and still check for any messages by entering a secret "passcode". When
    this passcode is entered the owner can listen to his messages, delete
    them, change his greet or do a number of other things.  A standard
    voice mail system could have up to a thousand or more mail boxes on it.
    So what's the use of 'em?  When you call a VMB system a recorded message
    will come on asking you to enter the voice mailbox number (usually a 3
    or 4 digit number) using your average touchtone phone.  You enter the
    mailbox number of the person you're trying to reach and their recorded
    message (called the "greet") will be played.  How they're used?  Well
    phreaks call up these VMB services and hack out the passcodes of other
    people's mailboxes and use it for themselves.  This allows phreaks
    from all over the country to call up, listen to the greet (which is 
    usually filled with codes), and leave some codes (if the person has
    any) after the beep.  EG: I call up Digital Assassin's voice mailbox
    at 1-800-268-6683 (just an example), enter 4251 at the recording (an
    example of what his mailbox # would be) and his pre-recorded message
    would come on listing a bunch of codes to different services, bbs
    numbers to call, etc..  then at the beep, if I didn't have any codes
    I could advertise my favorite bbs eg: "Hi, this is Liquid Jesus.  Call
    Psychiatric CyberHell BBS at 416-934-4055.  Later" and hang up.  If
    Digital Assassin was cool he'd put this in his next greet.  Most
    greets are updated every day or second day.  VMB's are the best way
    to trade information quickly and the best way to get new codes.

Ok, so you still don't know how to call long distance for free right? 
Well from the above mentioned terms, there's 2 different ways:

1 - using 800 services
2 - using a PAD

eg. for 800 service:

I type AT&C <cr> to set my modem's carrier detect ON.
I type ATXD (NOT hitting return yet)
I pick up my touch tone and enter the 800 service (eg: 1-800-123-4567)
at the tone I enter the code, and then I receive another dialtone.
I enter 1-416-934-4055 (the number of the BBS I'm calling).
When I hear the carrier I hit return (which sends the ATXD to the modem
telling it to connect) and hang up my voice phone and WALLA!  I'm
connected.

eg. for a PAD  (little more complicated...)

I call up my local Datapac dialup (eg: 687-1115 - a 2400bps dialup)
I enter ".." <cr>    (two periods and return to tell Dpac I'm there)
I enter the datapac address of the system I want to connect to eg:20500015
plus <cr> and now I'm connected to that system.  I now enter the username
and password or whatever is needed to enter the system.  Once in, I get to
the PAD on that system, at the pad I enter the NUA of the OutDial that I
want to connect to.  Once connected to the outdial I enter ATZ <cr> then
ATDT<number> <cr> and that will connect me.  So basically it's connecting
to Datapac -> system -> pad -> outdial -> BBS

The only way to use either is for someone to tell you EXACTLY how because
each system is different.  I don't have any working PADs right now so I
can't give you a working example.

Ok, enough of that.

PART IV: Hacking Systems
~~~~~~~~~~~~~~~~~~~~~~~~

	The three computer systems I'm going to talk about are Unix, VAX,
and Prime.  Unix's are easy to use, VAX's have very powerful commands, and
Primes... well Primes are relatively SHIT but have *excellent* PAD
software (called "NetLink") and easy to use commands.  Jeez, some Prime
systems will even let you boost your own access... (duhh..) but most don't
contain any good info on them.  Each has an easy way to identify them.
Unix systems will ask for a "Login:" and "Password:" and will give you
unlimited tries and will never kick you off, although they will NOT tell 
you if you've entered a wrong login or password but will just tell you 
that ONE of them didn't work (eg: "Invalid login or password").  VAX 
systems ask for a "Username:" and "Password:" and will allow only 3
invalid tries before kicking you off.  Once in, VAX's will give you a "$"
for a prompt.  Prime systems will display a line as soon as you connect
something like:

PRIMENET 22.0.3 VOID

The "Primenet" tells you it's a Prime system, the 22.0.3 is the revision
of PRIMOS the system is running under (its operating system ie PrimOS)
and the "VOID" is the system nodename upon connect.  It will not give you
a "login" prompt but you can either enter "login" and hit return to get 
one or just simply type "login <username>" and it will then give you the
"Password:" prompt.  Prime systems only give one chance to connect before
they kick you off.  Prime systems give an "OK," as a prompt.  Now, going 
into more detail on Unix's, Vax's, and Primes...

                                 VAX's:
                                 ------

     The VAX acronym is derived from Virtual Address eXtension.  The VAX
computer is designed to use memory addresses beyond the hardware's actual
limits, enabling it to handle programs that are too large to fit into 
physical memory.  The VAX computer system is a member of the Digital 
Equipment Corporation (DEC) computer family.  Currently the VAX series 
includes models spanning the desktop VAX station to mainframe class 
multi-CPU VAX processors.  These vary from the superminis, like MicroVAX, 
to the older, moderate sized 11/7XX series, to the newer 6000 series. 
These computer systems commonly use an operating system known as VMS.

    The VMS acronym is for Virtual Memory System.  The operands of VMS
are very similar to other operating systems.  Back in the days of 
stand-alone computer systems, DEC had the idea for streamlining the 
operation of their computers for business and engineering.  It conceived
VMS as a way of allowing the basic computer management to be done by a user
familiar with any of the multiple systems it made.

How to get into a VAX by default login/passwords:
-------------------------------------------------

	When DEC designed the VAX they put in several default accounts to
test them out.  These accounts have passwords which don't change from 
system to system.  The system manager should have removed them before the
system was put online but it is not done all the time.  Here are several
defaults for VAX systems:

  Username      Password
  ------------  -----------------
  DECNET        DECNET               -- The accounts listed with
* SYSTEST       UETP                    asterisks "*" next to them are
                SYSTEST                 very powerful accounts.  Defaults
  SYSTEM        SYSTEM                  that have worked for me in the
  DEFAULT       DEFAULT                 past are OPERATOR and SYSTEM. 
* FIELD         FIELD
  OPERATIONS    OPERATIONS
  OPERATOR      OPERATOR
* SUPPORT       SUPPORT     
                DEC

OK, so this basically tells you how to recognize when you've connected to
a VAX and possible ways to get in.  I'm not going to get into detail about
commands but if you DO manage to get into a VAX system, they give
unlimited descriptions of the commands available.  Just hit HELP at the
prompt and you can get a full description of anything.  The online HELP
will explain it better than I can...

                                 PRIME's
                                 -------
[Some of the following information extracted from "Introduction to the
 PRIMOS Operation System" by the VOID Hackers..]

One thing about Primes is that they're generally ignored by the average
hacker because of the lack of information on them and unfamiliarity, but
PRIMOS is a very user-friendly operating system.  Main Prime owners these
days are corporations and governments.  Different models of Primes are the
Prime 250's (ancient) and 750's (also ancient but still in use), the Prime
4150's (a mid-range system) and the huge Prime 9550's (high-end mini's). 
Also in the high-end spectrum is the Prime MCXL's (super-mini's) and Prime
workstation clusters.  As there are many models, there are just as many
revisions of PRIMOS (the Prime operating system) they run on.  About all
you'll see today are Rev. 20.xx, 21.xx, 22.xx or 23.xx but some foreign
packet-switching networks (PSN's) are still running revisions 17.xx,
18.xx, and 19.xx (such as Brazil's Interdata or Renpac networks).  Here
is a list of default logins/passwords for PRIME systems:

 User ID         Password                Comments
___________________________________________________________________________

 ADMIN           ADMIN, ADMINISTRATOR    Administrator account
 CMDNC0          CMDNC0                  External command UFD maintenance
 DEMO            DEMO, GUEST             Demo account
 DIAG            DIAG                    Diagnostic account
 FAM             FMA                     File Access Manager
 GAMES           GAMES                   Games account (only on schools)
 GUEST           GUEST, VISITOR          Demo account
 HELP            HELP                    Help subsystem account
 INFO            INFO                    Information account
 JCL             JCL                     Job Control Language account
 LIB             LIB, LIBRARY            Library maintenance account
 NETMAN          NETMAN                  Network controller account
 NETPRIV         NETPRIV                 Network priv account
 NEWS            NEWS                    News account
 NONETPRIV       NONETPRIV               Network nopriv account
 PRIME           PRIME                   Prime account
 PR1ME           PR1ME                   Prime account
 PRIMOS          PRIMOS                  Prime account
 PRIMOS_CL       PRIMOS_CL               Prime account
 REGIST          REGIST                  User registration account
 RJE             RJE                     Remote Job Entry account
 STUDENT         STUDENT, SCHOOL         Student account (only on schools)
 SYSADM          SYSADM, ADMIN           Administrator account
 SYSTEM          SYSTEM                  Administrator account
 TEST            TEST                    Test account
___________________________________________________________________________

Anyways.. if you do get a successful login and password it will return
something like this (I'll call the username "PRIMEUSER" as an example):

        PRIMEUSER (user 87) logged in Sunday, 22 Jan 89 16:15:40.
        Welcome to PRIMOS version 21.0.3
        Copyright (c) 1988, Prime Computer, Inc.
        Serial #<serial_number> (company_name)
        Last login Wednesday, 18 Jan 89 23:37:48.

'serial_number' and 'company_name' will be replaced by the actual serial number
and company name of the company that owns the Prime computer site.

Once you're in PRIMOS will give you one of two prompts: "OK," or "ER!". 
Both are the same, the latter just means the previous command you entered
had an error (ie: invalid command).

Ok, to get a list of commands and descriptions type "HELP", and type
" <Command Name> HELP " or " HELP <command Name> " for additional
information on that command.

UNIX:
-----

There's too much information on the Unix system for me to decide where to
begin so I'll just state the basics.  I'll give you a big file that
explains Unix's inside-out upon request.  Ok, Unix systems as stated
before are identified with the "login:" and "password:" prompts.  Unix's
will give unlimited attempts to get a correct login/password combination.
Powerful default logins are "root, daemon, sysadm, sysadmin, spool" with
the "root" login being the most powerful of all.

PART V: DATAPAC, FINDING SYSTEMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	Ok, so you wanna get out there and get started right?  Ok, well if
you live in the St. Catharines/Niagara area of Ontario what you do is call
up your local Datapac dialup (eg: 687-1104, 687-1115) and once you're
connected you must enter 2 periods and hit return ".. <cr>" and you'll get
something like

DATAPAC: 3720 1350

or something... The first thing you need to know about Datapac is that the
addresses of the systems connected to it are 8 digits long (when in
standard format... some are up to 20 digits long).  Most have the first
digit higher than "1" and the fourth digit a "0".  The good thing about
Datapac is that it has an extensive online help system.  To reach this
enter the address "92100086" and hit return.  It will give a menu and you
can go from there and read up about Datapac as much as you want.

Scanning Datapac:

Ok, the best way to find other systems hooked up with datapac is to scan
for them.  First, decide on what numbers you're going to scan.  Eg: if you
wanted to scan from say 71500000 up, set a macro key to "715000" and enter
the macro+01 then macro+02 then macro+03 etc. etc...  if there's nothing
at that address you'll receive a "DATAPAC - Invalid Address" response.
One thing to keep in mind: after every 8 invalid addresses you enter IN A
ROW, Datapac will hang up on you.  Therefore, you MUST enter an address
that connects to a system every 8 unsuccessful tries.  An example is a
system at "20800315" which will connect you to a system and immediately
kick you back to Datapac.  Enter this address after every 8 invalid
addresses when scanning.  This will keep you from being kicked off for
invalid attempts.  Eg: If I was scanning 205000xx I'd enter 205000 in a
macro, enter macro+00, macro+01, macro+02, etc.. and if I got to macro+07
(which would be 20500007) I'd enter the other macro (20800315) and that
would keep me from being kicked off Datapac.  Then I could keep scanning...
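
Seen from the operator's side, the interleaving described above defeats any counter that only tracks invalid addresses in a row. The following Python example is added here (it is not from the original file or from Datapac) and scores per-session call records on cumulative invalid requests, ascending address sweeps and a repeated "reset" address. The log format, every threshold except the 8-in-a-row limit, and all addresses are constructed assumptions.

```python
from collections import Counter, defaultdict

CONSECUTIVE_LIMIT = 8   # from the text: 8 invalid addresses in a row
CUMULATIVE_LIMIT = 16   # assumed threshold for invalid requests per session
SWEEP_LIMIT = 8         # assumed: this many ascending addresses is a sweep
RESET_ADDRESS = "88800001"  # constructed placeholder, not a real address


def build_sample_log():
    """Constructed records, one 'session address result' line per request."""
    lines = []
    # Session A: ascending placeholder addresses, with a known-good address
    # requested after every eighth invalid one, as the text walks through.
    for n in range(24):
        lines.append(f"A 999000{n:02d} INVALID")
        if n % 8 == 7:
            lines.append(f"A {RESET_ADDRESS} CONNECTED")
    # Session B: a user who mistypes an address twice, then connects.
    lines += ["B 11100420 INVALID", "B 11100402 INVALID",
              "B 11100042 CONNECTED"]
    return lines


def parse(lines):
    """Group (address, result) pairs by session, preserving order."""
    sessions = defaultdict(list)
    for line in lines:
        session, address, result = line.split()
        sessions[session].append((address, result))
    return sessions


def longest_invalid_run(attempts):
    """What a consecutive-failure counter sees: it resets on any success."""
    longest = run = 0
    for _, result in attempts:
        run = run + 1 if result == "INVALID" else 0
        longest = max(longest, run)
    return longest


def longest_ascending_sweep(attempts):
    """Longest chain of invalid addresses, each one above the previous
    invalid address. Successful calls in between do not break the chain."""
    longest = run = 0
    previous = None
    for address, result in attempts:
        if result != "INVALID" or not address.isdigit():
            continue
        value = int(address)
        run = run + 1 if previous is not None and value == previous + 1 else 1
        previous = value
        longest = max(longest, run)
    return longest


def reset_candidates(attempts, limit=CONSECUTIVE_LIMIT):
    """Count addresses that connect right after a near-limit invalid run."""
    hits = Counter()
    run = 0
    for address, result in attempts:
        if result == "INVALID":
            run += 1
            continue
        if result == "CONNECTED" and run >= limit - 1:
            hits[address] += 1
        run = 0
    return hits


def analyse(lines):
    """Return per-session features and a flag for scan-like behaviour."""
    report = {}
    for session, attempts in parse(lines).items():
        invalid = sum(1 for _, result in attempts if result == "INVALID")
        run = longest_invalid_run(attempts)
        sweep = longest_ascending_sweep(attempts)
        resets = {a: c for a, c in reset_candidates(attempts).items() if c >= 2}
        report[session] = {
            "invalid_total": invalid,
            "longest_invalid_run": run,
            # Assumption: the hang-up fires only when a run exceeds the limit.
            "trips_consecutive_limit": run > CONSECUTIVE_LIMIT,
            "ascending_sweep": sweep,
            "reset_addresses": resets,
            "flagged": invalid >= CUMULATIVE_LIMIT
                       and (sweep >= SWEEP_LIMIT or bool(resets)),
        }
    return report


if __name__ == "__main__":
    for session, features in analyse(build_sample_log()).items():
        print(session, features)
```

Session A never trips the consecutive counter yet is flagged on all three cumulative features, while the mistyping user in session B is not.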

You'll come across a lot of weird systems when scanning Dpac.  Most will be
either Unix, Prime, or VAX systems but you'll get a lot that say stuff like
"Service=" or "Password>" or just really screwed up stuff.  If you ever
get to a Unix (which gives you unlimited tries to login) and want to get
back to Datapac enter 2 CTRL-D's and hit return at the "Login:" prompt.

UNRESPONSIVE SYSTEMS:

Some systems will connect and be unresponsive.  When this happens try
sending a hard break (or a bunch of them) or try the CTRL-<key> keys going
through the alphabet.  If you're convinced you've tried everything and the
system still isn't responding just hangup and call Datapac back up.

Most of the responses you get while scanning will be 

DATAPAC - Invalid Address

but once in awhile you'll get something like

DATAPAC - Remote Directive

or

DATAPAC - Incompatible Destination

or something else... Don't worry about writing down these addresses
because they're useless.  The only one (besides DATAPAC - Call Connected
of course) to keep track of is "DATAPAC - Collect Call Refused".  This
means that the system at the address you entered will not pay for the
connection.  It is still possible to reach that system by using a PAD so
don't throw those addresses away.

If you've done a lot of scanning and still can't find anything of interest
here's a few things you can check out:

ADDRESS:  SYSTEM IT CONNECTS TO:
--------  -------------------------------------------------------------
20800015  VAX system
31500475  PRIME system

20800121  Another VAX system
20800095  something to screw around with
20800122  Canadian Chambers of Commerce Database
33400672  another thing to screw around with...
41100043  Info Globe Database
41500077  Humber College
43601541  Canada Life Insurance
43700265  Rehabilitation Services of Canada (VAX system)
44400224  Infomart Online (VAX)
44400053  IBM Information Services
59100088  Athabasca University
67200056  Alberta Research Council (MicroVAX)
70800051  Air Canada (UNIX)
92100086  Datapac Information System

All of those were taken from the I.C.E. Datapac Address List (over 200
systems listed... check it out - available on my BBS - ICE HQ)

Ok.. I've talked a little more than I planned to but there's still a lot
more I want to tell you about.  This is just the first version of this
handbook so whatever you want to know about, call my BBS and leave me
feedback and I'll make SURE your question is answered in the next release
no matter how small it may be.  If you or someone you know would like to be
a guest writer, let me know and tell me what you're gonna talk about, or
just send in a text file and I'll look at it and put it in the next
release.

This first release is just to open people's eyes to the h/p society and
the questions can flow from here.  When I know what people want to know
about (specifically.. it's very hard to explain hack/phreaking in general)
I'll know what to put in the next release.  There are of course, some
things you have to be familiar with before I can start going into detail
about them.

Please call my BBS and leave any comments or suggestions about this so I
can make the next release better.  This is a sort of "alpha" release...

Some H/P BBS's to check out:
---------------------------
416-648-8175  Meltdown - lotsa messages and codes
414-781-3218  Tone Town - 330 megs, good h/p file section
510-946-1737  PH.B.I. - excellent text files!

and of course, my BBS:

   !!!!! -+- PSYCHIATRIC CYBERHELL (ICE HQ): (416) 934-4055 -+- !!!!!!
         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

If this is the sort of thing you might be interested in, then my BBS is
the ONLY BBS in Niagara supporting active H/P message and file areas and
gets calls from phreaks worldwide.  Get in the message bases there and ask
questions because they'll be answered by people with EXPERIENCE.
MY BBS ONCE AGAIN: 416-934-4055 - St. Catharines
Tell me you got the number from this text file!!!!!

**************************************************************************
If you ARE experienced and just happen to have come across this file and
you live somewhere else in the world and just wanna say hi or whatever.. I
can be contacted in the following countries:

InterNet/UUCP........ liquid_jesus@pegasus.ch
Canada............... ICE WHQ: (416)934-4055, Club Z BBS: (416)934-6795
United States........ Tone Town BBS: (414)781-3218
France (direct)...... +33 36431515 (type "THELINE") mailbox name: ICE92
France (via X.25).... 208057040540 (mailbox name: ICE92)
Switzerland.(direct). +41 (0)71 715577 (10 lines) (username: Liquid_Jesus)
Switzerland (X.25)... 228475212574 (Same as above)
Iceland (direct)..... 354-1-78099, 670990
Iceland (X.25)....... 274011991000 (username: AmiPhreak)
**************************************************************************

Ok, I want LOTS of feedback on this phile so send me LOTS of mail on it!

-Liquid Jesus