💾 Archived View for gemini.spam.works › mirrors › textfiles › phreak › itapac.txt captured on 2020-10-31 at 15:41:35.
-=-=-=-=-=-=-
_______________________________________________________________________________ ItaPac - A Brief Introduction A Telecom Computer Security Bulletin File _______________________________________________________________________________ Prologue -------- This text will represent a very complete tutorial about a packet switching network used in Italy: ItaPac. The purpose of this file is to supply very interesting information to have secure use and VERY LONG ItaPac password lifetime. It includes also a brief summary of what (shit) ItaPac is, techincal terms, various news. What's ItaPac ------------- ItaPac is the Italian Packet Switched Network. The "packet" protocol is called as it is because the data which travels through the network is assembled in 255 char groups (packets), with an address physically in the net towards which data is sent at fixed time intervals. Packets can thus contain different source data, and in this way they divide the cost of transmission and optimize net traffic. All of which runs transparent to the users, which doesn't remark of commutation, and works in an apparent "real time". In order to support all available protocols, the Packet Switch needs gestional software. As for definition, all terminals able to support the switching are called PADs (packet assembly-disassembly) and work following the CCITT X.25 recommendations. A PAD is very expensive to run. It is not the software or hardware that is so expensive, but rather the continuous maintenance and supervision required to keep the system running. Normally, most of the users prefer have the switching handled by an ACP Server which makes his call and transforms the packet proto- col from X.25 to an X.28 asycronous, that is compatable with the normal modems that we use. The user becomes like a DTE (Data Terminal Equipment), he connects to an ACP (Adapter/Concentretor of Packets) and can operate in trasparency without any kind of problems. The user can login to a pad in either of two ways: 1) DIRECTLY: by dedicated wire installed by Italcable. The cost is higher, but that guarantees a much higher transmission quality. 2) SWITCHED: by phone (switched line, not to be confused with ACP, even if there are similarities); the cost is much lower, but the transmission quality is unacceptable at times. The direct X.28 user has his own network user address (NUA). Some users have only one NUA while others have a multiplexed system. This system generally consists of one NUA and a variable number of subaddresses. The actual number of subaddresses depends on the number of doors he has into his pad. The switched user (poor) can only call others DTE, but he cannot receive calls, because he doesn't a network user address. In effect the only address where he can answer is that of the PAD on which he is logged on. Thus the DTE call from a phone number (of home, office, etc), if he can receive calls from another DTE, means that the hardware is able to scan the call, and we will all be in the shit (sorry for the hard expression). Taking apart the quality in trasmission, there is no difference between the two X.28 types: both need a modem. The first, connected to a standard phone line, and the second to dedicated one. For the rest of this file we will talk about the X.28 terminals of the second type: the dedicated ItaPac PADs. The ACP at their time, are connected to NCP (Nodes of Commutation of Packets) with transit functions or access for DTE X.25 and of local commutation. The NCP are connected between them at high speed (64k/second), and ACP are conn- ected to NCP at 9600 bit/second. ___________________________________________________________________________ | | | | | | | User Class | Xmit Methods | Speeds | Protocols | Access Methods | |______________|________________|__________|_____________|__________________| | | | | | | | Char by Char | Start/Stop | 300/1200 | X28 | Via Phone or | | Terminal | Full/Half Dup. | baud | | Direct | |______________|________________|__________|_____________|__________________| | | | | | | | Packet | HDLC | 2400 and | X25 | Direct | | Terminals | Full Duplex | 9600 bps | | Only | |______________|________________|__________|_____________|__________________| The CCITT standard makes it possible to interface ItaPac with other networks around the world. In effect, the NCPs are connected as big telephonic centers. Anyway, it seems that all European traffic to the USA and other countries, such as Australia, Argentina, Japan, etc, will transmit by the centers that are in Paris, France. Maybe from Paris data is sent via satellite, but I don't know. NUIs, NUAs, and DNICs --------------------- Well, when you connect to one of ItaPac's entry points (of which there are 41 ACP sites on Italian terrain at 300/200 baud and full duplex (V21, V22)), ItaPac responds: ACP:** I T A P A C ** GENOVA 32 PORTA: 4 The above is an example of the herald for an entry node in Genoa. In the example you can note that the number "32:" is really the node (the phone number you have called). Larger cities generally have more than one node. The PORTA is the port to the node (the physical entry point to the node). "PORTA: 4" means that you are connected to the fourth port of this particular Genoa ItaPac node. You can also see from the above example that there are 3 other people connected to the same node as you. Every ItaPac node can support at greatest a finite number of ports. If all the ports of a node are in use then the PAD will reject all new DTE calls. Frequently most (or all) of the ports until Friday night will not answer at all. Until one logs you off you cannot enter a port that is in use. Very often the first 2 or 3 ports will be busy from an internal console, or these will be reserved as an "emergency lane" for internal-use-only. A good way to use a free door is to send to people that are probably the callers an Urgent Call Income (UCI; in the States it is known as a BVC -- Busy Verification Signal -- AKA emergency interrupt). The you can redial the node. This time ItaPac will answer. The message "Beware, please, Urgent Urban Call Incoming" will appear on the screen. This will blow our friend from the port, thus freeing it for our use. Eh eh. Now for some definitions. 1) NUI 2) NUA 3) CUG (optional) NUI - Network User Identification: Nothing other than an ItaPac password. Every time you call an NUA, ItaPac will charge the account of owner of the password. Often NUIs are valid only for certain nodes. That is if the contract signed with Italcable will allow a 300 baud at Genova on 2697, this NUI will not work on the 2564 node. SYNTAX: the NUI must be preceded by UPPERCASE "N" and finished by a minus "-". The NUI MUST BE TYPED IN UPPERCASE. Between "N" and "-" the NUI will not be displayed (echoed). You will obtain only "N-" on display. NUA-Network User Address: the physical address of a remote DTE. Similar to a phone number, you understand. Must be typed without blank inside and soon after the NUI (or a timeout will occur and ItaPac will hang up on you). CUG - Close User Group: this is basically a high-security NUI. CUG stands for Close User Group. CUG users have access to optional parameters that are used for user recognition (and you know what that means). Having a CUG account is very handy. CUG users have the ability to inibit hackers (after all, they are there for network security, right?). There are less CUG users in Italy than the USA and are generally rare (but I know of one). A typical example would be the US Tymnet NUAs (03106nnnnnn). The PAS response will be ACP:CLR NA or Call Not Accepted and shut down. Makes hacking on a CUG account a good way to waste your time. Now we will take a closer look at an ItaPac NUAs structure (the numbers are examples only): DCC NC | __| / \| 12345678901234 \_ / | DNIC DNIC = Data Network Identification Code; it contains the address of the country to be called and the code for the network chosen. It is then divided into two parts: DCC and NC. DCC is the Data Country Code; a three digit number that is the phone prefix. Every country has different one. NC is the Network Code; a country can have more than one data network. In Italy there is ONLY packet switched network, the code is "2" and it is Dardo. Follow with: the prefix of the called city, the DTE number, an eventual suffix that is the "phone particular" (max 4 digit). Note: The DCC is used only to call outside. DCC must be preceded by a zero. ItaPac, in this case, is different from other countries. Let's show a pratical example: The Cilea of Milan (Segrate). The NUA is: 2220208 |||______ local address of DTE ||_______ 2 (02) = Milano |________ NC: 2 = ItaPac Now, another example: the Altos Unix (altger) in Munich, West Germany (note: a favorite hangout of Xtension). The NUA is: 026245890040004 |\ /|\_ _/| | | | | |____ 40004: network address | | | |_______ 5 8900: munich prefix | | |__________ 4: DATEX-P (germany ItaPac) | |____________ 262: DCC West Germany |______________ foreign call The NUA's structure isn't so all the time. NUAs can exist that don't appear to have countries or cities. This because the address is sent to an indicated ACP that will provide the rerouting of the call. If the NCP has been instructed to consider a certain address like another, the DTE can have a Rome NUA and be located in Genoa. As call with the account to called... It's very important to be able to read an NUA. Many times you can find systems like VAXs and UNIXs and some refer to not-interactive logins; NUAs are not often completed. An NUA without a DNIC is like a phone number without an area code: its meaning is nothing. Usually the system makes references to a subject network, or it supplies other info in a less clear fashion. At this need I will supply a very short list of world wide DNICs I've found (notice that they are old hat, the new stuff is only for friends)... Beware: many countries own more than one national network (GB, USA, etc) then you will probably hear a thousand cries of "In USA where? On Tymnet, or Autonet? or Telenet? or RCA? EtherNet?" And I can continue... DNIC Network Name Country _______________________________________________________________________________ 2041 Datanet 1 Netherlands 2062 DCS Belgium 2080 Transpac France 2284 Telepac Switzerland 2322 Datex-P Austria 2329 Radaus Austria 2342 PSS UK 2382 Datapak Denmark 2402 Datapak Sweden 2405 Telepak Sweden 2442 Finpak Finland 2624 Datex-P West Germany 2704 Luxpac Luxembourg 2724 Eirpak Ireland 3020 Datapac Canada 3028 Infogram Canada 3103 ITT/UDTS USA 3106 Tymnet USA 3110 Telenet USA 3340 Telepac Mexico 3400 UDTS-Curacau Curacau 4251 Isranet Israel 4401 DDX-P Japan 4408 Venus-P Japan 4501 Dacom-Net South Korea 4542 Intelpak Singapore 5052 Austpac Australia 5053 Midas Australia 5252 Telepac Hong Kong 5301 Pacnet New Zealand 6550 Saponet South Africa 7240 Interdata Brazil 7241 Renpac Brazil 9000 Dialnet USA 7421 Dompac French Guiana This list may be in the hands of hackers everywhere. And, because the bread for a hacker is done with ItaPac's floor, the minimum I suggest is to learn by memory the main International DNICs. Not these for French Guiana, but the main European and American ones. Let's return to ItaPac. When you are connected to a remote system, the network sends an ACP: COM and it leaves the field and lets you join the host. To clear call and return in command mode (the star "*" prompt) must make some differences. 1 - for the most part, the host leaves the possibility to user to talk with his PAD, either to setup his parameters, close, reset or confirm the call. In this case, often frequently, with the sequence CTRL-P ItaPac will reappear with its "*" prompt and it accepts commands. Typing "CLR" ItaPac will close the virtual call to host and answer "ACP: CLR CONF". 2 - Some Hosts, usually those with internal PADs, won't allow to ItaPac control to the user. CTRL-P is not recognized, and the only way to logoff or catch the control of the PAD is send a ten LONG-BREAK sequences. The BREAK, not to be confused with CTRL-C, that is not in this site, is an INTERNAL signal whic(BFs not an ASCII code. It is used by the communication program you use to send that acknowledgment. If you don't have the capability to send BREAK (short or long); beware not to use these black holes from where the only way to exit will be the physical disconnect from the PAD (ie, drop carrier on the modem). 3 - The use of CLR is not correct and in most cases it will cause serious problems to host machines. In effect, their software (or perhaps hardware) is not able to translate correctly the loss of carrier and enters into a "Wait-State Pending", that will finish only before a well-defined interval. In the mean time, this door is unavailable. Network administratons never like CTRL-P CLR. Network Signals, Profiles (Outline, Shapes, Sketch), Parameters --------------------------------------------------------------- A detailed description about all net signals, standard outlines and parameter sets, is supplied from a "manual about ItaPac access from X28 start-stop terminals" This manual can easily be "thieved" at kermesses in Italcables stands, in more desperate cases, you can ask that to your friends. What is not written therein into from Italcable is the meaning about parameters 14,15,16,17,18,19. Official guide stops at the 13th. But command ^P PAR? gives a full list with 19 entries! Now here are the descriptions: 14: Padding after Line feed (LF) 0 No padding inserted 1-15 When it is in the Data Transfer state, the pad inserts a time delay from 1 to 15 chars times the length after each LF that it inserts. The normal setting is determined by the terminal in use. 15: Editing of data This parameter and the following parameters (16, 17, and 18) determines how editing of data is perfomed when the pad is in the Data Transfer State 0 editing of data is not possible 1 Must be set to this value if the editing facility required 16: Charachter delete character 0 characted deletion is not possible 1-255 This is the IA5 decimal code of the choosen delete character. The normal setting is 127 (for RUBOUT or DEL) 17: Buffer delete character 0 Buffer deletion is not possible 1-255 This is IA5 decimal code of the choosen buffer delete char. The normal setting is 24 (CTRL-X) or (CAN) 18: Buffer display character 0 Buffer display is not possible 1-255 This is the IA5 decimal code of the choosen buffer display char. The normal setting is 18 (CTRL-R) or (TAPE-ON) Parameter 19 is unknown. One word about Delete. It's possible to correct what is typed in command mode via the DEL key. If you use the Backspace (ASCII 8) key ItaPac will not accept corrections but it will translate these as true chars. PAD SPEED --------- If your modem will colloquiate with a PAD at a defined baud rate (300 or 1200, full duplex) the packet transmission will slow in a drastic way the number of incoming and outgoing characters from your DTE. PADs send a continuous stream of clear-to-send and Ready-to-send signals that are really macro rests between packets. At lower transmission speeds (ie, 300 baud) the switching does not feel right, but at 1200 it does. We have computed that the speed of real transfers and receiving can, at maximum performance, raise to 450 baud. It is slower when you transfer a file, when the PADs work is very heavy. Via Xmodem, the PAD will try to destroy time-out signals, or confuse all. Public computer systems such as Delphi know that also. If you aren't able to download correctly using the Xmodem protocol then that means that only the remote host isn't detecting the differences between packets and asybchronous terminals. The question is: will it happen only on ItaPac (not new) or is a common problem to all NCPs? "NC" Nights ----------- There are nights in which every address you call is "NC". The Network Conges- tion state is very frequent on ItaPac, and will disallow the use of the network used from NCP. The causes are very mysterious. At night Firms aren't using ItaPac, and it seems the network is used only by hobbists. Then what? At the Service center they negate all, but this is reality. ItaPac, at the end, is an asshole. It has very high rates but they will add a joke to the classical thief: some- times it doesn't work. How does it not work? Ha! To them everything is always ok. And then someone will cry scandal if you try to bypass them! NUIs USED --------- Usually, NUIs that are used (or had been used) are demo NUIs. It hasn't an account, and then -in theory- cannot exaust. Operators cannot ever notify their use, because they don't have a record of calls...If a demo NUI will die, the cause can be one of only two: 1) ItaPac has changed codes due to normal administration 2) ItaPac was warning about the happening, or from their techician who had noted abnormal traffic and has controlled, or from an external (a son of a bitch spy!) +2-15-87 +-+ | | +--+ +--+ +--+ +--+ | | | | |_| 53ST6R An historical NUA- it has been working for over 2 years, and for a SPY... HOW GET AN NUI -------------- The more simple and safe method is to copy that from kermesses where Italcable, or otherwise, use X.28 wires. The dedicated X28 DOESN'T NEED AN NUI because they are directly connected. Go near the operator and ask "That is a MODEM?" Operator (if they have the time) will be moved to pity, in front of so much ingnorance, and he feels so relaxed, types in his pw. You, with an optimum eye, must read the keyboard and memorize the NUI. This is called shoulder surfing. It is well, in the case of big kermesses, to try to catch ANY booklet, agenda, block notes left near terminals. If the stand is owned by Italcable, ALL you can catch, must BE, without differences. A new scanning technique, based on trying statistically calculated, is in exam between DTE222. This technique may guarantee, if applied to a long scan time, posithives results in NUI research. The minimum number of NUI tried cannot be less than to 100,000 (1 hundred thousand), causing cost and time problems. At large lines, that rule is like: a NUI generator will provide to create a very likely NUI following the same criteria. A scanner will try all in an automatic manner. It tries 8, then it uses a valid NUI to connect to 22000 (Echo pad), immediatly it logs off (CLR CONF), putting zero thanks to ACP:COM the ACP:ERR ILL counter (how we know, to 10th ERR ILL the pad will logoff physical call [hangs]). The 9th try is as security margin. Then the scanning will restart. At 1200 baud - therefore - we had a 1400 hours tested NUI average. This, is all talk! In addition, it seems that before 700 ERR ILL, not looking counter reset, ItaPac will hang up. That will make it more diff- icult for our computer; it araises at times (will redial number) and make the search more expensive. NETWORK SIGNALS --------------- Net can send several mesages: - as answer to a command - for his own decision - following an action performed byt remote terminal 1. Errors messages ERR CNA syntax of command is correct, but not allowed in this state ERR ILL command is not syntactically correct or the hit is not recognized ERR EXP timeout and command was not completed ERR PNA the requested outline is not assigned yet 2. Logoff messages CLR OCC the called number is busy CLR NC Network congestion or temporaly failure of hardaware cannot allow new calls CLR INV Requested performance is not valid CLR NA The calling number cannot have connection to DTE (ex: Close User Group not compatable) CLR ERR Call is hung for a local procedure error CLR RPE Call is hung for a remote DTE error CLR NP Called NUA is not assigned CLR DER Called NUA is out of order CLR PAD PAD has hung the call because he had received am invitation to "clear" from DTE CLR DTE Remote DTE hung call CLR RNA Remote DTE cannot accept charged calls 3. Reset Messages RESET DTE Remote has resetted virtual circuit RESET RPE Call is putt in reset state for remote DTE error RESET ERR Call is reset for a local error RESET NC Call is hung for a network congestion RATES AND DUTIES ---------------- For whoever wants to subscribe ItaPac, here are the rates. For whoever uses it as Portoguese it might be interesting to have an idea about how much it costs the real owner of an NUI. The, if you have one, don't abuse and don't tell it to the four winds. Remember that real owner can, at any moment, change it! BY X.28 Switched Phone ---------------------- Class (baud) Lire/Month 300 12,150 1200 7,100 NUI duties: 7,200 / month to these must be added: modem duties mail and telegraph duties contributions and trafic (counter turns!) The amount of the first two isn't clearly specified on the rates-sheets, but it is marked as: Following the current rates. Last, is so divided: they will consider the distance betweenyouser site and the centre of relhative area phone code. X.25-X.28 Direct Connection --------------------------- Class (baud) Lire/Month 300 108,000 1200 139,500 2400 208,800 4800 275,400 9600 311,400 To these must be added: modem duties duties foryouse of area to area circuitery duties for new wires Time rates for Ports Taken -------------------------- class (baud) Lire/Minute (or fract) 300 13.50 1200 18.00 Time Rates ---------- 6.80 Lire/minute or fraction Volume rates ------------ 1.78 Lire/segment or fraction thereof (1 segment= 64 octets) Rates to call ------------- 30 lire / call Addings per NUI --------------- 7,200 / month For time and volume rates there is a 30% discount from 9 PM to 8 AM every day, including Saturday and non-working days PVC Rates --------- 54,000 Lire / Month Class of Max Charge of line --------------------------- 9,000 * KB / Month CUG --- Master 56,700 Lire / Month Users 900 Lire / Month Payment to Called ----------------- 8,100 / Month Change Options Parms -------------------- 45,000 Lire Speed Class Change ------------------ 90,000 lire Calls List ---------- Lire 30 each voice in list International Trafic [The rates are in Gold Francs (GF)] Europe ------ GF 0.107 / min or fraction thereof Extra Europe ------------ GF 0.3333 / min or fract (1) GF 0.4 / min or fract (2) GF 0.5 / min or fract (3) (1) North America or Middle East directly connected to Italy (2) Other countries out from Europe directly connected to Italy (3) All others In a few words, if you aren't a Multinational Company, but an hobbist, you must charge a 20 years money loan to be able to afford ItaPac. The Network is also able to receive characters following international Alphabet from CCITT No. 5 (IA5) with 1 or 2 stop bits and it will produce even chars with the #2 stop bit. In the exchange of control chars between terminals and net, ItaPac will translate characters dropping out the parity and send chars with even parity. Characters are exchanged in transparent way to user regard- ing parity and bits. TO CONNECT VIA THE SWITCHED WAY ------------------------------- 1) Dial the ItaPac node phone number. Whoever doesn't have an automatic modem must switch to data within 10 seconds from the first ItaPac tone. 2) send two <CR> to build the phisycal connection (within 30 seconds) 3) ItaPac will send the network herald, ACP identification and entry port (as explained) 4) At you're request: enter the virtual call state by typing ACP: FREE 5) send call request by issuing the NUI, the NUA and the data field (max 12 characters optional). E.g: if the NUI is AAAAAA and the NUA is 2345678 you must type: NAAAAAA-2345678 <CR>. The NUI is never echoed on screen. All sequences must blank free and entered within 120 seconds from first keypress. If you type a wrong NUI, net will answer ACP: ERR ILL. If you also need to send a data string, (e.g. ABCD) send: NAAAAAA-2345678 D or P ABCD <CR>. Typing 'D' before string the following data will be echoed, with 'P'. 6) net give ACP: COM if call is done. From this moment starts the data exchange phase and, until you disconnect, all commands to the net must be preceded with the ^P sequence. If the call is not correct, the net will answer by sending a disconnect signal to specify the cause of it. After 10 times of unsuccessfully placed calls, the net will hang up the carrier. If the call is possible, the NUA will receive an ACP: (caller address) COM. COMMANDS -------- The following commands can be issued prior to having a connection, meanwhile data transfer. In the last case, type a ^P before to exit data session (either it's considered as data itself). At end of command send <CR>. Beware that in a start-stop terminals calls (X.28) commands must sent also from TH in packet way, following X.29 procedures. 1) Virtual call state request: STAT <CR> will answer: - if call is on : ACP: ENGAGED - if call is off : ACP: FREE 2) Shape Choose PROF <CR> network will put on that (see later). At start the #3 is default outline. 3) Commands to send only during the data exchange (preceded by ^P) reset request: ^P RESET <CR> That command will cancel call followings data on line. 4) Interrupt send to remote DTE: ^P INT <CR> This packet will go over travelling data. Then, the action taked by host is software depending on. THE EDITING FEATURE. By the Editing Feature, you can delete a char or a line to make editing the PAD provide buffered characters. The editing function is ever in use during X.28 and the ACP xmit. To have it meanwhile data transfer you must choose parm 15. In this case, the user can choose between parms 16,17 and 18 the usable chars to request editing function and he can, via par 19, editing signals send by PAD. 1) Delete a char To make the deletion of the last type character you must send parm 16 defines the character (default DEL) before receving this char, the PAD will erase last character in the editing buffer, and, if parm 16 is different from 0, it send the signal about the erased char as said from par 19: if parm 19 is set to 0, no signal sent if parm 19 is set to 1, pad sent IA5 signal; this procedure is suggested for printer like terminals If parm 19 is set to 2, pad will sent a BS SP BS sequence of IA5. This procedure will locate cursor at inserting point of new char and is therefore suggested for video terminals. 2) Erase a line To erase a line you must send the char set into parm 17 (def: CAN). Before receving this character, the PAD will erase the buffer and, if parm 6 is set to anything save 0, it will send the line deletion character, following par- ameter 19: if parm 19 is set to 0 : nothing sent if parm 19 is set to 1 : pad send XXX if parm 19 is set to 2 : pad will send SP BS SP of IA5 for a number times as the number of chars in the buffer 3) Display a line To obtain a line display you must send char defined by parm 12 (def: DC2). Before receive this char pad will sent to terminal all chars stored in the buffer. _______________________________________________________________________________ Downloaded From P-80 Systems 304-744-2253