💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › psnintro.txt captured on 2021-12-04 at 18:04:22.
-=-=-=-=-=-=-
The THC Hack/Phreak Archives: PSNINTRO.DOC (842 lines) Note: I did not write any of these textfiles. They are being posted from the archive as a public service only - any copyrights belong to the authors. See the footer for important information. ========================================================================== % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X**=======================================================================**X %!! Phreakers/Hackers/Anarchists !!% X!! -++--++--++--++--++--++--++- !!X %!! !!% X!! THE COMPLETE INTRODUCTORY GUIDE TO SPRINTNET AND !!X %!! SIMILAR PACKET SWITCHED NETWORKS !!% X**=======================================================================**X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X**=======================================================================**X %!! P/H/A - Written By Doctor Dissector On Sunday, April 22, 1990 - P/H/A !!% X**=======================================================================**X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % X % Part I: Disclaimer ------------------ The sole purpose of this document is to educate. Neither the author nor the sponsor group (Phreakers/Hackers/Anarchists) will be held responsible for the reader's actions before, during, and following exposure to this document as well as the validity or accuracy of the information contained within this document. Part II: Introduction --------------------- Packet switching networks can be said to be the most useful tool for both the inexperienced and the experienced hack. When I first learned about PSNs (SprintNet/Telenet in general), I discovered that there were not any good "full length" introductions or guides to the use of these systems. In effect, scrounging around for a small file here and another there was not very productive in any sense. So, I decided to compile a "complete" introduction and guide, as I know it, to the "world" of the packet switched network. Enjoy! Doctor Dissector - PHA Part III: Table Of Contents --------------------------- Part Description ----- ------------------------------------------------------------- I Disclaimer II Introduction III Table Of Contents IV What Is A Packet Switched Network? V Network Protocols VI PAD Security VII Connection To The SprintNet PAD VIII X.121 International Address Format IX Network User Identification X Setting PAD ITI/X.3 Parameters XI Disconnect Code Sequence XII Misc Network Notes XIII Appendix XIV Conclusion And Closing Notes XV Greets, Hellos, Etc.... Appendix Description -------- ----------------------------------------------------------- A Hunt/Confirm Sequence Codes B PAD Command Summary C ITI/X.3 Parameter Summaries D International DNIC/PSN List E Overseas PSNs Which Accept Collect Calls F Network Protocol List G Glossary Part IV: What Is A Packet Switched Network? ------------------------------------------- A packet switched network can be accessed through any local POTS dialup/port. Systems known as "hosts" on the PSN pay for connection to the PSN depending on transmission speed and protocol type. PSNs offer more efficient data transfer and less rates as compared to the typical circuit switched call. Thus, to anyone who would be interested in transferring large amounts of data over either the PSN or the circuit system, the PSN would result in an increase of convenience due to the reduction of data transmission error and cost. Another feature of the PSN is the speed and data translation which takes place between the PSN's PAD (Packet Assembler/Disassembler) and the host. For example, one could connect to the PSN's PAD at 1200 bps and the PAD could connect to the host system at 9600 bps and still allow the user to receive error free transmission. This "flow control" is done by the actual increase or decrease of the data packet between the PAD and the user or the PAD and the host. PSNs also have the ability to interconnect through special gateways which might allow one user who dialed one PSN's PAD and then connected to another PSN's PAD through a system which was accessible by the first. Almost every PSN in the world can be accessed through gateways on one PSN to another PSN, through subsequent gateways until the target PSN is achived; of course, there are always exceptions, some private or small data networks may not be reachable through gateways, these systems can only be reached, usually, through direct dialins. Some PSNs allow the caller to execute "collect calls" to host systems which accept them, although the majority of the hosts on any given PSN do not accept collect calls. To connect to a host system which does not accept collect calls, one must possess a network user identifier (NUI) or access to a private system on the PSN which accepts collect calls and has the ability to access another PSN with its own identifier. These will be discussed further into this document. Part V: Network Protocols ------------------------- The PSN utilizes several communications protocols similar to the communications protocols used by typical asynchronous modems. However, MOST PSNs utilize synchronous communications and the X type protocols versus the typical modem's asynchronous V protocols. As a result, the PAD of any PSN also serves as a synchronous/asynchronous translator between the synchronous netowrk and the asynchronous modem. Most PSNs offer network speeds from snail's pace baud rates of 300 bps (asynchronous) to the lightning of 48,000 bps (synchronous). The most common data protocol used by PSNs today is the X.25 protocol, thus if one were able to access a private PAD which offered support for the X.25 protocol, one could access virtually any network user address (NUA) from that PAD. SprintNet PADs support the X.25 protocol, so if one had an NUI of sorts, one also could access any NUA from the SprintNet PAD. See appendix F for a list of network protocols. Part VI: PAD Security --------------------- SprintNet PADs and most dialin PADs in general have no "immediate" form of telephone security common within their systems. Plainly, SprintNet and most PSN dialin PADs cannot trace on the fly, as they do not have their own equiptment to trace incomming calls. HOWEVER, this does not mean that they CANNOT trace; SprintNet can, and will, upon probable cause, cooperate with the telco to trace calls. Notice that tracing usually is premeditated and one-time abusers have a very slim chance of being caught. Also note that most PAD activities are logged and if abuse is suspected, the PSN owners would most likely suspect the abuser as originating from the local area, since the POTS dialin/port is also located in the same area. Once online, security from "calling" hosts which do not accept collect calls is enforced by the presence of the NUI. Without an NUI, one would usually be stuck, only able to call systems accepting collect calls, sans the use of another system's NUI. There is one more aspect of seucurity worth mentioning. Whenever a packet of data is sent to a host system, a header of data is sent stating where the originating "call" is being placed by. Thus, if you were connecting to "312312" from your local POTS dialin/port that owned an address of "20231H," the system at 312312 would know the call was being originated from 20231H. Once again, if someone were abusing any system on the PSN and that system saved a log of the originating addresses accessing that system, the owners of the abused system could easily determine which POTS dialin/port number the abuser was using, and then inform the PSN security of possible abuse in that dialin's local area. Because of this ability to "trace" the originating address, there is one way to foil this. One could connect to another PAD, and then, from that PAD connect to the target system. Thus, the POTS dialin/port address will be sent to the connected PAD, and the connected PAD would intercept the POTS address and send the connected PAD's address to the target system instead of the POTS address. SO, if the target system was abused and the owners attempted to "trace" the originating address, they would receive the address of the connected PAD. For example: you dial your local POTS dialin/port which had an address of "71516G," log into another PAD at "415100," connect from 415100 to "213213." The system at 213213 if "traced" would find that you were originating from 415100, not 71516G. See how it works? Good... Notice that the system 213213 would still know that you were originating from 71516G, but the folks you were genuinely abusing wouldn't know that! Part VII: Connection To The SprintNet PAD ----------------------------------------- The following procedure outlines the methods used to connect to and through the SprintNet PAD. Step Procedures Network/Operator Response ---- ---------- ------------------------- 1 Turn on your terminal. Make sure it's Online. 2 Dial your local SprintNet access number. 3 For data sets Bell 103 & 113 type, depress the DATA button. 4 Enter the hunt/confirm sequence <CR> <CR> for your baud/parity type. For E,7,1 1200/2400, type <CR> twice. For hunt/confirm sequences, see appendix A. 5 SprintNet will identify itself, TELENET its port address, and then send 909 14B a TERMINAL= prompt for terminal identification. "D1" specifies TERMINAL=D1<CR> dumb terminal. 6 NUI Input: After SprintNet gives the "@" prompt, type "ID ;" and @ID ;ABCD<CR> then your ID code, follwed by a PASSWORD=123456<CR> <CR>. Then enter your password followed by another <CR>. If you don't have an NUI, you can always access systems which allow collect calls. 7 At the "@" prompt, you can enter @02341123456790<CR> the network user address (NUA) of the desired host. If, during the connection attempt wish to abort the attempt, a BREAK signal will bring you back to the "@" prompt. 8 SprintNet will respond with a (address) CONNECTED connection message, or an error message. 9 To disconnect from your computer, (address) DISCONNECTED log off as usual. SprintNet will send a disconnect message. To disconnect off of a system without logging off, typing "<CR>@<CR>" will bring you back to the "@" prompt. Part VIII: X.121 International Address Format --------------------------------------------- Most PSNs around the world follow the X.121 format for access to both domestic and international hosts. SprintNet does not require some parts of the format for domestic connection, which will be discussed below. +----------------------------------------- Zero Handler For SprintNet | (Formats The X.121 Address) | | | | +--------------------------------- Data Network Identifier | | Code (DNIC) | | | | | | +------------------------- Area Code of Host | | | | | | | | | +--------------- DTE Address of Host | | | | | | | | | | | | +-------- Port Address | | | | | | | | | | |0| |DDDD| |AAA| |HHHHH| |PP| | +------- Optional 'Subaddress' Field for Packet Mode DTE For a complete list of DNICs/PSNs according to country, please see appendix D. On SprintNet, a "0" MUST lead the NUA, although on other PSNs, this may not be necessary. On SprintNet, the DNIC is defaulted to 3110. Any host entered at the "@" prompt, if domestic to Telenet/USA, will not require the input of zero handler or the 3110 DNIC. For example: Domestic X.121 SprintNet Int'l ---------- -------------- --------------- 2129966622 31102129966622 031102129966622 212869 311021200869 0311021200869 21244 311021200044 0311021200044 Part IX: Network User Identification ------------------------------------ Network user identifiers (NUIs) offer full SprintNet PAD use for any distance or amount of time for any host accessible by the PAD in question. Think of the NUI as a /<-/<00l Kode for calling long distance. Any systems that you call are logged, and each call is charged. At the end of the month, the owner of the NUI is billed. So, it is possible to hack out NUIs and use them, but like k0dez, abuse kills. NUIs can be entered into SprintNet in two ways. The first method is to type "ID ;xxxx" where xxxx can be from 4-? charachters in length, both alphabetic and numeric. Then, at the password prompt, enter a password. The second method for entering an NUI is in conjunction to the NUA you are accessing. The format is "<NUA>,<ID>,<PW>" where at the "@" prompt you would type the desired NUA, followed by a comma, then your ID followed by a comma, and then your password. Your password will not be echoed. Part X: Setting PAD ITI/X.3 Parameters -------------------------------------- Online PAD parameter modification may be desired for certain applications, connections, or data transfers. See appendix C for brief summaries of these parameters. Modification of these parameters can be done by the following procedure at the "@" prompt: X.3 Parameters -------------- To display current parameters: "PAR?<CR>" The PAD will respond with: "PAR1:<VALUE>,2:<VALUE>,..." To modify parameter(s): "SET? <PARM>:<VALUE>,<PARM>:<VALUE>,..." The PAD will respond with: "PAR<PARM>:<VALUE>,..." ITI Parameters -------------- To display current parameters: "PAR? 0,<PARM>,<PARM>,..." The PAD will respond with: "PAR<PARM>:<VALUE>,<PARM>:<VALUE>,..." To modify parameter(s): "SET? 0:33,<PARM>:<VALUE>,<PARM>:<VALUE>,..." The PAD will respond with: "PAR0:33,<PARM>:<VALUE>,..." Part XI: Disconnect Code Sequence --------------------------------- When disconnected off of any host on SprintNet, a disconnect coding sequence with a string of data will be sent to your terminal. The following is a translation format for the disconnect coding. <NUA> DISCONNECTED AA BB TT:TT:TT:TT CCC DD Where: <NUA> is the NUA of the given host system. AA is the clearing code. BB is the diagnositc code. TT:TT:TT:TT is the time spent on the host. CCC is the number of frames received. DD is the number of frames sent. Part XII: Misc Network Notes ---------------------------- Just a few things one might want to know when using PSNs: 1) When using/abusing a private PAD, try to use it after business hours, as the operators will not tend to discover your presence as quickly. 2) When hacking or abusing ANY system on ANY PSN, if anything seems different or suspicious, logoff, disconnect, or HANG-UP IMMEDIATELY! Much better SAFE than SORRY! 3) For a complete and updated list of POTS dialin/ports, dial the IN-WATS number at 1-800-546-1000 or 1-800-546-2000, type "MAIL," and for user name and password, enter "PHONES." You will be diverted to the SprintNet dialing directory & a menu. From then on you will have plenty of info about POTS dialins and port numbers. 4) For international information concerning SprintNet and other PSNs, get to a SprintNet "@" prompt and type "MAIL." Then, for the user name, enter "INTL/ASSOCIATES." For the password, type "INTL," and you will be diverted to the international information menu. 5) For even more info on SprintNet and PCP, the NUA for the PCP support BBS is 311090900631 (909631 domestic). 6) Some 2400 bps and 2400+ bps PADs have problems recognizing 8,N,1 connections. Sometimes they only allow E,7,1 transmissions. Experimentation or inquiry may yeild results. SprintNet's customer information line is at 1-800-336-0437, overseas is 1-703-689-6400. 7) PCP outdials and other outdial systems are abundant on the PSNs throughout the world. If you have any NUAs to these or find any, they utilize the typical Hayes AT command set, so they should be easy to figure out. MOST of the time, they ONLY allow dialing of local (to the oudial's area code) numbers, but some have been known to allow interstate and even international calls. Experimentation, again, is always necessary. 8) Domestically, the "AAA" (Area Code) portion of the NUA is usually the same as the area code (NPA) of the same calling area. However, some area codes are shared on the network and some non-existant area codes such as 909, 223, 224 and others contain hosts. 9) On any PAD, the data transmission rates may be slowed, due to the assembley/disassembley time, called packet delay. Depending on which system, baud, and transfer protocol used, pad delay can differ from almost none to noticable fractions of seconds. PCP oudials are notorious for LLOONNGG pad delays.... Part XIII: Appendix ------------------- Appendix A: Hunt/Confirm Sequence Codes ======================================= Bits Stop Parity Modem Baud Duplex Sequence ---- ---- ------ ---------- ------ -------- 7 1 EVEN 300-1200 FULL <CR><CR> 7 1 EVEN 300-1200 HALF <CR>;<CR> 7 1 EVEN 2400 FULL @<CR> 7 1 EVEN 2400 HALF @;<CR> 8 1 NONE 300-1200 FULL <CR>D<CR> 8 1 NONE 300-1200 HALF <CR>H<CR> 8 1 NONE 2400 FULL @D<CR> 8 1 NONE 2400 HALF @H<CR> At BPS speeds 2400+, wait 1/2 a second BEFORE and AFTER the "@" sign in the sequence above. Appendix B: PAD Command Summary =============================== The following is a list of commands usable from the "@" prompt on the SprintNet PSN. Command Description ----------- ------------------------------------------------------------- <NUA> Connects to the host specified by that NUA. C <NUA> Connects to the host specified by that NUA. STAT Displays the network port address (NUA of the port). FULL Sets duplex to full. HALF Sets duplex to half. DTAPE Prepares the PSN for bulk file transfers. CONT Continues the current connected session/connect attempt. BYE Aborts connect attempt/disconnects from current session. D Aborts connect attempt/disconnects from current session. HANGUP Logs you off from the SprintNet PAD. TERM <TERM> Changes the terminal specification to that of <TERM>. MAIL Request connection to SprintNet Telemail. TELEMAIL Request connection to SprintNet Telemail. ID ;<ID> Enter NUI, <ID> is your ID. This is followed by a PASSWORD prompt. Password will not be echoed. TEST CHAR Test if you are receiving garbled output. If so, adjust parity or data bits, and then try again. If errors persist, be sure to complain to SprintNet customer service! TEST ECHO Test if your input is being garbled by Telenet. Similar otherwise as TEST CHAR. Appendix C: ITI/X.3 Parameter Summaries ======================================= Para- Para- meter Description (Default Value) meter Description (Default Value) ----- --------------------------- ----- --------------------------- 1 Line feed Insertion (0) 31+ Interrupt Character (0) 2 Network Message Display (0) 32 Automatic Hang-up (0) 3 Echo (1) 33+ Flush Output (0) 4 Echo Mask (163) 34 Transmit on Timers (1) 5 Transmit Mask (2) 35 Idle Timer (80) 6* Buffer Size (0) 36 Interval Timer (0) 7* Command Mask (127) 37 Network Usage Display (0) 8* Command Mask (3) 38 Carriage Return PAD (Variable) 9 Carriage Return PAD (Fixed) 39 Padding Options (1) 10 Linefeed Padding 40 Insert on Break (0) 11 Tab Padding 41 PAD-Terminal Flow Control (0) 12 Line Width 42 PAD-Terminal XON Character (17) 13 Page Length (0) 43 PAD-Terminal XOFF Character (19) 14 Line Folding (1) 44* Generate Break (INV) 15 Page Wait (0) 45* APP on Break (0) 16 Interrupt on Break (0) 46 Input Unlock Option (0) 17 Break Code (0) 47 Input Unlock Timer (0) 18 NVT Options (0) 48 Input Unlock Character (0) 19 Initial Keyboard State (0) 49 Output Lock Option (2) 20 Half/Full Duplex 50 Output Lock Timer (10) 21 Real Character Code 51 Output Lock Option (0) 22 Printer Style 53* Break Options (0) 23 Terminal Type 54 Terminal-PAD Flow Control (0) 24 Permanent Terminal (0) 55 Terminal-PAD XON Character (17) 25 Manual or Auto Connect (0) 56 Terminal-PAD XOFF Character (19) 26 Rate 57 Connection Mode (2) 27 Delete Character (127) 58 Escape to Command Mode (1) 28 Cancel Character (24) 59* Flush Output on Break (0) 29 Display Character (18) 60 Delayed Echo 30+ Abort Output Character (0) 63 Eight-bit Transparency (1) 64+ Early ACK (0) 65 More-Data Bit Generation (3) 66 Defer Processing of User (0) 67 ESP Packetizing Option (0) 68 Escape Sequence Timer (0) 69 Escape Sequence Maximum Length (0) 70 Escape Sequence Initiator (0) 71 Parameter Reset on Disconnect (0) Note: - All Telenet Parameters must follow the National Option Marker (Parameter 0, value '21' Hex) in PAD Messages. - Parameters marked with "*" should not be used. - Parameters marked with "+" should be used with caution. Appendix D: International DNIC/PSN List ======================================= Note: This is not a complete list! COUNTRY NETWORK DNIC ------- ------- ---- ALASKA ALASCOM 3135 ANTIGUA ANTIGUA 3443 ARGENTINA ARPAC 7220 ARGENTINA ARPAC 7222 AUSTRIA DATEX-P 2322 AUSTRIA RA 2329 AUSTRALIA AUSPAC 5052 AUSTRALIA MIDAS 5053 BAHAMAS BATELCO 3640 BAHRAIN IDAS 4263 BARBADOS IDAS 3423 BELGIUM DCS 2062 BELGIUM DCS-TELEX 2068 BELGIUM DCS-PSTN 2069 BERMUDA IPSD 3503 BRAZIL INTERDATA 7240 BRAZIL RENPAC 7241 BRAZIL RENPAC 7249 BRAZIL RENPAC 7248 CAMEROON CAMPAC 6242 CANADA DATAPAC 3020 CANADA GLOBEDAT 3025 CANADA CNCP 3028 CANADA TYMNET CANADA 3106 CAYMAN ISLANDS IDAS 3463 CHILE ENTEL 7302 CHILE ENTEL 3104 CHINA PTELCOM 4600 COLUMBIA DAPAQ 3107 COSTA RICA RACSADATOS 7120 COSTA RICA RACSAPAC 7122 COSTA RICA RACSAPAC 7128 COSTA RICA RACSAPAC 7129 COTE D'IVOIRE SYTRANPAC 6122 DENMARK DATAPAK 2382 DEMMARK DATAPAK 2383 DOMINICAN REPUBLIC UDTS 3700 EGYPT ARENTO 6020 FINLAND FINNPAK 2442 FRANCE TRANSPAC 2080 FRANCE N.T.I. 2081 FRANCE TRANSPAC 9330 FRANCE TRANSPAC 9331 FRANCE TRANSPAC 9332 FRANCE TRANSPAC 9333 FRANCE TRANSPAC 9334 FRANCE TRANSPAC 9335 FRANCE TRANSPAC 9336 FRANCE TRANSPAC 9337 FRANCE TRANSPAC 9338 FRANCE TRANSPAC 9339 FRENCH ANTILLES DOMPAC 3400 FRENCH GUYANA DOMPAC 7420 GABON GABONPAC 6282 GERMANY DATEX-P 2624 GREECE HELPAK 2022 GREENLAND DATAPAK 2901 GUAM LSDS-RCA 5350 GUATEMALA GUATEL 7040 HONDURAS HONDUTEL 7080 HONG KONG IDAS 4542 HONG KONG DATAPAK 4545 HUNGARY DATEXL 2160 HUNGARY DATEXL 2161 ICELAND ICEPAC 2740 INDONESIA SKDP 5101 IRELAND IPSS (EIRE) 2721 IRELAND EIREPAC 2724 ISRAEL ISRANET 4251 ITALY DARDO 2222 ITALY ITAPAC 2227 IVORY COAST SYTRANPAC 6122 JAMAICA JAMINTEL 3380 JAPAN DDX-P 4401 JAPAN VENUS-P 4408 JAPAN NISNET 4406 JAPAN NI+CI 4410 KUWAIT 4263 LEBANON SODETEL 4155 LUXEMBOURG LUXPAC 2704 LUXEMBOURG PSTN 2709 MALAYSIA MAYPAC 5021 MAURITIUS MAURIDATA 6170 MEXICO TELEPAC 3340 NETHERLANDS DATANET-1 2040 NETHERLANDS DATANET-1 2041 NETHERLANDS DABAS 2044 NETHERLANDS DATANET 2049 NETHERLANDS/ANTILLES UDTS ITT 3620 NETHERLANDS/MARIANAS PCINET 5351 NEW CALEDONIA TOMPAC NC 5460 NEW ZEALAND PACNET 5301 NORWAY DATAPAK 2422 PANAMA INTELPAQ 7141 PANAMA INTELPAQ 7142 PHILIPPINES CAPWIRE 5151 PHILIPPINES PHILCOM RCA 5152 PHILIPPINES GMCR 5154 PHILIPPINES ETPI-2 5156 POLYNESIA TOMPAC 5470 PORTUGAL TELEPAC 2680 PORTUGAL SABD 2682 PUERTO RICO UDTS- PDIA 3301 PUERTO RICO UDTS- I 3300 QATAR DOHPAC 4271 REUNION ISLAND DOMPAC 6470 SAN MARINO X-NET 2922 SAUDI ARABIA BAHNET 4263 SINGAPORE TELEPAC 5252 SINGAPORE TELEPAC 5258 SOUTH AFRICA SAPONET 6550 SOUTH AFRICA SAPONET 6559 SOUTH KOREA DACOM-NET 4501 SOUTH KOREA DNS 4503 SPAIN TIDA 2141 SPAIN IBERPAK 2145 SWEDEN TELEPAK 2405 SWEDEN DATAPAK 2402 SWITZERLAND TELEPAC 2284 SWITZERLAND DATALINK 2289 TAHITI TOMPAC 5470 TAIWAN UDAS 4877 TAIWAN PACNET 4872 THAILAND IDAR 5200 TORTOLA 3483 TRINIDAD TEXTET 3740 TRINIDAD DATANETT 3745 TUNISIA RED25 6050 TURKEY TURPAC 2862 TURKS BWI 3763 UNITED ARAB EMIRATES EMDAN 4241 UNITED ARAB EMIRATES TELEX 4243 UNITED ARAB EMIRATES TEDAS 4310 UNITED KINGDOM IPSS 2341 UNITED KINGDOM PSS 2342 UNITED KINGDOM MPDS MERCURY 2350 UNITED KINGDOM PSS MERCURY 2352 U.S.S.R. IASNET 2502 UNITED STATES OF AMERICA TELENET 3110 UNITED STATES OF AMERICA TYMNET 3106 U.S. VIRGIN ISLANDS