299 lines
14 KiB
Plaintext
299 lines
14 KiB
Plaintext
|
|
|||
|
|
|||
|
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
|
|||
|
$$ $$
|
|||
|
$$ A Guide to DataPAC $$
|
|||
|
$$ $$
|
|||
|
$$ A Technical Information File for the Canadian Hacker $$
|
|||
|
$$ $$
|
|||
|
$$ (C) 1989,1990 The Fixer - A Free Press Publication $$
|
|||
|
$$ $$
|
|||
|
$$ Edition 1.1 - April 18, 1990 $$
|
|||
|
$$ $$
|
|||
|
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
|
|||
|
|
|||
|
Foreword
|
|||
|
--------
|
|||
|
|
|||
|
Welcome to the exciting world of Packet Switched Data Communications. Your
|
|||
|
position as an outside hacker makes Telecom Canada's Packet Switched
|
|||
|
Network -- DATAPAC -- an even more magical place for you and all those close
|
|||
|
to you. Isn't life grand...
|
|||
|
|
|||
|
What is DataPac?
|
|||
|
----------------
|
|||
|
|
|||
|
|
|||
|
DataPac is the Packet Switched Network of Telecom Canada, a consortium of
|
|||
|
major telephone companies across Canada. Originally brought into being in the
|
|||
|
late 1970's, Datapac's main purpose is to provide effective, reliable, high-
|
|||
|
speed data transfer to the business computing community nationwide. Several
|
|||
|
different levels of service are available on Datapac, from public-access PACX
|
|||
|
access that resembles a digital telephone system, to dedicated high-speed
|
|||
|
point-to-point leased lines. Since most hackers aren't likely to have a
|
|||
|
leased line in their homes, this file will be mainly concerned with Datapac's
|
|||
|
Public Network.
|
|||
|
|
|||
|
Logging on:
|
|||
|
-----------
|
|||
|
|
|||
|
Firstly, find the phone number of the DataPac public dial port in your locale.
|
|||
|
DataPac has provided dial ports in almost every town with a population higher
|
|||
|
than the average IQ, and has WATS access ports for the rest of Canada. You
|
|||
|
will find the phone number for the appropriate modem speed in the white pages
|
|||
|
under DATAPAC PUBLIC DIAL PORT 3101 (at least that is where it is in BC Tel's
|
|||
|
phonebooks.) The WATS numbers are available in Telecom Canada's annual 800
|
|||
|
service directory, or to this 800 scanner, The Bible. Tommy's Canadian WATS
|
|||
|
phonebook also carries a set of WATS DataPac dial ports.
|
|||
|
|
|||
|
Once you have connected, raise DataPac's attention by typing a period (.)
|
|||
|
followed by a carriage return.
|
|||
|
|
|||
|
You should now have a prompt resembling this:
|
|||
|
|
|||
|
DATAPAC: 6470 0138
|
|||
|
|
|||
|
You have entered a whole new world.
|
|||
|
|
|||
|
|
|||
|
Basic addressing:
|
|||
|
-----------------
|
|||
|
|
|||
|
To the remote user (YOU), DataPac works pretty much like a normal phone system
|
|||
|
would, except that communications are data, not voice, and to connect to a
|
|||
|
system, you type an ADDRESS rather than a phone number.
|
|||
|
|
|||
|
Perhaps the first system a hacker new to DataPac should connect to is
|
|||
|
DataPac's own information service. Its address is 92100086. This service
|
|||
|
provides documentation and information relative to DataPac, and is invaluable
|
|||
|
to all DataPac users. This file will (attempt to) avoid duplicating the DIS
|
|||
|
and simply explain the basics of hacking it.
|
|||
|
|
|||
|
As you see, 92100086 is eight digits (nice base-2 number...). On DataPac,
|
|||
|
addresses are commonly shown in two parts, i.e. 9210 0086. This clarifies the
|
|||
|
TRUE MEANING of the address and shows its similarity to a phone number: the
|
|||
|
first four digits are the "prefix" and the last four are the "suffix." The
|
|||
|
prefix is unique to a given location in Canada, for example all DataPac
|
|||
|
addresses staring with 6470 are located in Victoria, British Columbia. A
|
|||
|
given location may have one or several prefices, depending on the "population
|
|||
|
density" of subscribing systems in each area. So, as you might imagine,
|
|||
|
Ottawa is far from being our largest city but has the second highest .udber of
|
|||
|
subscribing systems, thanks to our Beloved leadership (the Loony Mulroney).
|
|||
|
Toronto, Montreal, Vancouver, Edmonton and Ottawa all have several DataPac
|
|||
|
prefices. This will become important to you later in this file.
|
|||
|
|
|||
|
The last four digits, the suffix, is as arbitrary as a phone number suffix
|
|||
|
would be. Although the range is 0000 to 9999, it is very rare to find a
|
|||
|
DataPac subscriber system with a suffix higher than 2000. This too will be
|
|||
|
explained later.
|
|||
|
|
|||
|
|
|||
|
DataPac Outdial and the NUI
|
|||
|
---------------------------
|
|||
|
|
|||
|
DataPac offers users of the public switched network NUIs, or Network User
|
|||
|
Identifications. These are identification codes for a monthly charge that
|
|||
|
entitle the DataPac user to greater access to the system. DataPac charges by
|
|||
|
the month, by the minute, and by the KiloPacket (256,000 bytes) for access.
|
|||
|
If you have a NUI, these charges are billed to you (or the owner of the NUI,
|
|||
|
heh heh heh). If you don't, all your connections on DataPac are treated as
|
|||
|
"collect", or billed to the system you connect to. Obviously, a great number
|
|||
|
of systems will not accept your collect "call" and you will find this a common
|
|||
|
message from DataPac as your exploits on the system wear on. Needless to say,
|
|||
|
this makes NUIs a cherished asset among DataPac hackers.
|
|||
|
|
|||
|
DataPac offers a service to NUI subscribers called DataPac Outdial. DataPac
|
|||
|
currently has dial-out modems in 18 major centres (NOT VICTORIA! ARGH!
|
|||
|
WICKEY-WAH!) through which calls within the local area of these modems can be
|
|||
|
placed at 300 or 1200 baud. Needless to say, you M U S T have a NUI to use
|
|||
|
DataPac Outdial, or be calling from a system with a dedicated line into
|
|||
|
DataPac (some systems on DataPac let you "shell" back into the network; these
|
|||
|
are real gems because you get NUI privileges). The restrictions are that
|
|||
|
bauds can only be 300 or 1200, and many off-network systems will cause DataPac
|
|||
|
to drop the connection and give a "Remote Procedure Error." Caveat Emptor.
|
|||
|
|
|||
|
Scanning DataPac
|
|||
|
----------------
|
|||
|
|
|||
|
This is what you are reading this file for...
|
|||
|
To scan DataPac, you pick a target city and prefix to scan. Say Toronto,
|
|||
|
3910 XXXX. For now, XXXX represents the suffix. So, you want to start with
|
|||
|
zero. The proper syntax would be 3910 0000 (or just 39100000). ALWAYS PAD
|
|||
|
THE SUFFIX WITH ZEROES. The address must be eight digits long. Type this
|
|||
|
address in. If you connect, you will be informed so. If not, try the next
|
|||
|
one: 39100001 and then the next...
|
|||
|
39100002
|
|||
|
39100003
|
|||
|
39100004
|
|||
|
39100005
|
|||
|
39100006
|
|||
|
39100007
|
|||
|
and so on.
|
|||
|
|
|||
|
You are likely to get several messages during the course of scanning DataPac,
|
|||
|
including Call Connected (the one you really want), Destination Busy (try
|
|||
|
later), Address Not In Service (no system there), Access Barred (either you
|
|||
|
need an NUI or it is originate only), Collect Call Refused (You need an NUI).
|
|||
|
|
|||
|
If you really screw up, you might get one of these:
|
|||
|
|
|||
|
Invalid Address: You typed less than 8 digits.
|
|||
|
|
|||
|
Comma required before Data Characters: Usually seen when the hacker makes a
|
|||
|
"typo". DataPac allows you to pass parameters to the host system by following
|
|||
|
the address with a comma and one or more data characters. This is
|
|||
|
infrequently used so nothing more will be said.
|
|||
|
|
|||
|
Now, DataPac has some anti-scanning mechanisms in place, which can be defeated
|
|||
|
readily. If you get more than 9 error messages in a row, DataPac will hang up
|
|||
|
on you. Also if you are connected to DataPac for a certain period of time (it
|
|||
|
almost seems random but it averages about a minute) without successfully
|
|||
|
connecting to a system, you will also be dumped. So robotically scanning one
|
|||
|
number after the next will result in many re-dials, as DataPac is not densely
|
|||
|
populated enough to guarantee a connection for every nine or fewer scan
|
|||
|
attempts, even if you are using an NUI. So, what you need to do is insure
|
|||
|
that you DO successfully connect often enough to avoid having to redial often.
|
|||
|
You are much more visible to the phone comapny when you scan than you are to
|
|||
|
DataPac, so minimising your redial "profile" is to your benefit. You can
|
|||
|
assure minimal redial if you connect, say, every 5 dial attempts, to a KNOWN-
|
|||
|
GOOD address, anHkhgB@Dsconnect from it. Disconnecting is not difficult,
|
|||
|
just type CTRL-P followed by the letters CLR or CLEAR. The ^P CLR string will
|
|||
|
result in the message: Call Cleared - Local Directive, and more importantly,
|
|||
|
will reset that hack-counter and hack-timer so you can continue scanning
|
|||
|
without actually phoning DataPac multiple times.
|
|||
|
|
|||
|
In the course of testing my own scanner programs, I have come across a few
|
|||
|
addresses which I connect to normally, then immediately clear the connection,
|
|||
|
giving the messages:
|
|||
|
|
|||
|
DATAPAC: Call connected to 5550 0039
|
|||
|
(001) remote charging,n,128
|
|||
|
|
|||
|
DATAPAC: Call Cleared - Remote Request
|
|||
|
|
|||
|
This is a good number if you use an automatic scanner because you just call
|
|||
|
that address say every 8 calls and continue scanning. At this writing,
|
|||
|
55500039 is no longer a "working" address, so you'll have to find one on your
|
|||
|
own.
|
|||
|
|
|||
|
To save time, you will probably want to end your scan of a given prefix at
|
|||
|
XXXX2000. It has been my own experience that little or nothing lies ABOVE
|
|||
|
2000.
|
|||
|
|
|||
|
Once You Connect
|
|||
|
----------------
|
|||
|
|
|||
|
After you have performed a scan of a DataPac and you have a list of addresses,
|
|||
|
you're halfway finished. Now yo want to manually dial each of these systems
|
|||
|
to find out what they hold. Many will just freeze, some will have computers
|
|||
|
such as VAXes and System/370s running a wide variety of operating systems.
|
|||
|
Truly DataPac is an Eden for hackers.
|
|||
|
|
|||
|
Some systems will have PACXs of their own; these always have more than one
|
|||
|
computer connected and many have dialout ports. DIALOUT ports, although
|
|||
|
usually password protected, are the elusive Fata Morgana of the DataPac
|
|||
|
scanner. Private dialouts are usually free of the kludges and restrictions of
|
|||
|
DataPac's dialout and can call anywhere in the world. No wonder most of them
|
|||
|
have passwords. If you find an unprotected private dialout, or the password
|
|||
|
and address of a protected one, you Sir have hit the proverbial jackpot.
|
|||
|
The Gandalf PACX has DIALOUT as a DEFAULT, and few PACXs have removed it, but
|
|||
|
almost all have protected it.
|
|||
|
|
|||
|
Now I am about to tell you something that may seem to contradict my earlier
|
|||
|
writing: A datapac address with a system on it MAY have sub-addresses. The
|
|||
|
syntax is thus:
|
|||
|
|
|||
|
3910 0156 XX
|
|||
|
or
|
|||
|
3910 0156 X
|
|||
|
|
|||
|
You can place a ninth or even tenth digit on a known-valid address and you
|
|||
|
will usually connect with something that is often quite different from the
|
|||
|
prime address. This is for systems without PACXs that want to have several
|
|||
|
machines on DataPac at the same address. So much for only eight digits...
|
|||
|
|
|||
|
One final thing to try on a PACX is PAD or PAC. Many PACX's allow you to re-
|
|||
|
enter DataPac through the host system. In most cases this gives you all the
|
|||
|
privileges of an NUI because DataPac has someone to bill now. Your
|
|||
|
connections are no longer "collect" and the REAL fun, including DataPac
|
|||
|
Outdial, begins.
|
|||
|
|
|||
|
Other Networks
|
|||
|
--------------
|
|||
|
|
|||
|
Yes, there is life beyond DataPac. There are many Packet Switched Networks in
|
|||
|
existence around the globe, most of which can communicate with most of the
|
|||
|
rest. In the United States, two major ones are Tymnet and Telenet (damned
|
|||
|
foreigners...).
|
|||
|
|
|||
|
Now, you will find that even FEWER addresses from other networks will be
|
|||
|
available to Canadian hackers due to the fact that inter-network collect
|
|||
|
charges can be astronomical. But since the US has a higher density in its
|
|||
|
networks than Canada, you will also find your scans of other networks can
|
|||
|
easily be as rich or better than DataPac scans.
|
|||
|
|
|||
|
The syntax for connecting to an address on a foreign network via DataPac is
|
|||
|
thus:
|
|||
|
|
|||
|
1 XXXX YYYYYYYY
|
|||
|
|
|||
|
1 indicates an "OtherNet" call. XXXX is the DNIC, Data Network ID Code.
|
|||
|
There is a text file on Tommy's Holiday Camp and other hacking BBSes listing
|
|||
|
the names and DNICs of the major networks worldwide; the number of them may
|
|||
|
surprise you. YYYYYYYY can vary in length; different networks have different
|
|||
|
addressing syntaxes. Telenet, like DataPac, uses an eight-digit address with
|
|||
|
possible extensions and data characters. Tymnet uses a six digit address,
|
|||
|
also allowing extensions. Finding the syntaxes for other networks may require
|
|||
|
a little ingenuity on your part; but you're a hacker, AREN'T YOU.
|
|||
|
|
|||
|
Here is an example of a call into Telenet:
|
|||
|
|
|||
|
1 3110 31200061
|
|||
|
|
|||
|
1 was the Othernet indicator; it is the only circumstance in which a DataPac
|
|||
|
address may be LESS than eight digits (try 13106; you WILL connect).
|
|||
|
|
|||
|
3110 was the DNIC for Telenet.
|
|||
|
|
|||
|
31200061 was the Telenet address. It works like DataPac, except that the
|
|||
|
Prefix is based on the area code in which the remote system resides. Very,
|
|||
|
VERY helpful to scanners, and this makes Telenet a joy to scan.
|
|||
|
|
|||
|
When scanning a foreign network (and foreign can mean Canadian too; CNCP has a
|
|||
|
network with its own DNIC separate from DataPac) you will often get the
|
|||
|
following message:
|
|||
|
|
|||
|
DATAPAC: Call cleared - temporary network problem
|
|||
|
|
|||
|
This is usually an error message generated by the foreign network that DataPac
|
|||
|
doesn't support. With 200 networks all claiming to be "THE Data
|
|||
|
Communications Authority", it's not surprising that their messages are not
|
|||
|
always compatible.
|
|||
|
|
|||
|
DataPac's DNIC is 3020. Tymnets's is 3106. Telenet's is 3110.
|
|||
|
|
|||
|
Legal Implications of DataPac
|
|||
|
-----------------------------
|
|||
|
|
|||
|
At this point, it is not at all illegal merely to be ON DataPac. It is
|
|||
|
uncertain at this time whether SCANNING DataPac is a crime, or if the
|
|||
|
network's keepers know what is going on. It is DEFINITELY an offence to try
|
|||
|
to hack a password on a system on DataPac just as on any other computer, but
|
|||
|
the question remains as to whether or not DataPac knows where you are. Thus
|
|||
|
far no DataPac-related busts have been reported but there have been some major
|
|||
|
crackdowns on American networks. The same advice can be given to DataPac
|
|||
|
hacking as to regular telephone hacking: (1) Scan randomly. (2) Scan with
|
|||
|
friends; this confounds investigations. (3) Hack passes at your own risk.
|
|||
|
(4) Remember the first law of bragging: Your friends turn you in
|
|||
|
|
|||
|
Conclusion
|
|||
|
----------
|
|||
|
|
|||
|
What you get out of this file will depend entirely on what you do with it. As
|
|||
|
with all forms of hacking, a great deal of effort is required on your part to
|
|||
|
have a truly satisfying hacking experience, and you must be prepared to take
|
|||
|
certain risks, even to the jeopardy of your freedom. If you have more than a
|
|||
|
rodent-level understanding of telecomputing you should now be able to hack any
|
|||
|
network in the world through DataPac, and with the right amount of initiative
|
|||
|
and ingenuity, the world is yours.....
|
|||
|
|