Penetration Testing mailing list archives
Re: [PEN-TEST] X25, all but forgotten?
From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Tue, 29 Aug 2000 11:54:15 -0700
On Tue, 29 Aug 2000, Masse, Robert wrote:
> audience would consider this 'groundbreaking news'. Many companies still have 'forgotten' X25 links lying around through older VAX/Unix/Primos/Gandalf/Develnet systems that are accidents waiting to happen.
Agreed, there are hundreds of these devices which you see hanging off X.25 networks, PACX, DMS and sundry other Ericsson, Nortel and Bell devices which are X.25 capable. It's worth noting that almost all of the Nortel hardware out there is both TCP/IP and X.25 capable, so obviously the market is there, or at least people are still using X.25 for business.
> A lot of those companies are large ones at that with million dollar security budgets that are spent on firewalls and the like...
Agreed, eventually you end up with the 'steel door on a grass hut' syndrome, where they have layered firewalls, ACL control and IDSs bulwarked up front and close to nothing on their dial-ups and X.25 connections.
> As for a X25 scanner, I had written one 10 years ago in C that would scan DATAPAC (Canadian X25 network that was/(still is?) run by Nortel).
Datapac is actually run by Stentor I believe. http://www.stentor.ca
> I can't seem to locate it but if I find it I will send you a copy. It had a NUA finder and a NUI brute forcer.
The problem with vanilla X.25 scanners like NUI brute forcers and NUA grinders is that they often miss the nuances particular to each PSN. For example, Datapac has 8-digit NUAs, ergo you can write a NUA grinder which starts at a given point and grinds up incrementally to find NUAs which don't live in CUGs (Closed User Groups) and will accept collect calls. You do this and voila, you have a somewhat dependable NUA scanner.

However, this is where the nuances come in, and every PSN has them. First, with Datapac, if you scan incrementally you will flag their security folks and find yourself monitored asap. Also, along with the 8-digit NUAs, Datapac uses LCNs (Logical Channel Numbers), which are numeric extensions after the NUA separated by a comma. For example: 92100086,123 (this is the Datapac Information System or DIS, if I remember correctly). I have never seen the LCN be greater than three numbers, but I am not sure this is a hard and fast rule. Further, Datapac uses mnemonics. For example: 92100086,B (this is the DIS in French). The mnemonics can be variable length and you'll often see things like NUA,PAD or NUA,UNIX, NUA,PACX etc.

Add to this that NUIs are often difficult to guess, as many networks no longer use straight alpha NUIs. I'm afraid the days of Tymnet livewire/haystack ad nauseam are done. Many now use alphanumeric mixes, although not all. You always have the option of buying an NUI, which at least for Datapac is something like $75 CDN. If you really need to audit without obtaining your client's NUAs beforehand and they do not accept collect connections, this may be your best (and only legal) choice.

Alfred Huger
VP of Engineering
SecurityFocus.com
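The Datapac address forms Alfred describes (an 8-digit NUA, optionally followed by a comma and either a numeric LCN or an alphabetic mnemonic such as B, PAD or UNIX) are easy to get wrong in a hand-rolled target list. The following parser is an added example written for this archive page, not code from the original thread or from any scanner mentioned in it. It takes the 8-digit NUA length, the comma separator and the two example DIS addresses from the post; the exact character class allowed in a mnemonic, the sample target list and the helper names are assumptions.

```python
"""
Parser for Datapac-style X.25 call addresses: NUA[,LCN] or NUA[,mnemonic].
Example (added for this page): 92100086,123 and 92100086,B from the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

NUA_DIGITS = 8        # Datapac NUAs are 8 digits, as the post states
OBSERVED_MAX_LCN = 3  # longest LCN the post reports seeing; explicitly not a hard rule


@dataclass(frozen=True)
class X25Address:
    """A call address: the NUA plus at most one of an LCN or a mnemonic."""
    nua: str
    lcn: Optional[str] = None        # numeric extension, kept as text so leading zeros survive
    mnemonic: Optional[str] = None   # alphabetic extension such as B, PAD, UNIX, PACX

    def __str__(self) -> str:
        ext = self.lcn if self.lcn is not None else self.mnemonic
        return self.nua if ext is None else f"{self.nua},{ext}"

    def unusual_lcn(self) -> bool:
        """True when the LCN is longer than anything the post reports seeing."""
        return self.lcn is not None and len(self.lcn) > OBSERVED_MAX_LCN


# NUA, then optionally a comma and an extension: all digits for an LCN, or a
# letter followed by letters/digits for a mnemonic.  The mnemonic character
# class is an assumption; the post only gives examples like B, PAD, UNIX, PACX.
_ADDR_RE = re.compile(r"^(?P<nua>\d+)(?:,(?P<ext>\d+|[A-Za-z][A-Za-z0-9]*))?$")


def parse_address(text: str) -> X25Address:
    """Parse one address string, rejecting anything that does not fit the form."""
    m = _ADDR_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed X.25 address: {text!r}")
    nua, ext = m.group("nua"), m.group("ext")
    if len(nua) != NUA_DIGITS:
        raise ValueError(f"NUA {nua!r} is {len(nua)} digits, expected {NUA_DIGITS}")
    if ext is None:
        return X25Address(nua)
    if ext.isdigit():
        return X25Address(nua, lcn=ext)
    return X25Address(nua, mnemonic=ext)


def parse_target_list(lines: List[str]) -> Tuple[List[X25Address], List[str]]:
    """Parse a client-supplied address list.

    Returns (accepted, rejected): malformed entries are reported rather than
    silently dropped, and exact duplicates are collapsed so nothing is dialled twice.
    """
    accepted: List[X25Address] = []
    rejected: List[str] = []
    seen = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # allow trailing '#' comments
        if not line:
            continue
        try:
            addr = parse_address(line)
        except ValueError:
            rejected.append(line)
            continue
        key = str(addr)
        if key not in seen:
            seen.add(key)
            accepted.append(addr)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample target list; only the two DIS addresses come from the post.
    sample = [
        "92100086,123   # Datapac Information System (DIS)",
        "92100086,B     # DIS, French",
        "92100086,PAD",
        "92100086",
        "92100086,123   # duplicate, collapsed",
        "9210008,1      # NUA too short, rejected",
        "92100086,1234  # LCN longer than the post reports seeing",
    ]
    ok, bad = parse_target_list(sample)
    for a in ok:
        print(str(a), "(LCN longer than observed)" if a.unusual_lcn() else "")
    print("rejected:", bad)
```

Keeping the LCN as text rather than an integer matters: an address is a dial string, and a numeric suffix with leading zeros would change if it were round-tripped through `int()`. The `unusual_lcn` check is deliberately a warning rather than a rejection, because the post is explicit that the three-digit limit is an observation, not a rule.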
Current thread:
- [PEN-TEST] X25, all but forgotten? Alfred Huger (Aug 29)
- Re: [PEN-TEST] X25, all but forgotten? edison (Aug 29)
- Re: [PEN-TEST] X25, all but forgotten? Vanja Hrustic (Aug 29)
- <Possible follow-ups>
- Re: [PEN-TEST] X25, all but forgotten? Masse, Robert (Aug 29)
- Re: [PEN-TEST] X25, all but forgotten? Alfred Huger (Aug 29)
- Re: [PEN-TEST] X25, all but forgotten? Frasnelli, Dan (Aug 29)
- Re: [PEN-TEST] X25, all but forgotten? Emmanuel Gadaix (Aug 30)
- Re: [PEN-TEST] X25, all but forgotten? Peter Van Epp (Aug 30)
- Re: [PEN-TEST] X25, all but forgotten? Alfred Huger (Aug 29)