Penetration Testing mailing list archives

Re: [PEN-TEST] X25, all but forgotten?


From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Tue, 29 Aug 2000 11:54:15 -0700

On Tue, 29 Aug 2000, Masse, Robert wrote:

audience would consider this 'groundbreaking news'. Many companies still
have 'forgotten' X25 links lying around through older
VAX/Unix/Primos/Gandalf/Develnet systems that are
accidents waiting to happen.


Agreed, there are hundreds of these devices which you see hanging off X.25
networks, PACX, DMS and sundry other Ericsson, Nortel, Bell devices
which are X.25 capable. It's worth noting that almost all of the Nortel
hardware out there is both TCP/IP and X.25 capable, so obviously the
market is there or at least people are still using X.25 for business.

A lot of those companies are large ones at
that with million dollar security budgets that are spent on firewalls and
the like...


Agreed, eventually you end up with the 'steel door on a grass hut'
syndrome, where they have layered firewalls, ACL control and IDSs
bulwarked up front and close to nothing on their dial-ups and X.25
connections.


As for a X25 scanner, I had written one 10 years ago in C that would scan
DATAPAC (Canadian X25 network that was/(still is?) run by Nortel).

Datapac is actually run by Stentor I believe. http://www.stentor.ca


I can't
seem to locate it but if I find it I will send you a copy.  It had a NUA
finder and a NUI brute forcer.


The problem with vanilla X.25 scanners like NUI brute forcers and NUA
grinders is that they often miss the nuances particular to each PSN. For
example, Datapac has 8-digit NUAs, ergo you can write a NUA grinder which
starts at a given point and grinds up incrementally to find NUAs which
don't live in CUGs (Closed User Groups) and will accept collect calls. You
do this and voila, you have a somewhat dependable NUA scanner. However,
this is where the nuances come in, and every PSN has them.

First, with Datapac, if you scan incrementally you will flag their security
folks and find yourself monitored ASAP. Also, along with the 8-digit NUAs,
Datapac uses LCNs (Logical Channel Numbers), which are numeric extensions
after the NUA separated by a comma. For example:

92100086,123 (This is the Datapac Information System or DIS if I remember
correctly)

I have never seen the LCN be greater than three numbers but I am not sure
this is a hard and fast rule.

Further, Datapac uses mnemonics. For example:

92100086,B (This is the DIS in French)

The mnemonics can be variable length and you'll often see things like
NUA,PAD or NUA,UNIX, NUA,PACX etc.

Add to this that NUIs are often difficult to guess as many networks no
longer use straight alpha NUIs. I'm afraid the days of Tymnet
livewire/haystack ad nauseam are done. Many now use alphanumeric mixes,
although not all. You always have the option of buying an NUI, which at
least for Datapac is something like $75 CDN. If you really need to audit
without obtaining your client's NUAs beforehand and they do not accept
collect connections, this may be your best (and only legal) choice.



Alfred Huger
VP of Engineering
SecurityFocus.com
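As an added example, not part of the original thread, here is a small parser for the Datapac address forms described in the message above (8-digit NUA, optional ",LCN" or ",mnemonic"), the kind of thing you want when inventorying or reviewing call records for the "forgotten" X.25 attachments the thread talks about. The sample addresses are constructed; the 3-digit LCN limit is only flagged, since the post presents it as an observation rather than a rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample addresses in the Datapac form described in the post:
# an 8-digit NUA, optionally followed by a comma and either a numeric LCN
# (Logical Channel Number) or an alphabetic mnemonic (B, PAD, UNIX, PACX ...).
SAMPLE_ADDRESSES = [
    "92100086",        # bare NUA
    "92100086,123",    # NUA with numeric LCN
    "92100086,B",      # NUA with one-letter mnemonic
    "92100086,PAD",    # NUA with multi-letter mnemonic
    "9210008",         # too short: malformed
    "92100086,1234",   # LCN longer than the 3 digits the post has seen
    "92100086,PA D",   # junk suffix: malformed
]

@dataclass
class DatapacAddress:
    nua: str
    suffix_kind: Optional[str]   # None, "lcn" or "mnemonic"
    suffix: Optional[str]
    warning: Optional[str]       # set for parseable but unusual input

_ADDR_RE = re.compile(r"^(\d{8})(?:,([0-9A-Za-z]+))?$")

def parse_datapac_address(addr: str) -> Optional[DatapacAddress]:
    """Parse 'NUA', 'NUA,LCN' or 'NUA,MNEMONIC'; return None if malformed."""
    m = _ADDR_RE.match(addr.strip())
    if not m:
        return None
    nua, suffix = m.group(1), m.group(2)
    if suffix is None:
        return DatapacAddress(nua, None, None, None)
    if suffix.isdigit():
        # The post has never seen an LCN over three digits but does not call
        # that a hard rule, so longer values are flagged rather than rejected.
        warn = "LCN longer than 3 digits" if len(suffix) > 3 else None
        return DatapacAddress(nua, "lcn", suffix, warn)
    if suffix.isalpha():
        return DatapacAddress(nua, "mnemonic", suffix.upper(), None)
    return None  # mixed alphanumeric suffix is neither an LCN nor a mnemonic

def classify_addresses(addrs: Iterable[str]) -> Dict[str, Optional[DatapacAddress]]:
    """Map each raw address string to its parse result (None = malformed)."""
    return {a: parse_datapac_address(a) for a in addrs}

if __name__ == "__main__":
    for raw, parsed in classify_addresses(SAMPLE_ADDRESSES).items():
        print(f"{raw!r:18} -> {parsed}")
```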