How to piss off Telus with your ADSL Modem amongst other things.
09/26/01

Sitting here with nothing better to do, I thought I would write up a little article on what information I've gathered on the Telus network in good ol' Edmonton. Also, let it be known that according to a tier 1 (yes, the godlike tier 1 guys) tech support guy, claiming he works for Telus (he answered at 310-inet), Telus does NOT, I repeat DOES NOT, support the x86 arch (guess I'll just have to go back to using my alpha).

Disclaimer: This is for educational purposes only. If you happen to have the police knock on your door at 7 AM to exercise a search warrant to obtain all computer related materials in your residence because of what you did in this article, then that's too fkn bad, cause you're the dumb shit who let someone else tell him what to do.

btw, I've only done this with a 3com home connect modem, but logic dictates that those damned Ciscos should behave the same too.

Now, down to business.

1) Overview

The Telus Network is relatively secure, in so far as it doesn't usually spew packets all over the network like lovely cable modems do. The only thing I've seen actually travel across their DSL network is Half-Life games (lord knows why, I'm too fucked up to figure it out right now). Now, all you little script kiddiots out there who figure they can jack their 1.5mbit DSL line up to a 4mbit down 640 kbit up line with windows registry tweaks or patches are out of their fucking minds. Your bandwidth is set up at your DSLAM at your nearest friendly but nicely guarded Telus CO.

2) How it works

K, when you turn your DSL modem on, you will notice the alert light flash a couple times. That means it's posting (I've since sold my DSL modem and can't remember what color the flashes are). It will pause for a few seconds, then start flashing again for about 30sec+. This is it loading the IOS (Integrated Operating System (or sumphin)). After this, it will attempt to handshake with the DSLAM at the Telus CO.
If your line is not configured for DSL or the line is too noisy, it will turn red, but if fate smiles, it will go green. nuff said.

3) DHCP

DHCP is an absolutely beautiful thing. It stands for Dynamic Host Configuration Protocol. Basically, what happens is your OS (whatever it may be) sends a broadcast message through your ethernet card, which gets routed to Sodium.bctel.net (Primary DHCP Server). The server then checks the MAC (Media Access Control) address of your ethernet card (remember registering your computers with Telus when you first got DSL?). Now, Telus has implemented somewhat of a security feature here: if your MAC addy is not registered with their server, you are assigned an IP address on their LAN (always a 10.*.*.* address), but if you have registered, you will automagically be assigned a fully routable IP address (161.184 if you're old school DSL or 142.59.*.* for all us newbies). Along with your IP address you are given the information for your DNS servers (sodium at it again) and your default gateway. This is all done while your computer is booting (or for us linux people, when dhcpcd kicks in).

Now for you windows people, sometimes you will notice that windows will just seem to hang while it's booting, but it's just waiting for the DHCP server to respond (more often than not it's offline or bogged to hell *shakes head*). But the great thing with DHCP is that it means Telus can change your IP and move you around all it pleases, because you have a dynamic IP. Now if you're going to be running a domain, and want to get a static IP (pretty much a pre req), you're going to have to pay Telus an extra $59/mnth (or so) just to have the same IP all the time. Sounds pretty fucking silly now, doesn't it?

4) Security?

I have a friend on Shaw Cable, in Millwoods (you know who you are), who would give his left nut to be able to smurf (yes, it still works) from his cable modem.
Shaw has gotten somewhat smart, and from what I've seen, they have finally read the paper on smurf and how to fix0r the routers so that you cannot send spoofed ICMP Echo Request packets anymore. This is why Telus is my personal favourite for a broadband ISP (when it's working). Telus doesn't filter sweet fuck all. But be careful, don't let this fool you into thinking that they're stupid, because the Telus internet security guy watching your packets go by and red flagging your account is far from stupid.

Now let's say you happen to smurf someone, and they report the logs from their firewall/sniffer/packet logging device to abuse@telus.net, and they check it out. They will notice that you've been up to something and send you a warning. You will get 3 of these (I got 2 for DDOS'in before I got smart). If you have 3 warnings on your account it will be terminated for a period of 30 days, and I believe they will also still expect you to pay for the service for those 30 days.

5) Having Fun

A while ago someone named The Gonz (or something similar) wrote an article on 'hard encoding your ip'. Honestly I still laugh to this day when I think about that. No twit at Telus is going to send the police after you for taking an IP.

Now my idea works the same way (this is where linux really shines). After you boot your computer, get your default gateway; it will be 142.59.*.1 (I hope =/). Now write this down, it's important, and for DNS servers use 199.185.220.36 and 199.185.220.52 since they're much faster and a lot more reliable.

Ok, so you've done that, now what? Well, now you can set your IP to anything you want (well, almost). My gateway used to be 142.59.212.1 if memory serves me. Now this doesn't mean I could set my IP addy to 142.59.0.0 or 142.59.245.69. In my experience you have 2 full class B subnets above your router's IP for you to use (ex. 142.59.213.5, 142.59.214.67 and 142.59.215.30). Now, if you choose an IP address and your net access doesn't work, period, that means that someone else is currently using that IP address (2 machines on the internet can't share the same one). I find IP addresses ending in .255 and .0 are fun to go on IRC from. When I first started doing this, there were no reverse DNS records set for the IP, so it wouldn't resolve. After using a certain IP for about a couple weeks, Telus would seem to put a reverse name on it (oh well, don't worry, they're not on to you).

But don't think just taking an IP and not using the one they gave you will let you escape being caught. If they were to actually look at the packets you're sending they would find a nice little thing that points them right to you: the MAC address on your ethernet card. There are supposed to be no numbers the same, but it's a lie. Now if you search on freshmeat.net for ethermac (I believe) you will find a beautiful little utility for linux. What it does is modify how packets are sent (you must be r00t), and instead of your real MAC address being there, it's just a random one (put your next door neighbour's MAC address in there for extra fun).

6) Ok, when are we going to have fun?

With my somewhat limited knowledge of exactly how the Telus network is set up and what my packets look like on their end, as near as I can figure, unless they go through a fuckload of trouble while you're sending your packets, it is hard to trace you by just looking at the dumped TCP/IP packets their loggers would pick up.

Now, what can you do now? Well, as far as I know, Telus has only 1 DHCP server for Alberta, and maybe BC too, and all the hapless lusers depend on that DHCP server (after windows reboots, or your lease expires, you will always have to get a new IP address). Now, let's say, what would happen if that DHCP server wasn't there? If it mysteriously got knocked offline by a DDOS (namely a smurf attack), because remember, they also do not filter your packets.

Now, besides making the Telus networking techs scream like little babies, there are other things you could be doing. Mass scanning, trying to exploit a box, etc. Now as long as you don't stay on the same IP too long, and switch your MAC address sometimes, and don't do REALLY stupid shit, Telus shouldn't notice, or catch you. If they do, well, who knows what will happen.

7) Other fun things to do (Under linux of course, silly)

Depending on how you set your broadcast address, and how your particular router is set up, it is possible to put your ethernet card into promiscuous mode and see what's going on (ifconfig eth0 promisc). Now, as far as sniffers go, tcpdump is a nice one. It is an easy way to find out what's going on in your network, how many subscribers there are, and who is using their DSL at the moment. There are other sniffing suites you can find kicking around on various sites, I think there might be some on freshmeat.net, that will automagically sniff passwords and whatnot for you, and conveniently dump them into a text file for you to sort through after a few hours of sniffing.

I found in the ending days of my DSL line, a porn site started up, and we shared the same router. Now I got real lucky, since this poor SOB had never discovered SSH, and loved to share his plain text passwords with me (sniffers are beautiful, aren't they). Anyway, sometime if you're lucky, you might catch a Telus tech logging into your router to make changes, and then you've got a new and very fast toy to play with.

Another thing to piss off the poor people at tech support is to alias your ethernet card so that it occupies every single IP that your router services (during evening rush of course =D, remember only 1 computer can use an IP address at the same time, or else they fight!). You can do other things, like run a shitload of eggies off your box, all on diff IPs.
I'm sure you'll find something fun to do, just don't make their lives too difficult.

Anyways, I met The Clone at a party for last night, and we played crazy 8's for like 5 hours straight, and after we talked for a fkn long time, he told me I should write an article. This is the first time I've ever written one, so if you don't like it, too bad.

Keep safe boys and girls, and life is nothing but 1's and 0's.

sheppard
shep@tr4nce.com
www.amishrakefight.org/gfy
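
Seen from the operator's side, sections 4 and 5 both depend on the access network never comparing a subscriber's traffic with the lease the DHCP server handed out. The following is an added example, not part of the original article: a small Python model of a lease-binding check of the kind DHCP snooping with IP source guard performs, run over constructed records (the port names, MACs and frames are made up for illustration).

```python
import ipaddress
from collections import namedtuple

Lease = namedtuple("Lease", "port mac ip")      # what the DHCP server handed out
Frame = namedtuple("Frame", "port mac src_ip")  # what the access port observed

# Constructed sample data (ports and MACs are made up for illustration).
LEASES = [
    Lease("dsl-0/1", "02:00:00:00:00:01", "142.59.212.17"),
    Lease("dsl-0/2", "02:00:00:00:00:02", "142.59.212.40"),
]
FRAMES = [
    Frame("dsl-0/1", "02:00:00:00:00:01", "142.59.212.17"),   # matches its lease
    Frame("dsl-0/2", "02:00:00:00:00:02", "142.59.213.5"),    # self-assigned IP
    Frame("dsl-0/2", "02:00:00:00:00:99", "142.59.212.40"),   # changed MAC
    Frame("dsl-0/1", "02:00:00:00:00:01", "198.51.100.9"),    # spoofed source
    Frame("dsl-0/3", "02:00:00:00:00:03", "142.59.214.255"),  # port with no lease
]

def build_bindings(leases):
    """Binding table as DHCP snooping builds it: port -> {(mac, ip), ...}."""
    table = {}
    for lease in leases:
        pair = (lease.mac.lower(), ipaddress.ip_address(lease.ip))
        table.setdefault(lease.port, set()).add(pair)
    return table

def check_frame(bindings, frame):
    """Return None if the frame matches a lease on its port, else the reason."""
    pairs = bindings.get(frame.port, set())
    mac, src = frame.mac.lower(), ipaddress.ip_address(frame.src_ip)
    if (mac, src) in pairs:
        return None
    if not pairs:
        return "no-lease-on-port"
    if any(m == mac for m, _ in pairs):
        return "ip-not-leased-to-mac"
    if any(i == src for _, i in pairs):
        return "mac-not-bound-to-ip"
    return "unknown-mac-and-ip"

def audit(leases, frames):
    """Return (frame, reason) for every frame a source guard would drop."""
    bindings = build_bindings(leases)
    verdicts = ((f, check_frame(bindings, f)) for f in frames)
    return [(f, reason) for f, reason in verdicts if reason is not None]

if __name__ == "__main__":
    for frame, reason in audit(LEASES, FRAMES):
        print(f"DROP {frame.port} {frame.mac} {frame.src_ip}: {reason}")
```

Because the binding is keyed on the physical access port rather than on the MAC or IP a host claims, changing either value still fails the check.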