F O R C E F I L E S Volume #1 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= From The Depths Of - THE REALM -, By: ----====} THE FORCE {====---- 12/03/87 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= FOREWARD -------- Welcome To the FORCE FILES From the Depths of The Realm. What is THE REALM you may ask? Well, just one of the boards I have sysoped, this one was (OR IS, WHO KNOWS) an International BBS with an interesting collection of people. Anyway, I am about to retire for a while from the world of hacking and the following is a basic summary of well over five years of work. (Well, perhaps I won't retire, just evolve into the next stage hehehe). I hope this will make it easier for the people to come and I hope they will add their acquired knowldge. First of all I would like to thank: THUNDERBIRD 1 THE WIZARD THE TRADER And all those who from the begining battled the security of the first analogue computers and passed on their knowldge. The files are broken up into several volumes, covering the following: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= M E N U =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Force File #1 - PUBLIC DATA NETWORKS - AUSTPAC 5052 - MIDAS 5053 - SOME TECHNICAL JUNK ON NETWORKS - AUSTPAC TUTORIAL BY SYSTEM CRUNCHER - NUA STRUCTURES - INTERNATIONAL DNICS Force File #2 - US AREA CODES - TYMNET NUA SPRINTS - TELENET NUA SPRINTS Force File #3 - TELENET NUA SPRINTS CONTINUED - DATAPAC NUA SPRINTS Force File #4 - ITT/UDTS NUA SPRINTS - DIALNET NUA SPRINT - PSS NUA SPRINTS - DATEX-P NUA SPRINTS - TELEPAK NUA SPRINT - TRANSPAK NUA SPRINT - AUSTPAC NUAS - LOCATING PTSN NUMBERS - OBTAINING PASSWORDS / INFOLTRATING SYSTEMS - DEFAULT PASSWORDS - VAX SYSTEMS Force File #5 - UNIX SYSTEMS - PRIMENET, DIALCOM - PRIMOS - PRIMOS DEFAULTS - PRIMOS SUBDIRECTORIES - PRIMOS NUA SPRINTER - PRIMOS PHANTOM - PRIMOS TROJANS Force File #6 - DIALCOM PRIMOS COMMANDS Force File #7 - DIALCOM PRIMOS COMMANDS CONTINUED - PRIMENET PRIMOS COMMANDS Force File #8 - PRIMENET PRIMOS COMMANDS CONTINUED - SELECTED PRIMOS COMMANDS - PRIMOS OPERATOR'S TRICKS - LATEST HACKER'S WEAPON - OUTDIAL SYSTEMS - CANADIAN DATAPAC OUTDIALS - SYSTEM IDENTIFICATION - INFO ON NETWORKS Force File #9 - INFO ON NETWORKS CONTINUED - PHREAKING =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= P U B L I C D A T A N E T W O R K S ========================================= Once upon a time, the old OZ phreakes used their tones on New Zealands lines, to phreak around the world, but with the increasing prices of overseas telecomunications the PUBLIC DATA NETWORKS or PACKET SWITCHING NETWORKS have been one of the most usefulls tools at the hackers disposal. Australia has two major networks. AUSTPAC operated by telecom and very slack, and not so slack MIDAS, run by the OTC. A U S T P A C 5052 ====================== Communicationg via Austpac or Midas for that matter can be a very costly hobby, unless one has NUI or Network User Identification, which lives on someone elses bank accoount. (Think of it as helping the Australian Economy if you have any guilt feelings). The Austpac NUI's a virtually impossible to hack using any sprinting or scaning procedure. (If you don't believe me, have a go at it, if you have fifty or so years to dedicate to it), but they do happen to leak out from time to time. a Typical austpac NUI has the following format: BHPLIBJ9ADF3 where the first six digits are the user supplied id code, ie BHPLIB in this case the NUI used to belong to the BHP LIBRARY. The last six digits are the telecom supplied part for security. One important thing to note is that when a NUI dies, only the last six digits are changed. Don't take my word for it since I haven't been able to verify this personally, but it makes sense and the rumours are there. Once you get the familiar AUSTPAC responce when you call up the system, you have a number of options. 1> - You connect to a system which will take collect calls, in which case, you don't need a nui. The format is just ? where NUA stands for Network User Address ie ?222321000 The NUA's a usually 9 characters long, but they can have two trailing digits to identify the specific system requested to the host. ie ?222321000 will give one system ?22232100001 will give a different system at the same site if appropriate. 2> - If you have a NUI, you can then connect to virtually thousands of systems all over the world. You can connect directly to any network which Austpac will support. If a network is not supported like in the case of DIALNET, you must find an alternate route. For example to excess DIALNET, you need to go via a DIALCOM system or any other system which has a contract to carry data between the network and itself. (I'll explain more about it later on) to connect to a system in the USA for example the format would be ?N- ie ?NBHPLIBJ9ADF3-0311041500101 The 'N' tells austpac that a NUI is to follow and to take the necassary measures. Austpac, like most other networks not only have a numerical address for each host system, but has an equivalent alphabetical code, to simplify the task of memorising the system addresses. For example: ?236620000 will do exactly the same job as: ?.memo In both cases you will be connected to TELECOM's TELEMEMO a mail system developed by the BELL LABORATORIES I believe, but quite useless when compared to the more sophisticated ITT DIALCOM's network, of which MINERVA is but one. (Refer to the DIALCOM NETWORK later on) Host systems on AUSTPAC can be accessed not only via the AUSTPAC PAD, (Packet Assembly, Dissasembly), but through otther networks internationally. The international Code or DNIC for AUSTPAC is 5052 so to connect to TELEMEMO from lets say BERMUDANET, one would type the NUA with the 5052 prefix in front of it. Almost all networks also require a ZERO to be put infront of the DNIC and NUA to indicate an international connection. M I D A S 5053 ---------------- Midas is fundementally very simmilar to AUSTPAC, but there are many very significant differences. First of all the NUI's are only six digits long. This still gives a very large number of possibilities, however sprinting NUI's now becomes slightly closer to reality. There isn't a great deal which is different about Midas, but it has the advantage of connecting directly with another networks PAD. ie by connecting to the DNIC on networks where it is possible you will be connected to the actuall PORT or PAD of the foreign network. With Austpac this is possible only with TYMNET 03106, and few smaller US networks like COMPUSERVE etc. MIDAS unike Austpac at least has the decency to give a prompt '*' and the format for connections is simmilar. Example: *N- ie: *NH7SVCO-03106001572 SOME TECHNICAL JUNK ON NETWORKS -------------------------------- I will not go into any great detail on how the packet switching networks works, but it's worth noting that it's a very clumsy system to use all because it's cost effitient. The Network PORT receives data from your terminal at your speed be it 300, 1200, etc, or 9600 if you are fortunate enough to have a dedicated connection. The Network receives the data and compiles it into a small packet of data. It put's an address tag on it and sends it off. It's bounced by few satellites etc and the system at the other end does the rest. It reads the address tag and delivers it to one of it's local systems at the speed at which it can be digested. As you can imagine, this can get very slow and clumsy over long distances and the only reason that it's done is they can neatly fit few thousand users on the one trunk, whizing individual packets back and forth. About 50% of networks transmit packets at 9600 baud the rest have operating speeds of over 15000 baud. SYSTEM CRUNCHER has done a great job in his Austpac Tutorial, and me being as lazy as I am, cant be bothered typing the info out again, so here is an extract from the file dealing with Error codes and Profiles. They can be used in reference to most other networks ie MIDAS since it is a more or less universal standard. AUSTPAC TUTORIAL BY: SYSTEM CRUNCHER =============================================================================== AUSTPAC PAD PROFILES A profile is a snapshot of all of the current values of PAD parameters. A profile is set for each C-DTE. A standard profile is is a given pre-defined set of PAD parameter values which may correspond to a specific terminal or family of terminals to an application or a family of applications.There are 13 standard profiles. PAR PROFILE NUMBER REF 0 1 2 3 4 5 6 7 8 9 10 11 12 ------------------------------------------------------------------------ 1 1 0 0 1 1 1 1 1 1 1 1 0 1 2 1 0 0 0 0 0 1 1 1 0 1 0 0 3 126 0 0 2 2 126 126 2 2 126 2 0 126 4 0 20 10 80 40 200 0 0 0 3 0 3 0 5 1 0 1 0 0 1 1 1 1 0 1 0 1 6 1 0 0 1 1 1 1 1 1 1 1 0 1 7 2 2 21 21 21 21 21 8 21 1 21 21 2 8 0 0 0 0 0 0 0 0 0 0 0 0 0 9 0 0 0 0 4 7 0 4 7 0 4 0 0 10 0 0 0 0 0 0 0 0 72 0 0 0 0 11 Cannot be set: Not pre-defined in any profile 12 1 0 1 0 0 1 1 1 1 0 1 0 1 13 0 0 0 0 0 0 0 0 1 0 0 0 0 14 0 0 0 0 0 0 0 0 7 0 4 0 0 15 0 0 0 0 0 0 0 0 0 0 1 0 0 16 8 8 8 8 8 8 8 8 8 8 8 8 8 17 24 24 24 24 24 24 24 24 24 24 24 24 24 18 42 42 42 42 42 42 42 42 42 39 10 42 42 ------------------------------------------------------------------------ PARAMETER VALUES IN EACH STANDARD PROFILE PROFILE EXPLANATIONS 0 : Simple profile defined in CCITT Rec X.28; echo by PAD; NO padding after or ; NO idle timer delay. PSTN customers operating at up to 300 BPS or 1200 BPS are usually assigned this profile. 1 : Transparent profile defined in CCITT Rec X.28; suitible for low speed computer port (LSCP) 2 : Profile suitible for LSCP.Note that this is the only LSCP profile which incorporates flow control by the PAD. (Parameter 5 = 1) 3 : Profile recommended for C-DTE communicating with another C-DTE or with an LSCP. There is an idle timer delay to allow data to be sent from an auxiliary device. This profile is also suitible for certain terminals which transmit in blocks. 4 : Same as profile 3 except for a shorter idle timer delay and four padding characters after . 5 : Classic keyboard-printer terminal used for local printing. 6 : Same as simple profile (0) except for the procedures on BREAK. 7 : The only data forwarding conditions here are and BREAK;therefore with this profile complete packet sequences can represent logical entities manipulated by the application. 8 : Profile with only as data forwarding character, 7 padding characters after to C-DTE, and line folding by the PAD after 72 character line. 9 : Profile which is used for access by videotex terminals (1200/75 BPS) Note : Profile 9 has been changed from that previously published and is now only accessible to 1200/75 BPS users. 10: Profile which utilizes "Editing during data transfer" (Parameter 15 = 1) and employs as a line display character (Parameter 18 = 10) 11: This profile could be used instead of profile 2 for an LSCP without flow control by the PAD when a shorter transmission delay is required. 12: Same as profile 0 except for parameter 2, for terminals not needing echo by the PAD. Format to set PAD : SET : PAD COMMANDS AND INDICATIONS ============================================================== | PAD COMMAND | FUNCTION | INDICATION SENT | | FORMAT | | IN REPLY | ============================================================== STAT To request info | FREE or ENGADGED about a virtual | call with the | C-DTE | -------------------------------------------------------------- CLR Clear a virtual | CLR CONF or CLR ERR Call | (In the case of local | procedure error) -------------------------------------------------------------- PAR? To read parameter | PAR | Eg: PAR1:001,5 5:001, | 8:000 -------------------------------------------------------------- SET? To set and read | PAR | Eg: PAR3:0, 5:1 -------------------------------------------------------------- OTHER PAD COMMANDS PAD COMMAND EXAMPLE FUNCTION ============================================================== PROFnn PROF10 | To assign all the PAD | parameters the values | in specified profile -------------------------------------------------------------- RESET RESET | To reset the virtual INT INT | call. To transmit an | interrupt packet to | the correspndent. -------------------------------------------------------------- SET SET 2:0 | To set or change | parameter values | parameters desired -------------------------------------------------------------- ? ?238221000 | Call request-Set up a | call -------------------------------------------------------------- PAD INDICATIONS ASSOCIATED WITH INCOMING EVENTS ============================================================== INDICATION FORMAT | EXPLANATION ============================================================== RESET cause | Reset of call/circuit -------------------------------------------------------------- COM | Call connected -------------------------------------------------------------- COM | There is an incoming call | Applies to receiving C-DTE -------------------------------------------------------------- CLR cause | Call/circuit cleared -------------------------------------------------------------- AUSTPAC | Identifier -------------------------------------------------------------- ERROR | Error in PAD command -------------------------------------------------------------- AUSTPAC MESSAGES - BRIEF CODE | CAUSE ============================================================== CLR OCC | NUMBER BUSY CLR INV | INVALID REQUEST FACILITY CLR RNA | REVERSE CHARGING ACCEPTANCE NOT SUBSCRIBED CLR NC | NO CIRCUITS CLR DER | OUT OF ORDER CLR NA | ACCESS BARRED CLR NP | NO PORT CLR RPE | REMOTE PROCEDURE ERROR CLR ERR | LOCAL PROCEDURE ERROR CLR DTE | DTE ORIGINATED CLR ID | INCOMPATIBLE DESTINATION CLR CONF | CLEAR CONFIRMATION CLR PAD | PAD ORIGINATED CLEARED RESET PAD | PAD ORIGINATED RESET RESET NC | NO CIRCUITS RESET 01 | OUT OF ORDER RESET RPE | REMOTE PROCEDURE ERROR RESET ERR | LOCAL PROCEDURE ERROR ============================================================== AUSTPAC MESSAGES - EXPLANATION CLR OCC : The called party is engadged in other calls and unable to accept the incoming call CLR INV : Invalid facility requested by calling DTE. Eg: Invalid NUI. CLR RNA : The called party does not accept reverse charging. CLR NC : A temporary network fault of network congestion RESET NC : As above CLR DER : Called party is out of order (System down etc.) RESET DER: As above CLR NA : The calling DTE os not permitted to obtain the connection to the called DTE (Eg: CUG) CLR NP : The address specified is outside the numbering plan or is unassigned. CLR RPE : A procedure error has been detected at the remote DTE network interface RESET RPE: As above CLR ERR : A procedure error caused by the local DTE is detected by the PAD (Eg: Incorrect format) RESET ERR: Same as with CLR ERR CLR DTE : Remote DTE has cleared or reset the call RESET DTE: As above CLR ID : The call is not compatible with the remote destination. CLR CONF : Response of PAD to valid clearing by the C-DTE CLR PAD : The PAD has cleared the call at the invitation of the correspondent. RESET PAD: The PAD has reset the call (Eg: Loss of input characters) -------------------------------------------------------------- Note: These codes will be followed by a 3 digit code. These are diagnostic codes which are used by Telecom maintenance staff. MISC. AUSTPAC NOTES PAD recall character : Ctrl 'P' =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= N U A S T R U C T U R E S ----------------------------- There are 2 basic NUA formats. There is the logical structure and the stupid one. There are few exceptions like AUSTPAC NUA's which are just plain crazy. The best example to demonstrate would be two NUA's one on TYMNET, other on TELENET both of which access the same system: TELENET 0311030100341 if you can brake up the NUA into it's components this is what you obtain: 0 3110 301 00 341 Specifies DNIC Address Area Code nothing Host International for TELENET much Address Connection It's important to note that from the TELENET PAD, the NUA would become C 301 341, so since you are likely to come accross a US made NUA listing of Telenet, to convert the NUA's into a more conventional form, just add the 03110 prefix and enough zeroes in between the area code and Address to give a total of 8 digits. (trailing digits not included) TYMNET 0310600157241 Again brake up the NUA into its components. 0 3106 00 1572 41 Specifies DNIC Address Area, no Host Trailing International for TYMNET particular Address Digits Connection pattern to be used by local host. The major ares on TYMNET are 00, 07 and 90. There are a lot of others but they don't have significantly large numbers of NUA's and most of them need two trailing digits which are often somewhere between 01-99. There could be some sort of logical format to TYMNET, but as yet, I haven't discovered it. Thus basically the two formats emerge. 0311030100341xx and 03106001572xx where xx are the trailing digits to provide host with more specific info if required. The NUA's can be up to 15 digits in most cases and the corresponding phone area code is used in the NUA, with exception of TYMNET, ITAPAC and few others. America likes to be different from the rest of the world, as demonstrated by BELL Standards, so they naturally insist on having a slighly different format to their NUA's. Us PADS do no not have the zero prefix, so just remember to leave it out. (Now don't ask me why, just do it.) There are few other exceptions to the universal NUA formats and australia has one of them. AUSTPAC NUA's are reasonably unique in that the have a general format of their own. They may look like random assortments of numbers at first, but there is a definate pattern.(Thank God for that) Most NUA on AUSTPAC are in the follwing series ie: 224122000, 224123000, 224220000, 224221000 etc Basically the last digits reain more or less in their low values. ie most NUA's will be in the series 224122000 - 224122020 for example, with very few having the end value greater than twenty. Again, there may be two trailing digits. The final exception I have found is in the case of DIALNET which is a very small network not even worth bothering about, unless you want to access DIALCOM SYSTEMS in countries with no Public Data network of their own. Their NUA's are of the form 9000xx and are accessibly through primecon systems only. (perhaps there are other routes but as yet I haven't found them) INTERNATIONAL DNICS ------------------- The following is a table of all the current networks I have been able to track down, some of the blanks are yet to be filled in. Unfortunatelly not all are serviced by either MIDAS or AUSTPAC, so you may need to route your connections very carefully if you want to play with a system in SAUDI ARABIA and in other exotic places. COUNTRY NETWORK DNIC COUNTRY NETWORK DNIC ---------------------------------------------------------------------------- ARGENTINA INTERDATA 7220 AUSTRALIA MIDAS 5053 AUSTRALIA AUSTPAC 5052 AUSTRIA RADIO AUSTRIA 2329 AUSTRIA DATEX-P 2322 BAHAMAS IDAS 3406 BAHRAIN BAHNET 4263 BARBADOS IDAS 3423 BELGIUM DCS 2062 BELGIUM - 2068 BELGIUM - 2069 BERMUDA BERMUDANET 3503 BRAZIL INTERDATA 7240 CANADA GLOBEDAT 3025 CANADA INFOSWITCH 3029 CANADA DATAPAC 3020 CAYMAN ISLANDS - 3463 CHILE INTERDATA 7300 COLUMBIA DAPAQ-INTER. 3107 COTE D IVOIRE SYTRANPAC 6122 DENMARK DATAPAK 2382 EGYPT ARENTO - FINLAND FINPAK 2442 FRANCE TRANSPAC 2080 FRANCE NTI 2081 FRENCH ANTILLES DOMPAC 3400 FRENCH GUIANA DOMPAC 7420 FRENCH POLYNESIA TOMPAC 5470 GABON GABONPAC 6282 GERMANY(FED REP) DATEX-P 2624 GERMANY(FED REP) DATEX-P INT 2624 GREECE HELPAC 2022 GUATEMALA GUATEL - HONDURAS - - HONG KONG DATAPAK 4545 HONG KONG IDAS 4542 ICELAND ICEPAC 2740 INDONESIA SKDP 5101 IRISH REP EIRPAC 2724 ISRAEL ISRANET 4251 ITALY ITALCABLE 2227 ITALY ITAPAC 2222 JAPAN VENUS-P 4408 JAPAN DDX-P 4401 LUXEMBOURG LUXPAC 2704 LUXENBOUTG LUXPAC-PSTN 2709 MALAYSIA MAYPAC 5021 MEXICO TELEPAC 3340 NETHERLANDS DATANET 1 2041 NETHERLANDS DABAS 2044 NETHERLANDS DATANET 1 2049 NEW ZEALAND PACNET 5301 NORWAY DATAPAK 2422 OMAN - - PANAMA INTELPAQ - PHILIPPINES GMCR 5150 PHILIPPINES PHILCOM - PORTUGAL TELEPAC 2680 PORTUGAL SABD 2682 PUERTO RICO UDTC 3301 REUNION DOMPAC 6470 SINGAPORE TELEPAC 5252 SOUTH AFRICA SAPONET 6550 SOUTH KOREA DACOM-NET 4501 SPAIN TIDA 2141 SPAIN IBERPAC 2145 SWEDEN DATAPAK 2402 SWEDEN TELEPAK 2405 SWITZERLAND TELEPAC 2284 SWITZERLAND RADIO SUISSE 2289 TAIWAN UDAS 4877 TAIWAN PACNET 4872 THAILAND IDARC 5200 TRINIDAD DATANET-1 3740 TRINIDAD TEXDAT 3745 UN.ARAB EMIRTS. TEDAS - UK PSS 2342 UK IPSS 2341 USA ACCUNET 3134 USA ALASKANET 3135 USA AUTONET 3126 USA COMPUSERVE 3132 USA DATA TRNSPORT 3102 USA FTCC 3124 USA MARKNET 3136 USA MCII-IMPACS 3104 USA RCA-LSDS 3113 USA ITT-UDTS 3103 USA TELENET 3110/3125 USA TRT-DATAPAK 3119 USA TYMNET 3106 USA WUTCO 3101 END END