TScan [Telenet/Sprintnet Scanner] Version 0.1
By The Beave [Dec. 2000 (c)]
beave@vistech.net
ftp://ftp.vistech.net/pub/linux/tscan

Introduction
------------

Welcome to the Telenet scanner. This little utility can be used to scan/map out the Sprintnet (formerly known as GTE Telenet, and always will be) network. Telenet is a worldwide X.25 based network used by a lot of companies, universities, and other institutions. A nice thing about this network is that it is nothing like the Internet. It's a nice escape, and for 'old school' hackers like myself, it's a nice place to find vintage systems. While there are a lot of Unix based systems on the network, don't be surprised if you find VAXes, Primes, DECservers, MVS mainframes, VTAMs and many more weird and interesting things.

The Telenet Network Itself
--------------------------

"Telenet" was started in 1974 by BBN (Bolt, Beranek & Newman). According to PBS (http://www.pbs.org/internet/timeline), it is the first "commercial version of ARPANET". It's a Packet Switching Network (PSN), which makes its usage, through the PAD (Private Assembler/Disassembler), a bit different. The PAD is where you enter your target network addresses to remote computer systems.

First off, you'll have to find a local dialup to a PAD. Included with this program is a file (TelenetDialups.txt) with dialups as of Oct 1st, 2000. When you dial in, you'll need to set your favorite terminal software (minicom, seyon, telix, etc.) to 7 data bits, 1 stop bit and even parity (the scanner defaults to this). When connecting to your local dialup/PAD at rates less than 1200 baud, you'll need to send several "returns". When connecting at higher rates (9600+), send a "@" followed by a "return".

If your area is not included in the TelenetDialups.txt file, you can call the 1-800 PAD and see if there is any more information. Call 1-800-546-2500, or 1-800-546-1000. Once connected, and after entering your "TERMINAL=" type, type "c mail". This will connect you to TELENET mail.
At the username prompt, enter "PHONES" with the password "PHONES". This is a public service of Telenet to help users find dialups within their area. One little hint, however: don't scan on the 1-800 PAD. There's not much you can connect to, and that would probably raise some eyebrows (long WATS connections, that is).

Once you connect to your local PAD and get to the "TERMINAL=" prompt, you can hit "enter" or type your terminal type. I usually just hit enter. Some people type "d1" or things of that nature. It really doesn't make much of a difference. After getting past that point, you should be presented with a "@" prompt. This is the PAD prompt, awaiting where you want to go.

Let's look a little at how NUAs (Network User Addresses) are set up...

    3110 212 XXXXX PP
    ^    ^   ^     ^
    |    |   |     |
    DNIC NPA ADD   Port

DNIC = Data Network Identification Code.
NPA  = The NPA/area code of the target (but not always, more on that later).
ADD  = Address. I've also seen it called "DTE" (Data Terminal Equipment). I don't know what's technically correct.
Port = Port of the target address.

So, for the time being, let's keep it simple. Let's drop the idea of DNICs and ports... We're connecting on a standard Telenet dialup. Let's say there's a network address at 312374 (an MVS system in Chicago - GUTS). So, at the PAD prompt, you'd type "312374". The NPA is 312, and the address/DTE is 374. If you typed that at the PAD prompt, you'd be connected across the X.25/Telenet network to that (in this case, Chicago) address/system.

With this in mind, we can get into basic scanning. For example (if we want to stay within the same DNIC... more on that later), let's say we are interested in North Florida (NPA 904) systems. We know that addresses will start (well, for the most part) with 904. That's the Jacksonville, Florida (and used to be all of North Florida) NPA. With this in mind, we know 904 NPAs on Telenet will be from 90400000-90499999.
So, we could set up "tscan" to "scan" the 904 NPA from 90400000 to 90499999. Within that range, it would record what systems were found (a little more on logging later).

Now on to the DNIC and ports....

The DNICs identify what network you're connecting to. Telenet intertwines with various networks (for example, Tymnet). Some remote countries have their own DNICs. To me, this is a little less interesting, as I like to scan the U.S. systems. That's up to you. Actually, I'm working on a "working" DNIC listing now.

The ports are another matter. We've seen full network schemes, but let's look at another way to connect to Telenet (3110 DNIC) ports. The ports work somewhat like TCP/IP ports. Most of the time they are disabled, or have special purposes. Let's go back to our example of the 312374 NUA. Let's say we found our little system in Chicago, and we want to poke around a bit. We've seen the full scheme of a NUA (for example, 312374 would be 31103123740000), the last two digits being the port. There's another way to target the port... for example, at the PAD prompt, we could type:

    312374.1

This would tell our PAD to connect to the 312 NPA and address/DTE of 374 on port 1. Never underestimate the things you can find by "port scanning" a NUA. Back in the day, I found a company (an Ultrix box) that would give you a shell on a certain port. The scanner is not built to scan ports. It's simply there to find systems.

Sprintnet Monitoring/Telenet Monitoring
---------------------------------------

I get a lot of questions about this. Keep in mind, I am not a lawyer, so these thoughts here are only based on my own accounts and processes in courts that I've seen... Telenet is a public network. I imagine "scanning" is about as legal as "ping scanning" (or whatever) a TCP/IP/Internet connected network. To me, I sort of look at it like using my little PRO-2034 freq. scanner. That's pretty much what I use this utility for: mapping a network, much the same way I freq. scan.
The point (if you ask me) where you'll get in the most trouble is when you try to actually "login" to the remote machine you find. Maybe it's more like "wardialing", or what-have-you. We know what legal ramifications that can have... anyways... To me, it's about finding 'old-school' systems that are still connected... still on the air... still working... You find a lot of weird shit. That's what I love. For example, I'm sure you've been to an airport terminal and looked at the little displays for incoming/outgoing/canceled flights. Once, I found a system and that was all it did. Sure, not real "hack" value, but totally cool to me. That's why I love this network... the weird shit you can find...

Not a lot is known about this network's current security functions... A lot of this information may be old and outdated. Telenet's security software is known as TAMS (Telenet Access Manager System). The TAMS security software (for the network) is located in Reston, Virginia. At least, when we last knew about it. The system tracks invalid NUIs (Network User Identifiers), setup of "easy" names (for example, "mail"), etc. In one Phrack article, "Dr. Dissector's" NUAA program was under investigation. I seriously doubt it was because of usage, but because of its popularity. With all this said, use this utility at your own risk.

Non-NPA systems
---------------

Don't get too caught up in just scanning NPAs. (I'm assuming we're not talking DNICs here.) For example... 850 == Florida. That's not always the case. For example, "224" was Citicorp (now Citigroup) for a long time. NASA had their own "NPA" within Telenet (311, I believe). There are other NUAs that do not start with the standard NPA.

Logging
-------

Tscan currently logs...

REFUSED COLLECT CALLS         - This means a NUI is required.
ACCESS BARRED                 - You can't get to it from your PAD.
CONNECTED                     - A successful connect.
REVERSE CHARGES NOT SUBSCIBED

Thanks
------

bulletproof - For the FreeBSD box to port (well, fix) tscan.
azure - For reporting that it works under OpenBSD.

Supported platforms
-------------------

Currently, I've personally only used tscan on Linux based systems. It should work fine on any Intel based Linux installation. It compiles, and reportedly works, under OpenBSD. I don't have a modem on any of my OpenBSD boxes, so I can't verify it. It seems to compile fine (and probably work) on a Sun Sparc OpenBSD installation.