Penetration Testing mailing list archives

Re: [PEN-TEST] X25, all but forgotten?


From: Vanja Hrustic <vanja () RELAYGROUP COM>
Date: Wed, 30 Aug 2000 02:45:28 +0700

On Tue, 29 Aug 2000, Alfred Huger wrote:

> Hey folks,
>
> I was sitting around with some friends over my holidays and we were
> discussing X25 auditing. For example, does anyone do it any longer? I know
> that a great many companies still maintain connectivity to X25 networks
> like Transpac, Datex, Datapac, Tymnet etc. Seems to me it would be an
> important part of any network audit given that many X25 backends live in
> dusty corners and are rarely secured with serious diligence.

Quite often the people that administer the 'Internet' part of the network are
not in any way in charge of the systems connected to X.25. In most cases,
those systems are 'internal' systems, and are (as you say) just "living in
the dusty corners". So, nobody actually touches them anymore (people set it
up, run it, and then move to another company :).

Not to forget the fact that very many systems on X.25 are not UNIX or NT,
and it's fairly hard to find people who will maintain them (Primos, VMSs,
Tandems, HP3000s and many many different OSs, systems, hardware...).

And it's really heaven for curious guys, since there are so many systems
with default passwords, or no passwords at all...

Yet, those companies invest hundreds of thousands of $$$ into firewalls,
IDSs, VPNs and all the other buzzwords...

> 1. Is anyone doing this anymore (legally)? If so what X25 networks are you
> seeing folks still connected to?

I wonder if anybody is lucky enough to get any X.25 system 'included' in
the scope of work. It's usually like "Naaah, that doesn't matter..."

> 2. Are there any automated tools for this? I remember SALT scripts (and
> the like) for Minicom and Telix (anyone remember Telix?) as well as some
> dcl and sh programs for this, however I have not seen them for years
> (literally).

Automated tools for scanning or 'hacking'?

Well, there are/were automated scanners written in C for various UNIX
platforms (Ultrix, SunOS, Bull, AIX, DG-UX... might be more). There are
also automated scanners for VMS, written in C. Those are 'multi-line'
scanners (if I can say so), that are not using a single X.25 link for
scanning - they're using as many as they can. I know that there were VAXes
with 128 X.25 links - imagine that scanner ;) Some of the scanners also
had a bit of 'intelligence' to recognize when the network is down
(network congestion - everyone's favourite ;), or when a scan of
subaddresses needs to be performed, etc. It all depended on network
responses, and had to be tuned for each net.

And those tools are 'extremely private'.

There were heaps of shell/DCL scripts for UNIX and VMS which were also
called 'batch scanners', since they were fairly dumb - you set the
'range', and the scanner just does it, no matter what the responses are,
or if the network is congested, etc... Those were also running in the
background, without need for human intervention. And those scanners needed
'modifications' for each UNIX brand, because of differences in PAD
software. There were also some VMS scanners that would mail (using
PSIMAIL) results to a remote system. That was the 'mother of distributed
scanners' ;)

And, of course, there were all those 'interactive' scanners (scripts
for comm software, shell/DCL scripts, etc) where a human would need to sit
in front of the screen and log COMs, and other stuff. I think most people
used things like that, for Sprint and Datapac scanning.

> 3. Anyone in commercial scanner land thinking on adding this? It's an idea
> we mulled at Secure Networks but discarded it for a number of technical
> reasons and an obvious marketing concern - we had no idea if there was a
> market for it.

Adding X.25 scanning? Or X.25 'hacking'? :)

I can imagine that such a scanner would be a nightmare to write, since adding
support for every X.25 card would, probably, be needed.

Not to mention the bills auditors would need to pay for, let's say,
100,000 scanned NUAs :) X.25 was always charged by 'call' and 'transfer',
I don't know if that has changed.

I don't think there would be a market for that, really.

Vanja
