Brutal Conflict BBS
Blue Box - X 25 - Ezines - Hacking - Phreaking          9x NZ HQ
Sysops: ReD^BlAdE - ][ype - Dynamics                     ATW WHQ

Amiga Tactical Warfare

@BEGIN_FILE_ID.DIZ
aMIGA tACTICAL wARFARE
Red^Blade/ATW presents a file on hacking
** Ascend pipeline terminal server **
V0.1 NO NCOMM SCRIPTS
@END_FILE_ID.DIZ

Warning: If some dumb ass lamer reads this file, uses it, gets caught then
Don't blame Red^Blade, cos this is intended for Informational purposes (yeah
right)

Note: This version does not have the NCOMM SCRIPTS, this is the 1st beta
version, the final version will have the scripts..

** Ascend pipeline terminal server **

Notes on my experience with them that could help with hacking them
by Red^Blade/ATW. Written June/00

Er yeah, I can't tell you how to hack them, as the only ones I encountered
are/were via dialins. And when I dial in I get dropped straight at a prompt,
so these are mainly notes..

Ascend routers do not have a scripting language ie a c compiler, so the only
scripting language you will use is the one with your terminal.

What you need.

A terminal program that supports VT100, so you need a telnet programme (if
you're hacking an inet one) or Dialup software (for dialup hacking duh). Best
to get terminal programmes with a Scripting language. Er a decent pc product
for windows for telnet is hard to find, which is why I don't use it, but you
should be able to find one.

For a pc, I am recommending (Terminate, Dialup) and (Nterm, Inet).
For the Amiga I use DCTELNET for inet and NCOMM for dialup. The only problem
with dctelnet is that it does not have a Script language :/.

---

When the Pipeline is shipped from the factory, its security features are all
set to defaults that enable you to configure and set up the pipeline without
any restrictions.
When you find one this is what they look like:

    ** Ascend Pipeline Terminal Server **
    login:
    Password:
    ** Bad Password

There is only one Default account that I have found, and it is:

    Login: Full Access
    Password: Ascend

Note: Passwords are case-insensitive. This means that you can type it as:
"aSCEND", "ascend", "aScEnD", but they are not elite-insensitive, which means
you can't type it as "45C3ND".

Note I have never had to use that, as the ones I find are dialin, you just
ring it and get dropped to a prompt straight away :).

Upon logging on this is the prompt.

    ascend%

The first thing you should type, like on most systems, is "show users", so
let's type it and the reply should be something like this:

    I  Session    Line:  Slot:  Tx     Rx     Service     Host           User
    O  ID         Chan   Port   Data   Rate   Type[mpID]  Address        Name
    I  323681764  1:19   2:5    16800  12000  PPP         172.25.154.79  sheep
    I  323681685  1:20   5:2    64K    64K    MP[572]     172.25.191.1   ykh1
    I  323681769  1:21   5:1    64K    64K    PPP         172.25.154.80  temp0701
    I  323681772  1:22   2:6    14400  14400  Termsrv     N/A            Modem 2:6
    I  323681771  1:23   2:14   44000  28800  PPP         172.25.154.15  DiamondP

Ok, as you can see from the above that should be quite easy to read, but if
you don't understand it here it is.

Session ID, your Session ID to the router, in the order that you have
connected to it. ie As you can see I'm 2nd from the bottom, so I'm connection
#323681771 to the system. They can also use that to look up who was connection
#323681771, so if they looked that up, they would have found out that I had
access to their router via Terminal (ie Dialin, Telnet) but would have found
out that I had dialed in because I had no host Address and my Username was via
a Modem port.

TX DATA means the speed of Transferring the data.

RX Rate is the receiving speed of the data.

Service type, the service type means your type of connection to the router.
ie PPP means a PPP connection, ie internet, Termsrv means that you're at the
terminal of the router via a telnet connection.
MP[572], not too sure about that one, but you should be able to telnet into
the address of it, and you should hit a box, well I have..

Address, the Address from where the connection came from.

User name, er well duh, your user name or login name to the system, cos we
dialed in we get the Modem, and our slot, port.

After you see who the users are online you can go back to hacking. I guess if
you see 2 termsrv, disconnect and relogin later..

Now type "local"

    ascend% local

One of 2 things will happen.

1 -- Okay, the first thing that might happen is that it will bring up a VT100
Ascii Menu, where you can control it by pressing/using the cursor keys, and it
will show you a lot of options. Unfortunately, I can not show you, as the one
like this I found, I abused the Telnet access for IRC and they passworded it.
But if I can remember, on the left hand side there will be options. First
thing I guess is to make an account or enable the Full Access account with all
functions. Go down to the security option.

    00-300 Security
    >00-301 Default
     00-302
     00-303 Full Access

Then to the Full Access Menu

    00-303 Full Access
     Name=Full Access       (name of account)
    >Passwd=ascend          (password not case sensitive)
     Operations=Yes         (no Idea)
     Edit Security=Yes      (Edit accounts)
     Edit System=Yes        (Edit the system ie, enable/disable telnet/slip/ppp)
     Field Service=Yes      (NO Idea)

Er press Ctrl-D in this menu, it does something, can't remember :( (dope :))

2 --- If option 1 didn't work, then this will happen: it will do a telnet
connection on 127.0.0.1 then ask you for a password. It will normally give you
3 chances, then quit the connection. So what you have to do is write a script
to brute force it (optional), you don't have to have to own them..

The Telnet password is 20 characters max and not case sensitive..

If you want to assign a Telnet PW in "local" (NOt recommended) then in the
local menu do:

    Open the Ethernet > Mod config > Ether Options

--

Commands that you should try to make sure that work are: local, menu, telnet,
traceroute.
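Seen from the operator's side, the "show users" listing walked through earlier is the record that exposes a session like the one described: a Termsrv row with no host address and a modem port in place of a user name. The following is an added example, not part of the original file, that parses that listing and flags such rows; the function names, the admin_hosts parameter and the assumption that a telnet Termsrv row carries a host address are illustrative.

```python
import re

# Rows copied from the `show users` listing in this file (header included).
SHOW_USERS = """\
I  Session    Line:  Slot:  Tx     Rx     Service     Host           User
O  ID         Chan   Port   Data   Rate   Type[mpID]  Address        Name
I  323681764  1:19   2:5    16800  12000  PPP         172.25.154.79  sheep
I  323681685  1:20   5:2    64K    64K    MP[572]     172.25.191.1   ykh1
I  323681769  1:21   5:1    64K    64K    PPP         172.25.154.80  temp0701
I  323681772  1:22   2:6    14400  14400  Termsrv     N/A            Modem 2:6
I  323681771  1:23   2:14   44000  28800  PPP         172.25.154.15  DiamondP
"""

FIELDS = ("direction", "session_id", "line_chan", "slot_port",
          "tx", "rx", "service", "address", "user")


def parse_show_users(text):
    """Return one dict per session row; header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # 9th field keeps spaces ("Modem 2:6")
        if len(parts) == 9 and parts[1].isdigit():
            sessions.append(dict(zip(FIELDS, (p.strip() for p in parts))))
    return sessions


def audit(sessions, admin_hosts=()):
    """Return (session_id, reason) for each terminal-server (CLI) session
    that did not come from a host listed in admin_hosts (hypothetical list)."""
    findings = []
    cli = [s for s in sessions if s["service"].lower() == "termsrv"]
    for s in cli:
        if s["address"] == "N/A" and re.fullmatch(r"Modem \d+:\d+", s["user"]):
            reason = "CLI prompt on dial-in port %s with no login name" % s["user"]
        elif s["address"] not in admin_hosts:
            reason = "CLI session from unlisted host %s" % s["address"]
        else:
            continue
        findings.append((s["session_id"], reason))
    if len(cli) > 1:
        findings.append(("*", "%d concurrent CLI sessions" % len(cli)))
    return findings


if __name__ == "__main__":
    for session_id, reason in audit(parse_show_users(SHOW_USERS)):
        print(session_id, reason)
```

On the listing above it reports session 323681772, the Termsrv row on Modem 2:6.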
If local needs a password and they disabled access to telnet then you have
lost out on some fun.

Telnet is good because you can do a "show arp" and it might display some boxes
connected to the Router, and you can telnet into them and hack them. On a .jp
router I found, there was a Vine Linux box connected to it, which seemed to be
a .JP Linux strain. I don't know the defaults but it might need a .jp
character map for the keyboard. :(

Traceroute is quite cool, cos you can do a traceroute on the user's ip. ie if
there was a user called lameuser and his/her ip was 202.35.99.27, then you
could do a traceroute on it and hack the other router or box. :).

Other things I found out via experience is:

    I  Session    Line:  Slot:  Tx     Rx     Service     Host           User
    O  ID         Chan   Port   Data   Rate   Type[mpID]  Address        Name
    I  323681764  1:19   2:5    16800  12000  PPP         172.25.154.79  sheep
    I  323681685  1:20   5:2    64K    64K    MP[572]     172.25.191.1   ykh1
    I  323681769  1:21   5:1    64K    64K    PPP         172.25.154.80  temp0701
    I  323681772  1:22   2:6    14400  14400  Termsrv     N/A            Modem 2:6
    I  323681771  1:23   2:14   44000  28800  PPP         172.25.154.15  DiamondP

is that if you telnet into the service with MP[572] (cos the Service and the
ip look different) it will/might be a box. Also from experience I did a
ping/telnet scan on the MP[572] ip ie 172.25.191.1 - 172.25.191.5 and I found
Ethernet boxes on them :).

How to dial out
---------------
I have no idea, as I really didn't have the need, so sorry :(. I guess it
might be via the "open" command.

CLI menus
----------
If you type "help" or "?" this is what you see.

    ascend% help
    ?            Display help information
    help         "       "    "
    quit         Closes terminal server session
    hangup       "      "        "      "
    test         test [ ] [ ]
    local        Go to local mode
    remote       remote
    set          Set various items. Type 'set ?' for help
    show         Show various tables. Type 'show ?' for help
    iproute      Manage IP routes. Type 'iproute ?' for help
    dnstab       Manage local DNS table. Type 'dnstab ?' for help
    slip         SLIP command
    cslip        Compressed SLIP command
    ppp          PPP command
    menu         Host menu interface
    telnet       telnet [ -a|-b|-t ] [ ]
    tcp          tcp
    ping         ping
    traceroute   Trace route to host. Type 'traceroute -?' for help
    rlogin       rlogin [ -l user -ec ] [ -l user ]
    open         open < modem-number | slot:modem-on-slot >
    resume       resume virtual connect session
    close        close virtual connect session
    kill         kill
    pptp         pptp
    l2tp         l2tp

    dnstab edit          Starts editor for local DNS table.
    dnstab entry         Displays local DNS table entry.
    dnstab show          Displays local DNS table.
    iproute add          Adds an IP route.
    iproute delete       Deletes and IP route.
    iproute show         Displays IP routes (same as show iproutes)
    ipxping              Pings an IPX host.
    set all              Displays current settings
    set arp clear        Clears ARP cache
    set fr               Frame Relay datalink control
    set password         Enables dynamic password settings
    set sessid [val]     Sets and stores [val] or currentID
    set term             Sets the telnet/rlogin terminal type
    show arp             Displays the ARP cache (shows boxes connected to it :))
    show dhcp            Displays DHCP configuration parameters
    show dhcp address    Displays DHCP Address Assignment Information
    show dhcp lease      Displays DHCP lease Information
    show dnstab          Displays local DNS table
    show dnstab entry    Displays local DNS table entry
    show fr dlci [name]  Displays all DLCI information, or for [name]
    show fr lmi          Displays Frame relay LMI information
    show fr stats        Displays Frame relay statistics information
    show icmp            Displays ICMP information
    show if stats        Displays interface statistics
    show if totals       Displays interface total counts
    show igmp clients    Displays IGMP clients
    show igmp groups     Displays IGMP groups table
    show igmp stats      Displays IGMP statistics
    show ip address      Displays IP address assignments
    show ip routes       Displays IP routes
    show ip stats        Displays IP statistics
    show isdn            Displays ISDN events
    show netw networks   Displays NetWare IPX Networks
    show netw pings      Displays NetWare IPX ping Stats
    show netw servers    Displays NetWare IPX servers
    show netw stats      Displays NetWare IPX Statistics
    show revision        Displays system revision
    show sessid          Displays current and base session ID
    show tcp connection  Displays TCP connection table
    show tcp stats       Displays TCP statistics
    show udp listen      Displays UDP listen table
    show udp stats       Displays UDP statistics
    show uptime          Displays system uptime

misc notes
-----------
Er sometimes they have a fucken er Security box or some shit (I'm not a
hacker), that spits out this at the login prompt:

    Enter ID:
    SNK Challenge: 94283794    (or some numbers similar like that)
    Enter Response
    Invalid SNK Response

I have no idea how to get past that, but you need a security card that comes
with the router so... but all I can tell you is that if you do find the Box
that has it on, the default port for it is 7001, so that might help you.

Also I found in a newsgroup that the router only allows two telnet connections
at once, and that if each connection keeps sending one byte per second to the
router, the router will not disconnect.

Credits
--------
Credits for this file go to the www site, where I found 2 html files on Ascend
routers which were quite useful, and I threw the notes in here.
Eon/SLI for telling me "Hmm sounds like a router, Lots of fun"

Greetz
-------
Personals
(amiga)     binjinx, chill, case, axl, data stream, zinko, ramonster, darkcye
            nynexphreak, ][ype, Dr Fonk
(boxers)    Dr Snake, Dr Fonk, Skyper, Murder, Dynamics, 9xphreak, and many
            many more I forgot
(nz scene)  blackleg, krusher, sycotic, eon, barf, crash, lode.

Groups
The amiga elite, The mad bad krad boxers :), and the .nz scene, and last but
not least the users of my bbs Brutal Conflict :). oh and 809 squad

Contact
---------
You can contact me at redblade@atwarfare.cjb.net or by doing a
/whois Red^Blade on irc. Or on these bbs's.

    Name                Country  Sysop
    Brutal Conflict     NZ       Me :)        9x NZ HQ, ATW/809 WHQ
    Electric Warrior    UK       Axl
    Cryogenics          UK       Data-Stream
    The Northern Place  DK       Zinko
    Checkpoint          NO       TC
    Master Control      US       Tron         mastercontrol.darktech.org

take care.

last words.
Dea)(alm    I've quit the scene so don't ring me and Delete all my numbers and
            infos!!!!!!!1.

EOF