Complete Guide to AGNPAC v2.0

CYB0RG/ASM
www.hackcanada.com
1999.05.30


----------------
 What is AGNPAC?
----------------

AGNPAC is the Alberta Government Packet Switched Network (PSN) based on
the X.25 protocol. It is a Wide Area Network which spans across Alberta.
It is used to connect systems and networks used by the Alberta
Government, Alberta Registries, hospitals, schools, libraries, and other
such entities.

The backbone for this network is made up of full T1 fibre optic lines.
Other WAN's and nodes are connected to the AGNPAC backbone via T1, 128K
Frame Relay circuits (full CIR), and multiple 128K Frame Relay circuits.
The network can also be connected to through local dialups in most
cities and large towns in Alberta.

AGNPAC is built, managed, and maintained by Alberta Public Works Supply
and Service (APWSS) and funded by the Alberta provincial government.
Recently publicly funded school board use has also come into play with
beta trials becoming more widespread through the late nineties.

The AGNPAC network has been in existence since at least 1995, however,
no information regarding it has been publicly available... until now.
There is still much to learn about this network, and this file, the most
complete publicly available document on AGNPAC, is still somewhat
lacking. However, this file will be updated as new discoveries are made.


---------------------
 Connecting to AGNPAC
---------------------

Dial ports exist in most major towns and cities across Alberta. The
standard communication parameters 8/N/1 are used although some systems
on AGNPAC may use 7/E/1.
When you connect you will see a message similar to this:

   AGNPAC: 4007 030


-----------
 Dial Ports
-----------

   Athabasca              (780) 675-9424
   Barrhead               (780) 674-2045
   Blairmore              (403) 562-7426
   Bonnyville             (780) 826-1753
   Brooks                 (403) 793-2254
   Calgary                (403) 234-8066
   Calgary                (403) 269-7425   v.34 only
   Camrose                (780) 672-3689
   Canmore                (403) 678-6966
   Cardston               (403) 653-1006
   Claresholm             (403) 625-2241
   Drayton Valley         (780) 542-6038
   Drumheller             (403) 823-4224
   Edmonton               (780) 420-6198   v.34 only
   Edmonton               (780) 425-5674
   Edmonton               (780) 425-5691
   Edmonton               (780) 429-1522
   Edson                  (780) 723-5352
   Evansburg              (780) 727-3572
   Fairview               (780) 835-5688
   Fort McMurray          (780) 743-6302
   Grande Cache           (780) 827-2044
   Grande Prairie         (780) 539-0195
   Hanna                  (403) 854-2615
   High Level             (780) 926-2142
   High Prairie           (780) 523-2673
   Hinton                 (780) 865-1393
   Jasper                 (780) 852-4846
   Lac La Biche           (780) 623-3832
   Lethbridge             (403) 380-2067
   Lloydminster           (780) 875-1237
   Manning                (780) 836-2683
   Medicine Hat           (403) 528-2135
   Olds                   (403) 556-2930
   Oyen                   (403) 664-2505
   Peace River            (780) 624-1055
   Pincher Creek          (403) 627-2444
   Red Deer               (403) 341-4097
   Rocky Mountain House   (403) 845-5552
   Slave Lake             (780) 849-2826
   Smoky Lake             (780) 656-2291
   St. Paul               (780) 645-1847
   Stettler               (403) 742-5581
   Valleyview             (780) 524-2454
   Vegreville             (780) 632-2213
   Vermilion              (780) 853-6941
   Wainwright             (780) 842-5103
   Wetaskiwin             (780) 352-2384
   Whitecourt             (780) 778-4677


------------------
 System Addressing
------------------

Host systems attached to AGNPAC are addressed most commonly by 9 digit
Network User Addresses (NUA's). That's 1 billion possible NUA's. These
NUA's follow a simple format of 9 consecutive digits (#########).

Other NUA formats may exist but the only exception to the 9 digit NUA
that I know of is something I call an "alias". Aliases are acronyms
preceded by a dot. These aliases resolve to a regular NUA which is
revealed when you connect to the host.
Here are some examples of known aliases and their corresponding NUA's:

   .govtcpdial = 4004 11188
   .cgsbbs     = 4004 059010  (oddly enough this resolves to a 10 digit NUA)

Anyway, back to the NUA's. As far as I can tell the 9 digit NUA's have a
4 digit prefix and a 5 digit suffix. Or possibly they break down like
this:

                (####)(###)(##)
                  :     :    :
     City Code? ..:     :    :
                        :    :
Address Prefix? ........:    :
                             :
System Address? .............:

But that's just a hunch I've got based on the NUA's that I know of.

I also have reason to believe there may be system subaddressing, or
Logical Channels (LCN), in which case the address may be suffixed with
1 or 2 digits to connect to a subaddress of the system. And there may
also be mnemonics, data characters which follow the address preceded by
a comma. Mnemonics are used to connect to sub-systems of the host
system. But again, this is all just speculation for now.


----------------------------
 Connecting to a Host System
----------------------------

To connect to a system you enter its NUA and if it is valid you will get
a message like this:

   AGNPAC: call connected to #### #####

Now you may receive an identifying message and the system's prompt
depending on the system, or you may get a connect message and no prompt
at all. Sometimes if you press it will forward you to the host's prompt.

To disconnect from a host that you have connected to and get back to the
main prompt use the command "p clr".

For a list of known NUA's refer to the "AGNPAC NUA Directory"
(agnpacnua.txt) on www.hackcanada.com in the Canadian H/P-Hacking
section.


---------------------
 Command Line Options
---------------------

Some of these are used from the main prompt and some are used in
conjunction with an NUA.
The command summary is as follows:

------- ---------------------------- -------------------------------
Command Use                          Description
------- ---------------------------- -------------------------------
c                                    Closed User Group
clr     Preceded by p                Used to clear a circuit locally
f                                    [Restricted] Fast Select
int     Preceded by p                Interrupt
l                                    Packet Size
n       n ######### (where # is NUA) Normal call (default)
p       p ######### (where # is NUA) Priority call
par?                                 Displays parameters
reset   Preceded by p                Resets locally
set     : [,:]                       Sets parameters
stat                                 Displays status
------- ---------------------------- -------------------------------

Let's look at the use of each command/option in further detail...

c       Closed user group.

clr     This command is used to disconnect from a host system. Hit p
        and you will get a triangular prompt, then type clr and you
        will return to the AGNPAC command prompt.

f       Fast select.

int     Interrupts a circuit.

l       Packet size.

n       This option is used in conjunction with an NUA like this
        "n #########" (where # is NUA). It sets the priority of the
        call to "normal" which is the default so this command option
        is not generally needed.

p       This option is used in conjunction with an NUA like this
        "p #########" (where # is NUA). It sets the priority of the
        call to "high".

par?    This command returns a list of parameters and their settings
        that looks something like this:

        AGNPAC: par
        001:001, 002:001, 003:002, 004:000, 005:000, 006:001
        007:001, 008:000, 009:002, 010:000, 011:021, 012:000
        013:004, 014:000, 015:000, 016:del, 017:can, 018:dc2
        019:002, 020:000, 021:003, 022:000, 118:del, 119:can
        120:dc2, 121:000, 122:000, 123:001, 125:000, 126:004

        Now, if you really care what all the parameters are for, pop
        onto Datapac and check out the section on PAD Alteration
        Information that is on the Datapac Information Service (DIS)
        located at NUA 92100086.

reset   Resets parameters to default.

set     Set a parameter value.
        Syntax=set : [,:]

stat    This command returns a status list that looks something like
        this:

        AGNPAC: free XXXX XXX
        outgoing options:
          remote charging
          local charging -default
          normal -default
          priority
          no preselect rpoa
          no select rpoa
        incoming options:
          local charging -normal & priority
          remote charging


---------------
 Scanning NUA's
---------------

The most important thing to know when scanning NUA's on AGNPAC is how to
disconnect from an NUA that you have connected to and get back to the
main prompt. This is done with the command "p clr".

The second most important thing to know is that you will be disconnected
from AGNPAC after ten failed attempts in a row. You will want to connect
then disconnect from a known good NUA after every 8 or 9 failed
attempts.

Scanning anything manually is a time consuming chore and clearly an
automated script makes the task much nicer. To get you started, here is
a quick-n-dirty script for Telemate that gets the job done. As it stands
it can scan a maximum of 100 NUA's at a time. Probably a good idea
because if you sit there scanning for hours somebody you don't want to
is probably more likely to notice what you are doing. Then again, they
don't seem to be monitoring for this kind of activity at all yet.

; - - - - - - - - - - - - - - - < CUT HERE > - - - - - - - - - - - - - - -
; -- AGNHACK lite --
; CYB0RG/ASM - 06/99
; www.hackcanada.com
;
; This is a cheap little AGNPAC NUA scanner for Telemate. As it stands, it
; can scan 100 NUA's in about 4 minutes. You can tinker with the delays to
; get better performance, or, rewrite the whole thing to suit your needs.
; It is probably a good idea to change the value of strHome every once in
; a while.
#include "toolbox2.scr"

string strHome, strLogfile, strNua, strPrefix, strSuffix, strTemp

strHome = "400405603"              ; valid NUA
iAttempts = 0                      ; initialize attempts counter
iMaxattempts = 9                   ; Number of NUA's to try before
                                   ; connect/disconnect from strHome

PRINT "Enter Prefix (#######): "
INPUTN strPrefix,7
PRINT
PRINT "Enter Suffix Start (##): "
INPUTN strTemp,2
ATOI strTemp, iSuffixstart
PRINT
PRINT "Enter Suffix End (##): "
INPUTN strTemp,2
ATOI strTemp, iSuffixend
PRINT
PRINT "Enter Logfile Name and hit : "
INPUT strLogfile

LOGON strLogfile                   ; start logging to file

REPEAT
   strSuffix = "00"
   ITOA iSuffixstart, strTemp
   CONCAT strSuffix, strTemp       ; pad suffix
   LENGTH strSuffix, iLen
   SUBSTR strSuffix, iLen - 1, 2, strSuffix  ; trim leading zeros
   strNua = strPrefix
   CONCAT strNua, strSuffix        ; build whole NUA
   PUT strNua                      ; connect to NUA
   DELAY 14                        ; give time to log
   PUT "^PCLR"                     ; disconnect from NUA
   DELAY 5                         ; wait for prompt
   iSuffixstart = iSuffixstart + 1
   iAttempts = iAttempts + 1
   IF iAttempts = iMaxattempts     ; connect to valid NUA to
                                   ; prevent disconnect
      LOGPAUSE                     ; stop logging
      PUT strHome                  ; connect to valid NUA
      DELAY 7                      ; wait
      PUT "^PCLR"                  ; exit the valid NUA
      DELAY 7                      ; wait
      iAttempts = 0                ; reset attempts count
      LOGRESUME                    ; start logging again
   ENDIF
UNTIL iSuffixstart = iSuffixend + 1

LOGOFF                             ; close log file
HANGUP                             ; +++ATH0

; End of Script
; - - - - - - - - - - - - - - - < CUT HERE > - - - - - - - - - - - - - - -

Note: You have to compile the script with TMS.EXE. If you don't know how
to use Telemate... rtfm. This is the "Complete Guide to AGNPAC" not the
"Complete Guide to Telemate".


---------------
 Error Messages
---------------

More often than not when scanning for NUA's you will get an error
message rather than a call connected message. There are simply FAR more
unassigned NUA's than there are NUA's in use. Here is a guide to some of
the most common error messages and their meanings.
Errors generated by improper use of command line options are fairly
self-explanatory and are not covered here.

AGNPAC: call cleared - address not in service

   The most common message. It means the address is currently not
   assigned to a host system.

AGNPAC: call cleared - temporary network problem

   The host system is either temporarily or permanently down. Generally,
   whole blocks (#######00-#######99) will be down and respond with this
   message.

AGNPAC: call cleared - destination not responding

   The host is ignoring your connect request or it is down. Again, you
   will find that NUA's in blocks of one hundred respond with this
   message.

AGNPAC: call cleared - destination busy

   The host system may just be temporarily busy, permanently busy, or
   down. Again, you will find that NUA's in blocks of one hundred
   respond with this message.

AGNPAC: call cleared - access barred

   The calling terminal is not permitted to establish a connection to
   the host system. AGNPAC emits this error message on direction from
   the host. It is a system that only accepts calls from specified
   originating NUA's. Again, you will find that NUA's in blocks of one
   hundred respond with this message.

AGNPAC: call cleared - remote directive

   This is likely a clearing of the virtual circuit in response to a
   clear request packet sent from the host system. The right
   subaddressing and/or mnemonics can probably get by this.

AGNPAC: call cleared - local directive

   This message indicates that the user has used the "clr" command to
   clear the virtual circuit in order to disconnect from an NUA.

AGNPAC: call cleared - incompatible destination

   I think this indicates that an incorrect number of digits were
   entered for an NUA.

AGNPAC: comma required before data characters

   This message is common when you mistype an NUA. This message may
   refer to the use of mnemonics to connect to sub-systems of the host
   as mentioned in the "System Addressing" section of this file.

AGNPAC: invalid command

   Invalid command line option.

AGNPAC: command not allowed

   Command line option used improperly.

AGNPAC: service option not subscribed

   Some NUA's result in this message. I don't know why.


-------------
 Legal Issues
-------------

Now, connecting to AGNPAC via a publicly accessible dial port and
scanning NUA's is one thing... hacking the hosts you find attached to it
is obviously illegal. Have fun learning how to navigate a packet
switched network, but don't be an idiot and don't break the law.


--------
 Credits
--------

Shouts to The Clone and Wizbone for helping pioneer research on this
network. And to Deicide for the file "Introduction to Datapac" which
gave me insight into the command line options.

Copyright (c) 1999 Hack Canada
www.hackcanada.com
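
Added example, not part of the original file: the procedure in "Scanning NUA's" keeps every run of failures under the ten-in-a-row disconnect, so a consecutive-failure limit alone never fires. This sketch, written from the network operator's side, flags a session by overall failure ratio and by how many addresses of one 7-digit block were tried; the log layout, field names, thresholds and NUA values are constructed for illustration, and only the signal texts come from the "Error Messages" list.

```python
import re
from collections import Counter, defaultdict

LINE = re.compile(r"session=(\S+) called=(\d{9}) signal=(.+)")
# Clearing causes from the guide's "Error Messages" list that mean the call failed.
FAILED = ("address not in service", "temporary network problem",
          "destination not responding", "destination busy", "access barred")

def make_sample_log():
    """Constructed records; the session=/called=/signal= layout is hypothetical."""
    lines = []
    for i in range(30):  # session A: sweep of one 7-digit block
        lines.append(f"session=A called=9999123{i:02d} "
                     "signal=call cleared - address not in service")
        if i % 9 == 8:   # known-good call after every 9 failures
            lines.append("session=A called=999900001 signal=call connected")
            lines.append("session=A called=999900001 signal=call cleared - local directive")
    lines += [           # session B: ordinary use of two hosts
        "session=B called=999900002 signal=call connected",
        "session=B called=999900002 signal=call cleared - local directive",
        "session=B called=999900020 signal=call cleared - destination busy",
        "session=B called=999900002 signal=call connected",
    ]
    return lines

def analyze(lines, min_attempts=20, fail_ratio=0.7):
    attempts = defaultdict(list)          # session -> [(nua, failed)]
    for line in lines:
        m = LINE.match(line)
        if not m or "local directive" in m.group(3):
            continue                      # the caller's own clr is not a call attempt
        session, nua, signal = m.groups()
        attempts[session].append((nua, any(f in signal for f in FAILED)))
    report = {}
    for session, calls in attempts.items():
        failed = {nua for nua, bad in calls if bad}
        longest = run = 0                 # what a consecutive-failure limit sees
        for _, bad in calls:
            run = run + 1 if bad else 0
            longest = max(longest, run)
        blocks = Counter(n[:7] for n in failed).most_common(1) or [("", 0)]
        ratio = sum(bad for _, bad in calls) / len(calls)
        report[session] = {
            "attempts": len(calls), "fail_ratio": round(ratio, 2),
            "longest_fail_run": longest,
            "block": blocks[0][0], "swept": blocks[0][1],
            "scan_suspected": len(calls) >= min_attempts and ratio >= fail_ratio,
        }
    return report

if __name__ == "__main__":
    for session, row in analyze(make_sample_log()).items():
        print(session, row)
```

Session A never exceeds nine failures in a row, yet it is flagged because 30 of its 33 attempts failed across a single block; session B, with one busy signal among normal calls, is not.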