$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$ $$ $$ A Guide to DataPAC $$ $$ $$ $$ A Technical Information File for the Canadian Hacker $$ $$ $$ $$ (C) 1989,1990 The Fixer - A Free Press Publication $$ $$ $$ $$ Edition 1.1 - April 18, 1990 $$ $$ $$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Foreword -------- Welcome to the exciting world of Packet Switched Data Communications. Your position as an outside hacker makes Telecom Canada's Packet Switched Network -- DATAPAC -- an even more magical place for you and all those close to you. Isn't life grand... What is DataPac? ---------------- DataPac is the Packet Switched Network of Telecom Canada, a consortium of major telephone companies across Canada. Originally brought into being in the late 1970's, Datapac's main purpose is to provide effective, reliable, high- speed data transfer to the business computing community nationwide. Several different levels of service are available on Datapac, from public-access PACX access that resembles a digital telephone system, to dedicated high-speed point-to-point leased lines. Since most hackers aren't likely to have a leased line in their homes, this file will be mainly concerned with Datapac's Public Network. Logging on: ----------- Firstly, find the phone number of the DataPac public dial port in your locale. DataPac has provided dial ports in almost every town with a population higher than the average IQ, and has WATS access ports for the rest of Canada. You will find the phone number for the appropriate modem speed in the white pages under DATAPAC PUBLIC DIAL PORT 3101 (at least that is where it is in BC Tel's phonebooks.) The WATS numbers are available in Telecom Canada's annual 800 service directory, or to this 800 scanner, The Bible. Tommy's Canadian WATS phonebook also carries a set of WATS DataPac dial ports. Once you have connected, raise DataPac's attention by typing a period (.) followed by a carriage return. You should now have a prompt resembling this: DATAPAC: 6470 0138 You have entered a whole new world. Basic addressing: ----------------- To the remote user (YOU), DataPac works pretty much like a normal phone system would, except that communications are data, not voice, and to connect to a system, you type an ADDRESS rather than a phone number. Perhaps the first system a hacker new to DataPac should connect to is DataPac's own information service. Its address is 92100086. This service provides documentation and information relative to DataPac, and is invaluable to all DataPac users. This file will (attempt to) avoid duplicating the DIS and simply explain the basics of hacking it. As you see, 92100086 is eight digits (nice base-2 number...). On DataPac, addresses are commonly shown in two parts, i.e. 9210 0086. This clarifies the TRUE MEANING of the address and shows its similarity to a phone number: the first four digits are the "prefix" and the last four are the "suffix." The prefix is unique to a given location in Canada, for example all DataPac addresses staring with 6470 are located in Victoria, British Columbia. A given location may have one or several prefices, depending on the "population density" of subscribing systems in each area. So, as you might imagine, Ottawa is far from being our largest city but has the second highest .udber of subscribing systems, thanks to our Beloved leadership (the Loony Mulroney). Toronto, Montreal, Vancouver, Edmonton and Ottawa all have several DataPac prefices. This will become important to you later in this file. The last four digits, the suffix, is as arbitrary as a phone number suffix would be. Although the range is 0000 to 9999, it is very rare to find a DataPac subscriber system with a suffix higher than 2000. This too will be explained later. DataPac Outdial and the NUI --------------------------- DataPac offers users of the public switched network NUIs, or Network User Identifications. These are identification codes for a monthly charge that entitle the DataPac user to greater access to the system. DataPac charges by the month, by the minute, and by the KiloPacket (256,000 bytes) for access. If you have a NUI, these charges are billed to you (or the owner of the NUI, heh heh heh). If you don't, all your connections on DataPac are treated as "collect", or billed to the system you connect to. Obviously, a great number of systems will not accept your collect "call" and you will find this a common message from DataPac as your exploits on the system wear on. Needless to say, this makes NUIs a cherished asset among DataPac hackers. DataPac offers a service to NUI subscribers called DataPac Outdial. DataPac currently has dial-out modems in 18 major centres (NOT VICTORIA! ARGH! WICKEY-WAH!) through which calls within the local area of these modems can be placed at 300 or 1200 baud. Needless to say, you M U S T have a NUI to use DataPac Outdial, or be calling from a system with a dedicated line into DataPac (some systems on DataPac let you "shell" back into the network; these are real gems because you get NUI privileges). The restrictions are that bauds can only be 300 or 1200, and many off-network systems will cause DataPac to drop the connection and give a "Remote Procedure Error." Caveat Emptor. Scanning DataPac ---------------- This is what you are reading this file for... To scan DataPac, you pick a target city and prefix to scan. Say Toronto, 3910 XXXX. For now, XXXX represents the suffix. So, you want to start with zero. The proper syntax would be 3910 0000 (or just 39100000). ALWAYS PAD THE SUFFIX WITH ZEROES. The address must be eight digits long. Type this address in. If you connect, you will be informed so. If not, try the next one: 39100001 and then the next... 39100002 39100003 39100004 39100005 39100006 39100007 and so on. You are likely to get several messages during the course of scanning DataPac, including Call Connected (the one you really want), Destination Busy (try later), Address Not In Service (no system there), Access Barred (either you need an NUI or it is originate only), Collect Call Refused (You need an NUI). If you really screw up, you might get one of these: Invalid Address: You typed less than 8 digits. Comma required before Data Characters: Usually seen when the hacker makes a "typo". DataPac allows you to pass parameters to the host system by following the address with a comma and one or more data characters. This is infrequently used so nothing more will be said. Now, DataPac has some anti-scanning mechanisms in place, which can be defeated readily. If you get more than 9 error messages in a row, DataPac will hang up on you. Also if you are connected to DataPac for a certain period of time (it almost seems random but it averages about a minute) without successfully connecting to a system, you will also be dumped. So robotically scanning one number after the next will result in many re-dials, as DataPac is not densely populated enough to guarantee a connection for every nine or fewer scan attempts, even if you are using an NUI. So, what you need to do is insure that you DO successfully connect often enough to avoid having to redial often. You are much more visible to the phone comapny when you scan than you are to DataPac, so minimising your redial "profile" is to your benefit. You can assure minimal redial if you connect, say, every 5 dial attempts, to a KNOWN- GOOD address, anHkhgB@Dsconnect from it. Disconnecting is not difficult, just type CTRL-P followed by the letters CLR or CLEAR. The ^P CLR string will result in the message: Call Cleared - Local Directive, and more importantly, will reset that hack-counter and hack-timer so you can continue scanning without actually phoning DataPac multiple times. In the course of testing my own scanner programs, I have come across a few addresses which I connect to normally, then immediately clear the connection, giving the messages: DATAPAC: Call connected to 5550 0039 (001) remote charging,n,128 DATAPAC: Call Cleared - Remote Request This is a good number if you use an automatic scanner because you just call that address say every 8 calls and continue scanning. At this writing, 55500039 is no longer a "working" address, so you'll have to find one on your own. To save time, you will probably want to end your scan of a given prefix at XXXX2000. It has been my own experience that little or nothing lies ABOVE 2000. Once You Connect ---------------- After you have performed a scan of a DataPac and you have a list of addresses, you're halfway finished. Now yo want to manually dial each of these systems to find out what they hold. Many will just freeze, some will have computers such as VAXes and System/370s running a wide variety of operating systems. Truly DataPac is an Eden for hackers. Some systems will have PACXs of their own; these always have more than one computer connected and many have dialout ports. DIALOUT ports, although usually password protected, are the elusive Fata Morgana of the DataPac scanner. Private dialouts are usually free of the kludges and restrictions of DataPac's dialout and can call anywhere in the world. No wonder most of them have passwords. If you find an unprotected private dialout, or the password and address of a protected one, you Sir have hit the proverbial jackpot. The Gandalf PACX has DIALOUT as a DEFAULT, and few PACXs have removed it, but almost all have protected it. Now I am about to tell you something that may seem to contradict my earlier writing: A datapac address with a system on it MAY have sub-addresses. The syntax is thus: 3910 0156 XX or 3910 0156 X You can place a ninth or even tenth digit on a known-valid address and you will usually connect with something that is often quite different from the prime address. This is for systems without PACXs that want to have several machines on DataPac at the same address. So much for only eight digits... One final thing to try on a PACX is PAD or PAC. Many PACX's allow you to re- enter DataPac through the host system. In most cases this gives you all the privileges of an NUI because DataPac has someone to bill now. Your connections are no longer "collect" and the REAL fun, including DataPac Outdial, begins. Other Networks -------------- Yes, there is life beyond DataPac. There are many Packet Switched Networks in existence around the globe, most of which can communicate with most of the rest. In the United States, two major ones are Tymnet and Telenet (damned foreigners...). Now, you will find that even FEWER addresses from other networks will be available to Canadian hackers due to the fact that inter-network collect charges can be astronomical. But since the US has a higher density in its networks than Canada, you will also find your scans of other networks can easily be as rich or better than DataPac scans. The syntax for connecting to an address on a foreign network via DataPac is thus: 1 XXXX YYYYYYYY 1 indicates an "OtherNet" call. XXXX is the DNIC, Data Network ID Code. There is a text file on Tommy's Holiday Camp and other hacking BBSes listing the names and DNICs of the major networks worldwide; the number of them may surprise you. YYYYYYYY can vary in length; different networks have different addressing syntaxes. Telenet, like DataPac, uses an eight-digit address with possible extensions and data characters. Tymnet uses a six digit address, also allowing extensions. Finding the syntaxes for other networks may require a little ingenuity on your part; but you're a hacker, AREN'T YOU. Here is an example of a call into Telenet: 1 3110 31200061 1 was the Othernet indicator; it is the only circumstance in which a DataPac address may be LESS than eight digits (try 13106; you WILL connect). 3110 was the DNIC for Telenet. 31200061 was the Telenet address. It works like DataPac, except that the Prefix is based on the area code in which the remote system resides. Very, VERY helpful to scanners, and this makes Telenet a joy to scan. When scanning a foreign network (and foreign can mean Canadian too; CNCP has a network with its own DNIC separate from DataPac) you will often get the following message: DATAPAC: Call cleared - temporary network problem This is usually an error message generated by the foreign network that DataPac doesn't support. With 200 networks all claiming to be "THE Data Communications Authority", it's not surprising that their messages are not always compatible. DataPac's DNIC is 3020. Tymnets's is 3106. Telenet's is 3110. Legal Implications of DataPac ----------------------------- At this point, it is not at all illegal merely to be ON DataPac. It is uncertain at this time whether SCANNING DataPac is a crime, or if the network's keepers know what is going on. It is DEFINITELY an offence to try to hack a password on a system on DataPac just as on any other computer, but the question remains as to whether or not DataPac knows where you are. Thus far no DataPac-related busts have been reported but there have been some major crackdowns on American networks. The same advice can be given to DataPac hacking as to regular telephone hacking: (1) Scan randomly. (2) Scan with friends; this confounds investigations. (3) Hack passes at your own risk. (4) Remember the first law of bragging: Your friends turn you in Conclusion ---------- What you get out of this file will depend entirely on what you do with it. As with all forms of hacking, a great deal of effort is required on your part to have a truly satisfying hacking experience, and you must be prepared to take certain risks, even to the jeopardy of your freedom. If you have more than a rodent-level understanding of telecomputing you should now be able to hack any network in the world through DataPac, and with the right amount of initiative and ingenuity, the world is yours.....