Re: x.25 / x.28 pentesting

From: Marco Ivaldi (raptor@0xdeadbeef.info)
Date: Thu Jul 28 2005 - 10:37:03 EDT


Hey Marcos,

> Does someone have experience doing audits on X.25 networks?

Yeah. Good to know there's someone else who's still carrying on X.25
audits nowadays, I thought I was almost the only one left ;)

> I need to audit a service that uses X.28 access (dialing in by modem) to
> connect to a host on an X.25 network.
>
> I remember from a loooong time ago some tools to do scans of X.25
> networks through an X.28 dial-in PAD and try some kind of basic hack on
> the hosts found. But I have forgotten the names of these tools (and also
> lost them on some diskette). Any idea about some more modern (or old)
> tools to help with X.25?

Ah, nice question... X.25 is still a really effective attack vector:
nevertheless a lot of people seem to forget about it or believe it's
secure only 'cause it's old -- this is a common (and pretty dangerous)
misunderstanding that involves other old communication protocols too [1].

X.25 penetration testing through an X.28 PAD is always painful, but you
could try to build minicom scripts to automate some tasks (scanning of
NUAs and/or subaddresses, depending on your testing scope, etc.). You
should also try to search the web for some Perl scripts (I remember one
that was able to scan Sprintnet NUAs, but it was easily customizable
IIRC... it was called x25cat or something like that) and for the good old
ADMx25 suite by antilove. There were also some tools for NUI scanning, but
I don't think you're gonna need them.

Also, take a look at some old tools and whitepapers that some friends and
I wrote. The tools aren't really meant for X.25 testing through X.28, but
maybe you'll find them useful after you penetrate the first system:

http://www.0xdeadbeef.info/code/vudu
http://www.0xdeadbeef.info/code/fvudu
http://www.0xdeadbeef.info/code/autoscan.pl
http://www.0xdeadbeef.info/code/psibrute.com
http://www.0xdeadbeef.info/code/backdoor.bas
http://wayreth.eu.org/x25bru.c
http://blackhats.it/it/papers/x25.pdf

Finally, even if someone was indeed able to develop a working remote
exploit for X.25 networks [2], remember that X.25 hacking is mostly based
on manual password guessing sessions, so you'd better be prepared ;)

Hope it helps. Ciao,

[1] "Since DECnet is a less well-known protocol, nobody is attempting to
    hack it": http://itmanagement.earthweb.com/erp/article.php/3517186

[2] Remote login exploit via X.25 PAD. Working on Solaris 2.6/7/8.
    (CVE-2001-0797) by inode. The code is not public yet.

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
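The NUA/subaddress scanning that Marco suggests automating with minicom scripts, written out as an added example that is not part of the original post nor of any of the tools it links. It assumes the PAD accepts a bare NUA as a call request and answers with an X.28 service signal (COM, CLR OCC, CLR NP, ...); the exact mnemonics and diagnostic digits are an assumption and differ between networks and PAD vendors. The modem/PAD transport is injected, so the constructed FakePad below stands in for it and the same scan() can later be wired to a pyserial port or a minicom expect script.

```python
"""NUA scanner driven through an X.28 PAD (added example, not the post's code).

Assumptions: a bare NUA is a valid call request, the PAD replies with one of
the service signals below, and the transport object exposes call(nua) and
clear(). FakePad is a constructed in-memory stand-in for a modem+PAD session.
"""
import re
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# X.28 PAD service signals. Assumption: mnemonics and the trailing
# diagnostic digits vary by network and PAD vendor; extend as observed.
SERVICE_SIGNALS = {
    "COM": "connected, the remote host accepted the call",
    "CLR OCC": "cleared, remote number busy",
    "CLR NC": "cleared, network congestion",
    "CLR INV": "cleared, invalid facility request",
    "CLR NA": "cleared, access barred",
    "CLR ERR": "cleared, local procedure error",
    "CLR RPE": "cleared, remote procedure error",
    "CLR NP": "cleared, not obtainable (no such NUA)",
    "CLR DER": "cleared, remote DTE out of order",
    "CLR PAD": "cleared, by the PAD",
    "CLR DTE": "cleared, by the remote DTE",
    "CLR RNA": "cleared, reverse charging not accepted",
}
SIGNAL_RE = re.compile(r"^[ \t]*(COM|CLR[ \t]+[A-Z]+)\b", re.MULTILINE)


def classify(response: str) -> Tuple[str, str]:
    """Map a PAD reply to (signal, meaning); unknown replies keep the raw text."""
    m = SIGNAL_RE.search(response)
    if not m:
        return "UNKNOWN", response.strip()
    sig = re.sub(r"\s+", " ", m.group(1))
    return sig, SERVICE_SIGNALS.get(sig, "unlisted service signal")


def banner(response: str) -> str:
    """Text following the COM signal: usually the host's login prompt."""
    m = SIGNAL_RE.search(response)
    return response[m.end():].strip() if m else ""


def iter_nuas(prefix: str, start: int, end: int, width: int,
              subaddresses: Optional[List[str]] = None) -> Iterator[str]:
    """Yield prefix + zero-padded number, once per subaddress suffix."""
    for n in range(start, end + 1):
        base = f"{prefix}{n:0{width}d}"
        for sub in subaddresses or [""]:
            yield base + sub


class FakePad:
    """Constructed stand-in for a modem+PAD session; replies come from a table."""
    def __init__(self, table: Dict[str, str]) -> None:
        self.table = table
        self.cleared = 0

    def call(self, nua: str) -> str:
        return self.table.get(nua, "CLR NP 000 000\r\n")

    def clear(self) -> None:  # real transport: PAD escape (Ctrl-P), then "CLR"
        self.cleared += 1


def scan(nuas: Iterable[str], pad) -> Dict[str, dict]:
    """Call each NUA, record the service signal, keep the banner of any host
    that answered COM and clear that call so the next request starts in PAD mode."""
    results: Dict[str, dict] = {}
    for nua in nuas:
        reply = pad.call(nua)
        sig, meaning = classify(reply)
        entry = {"signal": sig, "meaning": meaning}
        if sig == "COM":
            entry["banner"] = banner(reply)
            pad.clear()
        results[nua] = entry
    return results


def live_hosts(results: Dict[str, dict]) -> List[str]:
    """NUAs that answered COM, i.e. the ones worth a manual login session."""
    return sorted(n for n, r in results.items() if r["signal"] == "COM")


# Constructed sample replies (not captured from any real network).
SAMPLE_TABLE = {
    "2080100": "COM\r\n\r\nWelcome to node ALPHA\r\nUsername: ",
    "2080101": "CLR OCC 000 000\r\n",
    "2080102": "CLR DER 000 000\r\n",
}

if __name__ == "__main__":
    pad = FakePad(SAMPLE_TABLE)
    res = scan(iter_nuas("2080", 100, 103, 3), pad)
    for nua, r in res.items():
        print(nua, r["signal"], r.get("banner", ""))
    print("live:", live_hosts(res))
```

Replacing FakePad with a small class that writes the NUA to a pyserial port and reads until the next service signal is all a live run needs; keep the CLR OCC and CLR NC entries in your results rather than dropping them, since a busy or congested NUA is often a real host worth retrying later.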


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:40 EDT