Ascend pipeline terminal server
______ ._______._______
____\_ \__| |__ /_______
/ _/ \__ __/ /\ /wK
.-/_____________/_________\____/|______\---.
| aMIGA tACTICAL wARFARE |
| Red^Blade/ATW presents a file on hacking |
| ** Ascend pipeline terminal server ** |
| V0.1 NO NCOMM SCRIPTS |
`------------------------------------------'Warning
If some dumb ass lamer reads this file, uses it, gets caught then Don't blame Red^Blade, cos this is intended for INformational purposes (yeah right)
Note
This version does not have the NCOMM SCRIPTS, this is the 1st beta version the final version will have the scripts..
________________________________________________ _________________
\_________ \ ____/ _______ __________ \ ______ \
/ ____/ /____ \_ \ / ___/ / \ / / /
/ / / / / / / / \ / / /
/___________/_________/________/_________/______\____/___________/R^B** Ascend pipeline terminal server **
Notes on my experience with them that could help with hacking them by Red^Blade/ATW.
Written June/00
Er yeah, I can't tell you how to hack them, as the only ones I encountered are/were via dialins. And when I dial in I get dropped straight at a prompt. so these are mainly notes..
Ascend routers do not have a scripting language ie a c compiler, so the only scripting language you will use is the one with your terminal.
What you need
A terminal program that supports VT100, so you need a telnet program (if you hacking a inet one) or a Dialup software(for dialup hacking duh). Best to get terminal programs with a Scripting language.
Er a decent pc product for windows for telnet is hard to find, Which is why I don't use it, But you should be able to find one. For a pc, i am recommending (Terminate , Dialup) and (Nterm, Inet).
For the Amiga I use. DCTELNET for inet and NCOMM for dialup. The only problem with dctelnet is that it does not have a Script language :/.
---
When the Pipeline is shipped from the factory, its security features are all set to defaults that enable you to configure and set up the pipeline without any restrictions.
When you find one this is what they look like:
** Ascend Pipeline Terminal Server **
login:
Password:** Bad Password
There is only one Default account, that I have found and it is:
Login: Full Access
Password: AscendNote: Passwords are case-insensitive. This means that you can type it as: "aSCEND","ascend","aScEnD", but they are not elite-insensitive which means you can't type it as "45C3ND".
Note I have never had to use that as the ones I find are dialin, you just ring it and get dropped to a prompt straight away :).
upon login on this is the prompt.
ascend%The first thing you should type like on most systems is the "show users" so lets it type it and the reply should be something like this:
I Session Line: Slot: Tx Rx Service Host User
O ID Chan Port Data Rate Type[mpID] Address Name
I 323681764 1:19 2:5 16800 12000 PPP 172.25.154.79 sheep
I 323681685 1:20 5:2 64K 64K MP[572] 172.25.191.1 ykh1
I 323681769 1:21 5:1 64K 64K PPP 172.25.154.80 temp0701
I 323681772 1:22 2:6 14400 14400 Termsrv N/A Modem 2:6
I 323681771 1:23 2:14 44000 28800 PPP 172.25.154.15 DiamondPOk, As you can see from the above that should be quite easy to read, but if you don't understand it here it is.
Session ID, you Session id to the router in the order that you have connected to it. ie As you can see i'm 2nd from the bottom, so I'm connection #323681771 to the system. They can also use that to look up who was connection #323681771 so if they looked that up, they would of found out that, I had access to their router via Terminal (ie Dialin, Telnet) but would of found out that I had dialed in because I had no host Address and my Username was via a Modem port.
TX DATA means the speed of Transferring the data.
RX Rate is the receiving speed of the data.
Service type, The service type means your type of connection to the router. ie PPP means a PPP connection, ie internet, Termsrv means that your at the terminal of the router via a telnet connection. MP[572] not to sure about that one but you should be able to telnet into the address of it, and you should hit a box, well i Have..
Address
The Address from where the connection came from.
User name, Er well duh, your user name or login name to the system, cos we dialed in we get the Modem, and our slot, port.
After you see who the users are online you can go back to hacking. I guess if you see 2 termsrv disconnect and relogin later..
Now type "local"
ascend% localOne of 2 things will happen.
1
Okay the first thing that might happen is that it will bring up a VT100 Ascii Menu, where you can control it by pressing/using the cursor keys and will show you alot of options. Unfortunately, I can not show you as the one like this I found, I abused the Telnet access for IRC and they passworded it.
but If I can remember on the Left hand side there will be options.
First thing I guess is to make a account or enable the Full Access account all functions.
go down to the security option.
00-300 Security
>00-301 Default
00-302
00-303 Full AccessThen to the Full Access Menu
00-303 Full Access
Name=Full Access (name of account)
>Passwd=ascend (password not case sensitive)
Operations=Yes (no Idea)
Edit Secutiy=Yes (Edit accounts)
Edit System=Yes (Edit the system ie, enable/disable telnet/slip/ppp)
Field Service=Yes (NO Idea)Er press Ctrl-D in this menu, it does something, can't remember :((dope :))
2
If option 1 didn't work, then this will happen, It will do a telnet connection on 127.0.0.1
then ask you for a password.
It will normally give you 3 chances, then quit the connection. So what you have do is write a script to brute force it(optional) you don't have to have to own them..
The Telnet password is 20 characters max and not case sensitive..
If you want to assign a Telnet PW in "local" (NOT recommended) then in the local menu do:
Open the Ethernet > Mod config > Ether Options
--
Commands that you should try to make sure that work are: local, menu, telnet, traceroute.
If local, needs a password and they disabled access to telnet then you have lost out on some fun.
Telnet is good because you can do a "show arp" and it might display some boxes connected to the Router, and you can telnet into them and hack them. ON a .jp router I found, there Was a Vine Linux box connected to it which seemed to be a .JP Linux strain. I don't know the defaults but it might need a .jp character map for the keyboard. :(
Traceroute is quite cool, cos you can do a traceroute on the users ip. ie if there was user called lameuser and his/her ip was 202.35.99.27, then you could do a traceroute on it and hack the other router or box. :).
other things I found out via experience is:
I Session Line: Slot: Tx Rx Service Host User
O ID Chan Port Data Rate Type[mpID] Address Name
I 323681764 1:19 2:5 16800 12000 PPP 172.25.154.79 sheep
I 323681685 1:20 5:2 64K 64K MP[572] 172.25.191.1 ykh1
I 323681769 1:21 5:1 64K 64K PPP 172.25.154.80 temp0701
I 323681772 1:22 2:6 14400 14400 Termsrv N/A Modem 2:6
I 323681771 1:23 2:14 44000 28800 PPP 172.25.154.15 DiamondPis that if you telnet into the service with MP[572] (cos the Service and the ip look different) It will/might be a box.
Also from experience I did a ping/telnet scan on the MP[572] ip ie 172.25.191.1 - 172.25.191.5 and I found Ethernet boxes on them :).
How to dial out
I have no idea, As I really didn't have the need so sorry :(. I guess it might be via the "open" command.
CLI menus
If you type "help" or "?" this is what you see.
ascend% help
? Display help information
help " " "
quit Closes terminal server session
hangup " " " "
test test <phone-number> [ <frame-count> ] [ <optional fields> ]
local Go to local mode
remote remote <station>
set Set various items. Type 'set ?' for help
show Show various tables. Type 'show ?' for help
iproute Manage IP routes. Type 'iproute ?' for help
dnstab Manage local DNS table. Type 'dnstab ?' for help
slip SLIP command
cslip Compressed SLIP command
ppp PPP command
menu Host menu interface
telnet telnet [ -a|-b|-t ] <host-name> [ <port-number> ]
tcp tcp <host-name> <port-number>
ping ping <host-name>
traceroute Trace route to host. Type 'traceroute -?' for help
rlogin rlogin [ -l user -ec ] <host-name> [ -l user ]
open open < modem-number | slot:modem-on-slot >
resume resume virtual connect session
close close virtual connect session
kill kill <session ID>
pptp pptp <server-name>
l2tp l2tp <server-name>
dnstab edit Starts editor for local DNS table.
dnstab entry Displays local DNS table entry.
dnstab show Displays local DNS table.
iproute add Adds an IP route.
iproute delete Deletes and IP route.
iproute show Displays IP routes (same as show iproutes)
ipxping Pings an IPX host.
set all Displays current settings
set arp clear Clears ARP cache
set fr Frame Relay datalink control
set password Enables dynamic password settings
set sessid [val] Sets and stores [val] or currentID
set term Sets the telnet/rlogin terminal type
show arp Displays the ARP cache (shows boxes connected to it :))
show dhcp Displays DHCP configuration parameters
show dhcp address Displays DHCP Address Assignment Information
show dhcp lease Displays DHCP lease Information
show dnstab Displays local DNS table
show dnstab entry Displays local DNS table entry
show fr dlci [name] Displays all DLCI information, or for [name]
show fr lmi Displays Frame relay LMI information
show fr stats Displays Frame relay statistics information
show icmp Displays ICMP information
show if stats Displays interface statistics
show if totals Displays interface total counts
show igmp clients Displays IGMP clients
show igmp groups Displays IGMP groups table
show igmp stats Displays IGMP statistics
show ip address Displays IP address assignments
show ip routes Displays IP routes
show ip stats Displays IP statistics
show isdn Displays ISDN events
show netw networks Displays NetWare IPX Networks
show netw pings Displays NetWare IPX ping Stats
show netw servers Displays NetWare IPX servers
show netw stats Displays NetWare IPX Statistics
show revision Displays system revision
show sessid Displays current and base session ID
show tcp connection Displays TCP connection table
show tcp stats Displays TCP statistics
show udp listen Displays UDP listen table
show udp stats Displays UDP statistics
show uptime Displays system uptimemisc notes
Er sometimes they have a fucken er Security box or some shit(i'm not a hacker), that spits out this at the login prompt:
Enter ID:
SNK Challenge: 94283794 (of some numbers similar like that)Enter Response
Invalid SNK ResponseI have no idea how to get past that, but you need a security card that comes with the router so...
but all I can tell you is that if you do find the Box that has it on, the default port for it is 7001. so that might help you.
Also I found in a newsgroup, that the router only allows two telnet connections at once, and that if each connection keeps sending one byte per second to the router, that the router will not disconnect.
Credits
Credits for this file goto the www site, where I found 2 html files on Ascend routers which were quite useful and I threw the notes in here.
Eon/SLI for telling me "Hmm sounds like a router, Lots of fun"
Greetz
Personals
- (amiga) binjinx, chill, case, axl, data stream, zinko, ramonster, darkcye nynexphreak, ][ype, Dr Fonk
- (boxers) Dr Snake, Dr Fonk, Skyper, Murder, Dynamics, 9xphreak, and many many more i forgot
- (nz scene) blackleg, krusher, sycotic, eon, barf, crash, lode.
Groups
- The amiga elite, The mad bad krad boxers :), and the .nz scene and last but not least the users of My bbs Brutal conflict :). oh and 809 squad
Contact
You can contact me at redblade@atwarfare.cjb.net or by doing a /whois Red^Blade on irc.
Or on these bbs's.
Name Country Sysop
Brutal Conflict NZ Me :) 9x NZ HQ, ATW/809 WHQ
Electric Warrior UK Axl
Cryogenics UK Data-Stream
The Northern Place DK Zinko
Checkpoint NO TC
Master Control US Tron mastercontrol.darktech.orgtake care.
last words. Dea)(alm I've quit the scene so don't ring me and Delete all my numbers and infos!!!!!!!!.
EOF
