Complete Guide to AGNPAC v2.0

                                  CYB0RG/ASM

                              www.hackcanada.com

                                  1999.05.30

----------------
What is AGNPAC?
----------------

AGNPAC is the Alberta Government Packet Switched Network (PSN) based on the
X.25 protocol. It is a Wide Area Network which spans across Alberta. It is
used to connect systems and networks used by the Alberta Government, Alberta
Registries, hospitals, schools, libraries, and other such entities.

The backbone for this network is made up of full T1 fibre optic lines. Other
WAN's and nodes are connected to the AGNPAC backbone via T1, 128K Frame Relay
circuits (full CIR), and multiple 128K Frame Relay circuits. The network can
also be reached through local dialups in most cities and large towns in
Alberta.

AGNPAC is built, managed, and maintained by Alberta Public Works Supply and
Service (APWSS) and funded by the Alberta provincial government. More
recently, publicly funded school boards have also started using it, with beta
trials becoming more widespread through the late nineties.

The AGNPAC network has been in existence since at least 1995. However, no
information regarding it has been publicly available... until now. There is
still much to learn about this network, and this file, the most complete
publicly available document on AGNPAC, is still somewhat lacking. However,
this file will be updated as new discoveries are made.


---------------------
Connecting to AGNPAC
---------------------

Dial ports exist in most major towns and cities across Alberta. The standard
communication parameters 8/N/1 are used although some systems on AGNPAC may
use 7/E/1. When you connect you will see a message similar to this:

   AGNPAC: 4007 030


-----------
Dial Ports
-----------

Athabasca             (780) 675-9424
Barrhead              (780) 674-2045
Blairmore             (403) 562-7426
Bonnyville            (780) 826-1753
Brooks                (403) 793-2254
Calgary               (403) 234-8066
Calgary               (403) 269-7425   v.34 only
Camrose               (780) 672-3689
Canmore               (403) 678-6966
Cardston              (403) 653-1006
Claresholm            (403) 625-2241
Drayton Valley        (780) 542-6038
Drumheller            (403) 823-4224
Edmonton              (780) 420-6198   v.34 only
Edmonton              (780) 425-5674
Edmonton              (780) 425-5691
Edmonton              (780) 429-1522
Edson                 (780) 723-5352
Evansburg             (780) 727-3572
Fairview              (780) 835-5688
Fort McMurray         (780) 743-6302
Grande Cache          (780) 827-2044
Grande Prairie        (780) 539-0195
Hanna                 (403) 854-2615
High Level            (780) 926-2142
High Prairie          (780) 523-2673
Hinton                (780) 865-1393
Jasper                (780) 852-4846
Lac La Biche          (780) 623-3832
Lethbridge            (403) 380-2067
Lloydminster          (780) 875-1237
Manning               (780) 836-2683
Medicine Hat          (403) 528-2135
Olds                  (403) 556-2930
Oyen                  (403) 664-2505
Peace River           (780) 624-1055
Pincher Creek         (403) 627-2444
Red Deer              (403) 341-4097
Rocky Mountain House  (403) 845-5552
Slave Lake            (780) 849-2826
Smoky Lake            (780) 656-2291
St. Paul              (780) 645-1847
Stettler              (403) 742-5581
Valleyview            (780) 524-2454
Vegreville            (780) 632-2213
Vermilion             (780) 853-6941
Wainwright            (780) 842-5103
Wetaskiwin            (780) 352-2384
Whitecourt            (780) 778-4677


------------------
System Addressing
------------------

Host systems attached to AGNPAC are addressed most commonly by 9 digit Network
User Addresses (NUA's). That's 1 billion possible NUA's. These NUA's follow a
simple format of 9 consecutive digits (#########). Other NUA formats may
exist but the only exception to the 9 digit NUA that I know of is something
I call an "alias".

Aliases are acronyms preceded by a dot. These aliases resolve to a regular
NUA which is revealed when you connect to the host. Here are some examples of
known aliases and their corresponding NUA's:

   .govtcpdial  =  4004 11188
   .cgsbbs      =  4004 059010  (oddly enough this resolves to a 10 digit NUA)

Anyway, back to the NUA's. As far as I can tell the 9 digit NUA's have a 4
digit prefix and a 5 digit suffix. Or possibly they break down like this:

                   (####)(###)(##)
                     :     :    :
        City Code? ..:     :    :
                           :    :
   Address Prefix? ........:    :
                                :
   System Address? .............:

But that's just a hunch I've got based on the NUA's that I know of. I also
have reason to believe there may be system subaddressing, or Logical Channels
(LCN), in which case the address may be suffixed with 1 or 2 digits to
connect to a subaddress of the system. And there may also be mnemonics, data
characters which follow the address preceded by a comma. Mnemonics are used
to connect to sub-systems of the host system. But again, this is all just
speculation for now.


----------------------------
Connecting to a Host System
----------------------------

To connect to a system you enter its NUA and if it is valid you will get a
message like this:

   AGNPAC: call connected to #### #####

Now you may receive an identifying message and the system's prompt depending
on the system, or you may get a connect message and no prompt at all.
Sometimes if you press <enter> it will forward you to the host's prompt.

To disconnect from a host that you have connected to and get back to the main
prompt use the command "<ctrl>p clr<cr>".

For a list of known NUA's refer to the "AGNPAC NUA Directory" (agnpacnua.txt)
on www.hackcanada.com in the Canadian H/P-Hacking section.


---------------------
Command Line Options
---------------------

Some of these are used from the main prompt and some are used in conjunction
with an NUA. The command summary is as follows:

   -------   ----------------------------   -------------------------------
   Command   Use                            Description
   -------   ----------------------------   -------------------------------
   c                                        Closed User Group
   clr       Preceded by <ctrl>p            Used to clear a circuit locally
   f         [Restricted]                   Fast Select
   int       Preceded by <ctrl>p            Interrupt
   l                                        Packet Size
   n         n ######### (where # is NUA)   Normal call (default)
   p         p ######### (where # is NUA)   Priority call
   par?                                     Displays parameters
   reset     Preceded by <ctrl>p            Resets locally
   set       <par>:<val> [,<par>:<val>]     Sets parameters
   stat                                     Displays status
   -------   ----------------------------   -------------------------------

Let's look at the use of each command/option in further detail...

    c  Closed user group.

  clr  This command is used to disconnect from a host system. Hit <ctrl>p
       and you will get a triangular prompt, then type clr<cr> and you will
       return to the AGNPAC command prompt.

    f  Fast select.

  int  Interrupts a circuit.

    l  Packet size.

    n  This option is used in conjunction with an NUA like this "n #########"
       (where # is NUA). It sets the priority of the call to "normal" which
       is the default so this command option is not generally needed.

    p  This option is used in conjunction with an NUA like this "p #########"
       (where # is NUA). It sets the priority of the call to "high".

 par?  This command returns a list of parameters and their settings that
       looks something like this:

       AGNPAC: par 001:001, 002:001, 003:002, 004:000, 005:000, 006:001
                   007:001, 008:000, 009:002, 010:000, 011:021, 012:000
                   013:004, 014:000, 015:000, 016:del, 017:can, 018:dc2
                   019:002, 020:000, 021:003, 022:000, 118:del, 119:can
                   120:dc2, 121:000, 122:000, 123:001, 125:000, 126:004

       Now, if you really care what all the parameters are for, pop onto
       Datapac and check out the section on PAD Alteration Information that
       is on the Datapac Information Service (DIS) located at NUA 92100086.

reset  Resets parameters to default.

  set  Set a parameter value. Syntax=set <par>:<val> [,<par>:<val>]

 stat  This command returns a status list that looks something like this:

       AGNPAC: free XXXX XXX 
               outgoing options:  remote charging
                                  local charging -default
                                  normal -default
                                  priority
                                  no preselect rpoa
                                  no select rpoa
               incoming options:  local charging
                                   -normal & priority
                                  remote charging
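
The "par?" response shown above can be parsed and compared against a saved
profile to see which PAD settings have changed. This is an added example, not
part of the original file. It assumes parameters 1 to 22 carry their ITU-T X.3
meanings (the file does not say so), and the "set" line it simulates is
constructed.

```python
import re

# ITU-T X.3 names for parameters 1-22. Assumption: AGNPAC follows X.3 here;
# higher-numbered parameters are network-specific and are left unnamed.
X3 = {1: "PAD recall", 2: "echo", 3: "data forwarding", 4: "idle timer",
      5: "ancillary device control", 6: "PAD service signals",
      7: "break handling", 8: "discard output", 9: "padding after CR",
      10: "line folding", 11: "terminal speed", 12: "flow control of PAD",
      13: "linefeed insertion", 14: "padding after LF", 15: "editing",
      16: "character delete", 17: "line delete", 18: "line display",
      19: "editing service signals", 20: "echo mask",
      21: "parity treatment", 22: "page wait"}
CTRL = {"del": 127, "can": 24, "dc2": 18}   # ASCII mnemonics seen in the output

def parse_par(text):
    """Parse a multi-line 'par' response into {parameter: integer value}."""
    params = {}
    for ref, val in re.findall(r"(\d{3}):(\w{3})", text):
        params[int(ref)] = CTRL[val] if val in CTRL else int(val)
    return params

def changed(baseline, current):
    """List (parameter, name, old, new) for every value that differs."""
    out = []
    for ref in sorted(set(baseline) | set(current)):
        old, new = baseline.get(ref), current.get(ref)
        if old != new:
            out.append((ref, X3.get(ref, "network-specific"), old, new))
    return out

# The response shown above, copied from this file.
BASELINE = """AGNPAC: par 001:001, 002:001, 003:002, 004:000, 005:000, 006:001
                   007:001, 008:000, 009:002, 010:000, 011:021, 012:000
                   013:004, 014:000, 015:000, 016:del, 017:can, 018:dc2
                   019:002, 020:000, 021:003, 022:000, 118:del, 119:can
                   120:dc2, 121:000, 122:000, 123:001, 125:000, 126:004"""
# Constructed: the same profile after a hypothetical "set 002:000, 126:000".
CURRENT = BASELINE.replace("002:001", "002:000").replace("126:004", "126:000")
```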


---------------
Scanning NUA's
---------------

The most important thing to know when scanning NUA's on AGNPAC is how to
disconnect from an NUA that you have connected to and get back to the main
prompt. This is done with the command "<ctrl>p clr<cr>". The second most
important thing to know is that you will be disconnected from AGNPAC after
ten failed attempts in a row. You will want to connect then disconnect from
a known good NUA after every 8 or 9 failed attempts.

Scanning anything manually is a time consuming chore and clearly an automated
script makes the task much nicer. To get you started, here is a quick-n-dirty
script for Telemate that gets the job done. As it stands it can scan a maximum
of 100 NUA's at a time. That is probably a good idea, because if you sit there
scanning for hours, somebody you would rather not attract is more likely to
notice what you are doing. Then again, they don't seem to be monitoring for
this kind of activity at all yet.

; - - - - - - - - - - - - - - - < CUT HERE > - - - - - - - - - - - - - - -

; -- AGNHACK lite --
; CYB0RG/ASM - 06/99
; www.hackcanada.com
;
; This is a cheap little AGNPAC NUA scanner for Telemate. As it stands, it
; can scan 100 NUA's in about 4 minutes. You can tinker with the delays to
; get better performance, or, rewrite the whole thing to suit your needs.
; It is probably a good idea to change the value of strHome every once in
; a while.

#include "toolbox2.scr"

string strHome, strLogfile, strNua, strPrefix, strSuffix, strTemp

strHome = "400405603"                   ; valid NUA
iAttempts = 0                           ; initialize attempts counter
iMaxattempts = 9                        ; Number of NUA's to try before
                                        ;   connect/disconnect from strHome

PRINT "Enter Prefix (#######): "
INPUTN strPrefix,7
PRINT

PRINT "Enter Suffix Start (##): "
INPUTN strTemp,2
ATOI strTemp, iSuffixstart
PRINT

PRINT "Enter Suffix End (##): "
INPUTN strTemp,2
ATOI strTemp, iSuffixend
PRINT

PRINT "Enter Logfile Name and hit <cr>: "
INPUT strLogfile
LOGON strLogfile                                ; start logging to file

REPEAT

   strSuffix = "00"
   ITOA iSuffixstart, strTemp
   CONCAT strSuffix, strTemp                    ; pad suffix
   LENGTH strSuffix, iLen
   SUBSTR strSuffix, iLen - 1, 2, strSuffix     ; trim leading zeros
   strNua = strPrefix
   CONCAT strNua, strSuffix                     ; build whole NUA

   PUT strNua                                   ; connect to NUA
   DELAY 14                                     ; give time to log
   PUT "^PCLR"                                  ; disconnect from NUA
   DELAY 5                                      ; wait for prompt
     
   iSuffixstart = iSuffixstart + 1
   iAttempts = iAttempts + 1
   IF iAttempts = iMaxattempts                  ; connect to valid NUA to
                                                ;   prevent disconnect
        LOGPAUSE                                ; stop logging
        PUT strHome                             ; connect to valid NUA
        DELAY 7                                 ; wait
        PUT "^PCLR"                             ; exit the valid NUA
        DELAY 7                                 ; wait
        iAttempts = 0                           ; reset attempts count
        LOGRESUME                               ; start logging again
   ENDIF

UNTIL iSuffixstart = iSuffixend + 1

LOGOFF                                          ; close log file
HANGUP                                          ; +++ATH0

; End of Script

; - - - - - - - - - - - - - - - < CUT HERE > - - - - - - - - - - - - - - -

Note: You have to compile the script with TMS.EXE. If you don't know how to
      use Telemate... rtfm. This is the "Complete Guide to AGNPAC" not the
      "Complete Guide to Telemate".


---------------
Error Messages
---------------

More often than not when scanning for NUA's you will get an error message
rather than a call connected message. There are simply FAR more unassigned
NUA's than there are NUA's in use. Here is a guide to some of the most
common error messages and their meanings. Errors generated by improper use
of command line options are fairly self-explanatory and are not covered here.

AGNPAC: call cleared - address not in service

   The most common message. It means the address is currently not assigned
   to a host system.

AGNPAC: call cleared - temporary network problem 

   The host system is either temporarily or permanently down. Generally,
   whole blocks (#######00-#######99) will be down and respond with this
   message.

AGNPAC: call cleared - destination not responding

   The host is ignoring your connect request or it is down. Again, you will
   find that NUA's in blocks of one hundred respond with this message.

AGNPAC: call cleared - destination busy

   The host system may just be temporarily busy, permanently busy, or down.
   Again, you will find that NUA's in blocks of one hundred respond with
   this message.

AGNPAC: call cleared - access barred

   The calling terminal is not permitted to establish a connection to the
   host system. AGNPAC emits this error message on direction from the host.
   It is a system that only accepts calls from specified originating NUA's.
   Again, you will find that NUA's in blocks of one hundred respond with
   this message.

AGNPAC: call cleared - remote directive

   This is likely a clearing of the virtual circuit in response to a clear
   request packet sent from the host system. The right subaddressing and/or
   mnemonics can probably get by this.

AGNPAC: call cleared - local directive

   This message indicates that the user has used the "clr" command to clear
   the virtual circuit in order to disconnect from an NUA.

AGNPAC: call cleared - incompatible destination

   I think this indicates that an incorrect number of digits was entered
   for an NUA.

AGNPAC: comma required before data characters

   This message is common when you mistype an NUA. This message may refer to
   the use of mnemonics to connect to sub-systems of the host as mentioned
   in the "System Addressing" section of this file.

AGNPAC: invalid command

   Invalid command line option.

AGNPAC: command not allowed 

   Command line option used improperly.

AGNPAC: service option not subscribed

   Some NUA's result in this message. I don't know why.
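
From the operator's side, the "call cleared" messages in this section and the
ten-failures-in-a-row limit described under "Scanning NUA's" are enough to
spot a block sweep in PAD logs. The following is an added example, not part of
the original file. The log line format, the thresholds and every NUA in it are
constructed. It contrasts a consecutive-failure counter with a sliding window
that successful calls do not reset.

```python
import re
from collections import defaultdict, deque

# Assumed log line format (hypothetical); result strings are the ones in this file.
LINE = re.compile(r"(\d\d:\d\d:\d\d) port=(\d+) nua=(\d{9}) result=(.+)")

def is_failed(result):
    # Every "call cleared" except the user's own clr counts as a failed call.
    return result.startswith("call cleared") and "local directive" not in result

def parse(lines):
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), is_failed(m.group(4))

def longest_failure_run(lines, port):
    """What a consecutive-failure limit sees: any successful call resets it."""
    run = best = 0
    for p, _, failed in parse(lines):
        if p == port:
            run = run + 1 if failed else 0
            best = max(best, run)
    return best

def detect_sweeps(lines, window=20, max_failed=12, min_block=8):
    """Return {port: reason} using a sliding window that successes do not reset."""
    recent = defaultdict(lambda: deque(maxlen=window))
    alerts = {}
    for port, nua, failed in parse(lines):
        recent[port].append((nua, failed))
        fails = [n for n, bad in recent[port] if bad]
        if len(fails) < max_failed or port in alerts:
            continue
        blocks = defaultdict(set)            # 7-digit prefix -> suffixes tried
        for n in fails:
            blocks[n[:7]].add(n[7:])
        block, tried = max(blocks.items(), key=lambda kv: len(kv[1]))
        if len(tried) >= min_block:
            alerts[port] = f"{len(fails)} failed calls, {len(tried)} in block {block}xx"
    return alerts

def sample_log():
    """Constructed data: port 3 walks one block, calling a good NUA every 9 tries."""
    out = []
    for i in range(18):
        out.append(f"02:{i:02d}:00 port=3 nua=0000001{i:02d} result=call cleared - address not in service")
        if i % 9 == 8:
            out.append(f"02:{i:02d}:30 port=3 nua=000000001 result=call connected")
    return out + ["09:00:00 port=7 nua=000000002 result=call connected",
                  "09:05:00 port=7 nua=000000003 result=call cleared - destination busy"]
```

On the constructed log the consecutive counter never exceeds 9, so the
ten-in-a-row limit is never reached, while the windowed count flags port 3.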


-------------
Legal Issues
-------------

Now, connecting to AGNPAC via a publicly accessible dial port and scanning
NUA's is one thing... hacking the hosts you find attached to it is obviously
illegal. Have fun learning how to navigate a packet switched network, but
don't be an idiot and don't break the law.


--------
Credits
--------

Shouts to The Clone and Wizbone for helping pioneer research on this network.
And to Deicide for the file "Introduction to Datapac" which gave me insight
into the command line options.



                        Copyright (c) 1999 Hack Canada

                              www.hackcanada.com