jfalcon

modem outbound (dial)

50 posts in this topic

Well I found the below on the net and it's cool that it's there... but I haven't been able to get it to connect to shit. Supposedly it's in Moscow and there are some sprintnet systems still active in .ru. So.... any ideas? Remember, sharing is caring... :)

---

root@subspace:/# telnet 213.135.65.146 5000
Trying 213.135.65.146...
Connected to 213.135.65.146.
Escape character is '^]'.
*** Ascend modem pool server ***
Server ready.
Connected to modem 8:2...
atz
OK

---

That's pretty leet. I've read about internet outdials like this in old text files, but I didn't think they existed anymore.

---

That's cool! Where exactly did you find the IP addy? Scanning or surfing the web?

I played with it and tried dialing some numbers. I would dial ATDT###, it would pause, then say no carrier. I only tried calling US #s though; maybe we should try other foreign #s.

Edited by SUB-S0NIX

---

Supposedly it's for Moscow so you'll have to work from there. Maybe whois can narrow it down.

Yeah... it is pretty neat. In reading it looks like Ascend modem pools by default use 5000 as their port. I remember the outdials of before so I thought I would toss this up for people to experience. If you do get it working, let me know.

And yeah... I found it in my websurfing adventures... www.x25.com.ru - (seems really inactive tho).

---

Jfalcon showed this to me a while back, and it is pretty cool. I think it's mostly an inbound pool. One trick that we used to do "back in the old days" on x.25 networks when finding an "out dial" was....

ATDL

Attention Dial last number. That way, you could get an idea where people dialed and the structure of the dial string. You can also try

A/

This will repeat whatever the last command was. On some modems, you could do a:

AT&V

Which dumps the registers and their current values. Some modems will also display the last 5 numbers dialed. I _believe_ there was a command set to dump just the last 5 numbers. It's been so freaking long, I don't recall if that's accurate or not. Yes, I tried all these techniques on that Russian modem :)

---

Yeah, I haven't even used a modem in years. I remember one real world difference in the way to use the commands beave mentioned was that you would use ATDL instead of A/ when you wanted to send non-dial commands before re-dialing. ATDL? to just display the last dialed number. I really don't remember any command to dump the last five numbers or what aspect of registers would even deal with it, sorry.

---

*** Ascend modem pool server ***
Server ready.
Connected to modem 4:16...
ATDL
OK
A/
OK
A/
OK
ATLD
NO CARRIER
AT&V
ACTIVE PROFILE:
B1 E1 L0 M1 N1 Q0 T V1 W0 X4 Y0 &C1 &D2 &G0 &J0 &K3 &Q5 &R1 &S0 &T5 &X0
S00:000 S01:000 S02:043 S03:013 S04:010 S05:008 S06:002 S07:050 S08:002 S09:006
S10:014 S11:095 S12:050 S18:000 S25:005 S26:001 S36:007 S37:000 S38:020 S46:138
S48:007 S95:000
OK

I got it to do something! Alkali Jack, it wasn't password protected for me. Try again. But as far as getting a modem to dial out, any number that I try still comes back with a "NO CARRIER". I tried looking for ISP dial-up numbers in Russia to see if I could communicate with another modem, but I couldn't find any numbers. I guess you are right beave, it must be some type of inbound pool.

Edited by SUB-S0NIX
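
The `AT&V` profile dump in the post above, decoded register by register. This is an added example, not part of the original post: it covers only the classic Hayes registers S0 to S12 and leaves the higher, chipset-specific ones undecoded, and the function names are made up for the illustration.

```python
import re

# Constructed sample: the AT&V output quoted in the post above.
AT_V_DUMP = """\
ACTIVE PROFILE:
B1 E1 L0 M1 N1 Q0 T V1 W0 X4 Y0 &C1 &D2 &G0 &J0 &K3 &Q5 &R1 &S0 &T5 &X0
S00:000 S01:000 S02:043 S03:013 S04:010 S05:008 S06:002 S07:050 S08:002 S09:006
S10:014 S11:095 S12:050 S18:000 S25:005 S26:001 S36:007 S37:000 S38:020 S46:138
S48:007 S95:000
OK
"""

# Classic Hayes meanings for S0-S12; higher registers vary by chipset.
HAYES = {
    0: ("auto-answer after N rings (0 = never)", "rings"),
    1: ("ring counter", "rings"),
    2: ("escape character", "ascii"),
    3: ("carriage-return character", "ascii"),
    4: ("line-feed character", "ascii"),
    5: ("backspace character", "ascii"),
    6: ("wait before blind dialing", "s"),
    7: ("wait for carrier after dialing", "s"),
    8: ("pause for a comma in the dial string", "s"),
    9: ("carrier detect response time", "x0.1 s"),
    10: ("delay between carrier loss and hang-up", "x0.1 s"),
    11: ("DTMF tone duration", "ms"),
    12: ("escape guard time", "x0.02 s"),
}

def parse_profile(dump):
    """Return (flags, registers) from an AT&V profile dump."""
    flags, regs = [], {}
    for tok in dump.split():
        m = re.fullmatch(r"S(\d+):(\d+)", tok)
        if m:
            regs[int(m.group(1))] = int(m.group(2))
        elif re.fullmatch(r"&?[A-Z]\d*", tok):
            flags.append(tok)
    return flags, regs

def describe(regs):
    out = []
    for num, val in sorted(regs.items()):
        if num in HAYES:
            meaning, unit = HAYES[num]
            shown = repr(chr(val)) if unit == "ascii" else f"{val} {unit}"
            out.append(f"S{num:02d}={val:03d}  {meaning}: {shown}")
        else:
            out.append(f"S{num:02d}={val:03d}  (chipset-specific, not decoded)")
    return out

def auto_answer(regs):
    """True if the modem itself is set to pick up incoming calls (S0 > 0)."""
    return regs.get(0, 0) > 0

if __name__ == "__main__":
    _, regs = parse_profile(AT_V_DUMP)
    print("\n".join(describe(regs)))
    print("auto-answer:", auto_answer(regs))
```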

---

Traceroute shows it's definitely Russian! A lookup through Sam Spade shows indeed it's in Moscow -- the IP resolves to VT-2-E0-1.core.telecore.net.ru, which is the domain for the ISP part of TeleCom Service in Moscow (possibly their internal network?)

Nmap identifies the device as a terminal server using Ascend TAOS which explains the "Ascend modem pool server." My guess would be that you guys are connecting to what is *supposed* to be a dial *in* line -- for those who don't know how a terminal server works, it allows you to dial a terminal session (minicom, hyperterminal, kermit) into a modem and get a telnet session from a *network* server. So it's like having a pile of modems connected to a server on ttySx ports. They use a similar setup on the Grex system (www.grex.org) to allow dialins. So, this is an old-timey shell account server, for when the Global InterWeb was text-based! You could buy a dumb terminal and a modem to connect to this machine, rather than pay for a full-out computer. You have to love the old stuff still alive in Russia!

Port 5000 isn't the thing's telnet port -- 23 is! 5000 is UPnP, which, to my understanding, is like dumbed-down snmp (which also happens to be present on the terminal server). That's why Alkali Jack got a password prompt -- he just telnetted to it. Telnetting to port 5000 is like telnetting to an SMTP server on port 25. You get to manually interface with the service, rather than having some protocol-handler take care of it for you.

There's a finger port open, which, if this is like any of the other dialin systems I've played with in the past, will most likely redirect to the shell account server's finger port, so you can pull information on people with accounts.

Here's the nmap dump, so no one has to bug the terminal server:

bash-3.00# nmap -sS -O 213.135.65.146

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-01-20 11:04 EST
Interesting ports on VT-2-E0-1.core.telecore.net.ru (213.135.65.146):
(The 1650 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
23/tcp   open     telnet
25/tcp   filtered smtp
79/tcp   open     finger
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
161/tcp  filtered snmp
162/tcp  filtered snmptrap
445/tcp  filtered microsoft-ds
1025/tcp filtered NFS-or-IIS
5000/tcp open     UPnP
Device type: terminal server
Running: Ascend TAOS
OS details: Ascend/Lucent Max (HP,4000-6000) version 6.1.3 - 7.0.2+

Nmap run completed -- 1 IP address (1 host up) scanned in 11.800 seconds

And telnetting directly to it gives you this:

bash-3.00# telnet  VT-2-E0-1.core.telecore.net.ru
Trying 213.135.65.146...
Connected to VT-2-E0-1.core.telecore.net.ru.
Escape character is '^]'.


(VT-2.tsr.ru) Enter password:

As you can see, the VT-2.tsr.ru shows the terminal server is redirecting to another machine's telnet port. As this is inaccessible from the public internet, I'd say that it's part of an internal name-scheme for the server. That, and the finger port make this seem like it's a general point of demarcation between a private internal network and both the external Internet and the Russian phone system. Visiting tsr.ru redirects you to inet.tsr.ru, which, unfortunately, is in Cyrillic, so I can't very well read it.

If anyone *can* read Cyrillic, it would be neat to find out if one can get a free shell account with them or something!

Edited by systems_glitch

---
> If anyone *can* read Cyrillic, it would be neat to find out if one can get a free shell account with them or something!

Babelfish.altavista.com is able to parse the page. Under tekk.info it gives this info:


Telephone numbers
Protocols: V.34+, V.90, K56Flex: 739-0241 NEW!, 737-6233, 786-8796, 737-6201, 737-6257, 956-1785, 956-7580, 785-9696
Protocol: V.34+: 956-2631

Addresses DNS- servers
Primary: 213.135.64.2
Second: 213.135.64.5

Address of the mail server: mail.tsr.ru (POP3, SMTP, IMAP4, the Web- interface)
Address of proxy of the server: proxy.tsr.ru, Port 3128
Server of the teleconferences: news.tsr.ru
Address of Web page (on silence): http://www.tsr.ru/~vaw_login
Address FTP- server (for the pages on silence): users.tsr.ru
Address of the server of the statistics: http://www.tsr.ru/Stat (Access only from the networks of the operator)

Coordinates of the twenty-four hour service of the technical support
Telephone: 218-0560
e-mail: support@tsr.ru

Of course dialing those numbers proves fruitless. But like Beave said, they might be part of an inbound queue... so maybe dialing these numbers from VoIP will get a RING response so we can use them as inbound.

Edited by jfalcon

---
> One trick that we used to do "back in the old days" on x.25 networks when finding an "out dial" was....

X.25? "Old Days?"

*sigh* I feel old now.

---
> > One trick that we used to do "back in the old days" on x.25 networks when finding an "out dial" was....
>
> X.25? "Old Days?"
>
> *sigh* I feel old now.

Hey you big dork, we're about the same age :)

I think of Sprintnet/GTE Telenet in the mid 90's and earlier when I say, "old days".

---
> 5000 is UPnP, which, to my understanding, is like dumbed-down snmp (which also happens to be present on the terminal server). That's why Alkali Jack got a password prompt -- he just telnetted to it. Telnetting to port 5000 is like telnetting to an SMTP server on port 25. You get to manually interface with the service, rather than having some protocol-handler take care of it for you.

You're right, that's exactly what I did. Oops.

However, I don't think that port 5000 is actually using the UPnP protocol. Why would it be accepting AT modem commands? I think it might actually be a service called Immediate Modem.

edited after more research

A document called the MAX TAOS 8.0.5 Cumulative Release Note contains the complaint (on pg.6) that "The immediate modem service on the MAX 3000 only worked with the default port value of 5000." TAOS is the OS of the device, so Immediate Modem service must be what we're dealing with. This document says

> The Immediate Modem feature allows local terminal server users (who have not dialed into the MAX and have therefore not been authenticated) to Telnet to a MAX to access the MAX unit's modems, so that they can place outgoing calls without going through MAX terminal server interface.

So we can conclude that the original assumption that this is an outdial is correct. I don't think it has anything to do with UPnP. Its purpose is to allow Network users to place outgoing modem calls.

Other documents:

http://lady.stsland.ru/dialout.html contains text captured from the same type of device, labeled "DialOut"

http://lady.stsland.ru/ also contains a list of other IP addresses in Russia that may also be (or have been) outdials.

http://archives.real-time.com/rte-ascend/1...v/msg00038.html Here is a guy trying to configure such a device.

Edited by Alkali Jack
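
The mismatch worked out in this post (nmap's `UPnP` label on a port that answers AT commands) is what an inventory check should catch, because a SYN scan run without version detection names each port from a number-to-name table. The sketch below is an added example, not code from the thread or from Ascend: the signature list, function names and status strings are assumptions, and the sample lines are copied from the scan and telnet transcripts quoted earlier in the thread.

```python
import re

# Constructed sample: some rows of the nmap port table posted in the thread.
NMAP_TABLE = """\
23/tcp   open     telnet
25/tcp   filtered smtp
79/tcp   open     finger
161/tcp  filtered snmp
5000/tcp open     UPnP
"""

# Constructed sample: what each port said first, copied from the telnet
# transcripts in the thread (nothing was captured for port 79).
BANNERS = {
    23: "(VT-2.tsr.ru) Enter password:",
    5000: "*** Ascend modem pool server ***\nServer ready.\nConnected to modem 8:2...",
}

# Hypothetical signatures: (regex, service name, asks for credentials first?)
SIGNATURES = [
    (r"Ascend modem pool server", "immediate-modem", False),
    (r"(?i)enter password|login:", "telnet-login", True),
]

def parse_ports(table):
    """Yield (port, state, label) from nmap's PORT/STATE/SERVICE rows."""
    for line in table.splitlines():
        m = re.match(r"(\d+)/tcp\s+(\S+)\s+(\S+)", line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def classify(banner):
    """Name the service from its banner; (name, authenticated or None)."""
    for pattern, name, authenticated in SIGNATURES:
        if re.search(pattern, banner):
            return name, authenticated
    return "unknown", None

def audit(table, banners):
    """Per open port: (port, nmap label, observed service, status)."""
    status_of = {True: "auth-prompt", False: "unauthenticated", None: "unknown"}
    findings = []
    for port, state, label in parse_ports(table):
        if state != "open":
            continue
        if port not in banners:
            findings.append((port, label, None, "no-banner"))
            continue
        name, authenticated = classify(banners[port])
        findings.append((port, label, name, status_of[authenticated]))
    return findings

if __name__ == "__main__":
    for finding in audit(NMAP_TABLE, BANNERS):
        print(finding)
```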

---

yeah, that's an inbound pool for sure.

sometimes, if you send ath 3 times in a row, it will hang up the modem, and drop you to a real telnet.

i know of a few that you can dial in and out with, kinda handy at times.

---

Telnet: 2XX.1XX.XX.1XX:23

Username: XXX

Password: XXX

--edit by droops

-----------------------------------------------------------------------

Cisco.jpg

-----------------------------------------------------------------------

213.135.70.161

Traceroute: minprom-1.access.telecore.net.ru

-----------------------------------------------------------------------

inetnum: 213.135.70.160 - 213.135.70.167
netname: MINPROM
descr: MINPROM of Moscow Region
descr: Tverskaja str, 12/2
descr: Moscow, Russia
country: RU
admin-c: VVR33-RIPE
tech-c: TLN-RIPE
status: ASSIGNED PA
mnt-by: TELECORE-NOC
source: RIPE # Filtered

role: TeleCore Network NOC
address: CJSC TeleCom Service
address: Fonvizina 5a
address: 127322, Moscow, Russia
remarks: phone: +7 095 979 5014
phone: +7 495 979 5014
remarks: phone: +7 095 218 0560
phone: +7 495 218 0560
remarks: fax-no: +7 095 979 1137
fax-no: +7 495 979 1137
nic-hdl: TLN-RIPE
admin-c: AA58-RIPE
tech-c: AA58-RIPE
tech-c: EM1414-RIPE
remarks: trouble: +-----------------------------------------------------------
remarks: trouble: ! Operation time:
remarks: trouble: ! NOC: 5x8 (10:00-18:00) MSK
remarks: trouble: ! User support: 24x7
remarks: trouble: +-----------------------------------------------------------
remarks: trouble: ! Contacts:
remarks: trouble: ! Whois Privacy and Spam Prevention by Whois Source - for complains
remarks: trouble: ! Whois Privacy and Spam Prevention by Whois Source - for routing and peering questions
remarks: trouble: ! Whois Privacy and Spam Prevention by Whois Source - for user support
remarks: trouble: ! Whois Privacy and Spam Prevention by Whois Source - for general questions
remarks: trouble: +-----------------------------------------------------------
mnt-by: TELECORE-NOC
source: RIPE # Filtered
abuse-mailbox: Whois Privacy and Spam Prevention by Whois Source
remarks: modified for Russian phone area changes

person: Vladimir Rysev
address: Tverskaja str, 12/2
address: Moscow, Russia
remarks: phone: +7 095 926 61 08
phone: +7 495 926 61 08
nic-hdl: VVR33-RIPE
mnt-by: TELECORE-NOC
source: RIPE # Filtered
remarks: modified for Russian phone area changes

Edited by droops

---

> Telnet: 2XX.1XX.XX.1XX:23
>
> Username: XXX
>
> Password: XXX
>
> --edit by droops

The router != outdial. Don't confuse the two and don't shut down the router. Else one may find the KGB at their front door step ready to send you to the gulag. Yes, the KGB are still around. :)

---

One may not want to advertise the username/password like that...just because it's cool and one doesn't need a script-kiddie type logging in to halt the router! I should imagine the people using that system for internet access would probably be pretty angry...and considering Cisco routers will at least record the *last* IP you logged in from... "OMG HAX 1337!!!!! I'm h4x0r1ng t3h Ru5514!"

How'd you get that, though? I mean I know telnet transmits cleartext, but if I remember correctly from CCNA class, the # at the prompt indicates a privileged account. *We* always kept our routers so that privileged could only log in with the physical TTY console.

Has anyone explored any further with it?

---

The company that owns it is on a black list of spammers.

---

That shouldn't matter. It's infrastructure. If you're going to access it (and I have accessed it in the past, when I got it from the same site you did), treat it like a good backpacker and do no harm. This is to all that read and use the info in this thread.

---

i edited the above ip, username and password.

---

The Ascend Max 1800. Pic of what yer connecting to.

max1800sm.gif

From ATI3 and ATI6, looks like a Rockwell chipset. (yes, way too much time as a 56k modem tech at an ISP back in the day)

ati3
V2.098-K56_DLP_CSM
ati6
RC56DPF L8565A Rev 47.22/47.22

Here's the AT command set for that chipset. enjoy.

Rockwell 56k modem AT command set

-------------------

Don't stick marbles up your nose.

---

I'm assuming the modem pool is segregated from the PSTN behind some PBX hardware, or equivalent. That hardware is likely implementing a dialing policy at the border. The pool seems relatively large, and the daemon seems to be selecting one at random, so it would be a bit of work, but I think ATDLing the lot of them isn't a bad idea. Another thing to try to possibly glean info about the local calling area would be to configure the modem to display caller id:

at#cid?
0
OK
at#cid=?
0,1,2
OK
at#cid=2
OK
at#cid?
2

and monitor for inbound calls, if there ever are any. Any other interesting developments?

---

About the only thing I've noticed when I first started playing with them was how quick NO CARRIER came up. With different starting numbers (ie 8 or 9) it tended to be slower... so it might help.

---
> Yes, the KGB are still around. :)

Now it's called FSB :o

---

Sorry for bumping, but I find this topic interesting. I have been playing with this modem pool, although I haven't managed to connect yet.

-------------------------------------

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\[user]>telnet 213.135.65.146 5000
*** Ascend modem pool server ***
Server ready.
Connected to modem 8:1...
ath1
OK
atd [number goes here]
►►►►►►►►►► [number goes here]►►►►►►►►►►
NO CARRIER
Connection lost.

C:\Documents and Settings\[user]>

------------------------------------------

Hmmm... If you do ath1 first the number seems to be dialed for real, as the numbers appear more slowly.

Also, a search of that IP on google reveals this site: http://zarabotok.my-page.ru/free/modem.htm

The server IP is mentioned there. Anyway, I cannot understand anything, not even with google translator.
