ISDN stands for Integrated Services Digital Network, meaning a public network composed of digital telephony and data-transport services; these services are offered by regional telephone carriers.
The main difference between PSTN and ISDN involves the totally digital approach to the telephone network, which allows voice, data, text, graphics, music, video, and other source material to be transmitted over the already existing telephone wires. ISDN applications include high-speed image applications (e.g., the well-known Group IV facsimile), additional telephone lines in homes to serve the telecommunication industry, high-speed file transfer, and videoconferencing.
From the penetration tester’s point of view, ISDN is pretty nice since it allows incredibly fast phone scanning (less than one second), in order to find which telephone numbers are active or not, avoiding having to wardial many phone numbers and then discovering that 50 percent of them are not active.
Also, value-added services (VAS) such as toll-free numbers offer the penetration tester clues. To give you a very nice example, an 800 phone number (e.g., 800-123-4567) does not really exist in the telephone network; instead it’s an alias: Every 800 number corresponds to a real phone number, such as 212-123-4567, which is assigned a flag in the phone carrier’s database, specifying the phone number itself as a toll-free number to avoid billing the caller, and assigning the bill instead to the receiving party.
This means that—depending on the toll-free number configuration and the number of PRI lines—you could obtain the real phone number and then scan around it in order to locate answering modems, like Enrique did in the story at the beginning of this chapter.
The ISDN world offers two different types of services:
• ISDN BRI Service ISDN Basic Rate Interface (BRI) Service is the ISDN wall-plugged adapter in homes or small offices. This service offers two B channels and one D channel (2B+D). The BRI B-channel service operates at 64 kbps and is meant to carry user data; the BRI D-channel service operates at 16 kbps and is meant to carry control and signaling information, although it can support user data transmission under certain circumstances (X.25 over D-channel; see “RFC 1356—Multiprotocol Interconnect on X.25 and ISDN in the Packet Mode”). The D-channel signaling protocol comprises Layers 1 through 3 of the OSI reference model. BRI also provides for framing control and other overhead, bringing its total bit rate to 192 kbps. The BRI physical layer specification is the International Telecommunication Union-Telecommunications Standards Section (ITU-T) I.430 (the ITU was formerly the Consultative Committee for International Telegraph and Telephone [CCITT]).
• ISDN PRI Service ISDN Primary Rate Interface (PRI) Service offers 23 B channels and 1 D channel in North America and Japan, yielding a total bit rate of 1.544 Mbps (the PRI-D channel runs at 64 kbps). In Europe, Australia, and other countries, ISDN PRI provides 30 B channels plus 1 (or 2) 64-kbps D channel, with a total interface rate of 2.048 Mbps (a 2-Mbits line). The PRI physical layer specification is ITU-T I.431.
In the corporate world, ISDN is mainly used for two focused and specific assets:
• PBXs ISDN PRI lines are generally connected to the company’s PBX in order to manage the incoming and outgoing voice communications easily.
• Backup ISDN lines When referring to backup ISDN lines, we mean ISDN BRI lines, usually connected to Cisco boxes and properly configured to set up an ISDN data connection to the ISP, should the main Internet link fail. In this last case, the penetration tester can discover previously unknown ISDN-related information by examining the ISDN configuration and logs of the Cisco box itself.
Introducing PSDN and X.25
The PSDN or Public Switched Data Network uses traditional, analog telephone lines to transmit data packets. Although it can be used to describe other systems, we’re using it to refer to X.25 networks that communicate via normal telephone lines.
In the 1970s the telecommunications (TLC) market wanted a set of protocols to provide companies with wide area network (WAN) connectivity across public data networks (PDNs). The result of this development effort—led by a United Nations agency called the International Telecommunications Union or ITU—was a group of protocols, the most popular being X.25.
The International Telecommunication Union-Telecommunication Standards Sector (ITU-T) (formerly CCITT) is the ITU committee responsible for voice and data communications. ITU-T members include the FCC, the European Postal Telephone and Telegraph organizations, the common carriers, and many computer and data communication companies. As a direct result, X.25 was developed by the common carriers (the telephone companies acting as a monopoly, essentially, since most of them were ITU members) rather than by any single commercial enterprise. The specification is, therefore, designed to work well regardless of a user’s system type or manufacturer. As a result, X.25 is truly a global standard.
X.25 networks are often erroneously seen as “old, retired networks.” However, in the past decade, these “dead” networks were the victims of an incredible number of high-level attacks launched toward finance systems, multinationals, telcos, civil and military aeronautical networks, and governmental infrastructures. In fact, hackers use X.25 networks to attack computer systems around the world. Usually, this is a side effect of the security approach used by corporate companies—especially telcos—where they invest a lot of money in the security on the TCP/IP connection side but neglect their X.25 access points. Major corporations are still linked to X.25 networks, for instance, Alcatel, Digital (now Compaq), KPMG, E&Y, and so on. Moreover, X.25 networks are widely used (as they exploded much later) in Africa, the Middle East, and Central Asia, resulting in government and military computer systems being linked to these networks.
Chapter 6: Unconventional Data Attack Vectors
Many Internet users seem to view X.25 networks as mysterious. They view X.25 networks as an alien invention used only by telecommunications carriers to achieve international connectivity. Another common mistake is to think that X.25 networks aren’t used anymore; this is completely wrong! X.25 technology has been used to construct the most pervasive data network—the global public data network formed by the PTTs connects at least 95 different countries.
Internet administrators may assume that tracing attackers across an X.25 network is almost impossible. The descriptions given in Clifford Stoll’s book, The Cuckoo’s Egg, reinforce this impression. In a chapter of the book the author describes the process of contacting Ron Vivier at Telenet/SprintNet, who then contacts Steve White, and so on, back to Hannover in Germany. In reality, tracing attacks across an X.25 network is as easy (or as difficult) as on a TCP/IP network.
This quick overview ends with a mention of the Société Internationale de Télécommunications Aéronautiques (SITA), established in 1949 (http://www.sita.aero). SITA is a worldwide company that manages flight connections for many airlines. In airports all over the world, you’ll find computer terminals with SITA logon banners. SITA has its own X.25 network and decided to “share” the network, forcing the first three digits of the Network User Address (NUA) to become the identifiers for the country.
Remember that it is not just the global public data network that uses X.25; many private and corporate networks also use X.25. Some of the techniques described here are equally applicable to private networks. Dealing with attacks that take place across an X.25 network requires the ability to
• Monitor the traffic
• Check the system logs
• Identify the origin and target of calls
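As an added example (not code from the chapter), the following Python triage script shows how the last two items can be combined with the country-prefix rule mentioned for SITA: it parses X.25 call records in a hypothetical, constructed log format, maps each Network User Address (NUA) to a country through its three-digit X.121 data country code (DCC), and lists calls into a home network that originate from a foreign DCC. The log format, the sample records, and the small DCC table are assumptions for illustration.

```python
import re
from typing import Optional

# Partial X.121 Data Country Code (DCC) table: the first three digits of a
# Network User Address identify the country. Extend as needed.
DCC_COUNTRY = {
    "208": "France", "222": "Italy", "234": "United Kingdom",
    "262": "Germany", "310": "United States", "505": "Australia",
}

# Constructed log format (hypothetical; not the output of any real PAD or switch):
#   <timestamp> CALL <calling NUA> -> <called NUA> <CONNECTED|CLEARED>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+CALL\s+(?P<src>\d{5,15})\s*->\s*(?P<dst>\d{5,15})\s+(?P<status>\w+)$"
)

def country_of(nua: str) -> str:
    """Map an NUA to a country name via its three-digit DCC prefix."""
    return DCC_COUNTRY.get(nua[:3], "unknown")

def parse_call(line: str) -> Optional[dict]:
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["origin_country"] = country_of(rec["src"])
    rec["target_country"] = country_of(rec["dst"])
    return rec

def foreign_origin_calls(lines, home_dcc: str) -> list:
    """Calls into a home-network NUA whose calling NUA lies outside home_dcc."""
    calls = (parse_call(line) for line in lines)
    return [c for c in calls
            if c and c["dst"].startswith(home_dcc) and not c["src"].startswith(home_dcc)]

# Constructed sample log lines for a host in the UK (DCC 234).
SAMPLE_LOG = [
    "2004-03-01T02:14:07Z CALL 208075040541 -> 234212301234 CONNECTED",
    "2004-03-01T02:14:09Z CALL 234212399999 -> 234212301234 CONNECTED",
    "2004-03-01T02:15:30Z CALL 310600112233 -> 234212301234 CLEARED",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for c in foreign_origin_calls(SAMPLE_LOG, "234"):
        print(f'{c["ts"]} {c["src"]} ({c["origin_country"]}) -> {c["dst"]} {c["status"]}')
```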
The last section of this chapter will explain the key differences between TCP/IP and X.25 security testing, including a technical overview of the PSDN ITU standard protocols.