The following scheme shows how the X.25 call setup works (state diagram; only its states and transition table are reproduced here):

States:
S1 Ready (initial state; T1 leaves it to the left, T3 to the right)
S2 DCE Waiting (two branches, one entered from S1 via T1, the other via T3)
S5 Call Collision (entered from the two S2 branches via T5 and T6)
S5 Data Transfer (final state, entered via T2, T7 or T4)

Transition Table:
T1 DTE: Call Request
T2 DCE: Call Connected
T3 DCE: Incoming Call
T4 DTE: Call Accepted
T5 DCE: Incoming Call
T6 DTE: Call Request
T7 DCE: Call Connected
Error Codes
Table 6-1 and the tables that follow contain detailed lists of useful X.25 error codes. The codes have been organized into two main categories and into specific subcategories.
X.3/X.28 PAD Answer Codes
From time to time, X.25 networks can transmit signals:
• As a reply to a command (changing X.3 PAD parameters, reading PAD parameters, etc.)
• On their own initiative
• As a consequence of an action from the remote DTE
Following this logic, you could receive four different types of signal codes (see Table 6-2):
• Error signals
• Disconnection signals
• Reset signals
Table 6-1  X.3/X.28 PAD Answer Codes

Error Code  Error Description
COM  Call connected. The X.25 call has been established.
NP  NUA not present. The called X.25 address does not exist.
DER  Out of order. The called remote DTE is out of order.
OCC  Busy. The called remote DTE does not have any available virtual channels (VCs) at the moment.
DTE  Dropped by remote DTE. The called remote DTE canceled your X.25 call. This can mean that the remote DTE requires a subaddress specification (1 to 2 digits, such as 0 to 9 or 00 to 99). ACLs could also be preventing you from establishing a session with the remote DTE; in this case, an X.25 spoofing attack could help a lot.
RPE  Remote procedure error. The called DTE is waiting for additional information (called "optional information") in the X.25 packet. This information could be represented by subaddresses in numerical format (generally three digits are required, even if the address has only three digits in total, or alphanumeric characters). In some X.3 PADs, this extension must be preceded by the letter D or P. Using D before the User Field displays the additional information, whereas using P applies a "no echo" on the X.3 PAD.
RNA  Reverse not allowed. The called remote DTE does not accept reverse-charge X.25 calls.
NA  Access barred. The called remote DTE does not accept the X.25 call from the calling DTE. It only accepts X.25 calls from authorized X.25 addresses. This case is very different from the DTE error mentioned above: the customer is not the one defining the ACL. In this specific case, the X.25 carrier enables this filtering service and authorizes the remote DTEs at the network level.
Chapter 6: Unconventional Data Attack Vectors
Table 6-2  X.25 Signal Types

Signal Type  Description

Error Signals
ERR CAN  The command is correct from a syntax point of view, but it's not allowed in this state.
ERR ILL  The command is not correct from the syntax point of view and is not recognized.
ERR EXP  A timeout has been reached and the command hasn't been completed.
ERR PNA  An X.3 PAD profile has not been assigned.

Disconnection Signals
CLR OCC  The called remote DTE does not have any VCs available at the moment.
CLR NC  Network congestion or a temporary fault in the network itself does not allow new virtual calls to be established.
CLR INV  The request is not valid.
CLR NA  The called remote DTE does not accept X.25 calls from the calling DTE. It only accepts X.25 calls from authorized X.25 addresses. This also means that the Closed User Group (CUG) is not compatible.
CLR ERR  The requested call is canceled due to a local procedure error.
CLR RPE  The requested call is canceled due to a remote DTE procedure error.
CLR NP  The called NUA is not assigned.
CLR DER  The called DTE is out of order.
CLR PAD  The PAD canceled the X.25 call, following a "clear call" invitation from the remote DTE.
CLR DTE  The remote DTE canceled the X.25 call.
CLR RNA  The remote DTE does not accept reverse-charge X.25/X.28 calls.
CLR ID  The requested X.29 protocol application modalities between the X.25 network PAD and the remote X.25 DTE are not correct.
Reset Signals
RESET DTE  The remote DTE put the virtual call in reset mode.
RESET RPE  The call has been put in reset mode due to a remote DTE procedure error.
RESET ERR  The call has been put in reset mode due to a local procedure error.
RESET NC  The call has been put in reset mode due to a remote DTE network congestion state.
RESET DER  The call has been put in reset mode due to a remote DTE out-of-service state.
RESET NOP  The call has been put in reset mode because the network is restarting its service.
RESET DOP  The call has been put in reset mode because the remote DTE is restarting its service.

X.25 Addressing Format
The X.25 addressing format is very similar to the PSTN's. Whenever we talk about the Network User Address (NUA), we mean its international standard format (the X.121 address).
An NUA is composed of
• DNIC
• NUA
The DNIC is created from the DCC plus the network code of the X.25 network itself in a specific country, resulting in a four-digit international code:
• DCC: 3 digits
• NCC: 1 digit
For example, the DNIC for Italy's ITAPAC X.25 network is 2222:
222 (DCC for Italy) + 2 (the network country code for ITAPAC)
The (local) NUA begins with the NCC and is then composed of the so-called area code and the network port address (NPA). The NUA standard is 12 digits maximum, even if the average is from 6 to 10 digits, depending on the country and X.25 network size. For example, an NUA might be 21122878 (an old X.25 address from the Polytechnic of Turin, Italy) where:
• 2 is for ITAPAC.
• 11 is the (PSTN) area code for the town of Turin.
• 22878 is the NPA.
The full X.121 address for this host would then be 222 2 11 22 878.
By dissecting it, you obtain the following logic:

0 222 2 11 22878
  |   | |  |_____ 22878: Network Port Address (NPA)
  |   | |________ 11: Area Code for Torino
  |   |__________ 2: ITAPAC Network (since more networks exist)
  |______________ 222: DCC assigned to Italy by ITU

Reading it both externally and locally: 0 222 2 11 22 878 from other networks; 21122878 from Italy/ITAPAC.
This means that if a customer asks you to perform a penetration test on an X.25 address, the first thing to do is an X.121 address analysis to determine:
• The country where the host is located
• Whether the address is correct for legal authorization
• Whether the address is working
• The average cost of the X.25 calls needed by the X.25 security testing service you are going to supply
For example, if a customer supplies these NUAs for testing:
• 0311021210126
• 0280221229
• 02624301119090
your analysis should match the following:

DNIC (4)  AC (3)  NPA (5)
3110      212     10126     (USA, SprintNet, NYC)
2802      21      229       (Cyprus, CytaPac, Limassol)
2624      30      111-9090  (Germany, DATEX-P, Berlin)
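The address analysis above (the DNIC/DCC/NCC/area-code/NPA dissection of 022221122878 and the scoping table for the three customer NUAs) can be automated so that the country and authorization check happens before any call is placed. The following Python script is an added example, not code from this chapter or its author. The DNIC-to-network table and the per-network area-code lengths it uses are taken only from the chapter's worked examples (2222 ITAPAC, 3110 SprintNet, 2802 CytaPac, 2624 DATEX-P) and are an assumption for anything else, so any other DNIC is reported as unknown and its local part is left unsplit rather than guessed. It parses each NUA, recognizes the international (leading 0) and local spellings of the same host as one entry, and flags every address whose DCC is outside the authorized country scope.

```python
"""X.121 (X.25 NUA) address analysis for test scoping.

Added example; not code from the chapter.  Network names and area-code
lengths come only from the chapter's own examples (assumption for all
other DNICs).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

INTERNATIONAL_PREFIX = "0"   # dialled in front of the DNIC from other networks
MAX_NUA_DIGITS = 12          # local NUA ceiling stated in the chapter

# DNIC -> (country, network), as named in the chapter's examples.
KNOWN_DNICS: Dict[str, Tuple[str, str]] = {
    "2222": ("Italy", "ITAPAC"),
    "3110": ("USA", "SprintNet"),
    "2802": ("Cyprus", "CytaPac"),
    "2624": ("Germany", "DATEX-P"),
}

# Area-code length per network, inferred from the chapter's dissected
# addresses (2222: 21122878 -> area code 11).  Assumption: fixed per
# network; any DNIC not listed here is left unsplit rather than guessed.
AREA_CODE_LEN: Dict[str, int] = {"2222": 2, "3110": 3, "2802": 2, "2624": 2}


@dataclass(frozen=True)
class X121Address:
    dnic: str
    dcc: str
    ncc: str
    area_code: Optional[str]
    npa: str
    country: str
    network: str

    @property
    def international(self) -> str:
        """Form used from other networks: 0 + DNIC + area code + NPA."""
        return INTERNATIONAL_PREFIX + self.dnic + (self.area_code or "") + self.npa

    @property
    def local(self) -> str:
        """Form used inside the home network: NCC + area code + NPA."""
        return self.ncc + (self.area_code or "") + self.npa


def parse_nua(nua: str, home_dnic: Optional[str] = None) -> X121Address:
    """Split an NUA into DNIC, DCC, NCC, area code and NPA.

    A leading 0 marks the international form, which carries the DNIC.
    A bare local NUA (no leading 0) is only meaningful relative to a home
    network, so the caller must pass that network's DNIC.
    """
    digits = nua.replace(" ", "").replace("-", "")
    if not digits.isdigit():
        raise ValueError(f"NUA must be numeric: {nua!r}")
    if digits.startswith(INTERNATIONAL_PREFIX):
        dnic, rest = digits[1:5], digits[5:]
    else:
        if home_dnic is None or len(home_dnic) != 4:
            raise ValueError(f"local NUA {nua!r} given without a 4-digit home DNIC")
        if digits[0] != home_dnic[3]:
            raise ValueError(f"NCC {digits[0]} is not the NCC of DNIC {home_dnic}")
        dnic, rest = home_dnic, digits[1:]
    if len(dnic) != 4 or not rest:
        raise ValueError(f"address too short: {nua!r}")
    dcc, ncc = dnic[:3], dnic[3]
    if len(ncc + rest) > MAX_NUA_DIGITS:
        raise ValueError(f"local NUA exceeds {MAX_NUA_DIGITS} digits: {nua!r}")
    country, network = KNOWN_DNICS.get(dnic, ("unknown", "unknown"))
    ac_len = AREA_CODE_LEN.get(dnic)
    if ac_len is None or len(rest) <= ac_len:
        area_code, npa = None, rest        # unknown network: do not guess a split
    else:
        area_code, npa = rest[:ac_len], rest[ac_len:]
    return X121Address(dnic, dcc, ncc, area_code, npa, country, network)


def scope_report(nuas: Iterable[str], authorized_dccs: Iterable[str],
                 home_dnic: Optional[str] = None) -> Dict[str, dict]:
    """Group the supplied NUAs by host (international form) and mark each
    as in or out of the authorized country scope.  The same host written
    both ways (022221122878 and 21122878) collapses to one entry."""
    allowed = set(authorized_dccs)
    report: Dict[str, dict] = {}
    for raw in nuas:
        addr = parse_nua(raw, home_dnic)
        entry = report.setdefault(addr.international, {
            "address": addr, "in_scope": addr.dcc in allowed, "spellings": []})
        entry["spellings"].append(raw)
    return report


if __name__ == "__main__":
    # Constructed engagement: the chapter's three NUAs plus the Turin
    # address in both spellings; only Italy (DCC 222) is authorized.
    supplied = ["022221122878", "21122878", "0311021210126",
                "0280221229", "02624301119090"]
    for intl, entry in scope_report(supplied, {"222"}, home_dnic="2222").items():
        a = entry["address"]
        status = "in scope" if entry["in_scope"] else "OUT OF SCOPE"
        print(f"{intl:<15} DNIC {a.dnic} AC {a.area_code or '-':<4} NPA {a.npa:<8} "
              f"{a.country}/{a.network:<10} {status}  given as {entry['spellings']}")
```

One limitation worth knowing: a network whose NCC is 0 (SprintNet, DNIC 3110, is one) has local NUAs that also begin with 0, which this parser would read as the international prefix; for such networks, feed the script the full international form. Out-of-scope hosts here are reported, not called, which is the point of doing the X.121 analysis first.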
More detailed information on X.25 addressing, X.25 hacking and defense techniques, and general tips related to the X.25 world may be found in the following presentations, available online:
• Hack in the Box 2005, Kuala Lumpur: X.25 (in)security at http://www.packetstormsecurity.org/hitb05/BT-Raoul-Chiesa-X25-Security.pdf
• Hack in the Box 2007, Dubai: X.25 in the Arab World at http://conference.hitb.org/hitbsecconf2007dubai/materials/D2%20-%20Raoul%20Chiesa%20-%20X25%20networks%20in%20the%20Arab%20World.pdf