TYM800

Oh, how we used to have fun with Tymnet.
This is a sample script for Procomm Plus called TYM800.ASP, written in ASPECT (ASP), the programming script language built into Procomm.
!!!! However, a very important NOTE TO READER !!!!

TYMNET was shut down around February 2004, so this is all historical now! Although the main access number below has been discontinued, one could still use it for POTS purgatory purposes, if you get my drift!

(Again, this does not work now that TYMNET has been shut down. This is history, but you can see how it was done.)

;; TYMNET SCAN EXAMPLE
;; Stephan Barnes (M4phr1k) 
;; works with PCPLUSTD available on http://www.m4phr1k.com
TRANSMIT "ATDT 18005461000 ^M"
WAITFOR "CONNECT"
TRANSMIT "^M"
TRANSMIT "^M"
WAITFOR "TERMINAL="
TRANSMIT "VT100 ^M"
WAITFOR "YOUR AREA"
TRANSMIT "949,297^M" 
WAITFOR "@"
TRANSMIT "C AAA^M"
WAITFOR "@"
TRANSMIT "C AAB^M"
WAITFOR "@"
TRANSMIT "C AAC^M"
WAITFOR "@"
TRANSMIT "C AAD^M"
WAITFOR "@"
TRANSMIT "C AAE^M"
WAITFOR "@"
TRANSMIT "C AAF^M"
;; you could go on and on....

In the PCPLUSTD terminal window, type ALT-F5. It will prompt you for the script; type in TYM800.ASP and hit Enter.

If you set up PCPLUSTD correctly and all is well, it should execute the script and you should start to see the following:

What is this doing? Well, it is dialing TYMNET, logging on, and then attempting to get to a connection. These first examples, AAA through AAF, are just the beginning of how you could script this to search every possible 3-character combination.

Notice also that at the bottom of the screen the window says LOG CLOSED. The log is off. For all of my examples, if you want to leave PCPLUSTD running, walk away, and not watch the screen (the more likely case for long brute forces), you need to turn on a log.

Type ALT-F1 and PCPLUS will prompt you for a log file name, or it will use PCPLUS.LOG by default in the directory where the program is running. In the setup options (ALT-S), you can modify the path and the default file name.

IMPORTANT MUST DO NOTE!!!!: Since this script is attempting to repeatedly guess passwords, you MUST turn on logging before you execute the script. In all of my examples in these pages, and throughout the Hacking Exposed War Dial sections, you have to turn on logging. Logging writes everything the script puts on the screen to a file, so that you can come back later, view the file, and determine whether you were successful. At this point you might be wondering why you would not want to script waiting for a successful event (getting the correct password or getting the correct connection), and the answer is simple: since you don't know what you will see next after you theoretically reveal a password or correct guess, it is difficult to script. There is a possibility here should you want to script further. Should you know what the result looks like upon a successful password entry or guess, you could then script a portion of the ASPECT code to do a WAITFOR on whatever the successful response would be, and set a flag or condition once that condition is met. Once again, that is more chance for random events to occur. I like the logging process; albeit tedious to review, it is simple in design. Also, we are assuming that we don't have any pre-information about the connection. This might be different if you were a security consultant or auditor working in conjunction with people who know the characteristics of their dial-in connections.
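As an added illustration (not part of the original page or of M4phr1k's tools), here is a small Python log reviewer for the kind of capture described above: it pulls the "C <mnemonic>" requests typed at the "@" prompt out of a PCPLUS.LOG-style capture and flags the run of alphabetically adjacent mnemonics that a sequential address scan leaves behind, which is what an auditor reviewing the capture, or a dial-in gateway operator reviewing session logs, would look for. The capture text and the gateway reply lines are constructed; the page does not document Tymnet's real responses.

```python
import re

# Constructed PCPLUS.LOG-style screen capture (not a real Tymnet session).
# The "@" prompt precedes each "C <mnemonic>" request; reply lines are made up.
SAMPLE_LOG = """\
CONNECT 2400
TERMINAL=VT100
YOUR AREA 949,297
@C AAA
AAA: NOT RESPONDING
@C AAB
AAB: NOT RESPONDING
@C AAC
AAC: NOT RESPONDING
@C AAD
AAD: NOT RESPONDING
@C ATT
CONNECTED TO ATT
"""

# A connect request as typed at the "@" prompt: C, whitespace, the destination.
CONNECT_RE = re.compile(r"^@C\s+([A-Z0-9]+)\s*$", re.IGNORECASE)


def connect_requests(log_text):
    """Return the destination mnemonics requested in the capture, in order."""
    return [m.group(1).upper() for line in log_text.splitlines()
            if (m := CONNECT_RE.match(line))]


def request_replies(log_text):
    """Pair each request with the line the gateway printed right after it,
    so a reviewer can see at a glance which requests got a different answer."""
    lines = log_text.splitlines()
    return [(m.group(1).upper(), lines[i + 1] if i + 1 < len(lines) else "")
            for i, line in enumerate(lines) if (m := CONNECT_RE.match(line))]


def _alpha_index(mnemonic):
    """Treat an all-letter mnemonic as a base-26 number (AAA=0, AAB=1, ...)."""
    if not mnemonic.isalpha():
        return None
    return sum((ord(c) - 65) * 26 ** i for i, c in enumerate(reversed(mnemonic)))


def sequential_steps(mnemonics):
    """Count consecutive requests whose mnemonics are adjacent in alphabetical
    order (AAA -> AAB, AAZ -> ABA): the signature of the scan shown on this page."""
    steps = 0
    for prev, cur in zip(mnemonics, mnemonics[1:]):
        a, b = _alpha_index(prev), _alpha_index(cur)
        if a is not None and b is not None and len(prev) == len(cur) and b == a + 1:
            steps += 1
    return steps


def looks_like_scan(log_text, threshold=3):
    """True when one capture shows at least `threshold` adjacent-mnemonic steps."""
    return sequential_steps(connect_requests(log_text)) >= threshold
```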

If you made it this far, here are 3 things you can try after connecting MANUALLY, and then go for it. Just by connecting to 1-800-546-1000, these are legit as of October 2002!

ATT (hmmm...wonder what that is)

LEXIS

NEXUS

Here are OTHER MNEMONIC addresses from PHRACK 42 (part 3). Check out the other parts, 1 and 2:

Parts 1, 2 and 3 also cover NUMERIC addresses. And numerics work. These were the backdoors to MANY companies in my day.

My TYM800.ASP ASPECT script and number are for an 800 number, so it will not allow collect calls to many of these, but hey... :)

Here is a sample of mnemonic addresses (like IP to HOSTNAME, if you will) :)
