Telebahn is an emulation of an X.25-based Public Data Network – a loose collection of systems that accept X.25 calls through XoT (X.25-over-TCP). A few of my devices are part of the network:
| X.121 address | Device |
|---|---|
| 471041 | Cisco 1760 router #1 at Dunelab (the XoT gateway) |
| 471043 | C1760 router #2 (connected via 128 kbps sync serial) |
| 471043 | C1760 router #3 (connected via 128 kbps serial and 1 Mbps T1) |

Other hosts available on Telebahn:
| X.121 | Device | DECnet | LAT |
|---|---|---|---|
| 22227100 | Bernhard Wulf's Cisco 1840 (outbound X.25 and LAT; see `show lat services`) | C1840 | |
| 22227500 | Bernhard Wulf's VAX 4000-100A running VAX/VMS V5.5 | 23.41 | V10031 |
| 22227130 | Bernhard Wulf's VAXstation 4000-VLC | 23.40 | VLC30 |
| 23000100 | Hans Hübner's Cisco 2811 (has outbound X.25 and LAT) | | |
| 23000300 | Hans Hübner's SPARCstation running SunOS 4.1 (outbound X.25 using pad) | | |
| 23000200 | Hans Hübner's VAX 4000-105A running VAX/VMS V5.5 (outbound using SET HOST/X29) | 23.21 | EUGENE |

You can call 471041, log in with the easily-guessable password, then use the IOS telnet command to access hosts in dn42 (as long as they offer Telnet access) or poke around using show ip route or similar.
If you don't have a full X.25 implementation, you can use xotpad on Linux, which emulates the standard X.28 PAD interface (including Ctrl-P as the PAD escape character):
```
$ ./xotpad -g x25.symlink.lt 471041
% Dunelab:Cisco1760-top (10.147.18.41)
User Access Verification
Password: *****
Cisco1760-top>show cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce   Holdtme   Capability   Platform    Port ID
Cisco1760-btm    Ser 1/1         164       R S          1760        Ser 0/1
DuneGW           Fas 0/0         107       R            MikroTik    bridge1/ether4-cisco
SHORE            Fas 0/0         100       H            Windows 5   Onboard0
Dune.sym         Fas 0/0         157       S            VMware ES   vmnic0
Cisco1760-top>[Ctrl-P]
*exit
$
```
By default xotpad uses the *.x25.org DNS directory maintained by Telebahn's operators, but you can also point it directly to the actual XoT gateway.
Vice versa, you can telnet from dn42 to cisco.symlink.dn42 and use the IOS pad command to make X.25 calls to the rest of Telebahn:
```
Cisco1760-top#pad hansvax
Translating "hansvax.sym"...domain server (10.147.10.53) [OK]
Trying 23000200...Open
Welcome to EUGENE, a VAX 4000/105A running VAX/VMS 5.5-2H4
Please log in as GUEST if you don't have an account and want to have a look.
Log in as NEW to create an account for yourself.
Username: GUEST
Welcome to VAX/VMS V5.5-2H4
You can use the SEND command to chat for now. PHONE is always available,
and HELP is your friend. Enjoy!
Last interactive login on Saturday, 4-JAN-2025 13:06
Last non-interactive login on Saturday, 24-JUN-2023 18:31
<Welcome, TELEBAHN.471041>
$ dir
Directory SYS$SYSDEVICE:[GUEST]
$MAIN.TPU$JOURNAL;5 $MAIN.TPU$JOURNAL;4 $MAIN.TPU$JOURNAL;3 $MAIN.TPU$JOURNAL;2
$MAIN.TPU$JOURNAL;1 LOGIN.COM;2 LOGIN.COM;1 NETSERVER.LOG;1
NOTES$NOTEBOOK.NOTE;1 TEST.DIR;1
Total of 10 files.
$ log
GUEST logged out at 23-JAN-2025 11:51:43.53
[Connection to hansvax closed by foreign host]
Cisco1760-top#
```
To set up outbound XoT routing on Cisco IOS, use:
```
service pad to-xot
x25 routing
x25 route ^471 xot dns x25.symlink.lt
x25 route ^(...)(...) xot dns \2.\1.x25.org
x25 route ^ clear
```
The first route (optional) specifically handles the 471 prefix, while the second covers all other Telebahn members (yes, that's a regexp). Finally a catch-all route gives an explicit "Destination unreachable" result for everything else – the IOS implicit default is actually to route all such calls through the first X.25-capable interface.
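The route selection described above can be modelled offline to see which gateway name a given called address produces. This is an added example, not the author's code or IOS itself; it assumes first-match evaluation in configuration order and that Python's `re` treats these three patterns the same way IOS does.

```python
import re

# The three "x25 route" lines from the configuration above, in order.
# Assumption: the X.25 routing table is searched top-down, first match wins.
ROUTES = [
    (r"^471", "xot", "x25.symlink.lt"),
    (r"^(...)(...)", "xot", r"\2.\1.x25.org"),
    (r"^", "clear", None),
]


def resolve(called):
    """Return (action, dns_name) for a called X.121 address."""
    if not (called.isascii() and called.isdigit()):
        raise ValueError("X.121 addresses consist of decimal digits only")
    for pattern, action, template in ROUTES:
        match = re.search(pattern, called)
        if match is None:
            continue
        # Substitute \1 and \2 with the captured digit groups, as in the route.
        name = match.expand(template) if template else None
        return action, name
    raise AssertionError("unreachable: the final '^' route matches everything")


if __name__ == "__main__":
    # Addresses from the tables above, plus one that is too short to route.
    for addr in ("471041", "23000200", "22227100", "22227130", "12345"):
        print(addr, resolve(addr))
```

Only the first six digits select the gateway name, so 22227100 and 22227130 resolve to the same DNS record and the remaining digits are left for the remote side to interpret.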
You should also define a custom X.25 profile, both to select the appropriate X.25 version and other parameters, and to set your own X.25 "caller" address, as XoT calls aren't associated with any physical interface (whereas normally IOS would take the caller address and other parameters from the outbound interface).
```
x25 profile TELEBAHN dxe
 x25 version 1988
 x25 modulo 128
 x25 address ########
 x25 win 7
 x25 wout 7
 x25 ips 1024
 x25 ops 1024
 x25 subscribe packetsize permit 128 1024
 x25 subscribe windowsize permit 2 15
!
access-list 10 remark Match all XoT hosts
access-list 10 permit any
no xot access-group 10
xot access-group 10 profile TELEBAHN
```
In theory X.25 should allow negotiation of certain parameters such as window size (win/wout) and packet size (ips/ops), but sometimes incompatible parameters make the call fail outright; these should work for most systems. Remember that changes to the profile are only applied once you unassign and re-assign it via xot access-group.
Once everything is set up, you can use pad to make a call from the IOS EXEC prompt, or x28 to enter the arcane X.28 "standard PAD user interface". The above pad hansvax example shows off Cisco's support for X25 records in DNS.
XoT access is provided by IOS 12.4, which isn't exactly ancient but is already best left unbothered by botnets. Only a single port (tcp/1998) is accessible through DNAT, and the upstream router applies layer7 filtering to block the most common RDP and HTTP probes, blocking offenders for a week if certain input strings are detected (which cannot happen with legitimate sessions, as those send input character-by-character).
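A structural check that complements the string matching described above, as an added example (not the author's filter): the first bytes a legitimate client sends to tcp/1998 are an RFC 1613 XoT header (2-octet version 0, 2-octet length) followed by an X.25 Call Request, which HTTP and RDP probes do not satisfy. The sample byte strings are constructed, and only the basic (non-TOA/NPI) address format is decoded.

```python
import struct

XOT_VERSION = 0      # RFC 1613: the 2-octet version field must be zero
CALL_REQUEST = 0x0B  # X.25 packet type identifier of a Call Request

# Constructed samples: a call from 23000200 to 471041 (modulo 128, LCN 1,
# no facilities), an HTTP probe and the start of an RDP (TPKT) probe.
SAMPLE_CALL = bytes.fromhex("0000000c" "20010b86" "47104123000200" "00")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
SAMPLE_RDP = bytes.fromhex("030000130ee00000000000")


def bcd_digits(buf, count):
    """Unpack `count` BCD digits, two per octet, high nibble first."""
    nibbles = [(buf[i // 2] >> (0 if i % 2 else 4)) & 0x0F for i in range(count)]
    return None if any(n > 9 for n in nibbles) else "".join(map(str, nibbles))


def inspect_first_segment(data):
    """Return (verdict, called, calling) for the first bytes sent to tcp/1998."""
    if len(data) < 4:
        return ("incomplete", None, None)
    version, length = struct.unpack("!HH", data[:4])
    if version != XOT_VERSION or length < 3:
        return ("not-xot", None, None)
    packet = data[4:4 + length]
    if len(packet) < length:
        return ("incomplete", None, None)
    modulo = (packet[0] >> 4) & 0x3          # 1 = modulo 8, 2 = modulo 128
    if modulo not in (1, 2) or packet[2] != CALL_REQUEST:
        return ("not-call-request", None, None)
    if len(packet) < 4:
        return ("malformed", None, None)
    if packet[0] & 0x80:                     # A bit set: TOA/NPI address format,
        return ("call-request", None, None)  # left undecoded here
    calling_len, called_len = packet[3] >> 4, packet[3] & 0x0F
    total = calling_len + called_len
    block = packet[4:4 + (total + 1) // 2]
    digits = bcd_digits(block, total) if len(block) * 2 >= total else None
    if digits is None:
        return ("malformed", None, None)
    # The address block carries the called address first, then the calling one.
    return ("call-request", digits[:called_len], digits[called_len:])
```

Anything other than a `call-request` verdict on the first segment is a candidate for logging or for the same blocklist the string filter feeds.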