Date: Tue, 29 Dec 1998 11:02:00 -0500
Reply-To: "Simson L. Garfinkel" <simsong@VINEYARD.NET>
From: "Simson L. Garfinkel" <simsong@VINEYARD.NET>
To: BUGTRAQ@NETSPACE.ORG

On Christmas Day, van Hauser/THC announced the availability of THC-SCAN v2.0, the newest version of the THC telephone scanner. He went on to write:

> Telephone scanning is really old. Toneloc and my own scanner Thc-Scan have
> been used for ages. And since some months also an expensive commercial tool
> is available which really sucks (www.sandstorm.net).
> However it is still an important part in a security audit, and
> hackers/phreakers also need it very often for (*aehm*) informational purpose.

As far as we know, Mr. van Hauser hasn't had actual experience with PhoneSweep. (And our licensing and evaluation policies have so far been successful at keeping the product out of the hands of "hackers/phreakers.") Accordingly, we decided to download his THC program and perform a feature-by-feature comparison -- based on actual use. What follows are the most salient points from that comparison.

1. OVERALL DESIGN

THC-SCAN 2.0 is a set of MS-DOS-based programs that are designed to be run from the DOS command line. (The programs can be run under Windows or OS/2 from a DOS box, but some beta testers reportedly had problems using the program under Windows 98.) The telephone scanner can dial telephone numbers from either a pre-determined range or from a list. The scanner has simple identification techniques that can be used to detect answering computer systems or voice mail boxes (VMBs). The scanner also has a manual mode, in which it dials the modem with the speaker enabled and allows the user to make comments on each number that is dialed. THC-SCAN will automatically redial busy numbers up to a preset limit. THC-SCAN can be used with THC Login Hacker to brute-force systems that have been discovered.
PhoneSweep is a client/server-based telephone scanning system which includes an embedded SQL database, a multi-threaded dialing engine, and a graphical user interface (GUI) that is written in Java. PhoneSweep runs under Windows 95, 98 or NT. The telephone scanner can dial numbers from either pre-determined ranges or from a list. PhoneSweep has an identification engine that can recognize more than 120 different system types, including Microsoft RAS, CarbonCopy, and pcANYWHERE. PhoneSweep has an integrated brute-force engine which can brute-force a variety of identified systems. PhoneSweep has a set of controls for redialing busy numbers or making multiple dials to telephone numbers, while observing limits such as the maximum number of times to dial a phone number or try a specific username each day. Finally, PhoneSweep can automatically generate RTF reports using a customizable report template.

2. MARKET

THC-SCAN was developed by The Hacker's Choice, a German computer hacking organization. In his announcement, van Hauser identified potential users of the program as "hackers/phreakers." THC-SCAN has several features that are designed to facilitate covert use, such as a "BOSS KEY" that replaces the computer's screen with an incongruous bitmap and ceases all dialing operation. The program has several features that are designed to defeat (or at least detect) attempts by Deutsche Telekom to detect telephone scanning from residential lines. THC-SCAN is distributed freely over the Internet. Support is not available.

PhoneSweep is designed for computer security auditing by corporate IT officers and computer security consultants. The program utilizes several features to prevent unauthorized use, such as hardware license protection. Support is available from Sandstorm.

3. FEATURES

Both THC-SCAN and PhoneSweep provide basic telephone scanning capability.
However, there are important differences between the features offered by the two programs, as discussed below:

3.1 Multiple-Modem Support

For the serious telephone scanning professional, the importance of scanning on multiple modems cannot be overstated. A telephone scan that takes a month with a single modem can be done in a week with four. Scans that are practical only once a year become practical on a monthly or weekly basis with multiple modems.

THC-SCAN does not directly support multiple-modem scanning. To use multiple modems, van Hauser/THC suggests running multiple copies of the program on a computer in separate windows. Although it's possible to do a scan this way, it's awkward: the operator needs to partition the set of phone numbers into multiple dialing sets, and then recombine the results when the scan is done. Scanning this way is also inefficient: if one modem finishes the phone numbers that it needs to scan, it cannot take up the slack from the others.

PhoneSweep has direct support for multiple modems. All phone numbers are stored in an embedded SQL database; the dialing engine then determines the next number to dial and automatically hands off this number to the next free modem. In this manner, the modems are used to their maximum efficiency.

3.2 Auto-detection of Voice Mail Boxes (VMBs)

Van Hauser/THC says that one of the unique features of THC-SCAN 2.0 is automatic detection of voice mail boxes. But THC-SCAN doesn't really detect voice mail boxes. Instead, it detects that the modem has stopped ringing and that no modem has answered on the other end of the line. This could be due to a voice-mail box, but it also could be because THC-SCAN called a fax machine, because it reached a phone number that is disconnected, or because the phone was answered by a person.

PhoneSweep does not support detection of voice mail boxes.
3.3 Manual Mode

THC-SCAN has a manual-dial mode in which the operator can manually identify telephone lines by pressing a single-key command; typical commands are "I: Interesting Voice," "Y: Yelling Asshole," and "G: GIRL (Female Voice Response)."

PhoneSweep does not have a manual mode, because it is intended for unattended operation. A manual mode such as the one offered with THC-SCAN would also be very confusing when more than one modem was dialing at once.

3.4 Automatic Parity Detection

THC-SCAN will automatically determine the parity of dial-up systems. The program does this by analyzing the parity of banner messages received after a remote system has been contacted. Automatic parity detection is useful for an operator who wants to call back a discovered system and attempt further penetration.

PhoneSweep does not automatically determine the parity of contacted systems. Instead, PhoneSweep will attempt to automatically detect the operating system or remote access software used on the remote device. PhoneSweep version 1.02 can identify more than 120 different remote host operating systems, including Microsoft Windows NT RAS, Carbon Copy, pcANYWHERE, and standard UNIX dialups. We at Sandstorm believe that system identification is more useful than parity identification. Additionally, parity is often determined by the modem itself, and there is little need to have the software do it.

3.5 Serial Port Configuration

THC-SCAN is delivered with a program that will attempt to identify the IRQ and I/O base addresses used by a serial port. THC-SCAN needs this information in order to work properly. As a result, THC-SCAN can only work with serial ports that have IRQs and I/O base addresses.

PhoneSweep uses the standard Windows communication routines. (Version 1.02 of PhoneSweep will only work with COM1 through COM4, while versions of PhoneSweep currently in beta test will work with COM1 through COM255.)
Working with the standard Windows communication routines eliminates the need to configure IRQs and I/O base addresses. This also permits PhoneSweep to work with multi-port I/O cards where a single IRQ is shared between multiple serial ports. As a side effect of using the Windows communication routines, PhoneSweep does not lose characters transmitted by the remote system, whereas programs such as Toneloc and THC-SCAN, which go directly to the hardware, occasionally do.

3.6 Blacklist

THC-SCAN does not support a blacklist (a list of phone numbers to avoid calling), although it does have command-line options that allow ranges of phone numbers to be "dropped."

PhoneSweep allows phone numbers to be removed from the dial list using a graphical user interface. PhoneSweep also supports an overall "blackout period," allowing you to specify certain times during which no dialing will be performed.

3.7 Dialing Rules

THC-Scan's dialing rules are limited to sequential/random ordering and busy-number handling.

PhoneSweep offers a number of dialing rules that give the auditor significant control in setting up and performing telephone scans. For example, a university might configure PhoneSweep so that phone numbers in dorm rooms are called only during the day, and phone numbers in offices are called only at night. This would allow a single PhoneSweep system to scan for unauthorized dialups among both student and administrative machines. Alternatively, PhoneSweep can be configured to call each phone number at several times throughout the day, to detect modems that are programmed to only answer at given times. PhoneSweep allows the user to set different timeouts for different time periods. For brute-force attacks, PhoneSweep can be configured to limit the number of times each day that a phone number is called, or limit the number of times that a specific username is guessed. This can prevent the system from unintentionally locking out valid usernames when a scan is being performed.
PhoneSweep also has a feature called "911 Screening" that prevents the dialing engine from inadvertently dialing a phone number associated with emergency response. And finally, PhoneSweep has the traditional dialing rules that allow the user to specify whether calls should be placed in sequential or random order, and how many times a busy phone number should be redialed.

3.8 Fax Detection

Many security auditors are interested in identifying both fax machines and dial-up modems that are operating within their organization. Unfortunately, it is difficult for a standard telephone scanner to identify both modems and fax machines. This is because many fax modems will perform caller autodetection, providing fax services when they are called by a fax machine and data services when they are called by a data modem.

THC-Scan has no special fax detection capabilities aside from those offered by standard modems. It cannot scan for both fax machines and data modems at the same time.

PhoneSweep can be configured to scan for both dial-up modems and fax machines. To perform such a scan, PhoneSweep telephones each phone number twice and compares the results. Fax machines that also respond to modem connection attempts can be potential security loopholes.

3.9 ODBC Support

ODBC is the Microsoft Open Database Connectivity standard, a system that allows programs such as Microsoft Access, Excel, IIS/ASP, or any other ODBC-compatible application to transparently access information stored in any database for which an ODBC adapter has been written. ODBC is a benefit for the serious telephone scanner. ODBC allows the analyst to write an application that can go through the results of a telephone scan in detail. An ODBC adapter that works with a telephone scanner allows the progress of the scan to be monitored in real time from other application programs.

The THC-SCAN v2.0 announcement claimed that THC-SCAN included ODBC support. But in fact, the program doesn't.
Instead, the program supports the export of the dialed-number database into a delimited text file. The delimiter is the vertical bar ("|").

PhoneSweep 1.02, on the other hand, is based on an embedded SQL database. This database is provided with an ODBC adapter, allowing full ODBC access.

3.10 License Restrictions

THC-SCAN is distributed with a relatively broad license agreement that does not control the program's use but that does control redistribution. People who resell THC-SCAN are forbidden from charging "more than twice the whole productional (sic) costs." Furthermore, "if THC-SCAN is used as part of a commercial service that is sold to customers (e.g. Security Audits)," the "paper/email/electronical medium etc. must explicitly mention that "Thc-Scan v2.0 by van Hauser/THC" was used!"

PhoneSweep is distributed with a strict license agreement that is designed to prohibit unauthorized use and limit third-party liability for Sandstorm Enterprises. The license specifically states that "PHONESWEEP IS NOT INTENDED FOR PERSONAL, FAMILY OR HOUSEHOLD USE." Sandstorm requires that PhoneSweep customers return a signed copy of the PhoneSweep license agreement to Sandstorm before the PhoneSweep product will be shipped.

4. EVALUATION OF VAN HAUSER'S CLAIMS

With the foregoing evaluation in mind, I would now like to discuss each of van Hauser's claims:

> THC-SCAN v2.0 has got the following features:
> * Runs on any DOS emulating operating system:
> DOS (+Desqview), all Win*, UNIX with Dosemu, Mac with
> VirtualPC and other

Although THC-SCAN may run under VirtualPC and other DOS emulators, van Hauser notes that some users have reported problems running THC-SCAN under Windows 98.

> * ODBC support so you can import your results into SQL or
> Excel Spreadsheets

THC-Scan does *not* have ODBC export. It only has the ability to export its call history into a delimited text file.
> * Supports the usual Carrier and PBX Scanning mode plus a special
> manual mode for trying out PBXs and VMBs

Although THC-Scan's manual mode allows an operator to identify telephone lines with a "Girl," a "Yelling Asshole," or an "Interesting Voice," this mode requires constant attention. We doubt whether this mode would be useful in a professional audit environment.

> * Many primary identifications possible plus the only one which
> has got secondary id's for countries and ccitts

When van Hauser says that "Many primary identifications possible," he is actually referring to the fact that THC-Scan can accept many different CONNECT identification messages from a modem. THC-Scan makes no attempt to identify remote systems.

> * the only scanner available which can identify VMBs and
> Unused numbers
> automatically if configured correctly

THC-Scan does not automatically identify VMBs and unused numbers. What it does is identify phones that stop ringing but do not answer with a modem tone.

> * the only scanner which lets you scan numbers specified in
> a textfile

Sandstorm PhoneSweep allows a list of phone numbers to be imported from a text file.

> * Autodetecting 8N1, 7E1 and 7O1 carrier modes

Autodetection of modem parity is trivial. What's needed by security auditors is identification of remote systems. PhoneSweep identifies more than 120 different remote system types. THC-Scan does not identify any.

> * numerous tools which makes your life easier
> * numerous cool options too many to mention :)
> * Year-2000 compliance (really important, gee)

Sandstorm PhoneSweep is also Year 2000 compliant.

> * full source code!

Source code for Sandstorm PhoneSweep is restricted to prevent unauthorized use.

5. CONCLUSIONS

Overall, both products appear to be well-evolved for their intended markets, but generally inappropriate for each other's. THC-SCAN is designed to be used on low-cost, cast-off computer equipment.
The program works with a single phone line; few hackers/phreakers have multiple phone lines that they can dedicate to telephone scanning.

PhoneSweep, on the other hand, is tailored to the needs of auditors and is generally inappropriate for use by the computer underground. Instead of optimizing for low-cost PCs, the program was designed for high throughput: with PhoneSweep 1.02, a single laptop can control up to 4 modems at once. (Sandstorm is beta-testing a version of PhoneSweep that can control 8 modems simultaneously.) Instead of relying upon the wit and programming skill of the operator, PhoneSweep has an automatic identification and brute-force attack engine.

While THC-Scan can clearly be used for serious computer security auditing, we do not believe that it is well-suited for this purpose. Instead, we expect that THC-Scan v2.0, like Toneloc, will find use principally among members of the computer underground, who will use THC-Scan to locate vulnerable computers.

Interestingly, programs like THC-SCAN actually increase the need for programs such as PhoneSweep. By distributing telephone scanning technology, van Hauser/THC is helping to create and nourish a community of individuals that will seek out and take advantage of unsecured dialups within organizations. These same organizations need to use tools such as PhoneSweep to find their rogue modems before the bad guys do.

-------------
Simson L. Garfinkel
Sandstorm Enterprises, Inc.
www.sandstorm.net
+1-617-547-0011
simsong@sandstorm.net