
Comparison of THC-SCAN v2.0 with Sandstorm PhoneSweep 1.02

daemon@ATHENA.MIT.EDU (Simson L. Garfinkel)
Tue Dec 29 14:22:08 1998

Date: 	Tue, 29 Dec 1998 11:02:00 -0500
Reply-To: "Simson L. Garfinkel" <simsong@VINEYARD.NET>
From: "Simson L. Garfinkel" <simsong@VINEYARD.NET>
To: BUGTRAQ@NETSPACE.ORG

On Christmas Day, van Hauser/THC announced the availability of
THC-SCAN v2.0, the newest version of the THC telephone scanner. He
went on to write:

> Telephone scanning is really old. Toneloc and my own scanner Thc-Scan have
> been used for ages. An since some months also an expensive commercial tool
> is available which really sucks (www.sandstorm.net).
> However it is still an important part in a security audit, and
> hackers/phreakers also need it very often for (*aehm*) informational
> purpose.

As far as we know, Mr. van Hauser hasn't had actual experience with
PhoneSweep. (And our licensing and evaluation policies have so far
been successful at keeping the product out of the hands of
"hackers/phreakers.") Accordingly, we decided to download his THC
program and perform a feature-by-feature comparison -- based on actual
use. What follows are the most salient points from that comparison.


1. OVERALL DESIGN

THC-SCAN 2.0 is a set of MSDOS-based programs that are designed to be
run from the DOS command line. (The programs can be run under Windows
or OS/2 from a DOS box, but some beta testers reportedly had problems
using the program under Windows 98.) The telephone scanner can dial
telephone numbers from either a pre-determined range or from a list.
The scanner has simple identification techniques that can be used to
detect answering computer systems or voice mail boxes (VMBs). The
scanner also has a manual mode, in which it dials the modem with the
speaker enabled and allows the user to make comments on each number
that is dialed. THC-SCAN will automatically redial busy numbers up to
a preset limit. THC-SCAN can be used with THC Login Hacker to brute
force systems that have been discovered.

PhoneSweep is a client/server based telephone scanning system which
includes an embedded SQL database, a multi-threaded dialing engine,
and a graphical user interface (GUI) that is written in Java.
PhoneSweep runs under Windows 95, 98 or NT. The telephone scanner can
dial numbers from either pre-determined ranges or from a list.
PhoneSweep has an identification engine that can recognize more than
120 different system types, including Microsoft RAS, CarbonCopy, and
pcANYWHERE. PhoneSweep has an integrated brute-force engine which can
brute force a variety of identified systems. PhoneSweep has a set of
controls for redialing busy numbers or making multiple dials to
telephone numbers, while observing limits such as the maximum number
of times to dial a phone number or try a specific username each day.
Finally, PhoneSweep can automatically generate RTF reports using a
customizable report template.

2. MARKET

THC-SCAN was developed by The Hacker's Choice, a German computer
hacking organization. In his announcement, van Hauser identified
potential users of the program as "hackers/phreakers." THC has several
features that are designed to facilitate covert use, such as a "BOSS
KEY" that replaces the computer's screen with an incongruous bitmap
and ceases all dialing operation. The program has several features
that are designed to defeat (or at least detect) attempts by Deutsche
Telekom to detect telephone scanning from residential lines. THC is
distributed freely over the Internet. Support is not available.

PhoneSweep is designed for computer security auditing by corporate IT
officers and computer security consultants. The program utilizes
several features to prevent unauthorized use, such as hardware license
protection. Support is available from Sandstorm.

3. FEATURES

Both THC-SCAN and PhoneSweep provide basic telephone scanning
capability. However, there are important differences between the
features offered by the two programs, as discussed below:

3.1 Multiple-Modem Support

For the serious telephone scanning professional, the importance of
scanning on multiple modems cannot be overstated. A telephone scan
that takes a month with a single modem can be done in a week with
four. Scans that are practical only once a year become practical on a
monthly or weekly basis with multiple modems.

THC-SCAN does not directly support multiple-modem scanning. To use
multiple modems, van Hauser/THC suggests running multiple copies of
the program on a computer in separate windows. Although it's possible
to do a scan this way, it's awkward: the operator needs to partition
the set of phone numbers into multiple dialing sets, and then
recombine the results when the scan is done. Scanning this way is also
inefficient: if one modem finishes the phone numbers that it needs to
scan, it cannot take up the slack from the others.

PhoneSweep has direct support for multiple modems. All phone numbers
are stored in an embedded SQL database; the dialing engine then
determines the next number to dial and automatically hands off this
number to the next free modem. In this manner, the modems are used to
their maximum efficiency.

3.2 Auto-detection of Voice Mail Boxes (VMBs)

Van Hauser/THC says that one of the unique features of THC-SCAN 2.0 is
automatic detection of voice mail boxes. But THC-SCAN doesn't really
detect voice mail boxes. Instead, it detects that the modem has
stopped ringing and that no modem has answered on the other end of the
line. This could be due to a voice-mail box, but it also could be
because THC-SCAN called a fax machine, because it reached a phone
number that is disconnected, or because the phone was answered by a
person.

PhoneSweep does not support detection of voice mail boxes.

3.3 Manual Mode

THC-SCAN has a manual-dial mode in which the operator can manually
identify telephone lines by pressing a single-key command; typical
commands are "I: Interesting Voice," "Y: Yelling Asshole," and "G:
GIRL (Female Voice Response)."

PhoneSweep does not have a manual mode, because it is intended for
unattended operation. A manual mode such as the one offered with
THC-SCAN would also be very confusing when more than one modem was
dialing at once.

3.4 Automatic Parity Detection

THC-SCAN will automatically determine the parity of dial-up systems.
The program does this by analyzing the parity of banner messages
received after a remote system has been contacted. Automatic parity
detection is useful for an operator who wants to call back a
discovered system and attempt further penetration.

PhoneSweep does not automatically determine the parity of contacted
systems. Instead, PhoneSweep will attempt to automatically detect the
operating system or remote access software used on the remote device.
PhoneSweep version 1.02 can identify more than 120 different remote
host operating systems, including Microsoft Windows NT RAS, Carbon
Copy, pcANYWHERE, and standard UNIX dialups. We at Sandstorm believe
that system identification is more useful than parity identification.
Additionally, parity is often determined by the modem itself, and
there is little need to have the software do it.


3.5 Serial Port Configuration

THC-SCAN is delivered with a program that will attempt to identify the
IRQ and I/O base addresses used by a serial port. THC-SCAN needs this
information in order to work properly. As a result, THC-SCAN can only
work with serial ports that have IRQs and I/O base addresses.

PhoneSweep uses the standard Windows communication routines. (Version
1.02 of PhoneSweep will only work with COM1 through COM4, while
versions of PhoneSweep currently in beta test will work with COM1
through COM255.) Working with the standard Windows communication
routines eliminates the need to configure IRQs and I/O base addresses.
This also permits PhoneSweep to work with multi-port I/O cards where a
single IRQ is shared between multiple serial ports. As a side effect
of using the Windows communication routines, PhoneSweep does not lose
characters transmitted by the remote system, whereas programs such as
Toneloc and THC, which go directly to the hardware, occasionally do.

3.6 Blacklist

THC-SCAN does not support a blacklist (a list of phone numbers to
avoid calling), although it does have command-line options that allow
ranges of phone numbers to be "dropped."

PhoneSweep allows phone numbers to be removed from the dial list using
a graphical user interface. PhoneSweep also supports an overall
"blackout period," allowing you to specify certain times during which
no dialing will be performed.

3.7 Dialing Rules

THC-Scan's dialing rules are limited to sequential/random and busy
number handling.

PhoneSweep offers a number of dialing rules that give the auditor
significant control in setting up and performing telephone scans. For
example, a university might configure PhoneSweep so that phone numbers
in dorm rooms are called only during the day, and phone numbers in
offices are called only at night. This would allow a single PhoneSweep
system to scan for unauthorized dialups among both student and
administrative machines. Alternatively, PhoneSweep can be configured
to call each phone number at several times throughout the day, to
detect modems that are programmed to only answer at given times.
PhoneSweep allows the user to set different timeouts for different
time periods.

For brute force attacks, PhoneSweep can be configured to limit the
number of times each day that a phone number is called, or limit the
number of times that a specific username is guessed. This can prevent
the system from unintentionally locking out valid usernames when a
scan is being performed.

PhoneSweep also has a feature called "911 Screening" that prevents the
dialing engine from inadvertently dialing a phone number associated
with emergency response. And finally, PhoneSweep has the traditional
dialing rules that allow the user to specify whether calls should be
placed in sequential or random order, and how many times a busy phone
number should be redialed.
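The blacklist, blackout period, per-category dialing windows, daily call cap and 911 screening described in sections 3.6 and 3.7 are, taken together, a policy check that runs before every dial. The following is an added illustration written for this page, not PhoneSweep's or THC-SCAN's code; the category names, sample numbers and the exact 911-screening rule (refuse any digit string beginning with 911, with or without an outside-line 9 in front) are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time


def _in_window(t: time, start: time, end: time) -> bool:
    # True if t lies in [start, end); a window may cross midnight (18:00-08:00).
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def _is_emergency(number: str) -> bool:
    # Assumed screening rule: the page names "911 Screening" but not its logic.
    digits = "".join(c for c in number if c.isdigit())
    return digits.startswith("911") or digits.startswith("9911")


@dataclass
class DialPolicy:
    windows: dict[str, tuple[time, time]]     # category -> allowed local time window
    blackouts: list[tuple[time, time]]        # periods in which nothing is dialed
    blacklist: set[str]                       # numbers that must never be dialed
    max_dials_per_day: int                    # cap per number per calendar day
    _log: dict = field(default_factory=dict)  # (number, date) -> dials so far

    def record_dial(self, number: str, now: datetime) -> None:
        key = (number, now.date())
        self._log[key] = self._log.get(key, 0) + 1

    def may_dial(self, number: str, category: str, now: datetime) -> tuple[bool, str]:
        # Checks are ordered so that safety rules win over scheduling rules.
        if _is_emergency(number):
            return False, "emergency number screened"
        if number in self.blacklist:
            return False, "blacklisted"
        if any(_in_window(now.time(), s, e) for s, e in self.blackouts):
            return False, "blackout period"
        window = self.windows.get(category)
        if window is None or not _in_window(now.time(), *window):
            return False, "outside dialing window for " + category
        if self._log.get((number, now.date()), 0) >= self.max_dials_per_day:
            return False, "daily dial limit reached"
        return True, "ok"


def sample_policy() -> DialPolicy:
    # Constructed policy mirroring the page's university example: dorms by day,
    # offices by night, no dialing at all between midnight and 06:00.
    return DialPolicy(windows={"dorm": (time(8), time(18)), "office": (time(18), time(8))},
                      blackouts=[(time(0), time(6))], blacklist={"555-0100"},
                      max_dials_per_day=2)
```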

3.8 Fax Detection

Many security auditors are interested in identifying both fax machines
and dial-up modems that are operating within their organization.
Unfortunately, it is difficult for a standard telephone scanner to
identify both modems and fax machines. This is because many fax modems
will perform caller autodetection, providing fax services when they
are called by a fax machine and data services when they are called by
a data modem.

THC-Scan has no special fax detection capabilities aside from those
offered by standard modems. It cannot scan for both fax machines and
data modems at the same time.

PhoneSweep can be configured to scan for both dial-up modems and fax
machines. To perform such a scan, PhoneSweep telephones each phone
number twice and compares the result. Fax machines that also respond
to modem connection attempts can be potential security loopholes.

3.9 ODBC Support

ODBC is the Microsoft Open Database Connectivity Standard, a system
that allows programs such as Microsoft Access, Excel, IIS/ASP, or any
other ODBC-compatible application to transparently access information
stored in any database for which an ODBC adapter has been written.
ODBC is a benefit for the serious telephone scanner. ODBC allows the
analyst to write an application that can go through the results of a
telephone scan in detail. An ODBC adapter that works with a telephone
scanner allows the progress of the scan to be monitored in real-time
from other application programs.

The THC-SCAN v2.0 announcement claimed that THC-SCAN included ODBC
support. But in fact, the program doesn't. Instead, the program
supports the export of the dialed-number database into delimited text
file. The delimiter is the vertical bar ("|").

PhoneSweep 1.02, on the other hand, is based on an embedded SQL
database. This database is provided with an ODBC adapter, allowing
full ODBC access.

3.10 License Restrictions

THC-SCAN is distributed with a relatively broad license agreement that
does not control the program's use but that does control
redistribution. People who resell THC-SCAN are forbidden from charging
"more than twice the whole productional (sic) costs."  Furthermore,
"if THC-SCAN is used as part of a commercial service that is sold to
customers (e.g. Security Audits)," the "paper/email/electronical
medium etc. must explicitly mention that "Thc-Scan v2.0 by van
Hauser/THC" was used!"

PhoneSweep is distributed with a strict license agreement that is
designed to prohibit unauthorized use and limit third-party liability
for Sandstorm Enterprises. The license specifically states that
"PHONESWEEP IS NOT INTENDED FOR PERSONAL, FAMILY OR HOUSEHOLD USE."

Sandstorm requires that PhoneSweep customers return a signed copy of
the PhoneSweep license agreement to Sandstorm before the PhoneSweep
product will be shipped.


4. EVALUATION OF VAN HAUSER'S CLAIMS

With the foregoing evaluation in mind, I would now like to discuss
each of van Hauser's claims:

> THC-SCAN v2.0 has got the following features:
> * Runs on any DOS emulating operating system:
> DOS (+Desqview), all Win*, UNIX with Dosemu, Mac with
> VirtualPC and other

Although THC-SCAN may run under VirtualPC and other DOS emulators, van
Hauser notes that some users have reported problems running THC-SCAN
under Windows 98.

> * ODBC support so you can import your results intro SQL or
> Excel Spreadsheets

THC-Scan does *not* have ODBC export. It only has the ability to
export its call history into a delimited text file.

> * Supports the usual Carrier and PBX Scanning mode plus a special
> manual mode for trying out PBXs and VMBs

Although THC-Scan's manual mode allows an operator to identify
telephone lines with a "Girl," a "Yelling Asshole," or an "Interesting
Voice," this mode requires constant attention. We doubt whether this
mode would be useful in a professional audit environment.

> * Many primary identifications possible plus the only one which
> has got secondary id's for countries and ccitts

When van Hauser says that "Many primary identifications possible," he
is actually referring to the fact that THC-Scan can accept many
different CONNECT identification messages from a modem. THC-Scan makes
no attempt to identify remote systems.

> * the only scanner available which can identify VMBs and
> Unused numbers
> automatically if configured correctly

THC-Scan does not automatically identify VMBs and Unused numbers. What
it does is identify phones that stop ringing but do not answer with a
modem tone.


> * the only scanner which lets you scan numbers specified in
> a textfile

Sandstorm PhoneSweep allows a list of phone numbers to be imported
from a text file.

> * Autodetecting 8N1, 7E1 and 7O1 carrier modes

Autodetection of modem parity is trivial. What's needed by security
auditors is identification of remote systems. PhoneSweep identifies
more than 120 different remote system types. THC-Scan does not
identify any.

> * numerous tools which makes your life easier
> * numerous cool options too many to mention :)
> * Year-2000 compliance (really important, gee)

Sandstorm PhoneSweep is also Year 2000 compliant.

> * full source code!

Source code for Sandstorm PhoneSweep is restricted to prevent
unauthorized use.

5. CONCLUSIONS

Overall, both products appear to be well-evolved to their intended
markets, but generally inappropriate for each other's. THC-SCAN is
designed to be used on low-cost, cast-off computer equipment. The
program works with a single phone line; few hackers/phreakers have
multiple phone lines that they can dedicate to telephone scanning.

PhoneSweep, on the other hand, is tailored for the needs of auditors
and is generally inappropriate for use by the computer underground.
Instead of optimizing for low-cost PCs, the program was designed for
high-throughput: with PhoneSweep 1.02, a single laptop can control up
to 4 modems at once. (Sandstorm is beta-testing a version of
PhoneSweep that can control 8 modems simultaneously.) Instead of
relying upon the wit and programming skill of the operator, PhoneSweep
has an automatic identification and brute-force attack engine.

While THC-Scan can clearly be used for serious computer security
auditing, we do not believe that it is well-suited for this purpose.
Instead, we expect that THC-Scan v2.0, like Toneloc, will find use
principally among members of the computer underground, who will use
THC-Scan to locate vulnerable computers.

Interestingly, programs like THC-SCAN actually increase the need for
programs such as PhoneSweep. By distributing telephone scanning
technology, van Hauser/THC is helping to create and nourish a
community of individuals that will seek out and take advantage of
unsecured dialups within organizations. These same organizations need
to use tools such as PhoneSweep to find their rogue modems before the
bad guys do.


-------------
Simson L. Garfinkel
Sandstorm Enterprises, Inc.
www.sandstorm.net
+1-617-547-0011
simsong@sandstorm.net
