[8871] in bugtraq
Re: Comparison of THC-SCAN v2.0 with Sandstorm PhoneSweep 1.02
daemon@ATHENA.MIT.EDU (Ryan Russell)
Wed Dec 30 12:19:42 1998
Date: Tue, 29 Dec 1998 17:15:11 -0800
Reply-To: Ryan Russell <Ryan.Russell@SYBASE.COM>
From: Ryan Russell <Ryan.Russell@SYBASE.COM>
X-To: "Simson L. Garfinkel" <simsong@VINEYARD.NET>
To: BUGTRAQ@NETSPACE.ORG
Hmm... I gotta reply to this one. I won't go over every point,
so let me just say that at least Simson acknowledges some features
that THC has that PhoneSweep doesn't.
>As far as we know, Mr. Van Hausen hasn't had actual experience with
>PhoneSweep. (And our licensing and evaluation policies have so far
>been successful at keeping the product out of the hands of
>"hackers/phreakers.")
Unless your policies have prevented you from selling or giving
out any copies yet, you have no way of knowing if your product
has been "kept out of the hands of hackers/phreakers" do you?
Some of us have budgets, and would have no difficulty spending
~$2500.
Your web site references work done by Peter Shipley.
Peter's work could be considered, at best, umm... voluntary.
Your FAQ implies that the way Peter scans would not
be allowed with your product.
(snipped section describing architecture of PhoneSweep
and protocol identification features, which are actually impressive.
Also skipped "market" section which implies that THC caters
to only slimy haxors, and PhoneSweep would only be of
use to Legitimate Security Guys.)
>3.1 Multiple-Modem Support
>
>For the serious telephone scanning professional, the importance of
>scanning on multiple modems cannot be overstated. A telephone scan
>that takes a month with a single modem can be done in a week with
>four. Scans that are practical only once a year become practical on a
>monthly or weekly basis with multiple modems.
>
>THC-SCAN does not directly support multiple-modem scanning. To use
>multiple modems, van Hauser/THC suggests running multiple copies of
>the program on a computer in separate windows. Although it's possible
>to do a scan this way, it's awkward: the operator needs to partition
>the set of phone numbers into multiple dialing sets, and then
>recombine the results when the scan is done. Scanning this way is also
>inefficient: if one modem finishes the phone numbers that it needs to
>scan, it cannot take up the slack from the others.
So, some sort of script or batch file is in order, then?
>3.2 Auto-detection of Voice Mail Boxes (VMBs)
>
>Van Hauser/THC says that one of the unique features of THC-SCAN 2.0 is
>automatic detection of voice mail boxes. But THC-SCAN doesn't really
>detect voice mail boxes. Instead, it detects that the modem has
>stopped ringing and that no modem has answered on the other end of the
>line. This could be due to a voice-mail box, but it also could be
>because THC-SCAN called a fax machine, because it reached a phone
>number that is disconnected, or because the phone was answered by a
>person.
>
>PhoneSweep does not support detection of voice mail boxes.
I'm willing to believe that neither product could do this properly without
some sort of voice processing boards, or at least specifying which
models of modems should be used.
>3.3 Manual Mode
>
>THC-SCAN has a manual-dial mode in which the operator can manually
>identify telephone lines by pressing a single-key command; typical
>commands are "I: Interesting Voice," "Y: Yelling Asshole," and "G:
>GIRL (Female Voice Response)."
>
>PhoneSweep does not have a manual mode, because it is intended for
>unattended operation. A manual mode such as the one offered with
>THC-SCAN would also be very confusing when more than one modem was
>dialing at once.
I appreciate not having those extra features so I don't get confused,
thanks.
>3.4 Automatic Parity Detection
>
>THC-SCAN will automatically determine the parity of dial-up systems.
>The program does this by analyzing the parity of banner messages
>received after a remote system has been contacted. Automatic parity
>detection is useful for an operator who wants to call back a
>discovered system and attempt further penetration.
>
>PhoneSweep does not automatically determine the parity of contacted
>systems. Instead, PhoneSweep will attempt to automatically detect the
>operating system or remote access software used on the remote device.
>PhoneSweep version 1.02 can identify more than 120 different remote
>host operating systems, including Microsoft Windows NT RAS, Carbon
>Copy, pcANYWHERE, and standard UNIX dialups. We at Sandstorm believe
>that system identification is more useful than parity identification.
>Additionally, parity is often determined by the modem itself, and
>there is little need to have the software do it
I'm confused... Some of these protocols depend on parity, etc.. being
correct,
no? You'd need to have the right parity to attempt brute force on some
protocols?
>3.6 Blacklist
>
>THC-SCAN does not support a blacklist (a list of phone numbers to
>avoid calling), although it does have command-line options that allow
>ranges of phone number to be "dropped."
>
>PhoneSweep allows phone numbers to be removed from the dial list using
>a graphical user interface. PhoneSweep also supports an overall
>"blackout period," allowing you to specify certain times during which
>no dialing will be performed.
So, some sort of script or batch file is in order, then?
>3.9 ODBC Support
>
>ODBC is the Microsoft Open Database Connectivity Standard, a system
>that allows programs such as Microsoft Access, Excel, IIS/ASP, or any
>other ODBC-compatible application to transparently access information
>stored in any database for which an ODBC adapter has been written.
>ODBC is a benefit for the serious telephone scanner. ODBC allows the
>analyst to write an application that can go through the results of a
>telephone scan in detail. An ODBC adapter that works with a telephone
>scanner allows the progress of the scan to be monitored in real-time
>from other application programs.
>
>The THC-SCAN v2.0 announcement claimed that THC-SCAN included ODBC
>support. But in fact, the program doesn't. Instead, the program
>supports the export of the dialed-number database into delimited text
>file. The delimiter is the vertical bar ("|").
>
>PhoneSweep 1.02, on the other hand, is based on an embedded SQL
>database. This database is provided with an ODBC adapter, allowing
>full ODBC access.
So I can use a full-size database if I want, via ODBC? (Yes, I do
ask all my security vendors database questions... look at the domain
in my e-mail address.)
>3.10 License Restrictions
>
>THC-SCAN is distributed with a relatively broad license agreement that
>does not control the program's use but that does control
>redistribution. People who resell THC-SCAN are forbidden from charging
>"more than twice the whole productional (sic) costs." Furthermore,
>"if THC-SCAN is used as part of a commercial service that is sold to
>customers (e.g. Security Audits)," the "paper/email/electronical
>medium etc. must explicitly mention that "Thc-Scan v2.0 by van
>Hauser/THC" was used!"
You're assuming I'd be embarassed to mention that I'd
used THC?
>PhoneSweep is distributed with a strict license agreement that is
>designed to prohibit unauthorized use and limit third-party liability
>for Sandstorm Enterprises. The license specifically states that
>"PHONESWEEP IS NOT INTENDED FOR PERSONAL, FAMILY OR HOUSEHOLD USE."
Oh THAT'S clear... So I can't wardial myself, my family or my house?
>> * Autodetecting 8N1, 7E1 and 7O1 carrier modes
>
>Autodetection of modem parity is trivial.
And you don't, because....
>What's needed by security
>auditors is identification of remote systems. PhoneSweep identifies
>more than 120 different remote system types. THC-Scan does not
>identify any.
Tremendously useful, and that feature is the only reason I would consider
buying
a wardialer instead of using the currently available free ones.
>> * full source code!
>
>Source code for Sandstorm PhoneSweep is restricted to prevent
>unauthorized use.
Oh, that arguement will go over big with this crowd.
>Overall, both products appear to be well-evolved to their intended
>markets, but generally inappropriate for each other's. THC-SCAN is
>designed to be used on low-cost, cast-off computer equipment. The
>program works with a single phone line; few hackers/phreakers have
>multiple phone lines that they can dedicate to telephone scanning.
Of course, some of us have a couple of dozen PRI's worth that we could
use if we wanted...
>PhoneSweep, on the other hand, is tailored for the needs of auditors
>and is generally inappropriate for use by the computer underground.
Au contrare... your program sounds like it would be a lot
more useful for hostile attacks.
>Instead of optimizing for low-cost PCs, the program was designed for
>high-throughput: with PhoneSweep 1.02, a single laptop can control up
>to 4 modems at once. (Sandstorm is beta-testing a version of
>PhoneSweep that can control 8 modems simultaneously.)
If it's multithreaded, uses ODBC, and can use COM1 through 255,
why does it only work with 4 modems?
>Instead of
>relying upon the wit and programming skill of the operator, PhoneSweep
>has an automatic identification and brute-force attack engine.
Too many insults.... must mock PhoneSweep...
>While THC-Scan can clearly be used for serious computer security
>auditing, we do not believe that it is well-suited for this purpose.
>Instead, we expect that THC-Scan v2.0, like Toneloc, will find use
>principally among members of the computer underground, who will use
>THC-Scan to locate vulnerable computers.
Hmm.. I'd rather use your program for locating vulnerable computers..
sounds easier.
>Interestingly, programs like THC-SCAN actually increase the need for
>programs such as PhoneSweep. By distributing telephone scanning
>technology, van Hauser/THC is helping to create and nourish a
>community of individuals that will seek our and take advantage of
>unsecured dialups within organizations. These same organizations need
>to use tools such as PhoneSweep to find their rogue modems before the
>bad guys do.
Hey! Just like the antivirus vendors.
Sorry for the flames. Since you decided to take the time to promote
your commercial product at the expense of a free program that comes
with source code, well, you deserved it. You should have the opportunity
to defend your product, but I for one don't appreciate the insinuations
that one tool is obviously intended only for evil while the other
can only be used for good.
Ryan