Bugtraq mailing list archives

Re: Comparison of THC-SCAN v2.0 with Sandstorm PhoneSweep 1.02

From: vh () REPTILE RUG AC BE (vh)
Date: Sun, 3 Jan 1999 01:12:24 +0100


Hi folks!


I come back to Aleph1's policy that someone may defend his product ,-)
Dear Aleph1, please let this email through and then begin to kill
the thread. I try to make my arguments for and against my "product"
and the one from sandstorm as balanced as possible.
Just to clear some errors and marketing hype.


Well, an email from Simson Garfinkel to me says:

Like you, I have little interest in starting a public flame war. And if you
think that I have made some mistakes in my evaluation of THC-SCAN, I would
very much like to correct them in the version of the evaluation that we
post on our website. As I indicated in my posting, I think that there is a
role for both THC-SCAN and for PhoneSweep.


I take this chance here. So here we go.

Telephone scanning is really old. Toneloc and my own scanner Thc-Scan have
been used for ages. An since some months also an expensive commercial tool
is available which really sucks (www.sandstorm.net).


As far as we know, Mr. Van Hausen hasn't had actual experience with
PhoneSweep.


It is true that I didn't have a copy of that program. However I read all
available descriptions how it works so I can say I have a very detailled
overview. (But I'd welcome a copy of the professional version ;-)

1. OVERALL DESIGN

THC-SCAN 2.0 is set of MSDOS-based programs that are designed to be
run from the DOS command line.
PhoneSweep runs under Windows 95, 98 or NT. The telephone scanner can
dial numbers from either pre-determined ranges or from a list.


Thc-Scan was coded in mind to run on as much platforms as possible
with as much automation as possible. I think I achieved that goal quite
well. Also it's internal configuration for what to scan and in which way
to interpret the results is very flexible. It is not designed to do phone
scanning only, it should & will show any number which behaves unusually.
PhoneSweep on the other hand has got other customers. These are
guys with not much knowledge about carrier hacking but have to perform
phone audits as part of their internal security checks.

PhoneSweep has an identification engine that can recognize more than
120 different system types, including Microsoft RAS, CarbonCopy, and
pcANYWHERE. PhoneSweep has an integrated brute-force engine which can
brute force a variety of identified systems.


In the past 3 years I received about 60 emails of people who requested that
feature, auto-Identification and auto-Hacking. I didn't put that in for a
purpose (it's trivial to implement). By this any kid without any knowledge
could hack/crack any system which has got default accounts enabled.
When people do darkside hacking they should use their brain and not just
"run a program".
You call my program evil, yours was written by the devil himself ,-)

2. MARKET

THC-SCAN was developed by The Hacker's Choice, a German computer
hacking organization. In his announcement, van Hausen identified
potential users of the program as "hackers/phreakers." THC has several
features that are designed to facilitate covert use, such as a "BOSS
KEY" that replaces the computer's screen with an incongruous bitmap
and ceases all dialing operation. The program has several features
that are designed to defeat (or at least detect) attempts by Deutsche
Telekom to detect telephone scanning from residential lines. THC is
distributed freely over the Internet.


every point is correct. except: THC is a european hacking/phreaking group
and I made the source for Thc-Scan available because well known security
experts asked me to give them the source ... So the target customers of
Thc-Scan are not only hackers/phreakers, but also the expert security
community. (but not your customers. your customers wouldn't like the
behaviour and complexity of my program.)

Support is not available.


not a commercial support. ,-)  I answer all emails, naturally.
And the source code is support by itself (well, but then again not *this*
code ,-)

3.4 Automatic Parity Detection
THC-SCAN will automatically determine the parity of dial-up systems.

PhoneSweep does not automatically determine the parity of contacted
systems. Instead, PhoneSweep will attempt to automatically detect the
operating system or remote access software used on the remote device.


I'd propose to add this feature to your product. it's easy to implement and
really important. If I put a unix system up with a modem configured to 7E1,
your product won't identify this.
In short: there's nothing bad or evil about adding features from an
"underground program". Those guys sometimes have a good idea. accept this.

For brute force attacks, PhoneSweep can be configured to limit the
number of times each day that a phone number is called, or limit the
number of times that a specific username is guessed. This can prevent
the system from unintentionally locking out valid usernames when a
scan is being performed.


This is evil! If you are authorized to do your security audit you may check
the password lists for weak passwords instead of cracking them like a hacker
would do. That would be faster and more professional anyway!
,-)

3.10 License Restrictions

THC-SCAN is distributed with a relatively broad license agreement that
does not control the program's use but that does control
redistribution. People who resell THC-SCAN are forbidden from charging
"more than twice the whole productional (sic) costs."  Furthermore,
"if THC-SCAN is used as part of a commercial service that is sold to
customers (e.g. Security Audits)," the "paper/email/electronical
medium etc. must explicitly mention that "Thc-Scan v2.0 by van
Hauser/THC" was used"


you take money, I take fame. Thats the reward a programmer/hacker/phreaker
gets.

THC-Scan does not automatically identify VMBs and Unused numbers. What
it does is identify phones that stop ringing but do not answer with a
modem tone.


just at note that this point: 100% of those numbers identified as unused
numbers (with the -U parameter) are identified correct.

* full source code!


Source code for Sandstorm PhoneSweep is restricted to prevent unauthorized use.


In your website you tell your costumers NOT to use underground products
because no source code is available and there'd always be trojans in it.
No there's a program available with source and you make this statement.
marketing shit.

Overall, both products appear to be well-evolved to their intended
markets, but generally inappropriate for each other's.


I fully agree with that statement.

PhoneSweep, on the other hand, is tailored for the needs of auditors


It is tailored for several things. but exactly not for these.

Sorry that I put "sandstorm sucks" in my posting. What I think about the
sandstorm product:
        Good: 4 modems supported (but only in the professional version)
        Bad:  it costs money, no source code, Windows only application,
              only carrier scanning possible, few functionality.
        Mixed Feelings: GUI only, ID of carriers + auto-cracking.


Last words: I didn't reply to all those compares what features each product
supports and whats good/bad about this. Most are presented with a marketing
hype and are WRONG, but we can discuss these in private.
Everything I did is there for a purpose and it does it's job well.


Outlook: I think about programming a distributed wardialer for unix with
tcp/ip to control each daemon running. Is there interest for that out there?


Ciao...
                van Hauser / THC - [The Hacker's Choice]


THC's Webpage -> http://r3wt.base.org


Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC <vh () reptile rug ac be>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU
SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L
XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC
meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc
QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq
s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU
SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD
/3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn
CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl
C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN
1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ
PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ
2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X
lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/
Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI
o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw==
=MdzX
-----END PGP PUBLIC KEY BLOCK-----

Current thread:

Re: PATH variable in zip-slackware 2.0.35, (continued)
- - - Re: PATH variable in zip-slackware 2.0.35 kay (Jan 06)
    - l0phtcrack 2.5 released The Forlorn (Jan 04)
  - Re: PATH variable in zip-slackware 2.0.35 kay (Jan 02)
  - SUN almost has a clue! (automountd) Corruptio Optimi Pessima (Jan 04)
    - Re: SUN almost has a clue! (automountd) Casper Dik (Jan 05)
  - January SysAdmin EY script DoS bug. Jan B. Koum (Jan 04)
  - Win95/98 SMB Authentication Vulnerability (fwd) Weld Pond (Jan 04)
- FreeBSD 2.2.5 Security problem Missouri FreeNet Administration (Jan 02)
  - Re: FreeBSD 2.2.5 Security problem Eivind Eklund (Jan 03)
  - Re: FreeBSD 2.2.5 Security problem User NEAL (Jan 03)
- Re: Comparison of THC-SCAN v2.0 with Sandstorm PhoneSweep 1.02 vh (Jan 02)