THC-SCAN
| | ||
THC-Scan, also written for DOS, took the best parts of ToneLoc and added a few new features. THC-Scan also manages phone numbers through .dat files, although the format is unique. Because the documentation for this tool is complete, we'll focus on examples that show the similarity of THC-Scan to ToneLoc, that show off a new feature, or that cover any of the unspoken "gotchas" that creep into tools.
| Note | If you receive a "Runtime error 200" error when running any of the THC-Scan tools, you will need to recompile the source (if you can find a Pascal compiler), run it in a DOS emulator (doscmd, dosemu ), or try using Windows XP. |
The pun-laden THC group , or The Hackers Choice, also has other tools covered in this book. If you are interested in more of their phone-hacking tools, you may wish to try THC-Dialup Login Hacker (recently updated) or THC-PBXHacker (from 1995). Each tool has a very narrow use but might come in handy when testing old dial-up systems.
Implementation: Configuring THC-Scan
THC-Scan is about the most user -friendly DOS-based program we've seen. Each option in the configure screen (see Figure 18-8) has a short description for each setting.
Figure 18-8: Configuring THC-Scan
Probably the only change you'll need to make in the MODEM CONFIG menu is to set the correct COM port used by the modem. Figure 18-9 shows this menu.
Figure 18-9: Modem configuration options
The MODEM RESPONSES menu allows you to customize the name of possible responses. The interesting column is the program to execute. You can specify an external program, such as HyperTerminal or PCAnywhere. Then, if THC-Scan detects a certain response string, you can launch the specified program with one of the function keys (F1 through F8). Note that you have to specify the program in the EXECUTE CONFIG menu before you can assign it here. Also, you'll have to use the DOS 8.3 naming convention, so if the file is in C:\Program Files\ remember to call it C:\Progra~1. Figure 18-10 shows the default Modem Response menu.
Figure 18-10: Modem responses
You can change the name of the logfiles for the scan, but it's usually easier to leave this menu in the default (see Figure 18-11) and use the /P option on the command line to instruct THC-Scan to store all of the logfiles in a custom directory.
Figure 18-11: Logfiles
Finally, the MISCELLANEOUS menu is important for setting the time delays during and between dials.
Implementation: Running THC-Scan
Every command-line option for ToneLoc, with the exception of /C (alternate configuration file) and /T (only report Tones), works with THC-Scan. One cool feature of THC-Scan is that it can accept phone numbers from a text file, which is handy when you need to dial disparate ranges in multiple exchanges. Specify the text file (following the 8.3 naming convention) after the @ symbol:
C:\thc-scan.exe @num_list.txt
Another feature of THC-Scan is basic support for distributed dialing. This enables you to run a session across multiple computers. THC-Scan comes with a batch file in the /misc directory called netscan.bat, which outputs the necessary command line for each of three, five, or ten different computers in the modem pool. You need to add an environment variable, CLIENT , to specify the client number of the current computer. You can do this from the command line; however, you may need to edit the CLIENTS (plural) and DEEP variables in the netscan.bat file. THC-Scan launches immediately after the batch file, so make sure it is in your path and that the ts.cfg file is correct.
C:\set CLIENT=1 && netscan.bat 9495555 C:\THC-SCAN 1-949555 /M:949555 R:0-3333 /Q C:\set CLIENT=2 && netscan.bat 9495555 C:\THC-SCAN 2-949555 /M:949555 R:3334-6666 /Q C:\set CLIENT=2 && netscan.bat 9495555 C:\THC-SCAN 3-949555 /M:949555 R:6667-9999 /Q
| Note | All .dat file manipulation must be done manually. |
In the preceding example, the full phone exchange for 949-555-0000 through -9999 is split across three computers. Notice that most of the work for running the modems and managing the .dat files still has to be done by hand. Nor does this method work for numbers in disparate exchanges. In this aspect, THC-Scan's support of modem pools is not very robust.
Implementation: Navigating THC-Scan
THC-Scan also provides shortcut keys to interact with a currently running scan. Like ToneLoc, you can mark a number as it is being dialed . Table 18-2 lists these options.
| Shortcut Key | Description |
|---|---|
| B | BUSY |
| C | CARRIER |
| F | FAX |
| G | GIRL (not a useful designator, merely indicates that the number was answered , but not by a modem) |
| I | INTERESTING |
| S | Saves a specific comment for the current number |
| T | TONE |
| U | UNUSED (This is different than ToneLoc's UNDIALED designator. Indicates that the number is not in service.) |
| V | VMB (Voice Mail Box) |
| 03 | Custom description 1, 2, or 3 (Use one or more of these to describe a number if any of the previous options are insufficient.) |
| [SPACEBAR] | UNINTERESTING |
Of course, you can also manipulate the modem and dialing process. Table 18-3 lists those options.
| Shortcut Key | Description |
|---|---|
| M | Redials the current number. |
| N | Proceeds to the next number without marking the current number with a description. |
| P | Pauses the scan. Press any key to continue. Press r to redial, h to hang up, or n to hang up and proceed to the next number. |
| X | Extends the current timeout by five seconds. |
| ˆ | Decreases the current timeout by five seconds. |
| [ESC] | Quits the program. |
| ALT-O | Runs ts-cfg.exe to modify the configuration. Changes take effect immediately. |
| ALT-S | Toggles the modem speaker on or off. |
Implementation: Manipulating THC-Scan .dat Files
The /P and /F options provide file and data management from the command line. If the /P option is provided with the directory, such as /P:555dir , all output (.dat and .log files) will be written to that directory. The /F option provides additional output in a format that you can import into a Microsoft Access database. This lets you create customized reports , derive statistics, and otherwise track large datasets.
Dat-* Tools
You can share data from ToneLoc with THC-Scan. Use the dat-conv.exe tool to convert .dat files from ToneLoc format to THC-Scan format. Specify the source .dat file and a name for the new file, as shown in the following listing.
C:\>dat-conv.exe toneloc.dat thcscan.dat DAT Converter for TONELOC <-> THC-SCAN v2.00 (c) 1996,98 by van Hauser/THC Mode : TL -> TS Datfile input : TONELOC.DAT Datfile output: THCSCAN.DAT ID for NOTE : CUSTOM1 (224) ID for NODIAL : UNDIALED (0)
Dat-manp.exe is an analog to ToneLoc's tlreplac.exe, plus it also permits numeric identifiers instead of a string, such as referring to UNDIALED numbers as 0 (zero). For example, here's how to replace BUSY numbers with UNDIALED:
C:\>dat-manp.exe test.dat BUSY UNDIALED DAT Manipulator v2.00 (c) 1996,98 by van Hauser/THC vh@reptile.rug.ac.be Writing .BAK File ... DAT File : TEST.DAT DAT Size : 10000 bytes (+ 32 byte Header) Exchange : 8 (All ring counts) ... with : 0 (transferring rings) Changed : 479 entries.
You could also refer to the BUSY tag as 8. Other name/numeric combinations are listed in the datfile.doc file that is part of the package's contents. THC-Scan uses numbers 815 to designate busies, incrementing the value for each redial.
Statistics for a .dat file are generated by the dat-stat.exe command:
C:\tools\thc-scan\BIN\DAT-STAT.EXE test.dat DAT Statistics v2.00 (c) 1996,98 by van Hauser/THC vh@reptile.rug.ac.be DAT File : TEST.DAT (created with THC-SCAN version v2.0) Dialmask : <none> UnDialed : 480 (5%) Busy : 0 (0%) Uninter. : 2 (0%) Timeout : 3563 (36%) Ringout : 3683 (37%) Carriers : 29 (0%) Tones : 0 (0%) Voice : 2242 (22%) [Std:2242/I:0/G:0/Y:0] VMB : 0 (0%) Custom : 1 (0%) [1:1/2:0/3:0] 0 minutes used for scanning.
| | ||
EAN: 2147483647
Pages: 175