THC-Scan




THC-Scan, also written for DOS, took the best parts of ToneLoc and added a few new features. THC-Scan also manages phone numbers through .dat files, although the format is unique. Because the documentation for this tool is complete, we’ll focus on examples that show the similarity of THC-Scan to ToneLoc, that show off a new feature, or that cover any of the unspoken “gotchas” that creep into tools.

Note 

If you receive a “Runtime error 200” error when running any of the THC-Scan tools, you will need to recompile the source (if you can find a Pascal compiler), run it in a DOS emulator (doscmd, dosemu), or try using Windows XP.

The pun-laden THC group, or The Hackers Choice, also has other tools covered in this book. If you are interested in more of their phone-hacking tools, you may wish to try THC-Dialup Login Hacker (recently updated) or THC-PBXHacker (from 1995). Each tool has a very narrow use but might come in handy when testing old dial-up systems.

Implementation: Configuring THC-Scan

THC-Scan is about the most user-friendly DOS-based program we’ve seen. Each option in the configure screen (see Figure 18-8) has a short description for each setting.

Figure 18-8: Configuring THC-Scan

Probably the only change you’ll need to make in the MODEM CONFIG menu is to set the correct COM port used by the modem. Figure 18-9 shows this menu.

Figure 18-9: Modem configuration options

The MODEM RESPONSES menu allows you to customize the name of possible responses. The interesting column is the program to execute. You can specify an external program, such as HyperTerminal or PCAnywhere. Then, if THC-Scan detects a certain response string, you can launch the specified program with one of the function keys (F1 through F8). Note that you have to specify the program in the EXECUTE CONFIG menu before you can assign it here. Also, you’ll have to use the DOS 8.3 naming convention, so if the file is in C:\Program Files\... remember to call it C:\Progra~1. Figure 18-10 shows the default Modem Response menu.

Figure 18-10: Modem responses

You can change the name of the logfiles for the scan, but it’s usually easier to leave this menu in the default (see Figure 18-11) and use the /P option on the command line to instruct THC-Scan to store all of the logfiles in a custom directory.

Figure 18-11: Logfiles

Finally, the MISCELLANEOUS menu is important for setting the time delays during and between dials.

Implementation: Running THC-Scan

Every command-line option for ToneLoc, with the exception of /C (alternate configuration file) and /T (only report Tones), works with THC-Scan. One cool feature of THC-Scan is that it can accept phone numbers from a text file, which is handy when you need to dial disparate ranges in multiple exchanges. Specify the text file (following the 8.3 naming convention) after the @ symbol:

C:\>thc-scan.exe @num_list.txt

Another feature of THC-Scan is basic support for distributed dialing. This enables you to run a session across multiple computers. THC-Scan comes with a batch file in the /misc directory called netscan.bat, which outputs the necessary command line for each of three, five, or ten different computers in the modem pool. You need to add an environment variable, CLIENT, to specify the client number of the current computer. You can do this from the command line; however, you may need to edit the CLIENTS (plural) and DEEP variables in the netscan.bat file. THC-Scan launches immediately after the batch file, so make sure it is in your path and that the ts.cfg file is correct.

C:\>set CLIENT=1 && netscan.bat 9495555 C:\THC-SCAN 1-949555 /M:949555 R:0-3333 /Q
C:\>set CLIENT=2 && netscan.bat 9495555 C:\THC-SCAN 2-949555 /M:949555 R:3334-6666 /Q
C:\>set CLIENT=3 && netscan.bat 9495555 C:\THC-SCAN 3-949555 /M:949555 R:6667-9999 /Q

Note 

All .dat file manipulation must be done manually.

In the preceding example, the full phone exchange for 949-555-0000 through -9999 is split across three computers. Notice that most of the work for running the modems and managing the .dat files still has to be done by hand. Nor does this method work for numbers in disparate exchanges. In this aspect, THC-Scan’s support of modem pools is not very robust.

Implementation: Navigating THC-Scan

THC-Scan also provides shortcut keys to interact with a currently running scan. Like ToneLoc, you can mark a number as it is being dialed. Table 18-2 lists these options.

Table 18-2: THC-Scan Description Shortcut Keys

Option       Description
B            BUSY
C            CARRIER
F            FAX
G            GIRL (not a useful designator; merely indicates that the number was answered, but not by a modem)
I            INTERESTING
S            Save a specific comment for the current number
T            TONE
U            UNUSED (This is different from ToneLoc's UNDIALED designator. Indicates that the number is not in service.)
V            VMB (Voice Mail Box)
03           Custom description 1, 2, or 3 (Use one or more of these to describe a number if any of the previous options are insufficient.)
[SPACEBAR]   UNINTERESTING

Of course, you can also manipulate the modem and dialing process. Table 18-3 lists those options.

Table 18-3: THC-Scan Command Shortcut Keys

Option       Description
M, [ENTER]   Redial the current number.
N, [TAB]     Proceed to the next number without marking the current number with a description.
P            Pause the scan. Press any key to continue. Press r to redial, h to hang up, or n to hang up and proceed to the next number.
X, +         Extend the current timeout by 5 seconds.
-            Decrease the current timeout by 5 seconds.
[ESC]        Quit the program.
ALT-O        Run ts-cfg.exe to modify the configuration. Changes take effect immediately.
ALT-S        Toggles the modem speaker on or off.

Implementation: Manipulating THC-Scan .dat Files

The /P and /F options provide file and data management from the command line. If the /P option is provided with the directory, such as /P:555dir, all output (.dat and .log files) will be written to that directory. The /F option provides additional output in a format that you can import into a Microsoft Access database. This lets you create customized reports, derive statistics, and otherwise track large datasets.

Dat-* Tools

You can share data from ToneLoc with THC-Scan. Use the dat-conv.exe tool to convert dat files from ToneLoc format to THC-Scan format. Specify the source .dat file and a name for the new file, as shown in the listing following Table 18-3.

C:\>dat-conv.exe toneloc.dat thcscan.dat
DAT Converter for  TONELOC <-> THC-SCAN  v2.00   (c) 1996,98 by van Hauser/THC
Mode :  TL -> TS
Datfile input : TONELOC.DAT
Datfile output: THCSCAN.DAT
ID for NOTE   : CUSTOM1 (224)
ID for NODIAL : UNDIALED (0)

Dat-manp.exe is the analog of ToneLoc’s tlreplac.exe; it also accepts numeric identifiers instead of strings, such as referring to UNDIALED numbers as 0 (zero). For example, here’s how to replace BUSY numbers with UNDIALED:

C:\>dat-manp.exe test.dat BUSY UNDIALED
DAT Manipulator v2.00   (c) 1996,98 by van Hauser/THC vh@reptile.rug.ac.be
Writing .BAK File ...
DAT File : TEST.DAT
DAT Size : 10000 bytes (+ 32 byte Header)
Exchange : 8 (All ring counts)
... with : 0 (transferring rings)
Changed  : 479 entries.

You could also refer to the BUSY tag as 8. Other name/numeric combinations are listed in the datfile.doc file that is part of the package’s contents. THC-Scan uses numbers 8–15 to designate busies, incrementing the value for each redial.

Statistics for a .dat file are generated by the dat-stat.exe command:

C:\tools\thc-scan\BIN>DAT-STAT.EXE test.dat
DAT Statistics v2.00   (c) 1996,98 by van Hauser/THC vh@reptile.rug.ac.be
DAT File : TEST.DAT (created with THC-SCAN version v2.0)
Dialmask : <none>
UnDialed :  480 ( 5%)
Busy     :    0 ( 0%)
Uninter. :    2 ( 0%)
Timeout  : 3563 (36%)
Ringout  : 3683 (37%)
Carriers :   29 ( 0%)
Tones    :    0 ( 0%)
Voice    : 2242 (22%)  [Std:2242/I:0/G:0/Y:0]
VMB      :    0 ( 0%)
Custom   :    1 ( 0%)  [1:1/2:0/3:0]
0 minutes used for scanning.
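The dat-manp and dat-stat output above reveals enough of the .dat layout (a 32-byte header followed by one status byte per number, 10000 bytes for a whole exchange) to work with these files from a script when the DOS tools will not run. The Python below is an added example, not part of THC-Scan or of this book: it parses such a file, produces dat-stat-style counts, lists the numbers in a given category, and performs a dat-manp-style replacement that accepts either a name or a numeric id. Only the UNDIALED (0), BUSY (8 through 15, one value per redial) and CUSTOM1 (224) codes come from the text; the TIMEOUT, RINGOUT, CARRIER and VOICE codes are placeholders to be taken from datfile.doc, and the sample file the script builds is constructed.

```python
"""Inspect and edit a THC-Scan-style .dat file (added example, not THC code).

Layout assumed from the dat-manp/dat-stat output: a 32-byte header followed by
one status byte per phone number, 10000 bytes for a whole exchange 0000-9999.
Codes taken from the text: UNDIALED = 0, BUSY = 8..15 (the value grows by one
per redial), CUSTOM1 = 224.  Every other code below is a placeholder; the real
values live in datfile.doc.
"""

HEADER_SIZE = 32
EXCHANGE_SIZE = 10000

UNDIALED = 0
BUSY_MIN, BUSY_MAX = 8, 15          # BUSY plus a ring count of 0..7
CUSTOM1 = 224

# Placeholder codes (hypothetical, NOT from datfile.doc) so the statistics
# can show more than three rows.
PLACEHOLDER = {"TIMEOUT": 100, "RINGOUT": 101, "CARRIER": 102, "VOICE": 103}

NAMES = {"UNDIALED": UNDIALED, "BUSY": BUSY_MIN, "CUSTOM1": CUSTOM1, **PLACEHOLDER}


def classify(code):
    """Category name for a status byte; all eight busy ring counts map to BUSY."""
    if BUSY_MIN <= code <= BUSY_MAX:
        return "BUSY"
    for name, value in NAMES.items():
        if value == code:
            return name
    return "OTHER"


def resolve(tag):
    """Accept a name ('BUSY') or a numeric id (8 or '8'), as dat-manp does."""
    if isinstance(tag, int):
        return tag
    return int(tag) if tag.isdigit() else NAMES[tag.upper()]


def parse_dat(blob):
    """Split raw file bytes into (header, list of per-number status codes)."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("file shorter than the 32-byte header")
    return blob[:HEADER_SIZE], list(blob[HEADER_SIZE:])


def stats(entries):
    """dat-stat style counts per category."""
    counts = {}
    for code in entries:
        name = classify(code)
        counts[name] = counts.get(name, 0) + 1
    return counts


def format_stats(entries):
    """Render counts with percentages in dat-stat's 'Name : count (pct%)' shape."""
    total = len(entries)
    return [f"{name:<9}: {n:5d} ({100 * n // total:2d}%)"
            for name, n in sorted(stats(entries).items())]


def numbers_with(entries, category, prefix):
    """Phone numbers whose entry falls in `category`, e.g. every CARRIER in 949-555."""
    return [f"{prefix}{i:04d}" for i, code in enumerate(entries) if classify(code) == category]


def replace(entries, old, new):
    """dat-manp style exchange of one code for another; returns (entries, changed).
    Like the tool ('Exchange : 8 (All ring counts)'), asking for BUSY matches
    every ring count 8..15."""
    old_code, new_code = resolve(old), resolve(new)
    if old_code == BUSY_MIN:
        match = lambda c: BUSY_MIN <= c <= BUSY_MAX
    else:
        match = lambda c: c == old_code
    out = [new_code if match(c) else c for c in entries]
    return out, sum(1 for c in entries if match(c))


def build_sample_dat():
    """Constructed sample file: one full exchange, mostly undialed."""
    entries = [UNDIALED] * EXCHANGE_SIZE
    for k in range(8):                     # eight busy numbers, ring count 0..7
        entries[100 + k] = BUSY_MIN + k
    entries[42] = PLACEHOLDER["CARRIER"]   # one modem found (placeholder code)
    entries[500] = CUSTOM1                 # one number carrying a custom note
    header = b"SAMPLE-HEADER".ljust(HEADER_SIZE, b"\0")  # constructed, not THC's header
    return header + bytes(entries)


if __name__ == "__main__":
    _, entries = parse_dat(build_sample_dat())
    print("\n".join(format_stats(entries)))
    print("carriers:", numbers_with(entries, "CARRIER", "949555"))
    cleared, changed = replace(entries, "BUSY", "UNDIALED")
    print(f"Changed  : {changed} entries.")
```

To use it on a real file, read the bytes from disk, call parse_dat, and write the header plus bytes(entries) back out after a replace; dat-manp's own habit of writing a .BAK copy first is worth copying.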

Case Study: Improving Remote Access Security

Tera is performing a war-dial test for a financial institution. The institution provided a text file that contained more than 12,000 phone numbers in seven different exchanges in two states and instructed her to “Find our modems.” With 12,000 numbers to go through, she decides to scan them all quickly (using a 20-second timeout) with THC-Scan to see if any high-profile modems appear. Sure enough, one pops up with the attractive banner “IRIX (seecos) Login:”. Tera's been around Unix systems for a while and her first thought is to try the lp user with a blank password. It's an easy trick and quite old (see CERT's advisory at http://www.cert.org/advisories/CA-1995-15.html). After further investigation, she discovers that the system has been kept alive as a secondary system for distributing nightly batch files in case the primary TCP/IP-based services failed. As a result, she has access to sensitive financial data—and never even needed a password!

The first rule of dial-in access security is to use strong passwords. Strong passwords not only imply “nondictionary” words of eight characters or more, but controls on the system to drop the carrier after three or five unsuccessful logins. Many dial-up servers support RADIUS authentication, through which it is easy to apply two-factor authentication. Two-factor authentication, such as S/key or SecurID cards, adds a random factor to the login process that greatly reduces the potential success of someone blindly guessing passwords.

Access can also be controlled by time windows, limiting the modem to accepting calls only during certain days or periods of the day. Some applications also support dial-back security, which stores the user's originating phone number in its authentication database. Then, when the user dials into the server and identifies herself, the server drops the call, dials the call-back number stored in the authentication database, and then completes the login process. Thus, a malicious user would not only have to guess a password, but also use the compromised account from that person's phone. Of course, this also limits how legitimate users can access the dial-in system, but it's a good measure to consider.

The final aspect of securing a dial-in server (and any server in general) is regular auditing of logfiles. If a malicious user has been knocking against passwords for three weeks but hasn't been discovered, it's only a matter of time before the server is compromised. On the other hand, a daily or weekly review of the access logs, or just the failed authentication attempts, would quickly reveal that something is amiss.
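The log review the sidebar recommends can be partly automated. The Python below is an added example (not from the book) that checks a dial-in authentication log for the two signals the sidebar discusses: repeated failed logins from one caller against one account, measured against the "three or five attempts" threshold, and successful logins outside an allowed time window. The log format, the caller-ID field, the thresholds and the business-hours window are all assumptions, and the sample lines are constructed.

```python
"""Review dial-in authentication logs (added example, not from the book).

Assumed, constructed log format, one event per line:
    <ISO-8601 timestamp> <caller-id> <username> <LOGIN-OK|LOGIN-FAIL>
Real dial-up or RADIUS servers log differently; only parse_line() depends on
this layout.  Thresholds and the time window are assumptions too.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time caller user ok")

# Constructed sample: one caller hammers the lp account at 2 a.m. and gets in,
# one ordinary business-hours login, one late-night login and one on a Saturday.
SAMPLE_LOG = """\
2004-03-01T02:10:01 9495550101 lp LOGIN-FAIL
2004-03-01T02:10:40 9495550101 lp LOGIN-FAIL
2004-03-01T02:11:15 9495550101 root LOGIN-FAIL
2004-03-01T02:11:52 9495550101 lp LOGIN-FAIL
2004-03-01T02:12:30 9495550101 lp LOGIN-OK
2004-03-01T09:30:00 9495550199 jsmith LOGIN-OK
2004-03-01T23:05:00 9495550177 batchops LOGIN-OK
2004-03-06T10:00:00 9495550199 jsmith LOGIN-OK
"""

MAX_FAILURES = 3                 # the sidebar suggests three to five
WINDOW = timedelta(hours=24)     # failures must fall inside this span to count as one burst
ALLOWED_HOURS = range(7, 20)     # assumed business window, 07:00-19:59
ALLOWED_WEEKDAYS = range(0, 5)   # Monday..Friday


def parse_line(line):
    ts, caller, user, result = line.split()
    return Event(datetime.fromisoformat(ts), caller, user, result == "LOGIN-OK")


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def failed_login_bursts(events):
    """{(caller, user): total failures} for pairs with MAX_FAILURES failures inside WINDOW."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        if not e.ok:
            fails[(e.caller, e.user)].append(e.time)
    flagged = {}
    for key, times in fails.items():
        for i in range(MAX_FAILURES - 1, len(times)):
            if times[i] - times[i - MAX_FAILURES + 1] <= WINDOW:
                flagged[key] = len(times)
                break
    return flagged


def successes_after_burst(events):
    """Successful logins by a pair already flagged: the password was probably guessed."""
    burst = failed_login_bursts(events)
    return [e for e in events if e.ok and (e.caller, e.user) in burst]


def off_hours_logins(events):
    """Successful logins outside the allowed days/hours; a time-window control would have refused them."""
    return [e for e in events
            if e.ok and (e.time.weekday() not in ALLOWED_WEEKDAYS or e.time.hour not in ALLOWED_HOURS)]


def review(text):
    """Findings as plain strings, the shape a weekly log review might mail out."""
    events = parse_log(text)
    lines = []
    for (caller, user), n in failed_login_bursts(events).items():
        lines.append(f"guessing: {n} failures for '{user}' from {caller}")
    for e in successes_after_burst(events):
        lines.append(f"compromised?: '{e.user}' logged in from {e.caller} after repeated failures at {e.time}")
    for e in off_hours_logins(events):
        lines.append(f"off-hours: '{e.user}' from {e.caller} at {e.time}")
    return lines


if __name__ == "__main__":
    print("\n".join(review(SAMPLE_LOG)))
```

Keying the failure count on the (caller, user) pair mirrors what a per-session lockout would see; keying on the user alone instead catches a guesser who rotates caller IDs, at the cost of flagging a forgetful legitimate user more often.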




Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189