CS 413 Spring 2005
Max Konovalov

Sam Spade 1.14 Open Source Security Tool by Steve Atkins

University of Alaska Anchorage, Department of Mathematical Sciences
This paper describes the Sam Spade 1.14 open source security tool and covers the following topics: the main purpose of the software; licensing and installation; setup and configuration; an overview of the main features; and a conclusion. The software contains numerous useful tools and utilities; I cover only the main and most important features of the software in this paper.

The Main Purpose

The main purpose of Sam Spade 1.14 is to provide a set of network management and analysis tools for the network administrator. Every administrator's computer contains a toolbox of utilities for network management: performance and diagnostic counters, network packet analyzers, remote control programs, administration modules for server software, and a variety of other tools. One of the most important features of Sam Spade is that it collects most of these popular, commonly used, and helpful tools in one program. Sam Spade is especially useful if a network has a permanent Internet connection.

Sam Spade for Windows offers a suite of tools for protecting mail servers against spam, analyzing and troubleshooting Web servers, and gathering information on Internet hosts. Many of these utilities were previously available only on UNIX machines. Most are aimed at stopping and tracking down spammers. Nevertheless, Sam Spade can also be used to gather general information about a network. This helps network administrators identify where an outsider could learn too much about their hosts: the lookups an administrator runs against his own domain are the same ones an attacker would run during reconnaissance. Network administrators, IT specialists, system analysts, and system security experts will find Sam Spade 1.14 very helpful and easy to use.

Licensing and Installation

Sam Spade 1.14 is distributed under the General Public License (GPL); in other words, it is free of charge. Sam Spade 1.14 runs under Windows 95, 98, ME, NT, 2000, and XP.
The installation package is available either from the CD that comes with the book or from the Sam Spade Web site (http://www.samspade.org/ssw/), where it can be downloaded freely. The installation process is very simple: double-click the spade114.exe file and follow the on-screen instructions; the setup program does all the work.

Setup and Configuration

After the installation is complete, it is recommended to adjust a few settings. The software runs without any specific configuration, but some features are available only once certain values have been entered. Setup and configuration are simple and usually take no more than a couple of minutes. Open Sam Spade and choose Edit > Options, which brings up the Options window shown in Picture 1. In the Basics tab, enter your default DNS server (or take it from DHCP); your e-mail address, which Sam Spade uses as the sender address when performing SMTP relay checks; and your ISP's Web server, so that the Awake feature can send periodic packets to keep a dial-up connection from being dropped (only relevant if you use a dial-up connection).

Picture 1: Basics tab of the Options dialog box

Click OK to save the changes. The basic setup is complete.

The Main Features

Sam Spade has a clean user interface, shown in Picture 2. It combines many of the traditional TCP/IP tools with some unique tools that give an administrator a good look at a network, and all of them come in one package. A network administrator will find versions of ping, nslookup, and traceroute. The Sam Spade versions are intuitive and flexible, especially compared with the Windows command-line versions of these TCP/IP tools. For example, the number of echo requests ping should send can be set once on the toolbar, and every subsequent ping uses that setting; at the command line, a switch such as ping -n 2 has to be typed each time.
Picture 2: Sam Spade user interface

Another useful utility is traceroute. Sam Spade offers both a fast traceroute and a slow traceroute. The fast traceroute quickly lists the hops a packet takes from the originating machine to the designated host; the slow traceroute behaves more like the traditional traceroute utility. Both options accompany the listing with a graph of the latency between hops, as shown in Picture 3.
Picture 3: Fast traceroute function

Sam Spade also includes some traditional UNIX tools, such as whois and finger. Whois is actually the default tool: simply enter a domain such as google.com in the hostname field of the Sam Spade toolbar and press Enter, and Sam Spade returns the whois information on who owns the domain name, along with other registration details such as the technical contact for the domain. In addition to nslookup, Sam Spade offers a more advanced DNS querying tool called dig, which requests all the DNS records for an individual host and/or a domain. An advanced whois tool, IP block whois, finds out who owns a block of IP addresses.

Sam Spade also provides a set of spam tools:

SMTP Verify: Checks with the mail server whether an e-mail address is a real mailbox or is being forwarded.

SMTP relay check: Measures the security of a mail server by attempting to relay mail through it to an external address. If the attempt succeeds, the server is an open relay, and spammers looking for a third-party machine to relay their mail will exploit it.

E-mail header analysis: Allows you to paste the headers of an e-mail message from your mail client into the Sam Spade toolbar and analyze them with all of the standard tools, so that each server the message passed through can be looked up. A sample output of the e-mail parser is shown in Picture 4.

Blacklist lookups and Abuse.net query: Both interact with Web sites (and organizations) that track down and report known spammers. A sample output of the Blacklist lookup is shown in Picture 5.
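The SMTP relay check described above is a short SMTP conversation, and it is worth seeing what the tool actually sends and what decides the verdict. The following is an added example written for this paper, not Sam Spade's own code: the client side issues real SMTP commands, while the mail server is a constructed in-memory stand-in (its host name, domain, and reply texts are made up) so the exchange runs offline. The verdict turns on a single reply: a 250 to RCPT TO for an address in a domain the server does not host.

```python
"""Open-relay probe in the style of Sam Spade's SMTP relay check.

Added example, not Sam Spade's code.  The client speaks real SMTP
(HELO, MAIL FROM, RCPT TO, RSET, QUIT); the server below is a constructed
stand-in so the dialogue runs offline.  Against a real server the same
client logic would run over a TCP connection to port 25.
"""
import re


class FakeSmtpServer:
    """Constructed stand-in for a mail server: accepts recipients in its own
    domain and, when open_relay is True, foreign recipients as well."""

    def __init__(self, hostname, local_domain, open_relay):
        self.hostname = hostname
        self.local_domain = local_domain.lower()
        self.open_relay = open_relay
        self.transcript = []                              # ("C"/"S", line)
        self._pending = ["220 %s ESMTP ready" % hostname]  # greeting banner

    def readline(self):
        """Client reads the next server reply."""
        line = self._pending.pop(0)
        self.transcript.append(("S", line))
        return line

    def sendline(self, line):
        """Client sends one command; the server queues its reply."""
        self.transcript.append(("C", line))
        self._pending.append(self._reply(line))

    def _reply(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 %s Hello" % self.hostname
        if verb == "MAIL":
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            match = re.search(r"<[^<>@]+@([^<>]+)>", arg)
            domain = match.group(1).lower() if match else ""
            if domain == self.local_domain or self.open_relay:
                return "250 2.1.5 Recipient ok"
            return "554 5.7.1 Relay access denied"     # a closed relay says no here
        if verb == "RSET":
            return "250 2.0.0 Reset state"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def relay_check(server, sender, probe_recipient):
    """Return (is_open_relay, transcript).

    sender is the tester's own address (the one Sam Spade asks for under
    Options > Basics).  probe_recipient must lie in a domain the server
    does not host: a 250 to RCPT TO for it means the server relays for
    strangers.  The probe stops before DATA, so no message is ever queued.
    """
    banner = server.readline()
    if not banner.startswith("220"):
        raise RuntimeError("unexpected SMTP greeting: " + banner)

    def command(line):
        server.sendline(line)
        return server.readline()

    command("HELO relaycheck.invalid")
    mail_reply = command("MAIL FROM:<%s>" % sender)
    if not mail_reply.startswith("250"):
        command("QUIT")
        raise RuntimeError("sender rejected, test inconclusive: " + mail_reply)
    rcpt_reply = command("RCPT TO:<%s>" % probe_recipient)
    is_open = rcpt_reply.startswith("250")
    command("RSET")                      # abandon the transaction
    command("QUIT")
    return is_open, server.transcript


if __name__ == "__main__":
    for open_relay in (True, False):
        srv = FakeSmtpServer("mx.example.net", "example.net", open_relay)
        is_open, transcript = relay_check(srv, "admin@example.org", "probe@elsewhere.example")
        print("open relay" if is_open else "relaying denied")
        for who, line in transcript:
            print("  %s: %s" % (who, line))
```

A 250 at RCPT TO is strong evidence but not proof: some servers accept every recipient and generate a bounce later, so the definitive test is a message relayed to a mailbox you control. Run this only against servers you administer; as the paper notes further on, relay probes against other people's servers set off alerts.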
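The e-mail header parser and the Blacklist lookup work together: the parser walks the Received: lines to find where a message entered the mail system, and the blacklist lookup asks a DNS-based block list about that address. The code below is an added example, not Sam Spade's code. The message header it parses is constructed for illustration (addresses come from the RFC 5737 documentation ranges), and the blacklist zone dnsbl.example is a placeholder for a real list.

```python
"""Received-header parsing and blacklist (DNSBL) lookup names, in the manner
of Sam Spade's e-mail header parser and Blacklist lookup.

Added example, not Sam Spade's code.  SAMPLE_HEADERS is constructed; the
zone name passed to dnsbl_query_name() stands in for a real block list.
"""
import ipaddress
import re

SAMPLE_HEADERS = """\
Return-Path: <bounce@spamtastic.example>
Received: from mx1.example.net (mx1.example.net [192.0.2.25])
\tby mail.example.org with ESMTP id 7F3A1; Mon, 14 Mar 2005 10:02:11 -0900
Received: from relay.example.net (unknown [198.51.100.7])
\tby mx1.example.net with SMTP; Mon, 14 Mar 2005 10:02:08 -0900
Received: from [203.0.113.45] (helo=friend.example)
\tby relay.example.net with smtp id 1D2c; Mon, 14 Mar 2005 10:01:59 -0900
From: "A Friend" <friend@friend.example>
Subject: You have won
"""

RECEIVED_RE = re.compile(r"from\s+(.*?)\s+by\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def unfold(raw_headers):
    """Join continuation lines (leading whitespace) back onto their field."""
    fields = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return fields


def received_chain(raw_headers):
    """Received: hops oldest first, as (sending_host_text, ip, receiving_host).

    Each server prepends its own Received: line, so the top one is the hop
    nearest to us and the bottom one is where the message entered the mail
    system.  ip is None when the receiving server recorded no address.
    """
    hops = []
    for field in unfold(raw_headers):
        name, sep, value = field.partition(":")
        if not sep or name.strip().lower() != "received":
            continue
        match = RECEIVED_RE.search(value)
        if not match:
            continue
        sender_text, receiver = match.group(1), match.group(2)
        ip = None
        for candidate in IPV4_RE.findall(sender_text):
            try:
                ip = str(ipaddress.IPv4Address(candidate))
                break
            except ipaddress.AddressValueError:
                continue
        hops.append((sender_text, ip, receiver))
    hops.reverse()
    return hops


def last_untrusted_ip(raw_headers, trusted_receivers):
    """IP of the host that handed the message to the first server you trust.

    Only Received: lines written by your own servers are reliable; a sender
    can forge everything below them.  trusted_receivers holds the names your
    servers write after "by".
    """
    for _, ip, receiver in received_chain(raw_headers):
        if receiver.lower() in trusted_receivers and ip is not None:
            return ip
    return None


def dnsbl_query_name(ip, zone):
    """Name to resolve for a blacklist lookup: reversed octets under the zone,
    e.g. 203.0.113.45 -> 45.113.0.203.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def interpret_dnsbl_answer(addresses):
    """A DNSBL answers a listed address with A records inside 127.0.0.0/8
    (RFC 5782); no answer (NXDOMAIN) means the address is not listed."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    listed = [a for a in addresses if ipaddress.IPv4Address(a) in loopback]
    return bool(listed), listed


if __name__ == "__main__":
    for sender_text, ip, receiver in received_chain(SAMPLE_HEADERS):
        print("%-15s -> %s  (%s)" % (ip, receiver, sender_text))
    origin = received_chain(SAMPLE_HEADERS)[0][1]
    print("lookup name:", dnsbl_query_name(origin, "dnsbl.example"))
```

The trust boundary matters: in the sample, the bottom hop claims the message came from 203.0.113.45, but only mail.example.org (our own server) is trusted, so the address worth checking first is the one that connected to it, 192.0.2.25. Resolving the query name with an ordinary A lookup and feeding the result to interpret_dnsbl_answer completes the blacklist check.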
Picture 4: E-Mail header parser output

Picture 5: Blacklist lookup output

The Sam Spade suite also provides some useful Web site tools. The Crawl Web tool, shown in Picture 6, crawls a Web site according to the search parameters you set, and can also download all the documents of an entire site. The program includes a Web browser that shows the raw source of a page rather than a graphical view. This browser sends no identifying information to the Web server, supports no plug-ins, scripting languages, or other browser add-ons, and never renders the HTML into a graphical form. As a result, it lets you see meta fields, hidden form fields, white-on-white text, and other tricks developers use to disguise information.

Picture 6: Crawl Web tool

Sam Spade also includes some security tools that could raise red flags if you use them to look at other companies' systems, especially those of large multinational organizations. These tools are the port scanner, the DNS zone transfer tool, and the SMTP relay checker mentioned above. The port scanner connects to TCP ports on a host. By default it scans six common ports; to scan other ports, click the Advanced button and select the ports you want, as shown in Picture 7. Be aware that running the port scanner against another network can set off intrusion detection systems: every probe is a connection attempt that the target can log.
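The port scanner described above is a TCP connect scan: for each port it attempts a full connection and counts the port open if the handshake completes. The following is an added example, not Sam Spade's code, showing that technique; so that it runs offline and touches no one else's machine, it scans a listener the script itself opens on 127.0.0.1 (the port numbers are chosen by the operating system at run time).

```python
"""TCP connect scan of the kind Sam Spade's port scanner performs.

Added example, not Sam Spade's code.  Demonstrated against a listener the
script opens on 127.0.0.1.  Every probe is a complete TCP handshake that the
target's logs and intrusion detection systems will record.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of ports on host that accept a TCP connection."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
            except OSError:             # refused, timed out, or unreachable
                return None
            return port                 # handshake completed: port is open

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def start_local_listener():
    """Open a listening socket on an OS-chosen loopback port for the demo."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    return server, server.getsockname()[1]


def free_loopback_port():
    """A port that is (almost certainly) closed: bind, note the number, release."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port.

    Returns (open_ports_found, listener_port, closed_port)."""
    server, open_port = start_local_listener()
    closed_port = free_loopback_port()
    try:
        found = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        server.close()
    return found, open_port, closed_port


if __name__ == "__main__":
    found, open_port, closed_port = demo()
    print("listener on %d, scanned %d and %d, open: %s" % (open_port, open_port, closed_port, found))
```

To scan a real host, pass its address and a port list such as range(1, 1025); the thread pool keeps a slow scan from blocking on every filtered port for the full timeout. The same connection attempts are what an intrusion detection system correlates into a port-scan alert, which is the warning the paper gives above.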
Picture 7: Advanced TCP/IP port scanner

The SMTP relay checker discussed above can likewise set off alerts at companies that guard carefully against spamming.

DNS zone transfers are extremely useful for testing your own domain to make sure attackers cannot pull a complete list of your hosts and addresses from your name servers. Once you have enabled the zone transfer tool (see the Advanced tab described below), go to the fields at the top of the Sam Spade toolbar, enter your fully qualified domain name in the hostname field (on the left) and the IP address of one of your DNS servers in the name server field (on the right), and then click Tools > Zone Transfer. If you see Query refused, you are in good shape. If instead Zone Transfer returns a list of your DNS entries, your network is exposed: you will need to disable zone transfers to arbitrary hosts on your DNS servers if you manage your own name servers, or ask your ISP to do so if it hosts DNS for your Internet servers. Repeat the test against each of your authoritative name servers, since a secondary server may allow transfers that the primary refuses.

Port scanning, SMTP relay checking, and zone transfers are disabled until you turn them on: choose Edit > Options, click the Advanced tab shown in Picture 8, and select the tools you want to use.

Picture 8: Choosing security tools in Advanced tab
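The zone transfer test above comes down to one DNS request (an AXFR query over TCP) and the response code the server returns. The following is an added example, not Sam Spade's code, that builds the request from scratch with the standard library and judges the reply exactly as the test does: REFUSED is the answer you want, a NOERROR response that already carries records means the zone is exposed. The two sample replies are constructed stand-ins so the script runs offline; axfr_over_tcp() performs the real exchange and is meant only for name servers you are authorised to test. The zone name example.com and the SOA contents are illustrative.

```python
"""Zone-transfer check like Sam Spade's Tools > Zone Transfer, built from raw
DNS messages with the standard library only.

Added example, not Sam Spade's code.  fake_reply()/fake_soa_rr() construct
server responses for offline use; axfr_over_tcp() talks to a real server.
"""
import socket
import struct

QTYPE_AXFR = 252
QTYPE_SOA = 6
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def build_axfr_query(zone, txid):
    """Length-prefixed (TCP) DNS query asking for the whole zone."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: plain query
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    message = header + question
    return struct.pack("!H", len(message)) + message


def judge_axfr_reply(reply, txid):
    """Classify the server's first response message."""
    (length,) = struct.unpack("!H", reply[:2])
    message = reply[2:2 + length]
    rid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    rcode_name = RCODES.get(rcode, str(rcode))
    if rcode in (5, 9):                  # REFUSED / NOTAUTH: transfer denied, as it should be
        return "good", rcode_name
    if rcode == 0 and ancount > 0:       # records already flowing: zone exposed
        return "vulnerable", rcode_name
    return "inconclusive", rcode_name


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data


def axfr_over_tcp(zone, nameserver, txid=0x1234, timeout=5.0):
    """Send the query to a real name server (port 53/TCP) and judge its first reply."""
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone, txid))
        prefix = _recv_exact(sock, 2)
        (length,) = struct.unpack("!H", prefix)
        return judge_axfr_reply(prefix + _recv_exact(sock, length), txid)


def fake_reply(zone, txid, rcode, answers):
    """Constructed server response echoing the question, with the given answer RRs."""
    flags = 0x8000 | (0x0400 if rcode == 0 else 0) | rcode    # QR, AA when answering
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    message = header + question + b"".join(answers)
    return struct.pack("!H", len(message)) + message


def fake_soa_rr(zone, primary_ns, mailbox):
    """Constructed SOA record (the first record of every real AXFR); its owner
    name is a compression pointer (0xC00C) to the question name at offset 12."""
    rdata = encode_name(primary_ns) + encode_name(mailbox) + struct.pack(
        "!IIIII", 2005031401, 3600, 900, 604800, 86400)
    return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata


if __name__ == "__main__":
    txid = 0x1234
    refused = fake_reply("example.com", txid, 5, [])
    leaked = fake_reply("example.com", txid, 0,
                        [fake_soa_rr("example.com", "ns1.example.com", "hostmaster.example.com")])
    print(judge_axfr_reply(refused, txid))   # ('good', 'REFUSED')
    print(judge_axfr_reply(leaked, txid))    # ('vulnerable', 'NOERROR')
```

A real transfer may span several TCP messages; the verdict here rests on the first one, which is enough to tell refusal from disclosure. As the text says, run the check against every authoritative server for the zone, not only the one listed first.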
Table 1 summarizes the most useful Sam Spade functions.

Ping: The same as the built-in Windows and UNIX ping, except that the number of pings is easy to configure and the output is a little more verbose.
Nslookup: Similar to the UNIX command of the same name.
Whois: Similar to the UNIX command of the same name.
IPBlock: Checks the ARIN database for an IP address or range of addresses and reports what it finds: the organization that owns the addresses, the ISP they were allocated from, and the various contacts, including an abuse contact if one was registered.
Trace: Similar to the traceroute command, with additional information such as the reverse DNS entry of each hop and a graphical display of the latency between hops.
Finger: Similar to the UNIX command of the same name.
Blacklist: Checks whether your mail server is listed in any of the e-mail black hole lists (databases of addresses known to send spam). If your address ends up in one (for example, because your server was left open as a mail relay), some people will no longer be able to receive mail from you.
Abuse: Looks up the official abuse contact for a set of IP addresses so you can file a complaint if you are having a problem with one of their addresses.
Scan Addresses: Performs a basic port scan of a range of addresses. This very simple port scanner identifies open network ports.
Crawl website: Crawls a Web site, identifying each link, page, form, and other file it can reach. This is useful for finding all the pages a site references and for discovering files you were not aware were there.

Table 1: Sam Spade Main Functions

Conclusion

Sam Spade offers a great all-in-one security analysis suite of TCP/IP and networking tools.
Although it is mostly useful for Internet service providers and security professionals, it can also be very valuable for network administrators who manage Internet servers and external security (including firewalls and access control lists on routers). It can also be useful for network consultants evaluating sites and making recommendations for improving performance and security.