Sam Spade: A Multifunction Information Toolkit
An edited version of this paper with the title "Sam Spade, Systems Detective" originally appeared in the September 2001 issue of Information Security Magazine (www.infosecuritymag.com). Copyright © 2001. All rights reserved.
Systems and security administrators have a number of useful tools at their disposal to obtain information about computers attached to other networks on the Internet, as well as information about the Internet itself. Ping, traceroute, whois and nslookup are among the essential utilities for even rudimentary maintenance and testing. But the native Windows environment includes only a few of these tools and they are, by and large, individual command line utilities and one has to go to third parties to obtain many of the missing utilities. Sam Spade is a nice piece of software that combines many of these common tools -- and several more uncommon ones -- into a single, integrated, Windows-compatible package.
Jack of All Trades
Sam Spade runs on all versions of Windows starting with Windows 95 and makes it simple to do a lot of investigation and analysis quickly, from determining the owner of a particular IP address block to examining the contents of a Web page. It also has several features that are specific to the detection of spam and sites that relay spam. Like a real private detective, Sam Spade doesn't do anything that you couldn't do yourself if you knew how and had the right tools; this software integrates the capabilities found in ping, traceroute, time, whois, nslookup, finger, DIG, a packet sniffer, a port scanner, a scripting language, and more, all with a nice GUI to boot.
FIGURE 1. The Sam Spade command console.
Figure 1 shows the Sam Spade command console. The various tools can be accessed via the pulldown menus, and several from the icons on the left side of the window.
FIGURE 2. Sam Spade configuration dialog box.
Although most of Sam Spade's features will run immediately upon installation, the more interesting and useful features require some minimal configuration. The configuration dialog box (Figure 2) is accessible from the Edit, Options pulldown menu. Key features to configure are your default name server, e-mail address, and Web site on the Basics tab; the network news server on the News tab; and e-mail information for abuse e-mails on the Mail tab. Users can also configure a time server (Miscellaneous tab), log file locations (Logfiles tab), and scripting file locations (Scripting tab). Advanced users can also specify whether DNS zone transfers, port scanning, and/or e-mail relay checking is allowed (Advanced tab).
Although most of Sam Spade's features will run immediately upon installation, some functions require configuration, including your default name server, e-mail address, Web site, network news server, time server, and log file locations. Users can also specify whether DNS zone transfers, port scanning, and/or e-mail relay checking are allowed;. these may be useful features for a knowledgeable user but can be mistaken as an attack by a remote system, so their use should be limited.
All of the functions become available when the user enters a host name, domain name, or e-mail address in the address window, seen at the upper left of the main console screen. One of the advantages of this bundle of tools in one package is that once you enter a name or address, you can merely click on different tools to quickly obtain information.
Tools for Address, Domain, and Host Information
The bulk of Sam Spade's utilities allow the user to look up information about a remote host or domain, generally for the purpose of initial reconnaissance or forensic analysis:
- Ping sends a series of packets to the indicated host to determine if that system is reachable via the network and provides an estimate of the round trip packet time.
- Traceroute traces the route that packets take from the user's system to the specified target host address, listing all intermediate routers and showing a graph of the hop-by-hop delay times. Fast and slow traceroute differ only in the number of attempts made to learn the route.
- Nslookup and Decode URL display the IP address and name of a specified host. This can help an investigator learn about the owner of a system from the domain name or obtain an IP address with which to further investigate the geographic location of a system.
- Whois provides ownership and contact information for the specified host's domain. This tool is increasingly convenient as the number of domain name registrars grows. When Network Solutions was the sole registrar for .com, for example, their whois database was the only one you needed to search. With about 100 accredited registrars today, you have to do a search just to find out which registrar to lookup. Sam Spade's whois function does this for you.
- IP Block indicates the owner of the IP address block to which the specified host belongs. By identifying the owner of an address block, you can start to narrow down where a host is geographically located and/or learn about the host's upstream Internet service provider (ISP).
- DIG (Domain Internet Groper), like nslookup, looks up DNS information. Sam Spade's DIG function returns all DNS records associated with a specified host or domain, including the start of authority (SOA), mail exchange (MX) and name server (NS) records. This information allows the user to determine where to send e-mail to a host's domain and how to access the manager of the domain's name space.
- Zone Transfer is used to request that a DNS server send all of the information that it has about a given domain. Properly configured DNS servers will not comply with this request as a security precaution, but it will work surprisingly often. This is a great way to test your own name servers.
- Finger obtains host/user information from a system running the finger daemon (TCP port 79). Finger is generally (or should be) disabled at a host because it can give an attacker a lot of information about users and/or the host itself, but it isn't always turned off.
Tools for E-mail and Spam
Several of the Sam Spade utilities are targeted at e-mail, allowing an end user or security administrator to determine the validity of e-mail header information as well as to fight back against spam. The program also provides an extensive tutorial on tracking and combating spam. These tools include:
- SMTP Verify can be used to send a Simple Mail Transfer Protocol (SMTP) VRFY command to a suspect mail server to confirm the validity of an e-mail address, such as that of the sender of a spam message (ever notice that most of the return addresses are bogus?). This function is generally (or should be) disabled at an SMTP server because it can give an attacker a lot of information about e-mail users. However, it isn't always turned off and it is worth checking out.
- Blacklist checks to see if the specified host name/address is listed with the Mail Abuse Prevention System (MAPS) Realtime Blackhole List (RBL), Dial-up Users List (DUL) or Relay Spam Stopper (RSS). More information about this function can be found at the MAPS Web site at www.mail-abuse.org.
- SMTP Relay Check determines if a specified e-mail server will allow SMTP relaying. Most e-mail servers are configured to prohibit relaying, but spammers look for SMTP servers that relay to help them cover their tracks. Many sites block all incoming e-mail originating from an e-mail server known to relay e-mail because of the spam potential.
FIGURE 3. E-mail header parsing and verification.
- Parse e-mail headers allows the user to verify a set of headers from an e-mail message. As shown in Figure 3, the mail headers can be copied directly from an e-mail message and pasted into the parse e-mail headers dialog box, where. Sam Spade will then indicate whether the mail headers appear to be valid or not. Spammers or others looking to cover their e-mail tracks will often put in false e-mail header information.
- Abuse Lookup finds the e-mail address to where notifications of possible spam coming from the specified domain should be sent. Most ISPs maintain an address of the form abuse@<ISP.net>.
- Check Cancels searches for USENET canceled messages. The original intent of cancel was to allow someone who sent a USENET message to cancel the message it if they wanted to, and it is now used largely to automatically cancel spam.
Tools to Examine a Server or Web Site
Several Sam Spade tools allow a user to more closely examine the services available from another host, with particular attention to obtaining information about Web servers:
- Scan Addresses is a minimal port-scanning utility that allows a user to scan a specified set of IP address to detect open ports (which indicates what Internet services are available).
FIGURE 4. Web page display from Sam Spade.
- Browse Web is actually a bare-bones Web browser. Rather than displaying the rendered Hypertext Markup Language (HTML) page, however, this function displays the raw Hypertext Transfer Protocol (HTTP) code (Figure 4), providing such details about the Web server as the operating system, Web server software, and HTTP extensions. It is also very useful for debugging CGI scripts or when looking at potentially malicious Web sites.
- Crawl Web site allows you to specify a URL and download all accessible pages from a Web site.
Sam Spade's additional tools include:
- Time sets the user's host system time from a network time server.
- Awake provides a "keep alive" function for dial-up connections by connecting to the configured default Web site once a minute.
- S-Lang is an embedded S-Lang interpreter. S-Lang is an application library designed to allow a developer to create multi-platform software and available applications include a simple text editor, a scriptable newsreader, an Internet Relay Chat (IRC) bot and client, an e-mail reader and a lot more. (A complete description of S-Lang is well beyond the scope of this article. Additional information about S-Lang is available at the S-Lang Web site at www.s-lang.org.)
I wanted to write about Sam Spade because it is one of the most common security tools that I use. It is versatile and it quickly provides a lot of the basic information that I need at the beginning of any analysis that I am going to do. Indeed, I don't try to fight back against every spam message I get nor do I check out the HTML code from every Web site I visit, but I do use those tools when I need them.
Sam Spade, however, is but one tool in my toolkit. What it does, it does well, but it doesn't do everything. If I am doing serious port scanning, I usually use nmap. If I really want to see the packets on the line, even from a Web site, I run to tcpdump or Sniffer. And I really do wish Sam Spade would tell me who owns an individual IP address block. Nevertheless, Sam Spade is a great tool; it is my 11-in-1 LeatherMan® security utility.
Sam Spade v1.14 is available at no cost from the Sam Spade Web site at www.samspade.org/ssw. Most of these functions are also available directly via a Web interface at the same site (www.samspade.org).
ABOUT THE AUTHOR: Gary C. Kessler is an Assistant Professor and program director of the Computer Networking major at Champlain College in Burlington, Vermont, and an independent consultant and writer. His e-mail address is email@example.com.