
Name: Salma Mukhtar Mohamed
1. Sam Spade Tool:
Sam Spade is a useful tool that helps obtain information about computers attached to
other networks on the Internet, as well as information about the Internet itself.
Sam Spade runs on all versions of Windows starting with Windows 95 and makes it
simple to do a lot of investigation and analysis quickly, from determining the owner of a
particular IP address block to examining the contents of a Web page. It also has several
features that are specific to the detection of spam and sites that relay spam. Like a real
private detective, Sam Spade doesn't do anything that you couldn't do yourself if you knew
how and had the right tools; this software integrates the capabilities found in ping,
traceroute, time, whois, nslookup, finger, DIG, a packet sniffer, a port scanner, a scripting
language, and more, all with a nice GUI to boot.
Screenshot for the main screen in Sam Spade Tool
The two main drop-down menus in the Sam Spade tool bar are the Basics menu and the Tools
menu. Each of them provides the user with different functionality of the tool.
1. TOOLS FOR ADDRESS, DOMAIN, AND HOST INFORMATION:
These tools allow the user to look up information about a remote host or domain, generally
for the purpose of initial reconnaissance or forensic analysis. They include:
Screenshot for the Basics menu in Sam Spade Tool
• Ping:
Sends a series of packets to the indicated host to determine if that system is
reachable via the network and provides an estimate of the round trip packet time.
Screenshot for the Ping Feature in Sam Spade Tool
• Traceroute:
Traces the route that packets take from the user's system to the specified target
host address, listing all intermediate routers and showing a graph of the hop-by-hop
delay times. Fast and slow traceroute differ only in the number of attempts
made to learn the route.
Screenshot for the Traceroute Feature in Sam Spade Tool
• Nslookup and Decode URL:
Displays the IP address and name of a specified host. This can help an investigator
learn about the owner of a system from the domain name or obtain an IP address
with which to further investigate the geographic location of a system.
Screenshot for the Nslookup Feature in Sam Spade Tool

• Whois:
Provides ownership and contact information for the specified host's domain. This tool is
increasingly convenient as the number of domain name registrars grows. When Network
Solutions was the sole registrar for .com, for example, their whois database was the only
one you needed to search. With about 100 accredited registrars today, you have to do a
search just to find out which registrar to look up. Sam Spade's whois function does this for
you.
Screenshot for Whois Feature in Sam Spade Tool
• IP Block:
Indicates the owner of the IP address block to which the specified host belongs.
By identifying the owner of an address block, you can start to narrow down where
a host is geographically located and/or learn about the host's upstream Internet
service provider (ISP).
• DIG (Domain Internet Groper):
Like nslookup, looks up DNS information. Sam Spade's DIG function returns all
DNS records associated with a specified host or domain, including the start of
authority (SOA), mail exchange (MX) and name server (NS) records. This
information allows the user to determine where to send e-mail to a host's domain
and how to access the manager of the domain's name space.
• Zone Transfer:
Used to request that a DNS server send all of the information that it has about a
given domain. Properly configured DNS servers will not comply with this request
as a security precaution, but it will work surprisingly often. This is a great way to
test your own name servers.
• Finger:
Obtains host/user information from a system running the finger daemon (TCP port
79). Finger is generally (or should be) disabled at a host because it can give an
attacker a lot of information about users and/or the host itself, but it isn't always
turned off.
Screenshot for the Basics menu in Sam Spade Tool
2. TOOLS FOR E-MAIL AND SPAM:
These tools allow an end user or security administrator to determine the validity of e-mail
header information as well as to fight back against spam. The program also provides an
extensive tutorial on tracking and combating spam. They include:
• SMTP Verify:
Can be used to send a Simple Mail Transfer Protocol (SMTP) VRFY command to
a suspect mail server to confirm the validity of an e-mail address, such as that of
the sender of a spam message (ever notice that most of the return addresses are
bogus?). This function is generally (or should be) disabled at an SMTP server
because it can give an attacker a lot of information about e-mail users. However, it
isn't always turned off and it is worth checking out.
• Blacklist:
Checks to see if the specified host name/address is listed with the Mail Abuse
Prevention System (MAPS) Realtime Blackhole List (RBL), Dial-up Users List
(DUL) or Relay Spam Stopper (RSS).
• SMTP Relay Check:
Determines if a specified e-mail server will allow SMTP relaying. Most e-mail
servers are configured to prohibit relaying, but spammers look for SMTP servers
that relay to help them cover their tracks. Many sites block all incoming e-mail
originating from an e-mail server known to relay e-mail because of the spam
potential.
• Parse e-mail headers:
Allows the user to verify a set of headers from an e-mail message. As shown in
Figure 3, the mail headers can be copied directly from an e-mail message and
pasted into the parse e-mail headers dialog box. Sam Spade will then
indicate whether the mail headers appear to be valid or not. Spammers or others
looking to cover their e-mail tracks will often put in false e-mail header
information.
• Abuse Lookup:
Finds the e-mail address to which notifications of possible spam coming from the
specified domain should be sent. Most ISPs maintain an address of the form
abuse@<ISP.net>.
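The check that the "Parse e-mail headers" function performs can be reproduced outside the GUI. The following Python script is an added example; it is not Sam Spade's code and not part of this report. The message it reads is constructed (hosts under example.org/.net/.com and documentation addresses), and the rule it applies is an assumption about what "valid" means: each Received: line's "from" host should be the host that the next older line says it was received "by", the announced (HELO) name should agree with the reverse DNS in parentheses, and a sender with no reverse DNS is flagged.

```python
"""Sanity checks on an e-mail's Received: chain.

Added example, not Sam Spade code: walk the Received: headers the way the
"Parse e-mail headers" function does and report where the chain breaks.
"""
import email
import re

# Constructed sample message (not taken from any real mail). Each MTA prepends
# its own Received: line, so the first one is the newest hop. The oldest hop
# is deliberately inconsistent with the hop above it.
SAMPLE_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTP id ABC123
\tfor <user@example.net>; Mon, 12 May 2003 10:05:12 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx1.example.org (Postfix) with ESMTP id DEF456;
\tMon, 12 May 2003 10:05:01 +0000
Received: from bogus.invalid (unknown [203.0.113.99])
\tby smtp.forged.example (qmail) with SMTP;
\tMon, 12 May 2003 10:04:50 +0000
From: someone@example.com
To: user@example.net
Subject: test

body
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>"; the parenthesised part is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(raw_message: str) -> list:
    """Return one dict per Received: header, newest first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value)).strip()  # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            hops.append({"raw": flat, "helo": None, "rdns": None, "ip": None, "by": None})
            continue
        hop = m.groupdict()
        hop["raw"] = flat
        hop["by"] = hop["by"].rstrip(";)")  # drop punctuation glued to the host
        hops.append(hop)
    return hops


def check_chain(hops: list) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["by"] is None:
            findings.append(f"hop {i}: could not parse: {hop['raw']}")
            continue
        if hop["rdns"] in (None, "", "unknown"):
            findings.append(f"hop {i}: no reverse DNS for {hop['ip'] or 'sender'} "
                            f"(claimed HELO {hop['helo']})")
        elif hop["rdns"].lower() != hop["helo"].lower():
            findings.append(f"hop {i}: HELO name {hop['helo']} does not match "
                            f"reverse DNS {hop['rdns']}")
        # The host that received the next older hop must be the host that handed
        # this hop on; a break here is where forged lines usually begin.
        if i + 1 < len(hops) and hops[i + 1]["by"]:
            prev_by = hops[i + 1]["by"].lower()
            if hop["helo"].lower() != prev_by and (hop["rdns"] or "").lower() != prev_by:
                findings.append(f"hop {i}: received from {hop['helo']}, but the next "
                                f"older hop was handled by {hops[i + 1]['by']}")
    return findings


if __name__ == "__main__":
    for line in check_chain(parse_received(SAMPLE_MESSAGE)) or ["chain looks consistent"]:
        print(line)
```

Running the file prints two findings for the constructed message: the break between hops 1 and 2, and the missing reverse DNS on the oldest hop. Everything below the first break was written by someone other than the servers above it, which is why the oldest Received: lines of a spam message are the least trustworthy, and why an abuse report should name the first hop that can actually be verified.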
3. TOOLS TO EXAMINE A SERVER OR WEB SITE
Several Sam Spade tools allow a user to more closely examine the services available from
another host, with particular attention to obtaining information about Web servers:
• Scan Addresses:
A minimal port-scanning utility that allows a user to scan a specified set of IP
addresses to detect open ports (which indicate what Internet services are available).
• Check Cancels:
Searches for USENET canceled messages. The original intent of cancel was to
allow someone who sent a USENET message to cancel the message if they
wanted to, and it is now used largely to automatically cancel spam.
• Browse Web:
Actually a bare-bones Web browser. Rather than displaying the rendered
Hypertext Markup Language (HTML) page, however, this function displays the
raw Hypertext Transfer Protocol (HTTP) code (Figure 4), providing such details
about the Web server as the operating system, Web server software, and HTTP
extensions. It is also very useful for debugging CGI scripts or when looking at
potentially malicious Web sites.
Screenshot for Browse Web Feature in Sam Spade Tool
• Crawl Web Site:
Allows you to specify a URL and download all accessible pages from a Web
site.
Screenshot for Crawl Web Feature in Sam Spade Tool
4. MISCELLANEOUS TOOLS LIKE:
• Time:
Sets the user's host system time from a network time server.
• Awake:
Provides a "keep alive" function for dial-up connections by connecting to the
configured default Web site once a minute.
NOTE:
Most of the features do not work, and others make the program dump and close. Also, there
are many notes on the web confirming that, while Sam Spade is an effective tool, there
are a lot of tools more efficient than it.
2. TCPDUMP TOOL:


TCPDump can be used to capture some or all packets received by a network
interface. The range of packets captured can be specified by using a combination
of logical operators and parameters such as source and destination MAC or IP
addresses, protocol types (IP and Ethernet) and TCP/UDP port numbers.
TCPDump output has the following format.
Screenshot for TCPDump Tool
FOR UDP DATAGRAMS
15:22:41.400299 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 110
Timestamp: 15:22:41.400299
Source address: orac.erg.abdn.ac.uk
Source port: 1052
Destination address: 224.2.156.220
Destination port: 57392
Protocol: udp
Size: 110
FOR TCP DATAGRAMS
16:23:01.079553 churchward.erg.abdn.ac.uk.33635 > gordon.erg.abdn.ac.uk.32772: P 12765:12925(160) ack 19829 win 24820 (DF)
Timestamp: 16:23:01.079553
Source address: churchward.erg.abdn.ac.uk
Source port: 33635
Destination address: gordon.erg.abdn.ac.uk
Destination port: 32772
Flags: P (indicates that the PUSH flag is set)
Sequence number (also the start byte): 12765:
Data bytes run from the sequence number up to, but not including: 12925
Number of user data bytes in the datagram: (160)
Acknowledgement, window size and header flags: ack 19829 win 24820 (DF)
This may seem primitive to some users, but it provides power and flexibility that is not
available with the common captive interface alternatives.
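The two line shapes above can be turned into structured records with a short parser, which is what a log-review script or a detection rule needs before it can ask questions of the capture. The following Python is an added example, not tcpdump's code and not part of this report. SAMPLE_LINES holds the two lines shown above; the regular expressions assume the older tcpdump summary format they use (hostname with the port appended after a dot, TCP flag letters before the sequence range). The seq_consistent check verifies the relation the TCP breakdown describes: the end of the byte range minus its start equals the byte count in parentheses.

```python
"""Parse tcpdump one-line summaries into dicts.

Added example; not tcpdump code. Handles the UDP ('udp N') and TCP
('P seq:seq(len) ack N win N (DF)') shapes shown in the report.
"""
import re

# The two lines from the report, used as sample input.
SAMPLE_LINES = [
    "15:22:41.400299 orac.erg.abdn.ac.uk.1052 > 224.2.156.220.57392: udp 110",
    "16:23:01.079553 churchward.erg.abdn.ac.uk.33635 > gordon.erg.abdn.ac.uk.32772: "
    "P 12765:12925(160) ack 19829 win 24820 (DF)",
]

# timestamp  src.port > dst.port: <protocol-specific rest>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<rest>.*)$"
)
UDP_RE = re.compile(r"^udp\s+(?P<len>\d+)")
# flags, optional 'start:end(len)', optional 'ack N', optional 'win N'
TCP_RE = re.compile(
    r"^(?P<flags>[SFPRU.]+)\s+"
    r"(?:(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"(?:win\s+(?P<win>\d+))?"
)


def parse_line(line: str) -> dict:
    """Split one summary line into its fields; raise on an unknown layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    pkt = {
        "timestamp": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
    }
    rest = m.group("rest")
    u = UDP_RE.match(rest)
    if u:
        pkt["proto"] = "udp"
        pkt["length"] = int(u.group("len"))
        return pkt
    t = TCP_RE.match(rest)
    if t:
        pkt["proto"] = "tcp"
        pkt["flags"] = t.group("flags")
        pkt["push"] = "P" in t.group("flags")
        pkt["seq_start"] = int(t.group("seq_start")) if t.group("seq_start") else None
        pkt["seq_end"] = int(t.group("seq_end")) if t.group("seq_end") else None
        pkt["length"] = int(t.group("len")) if t.group("len") else 0
        pkt["ack"] = int(t.group("ack")) if t.group("ack") else None
        pkt["win"] = int(t.group("win")) if t.group("win") else None
        pkt["dont_fragment"] = "(DF)" in rest
        return pkt
    pkt["proto"] = "unknown"   # keep the text so nothing is silently dropped
    pkt["detail"] = rest
    return pkt


def seq_consistent(pkt: dict) -> bool:
    """For TCP, end of the byte range minus its start must equal the byte count."""
    if pkt.get("proto") != "tcp" or pkt.get("seq_start") is None:
        return True
    return pkt["seq_end"] - pkt["seq_start"] == pkt["length"]


def parse_lines(lines) -> list:
    """Parse many lines, e.g. the contents of a saved tcpdump text log."""
    return [parse_line(line) for line in lines if line.strip()]


if __name__ == "__main__":
    for pkt in parse_lines(SAMPLE_LINES):
        print(pkt, "seq ok" if seq_consistent(pkt) else "seq MISMATCH")
```

A line that parses as "unknown" is kept with its raw text rather than discarded, so a reviewer can see which formats the parser does not yet cover instead of silently losing packets.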
OPTIONS
The tcpdump utility provides dozens of options, but I'll just cover a few of them here:
• -A: Print each packet in ASCII.
• -c N: Where the letter N is a number, this option tells tcpdump to exit after N packets.
• -i interface: Capture packets on the specified network interface.
• -n: Don't resolve addresses to names.
• -q: Provide less verbose ("quiet") output so output lines are shorter.
• -r filename: Read packets from the specified file rather than a network interface. This is
usually used after raw packets have been logged to a file with the -w option.
• -t: Don't print a timestamp on each line of output.
• -v: Provide more verbose output. Verbosity can be increased more with -vv, and even
more than that with -vvv.
• -w filename: Write raw packets to the specified file.
EXPRESSIONS
The tcpdump utility also supports command-line expressions, used to define filtering rules
so that you get exactly the traffic you want to see, ignoring "uninteresting" packets.
Expressions consist of a number of primitives and, optionally, modifier terms.
The following primitives and modifiers do not constitute a comprehensive list, but they are
among the most commonly useful.
PRIMITIVES
• dst foo: Specify an address or hostname to limit captured packets to traffic sent to a
particular host.
• host foo: Specify an address or hostname to limit captured packets to traffic to and
from a particular host.
• net foo: Specify a network or network segment using CIDR (Classless Inter-Domain
Routing) notation to limit packet capture.
• proto foo: Specify a protocol to limit captured packets to network traffic using that
protocol.
• src foo: Specify an address or hostname to limit captured packets to traffic sent by a
particular host.
MODIFIERS
• and: Use this to chain together primitives when you want to limit captured packets to
those that meet the requirements of the expressions on both sides of the and.
• not: Use this modifier just before a primitive when you want to limit captured packets
to those that do NOT meet the requirements of the following expression.
• or: Use this to chain together primitives when you want to limit captured packets to
those that meet the requirements of one or more of the expressions on either side of the
or.
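To show how the primitives and modifiers above combine, the following Python is an added example; it is not tcpdump or libpcap code and not part of this report. It parses expressions built from the primitives listed above (plus port and parentheses, which tcpdump also accepts) with tcpdump's precedence (not binds tightest, then and, then or) and applies them to PACKETS, a constructed list of packet records that stands in for a live capture. Hosts are compared as literal strings, so the sample expressions use IP addresses; tcpdump itself would resolve a hostname first.

```python
"""A small evaluator for tcpdump-style filter expressions.

Added example, not tcpdump/libpcap code. Grammar (same precedence as tcpdump):
    expr   := term ('or' term)*
    term   := factor ('and' factor)*
    factor := 'not' factor | '(' expr ')' | primitive arg
"""
import ipaddress

# Constructed sample traffic (documentation address ranges, not a real capture).
PACKETS = [
    {"src": "192.0.2.10", "sport": 1052, "dst": "224.2.156.220", "dport": 57392, "proto": "udp"},
    {"src": "192.0.2.20", "sport": 33635, "dst": "192.0.2.30", "dport": 32772, "proto": "tcp"},
    {"src": "198.51.100.5", "sport": 4444, "dst": "192.0.2.30", "dport": 22, "proto": "tcp"},
    {"src": "192.0.2.30", "sport": 53, "dst": "198.51.100.5", "dport": 40000, "proto": "udp"},
]

PRIMITIVES = {"host", "src", "dst", "net", "proto", "port"}
KEYWORDS = {"and", "or", "not", "(", ")"} | PRIMITIVES


def tokenize(expr: str) -> list:
    """Split on whitespace, treating parentheses as their own tokens."""
    return expr.replace("(", " ( ").replace(")", " ) ").split()


def match_primitive(kind: str, arg: str, pkt: dict) -> bool:
    """Evaluate one primitive against a packet record."""
    if kind == "host":
        return arg in (pkt["src"], pkt["dst"])
    if kind == "src":
        return pkt["src"] == arg
    if kind == "dst":
        return pkt["dst"] == arg
    if kind == "net":   # CIDR match on either endpoint
        net = ipaddress.ip_network(arg, strict=False)
        return any(ipaddress.ip_address(pkt[k]) in net for k in ("src", "dst"))
    if kind == "proto":
        return pkt["proto"] == arg
    if kind == "port":
        return int(arg) in (pkt["sport"], pkt["dport"])
    raise ValueError(f"unknown primitive {kind}")


class Filter:
    """Recursive-descent parser that compiles an expression to a predicate."""

    def __init__(self, expr: str):
        self.toks = tokenize(expr)
        self.pos = 0
        self.pred = self._expr()
        if self.pos != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.pos:]}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def _expr(self):
        left = self._term()
        while self._peek() == "or":
            self._take()
            right = self._term()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, right)
        return left

    def _term(self):
        left = self._factor()
        while self._peek() == "and":
            self._take()
            right = self._factor()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, right)
        return left

    def _factor(self):
        tok = self._take()
        if tok == "not":
            inner = self._factor()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in PRIMITIVES:
            arg = self._take()
            if arg in KEYWORDS:
                raise ValueError(f"{tok} needs an argument, got {arg!r}")
            return lambda p, k=tok, a=arg: match_primitive(k, a, p)
        raise ValueError(f"unexpected token {tok!r}")

    def __call__(self, pkt: dict) -> bool:
        return self.pred(pkt)


def apply_filter(expr: str, packets=PACKETS) -> list:
    """Return the packets that the expression selects."""
    f = Filter(expr)
    return [p for p in packets if f(p)]


if __name__ == "__main__":
    for e in ("host 192.0.2.30", "proto tcp and not port 22", "not net 192.0.2.0/24"):
        print(f"{e!r}: {len(apply_filter(e))} packet(s)")
```

The precedence matters in practice: "proto tcp and not port 22" keeps only TCP traffic that touches neither port 22 endpoint, while "not net 192.0.2.0/24" selects nothing from the sample because every record has at least one endpoint inside that block. Getting a filter wrong in the other direction (too broad) only costs disk; too narrow a filter silently discards the evidence you were after, which is why it pays to test an expression against known traffic before relying on it for a capture.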
NOTE:
TCPDump works only for the feature of identifying the packets and the destination and
source IP and port number with the time stamp of the packet, but the functions above do not
run as it's a trial version.