Rixstep

Spiking the Network

Finding your way around the system and the net both.



The ACP network utility bundle Spike beats Apple's own hands down; that much is known and accepted. Apple's is based on running command line Unix programs behind the scenes; Spike runs on its own code taken in great part from earlier projects on other platforms, the one exception being 'trace' which requires root access to adjust the 'time to live' values for the packets. But even this code is Spike's own.

Block

Block is part of a common task known as 'fingerprinting': for whatever reason finding out who else is on a subnet. If you want to find out who else is at home you simply tick the box for 'ping'.

Should you feel really ambitious you can scan an entire B-class network with 16,777,216 IP addresses.

You can input either an IP or a domain.

DNS

DNS is used to resolve domains, IPs, and LAN machines. But what if it reports back 'connection failed' for a given IP?

All is not lost: simply click on the last tab ('Whois') and try again. Spike is set by default to query the GeekTools service; this service will automatically choose the ARIN service; and you'll get back information from ARIN identifying the IP.

At times you'll get back something like the following.

GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.arin.net.
Results:
AT&T WorldNet Services WORLDNET-MIS3 (NET-209-64-0-0-1)
                                  209.64.0.0 - 209.65.255.255
AT&T WorldNet Services ATTSVCM-209-64-0-0 (NET-209-64-0-0-2)
                                  209.64.0.0 - 209.64.7.255

Notice what's going on: ARIN is telling you who owns what block and who within a given block has a specific IP range. In the above example it's AT&T who own it all; but given within parentheses are the net block owners.

Take the final example (NET-209-64-0-0-2) and feed that back into Whois again.

GeekTools Whois Proxy v5.0.4 Ready.

Checking server [whois.arin.net]
Results:

OrgName:    AT&T WorldNet Services
OrgID:      ATTW
Address:    200 S. Laurel AVE.
City:       MIDDLETOWN
StateProv:  NJ
PostalCode: 07748
Country:    US

NetRange:   209.64.0.0 - 209.64.7.255
CIDR:       209.64.0.0/21
NetName:    ATTSVCM-209-64-0-0
NetHandle:  NET-209-64-0-0-2
Parent:     NET-209-64-0-0-1
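
The referral step above, as an added example (not Spike's code): it parses the ARIN summary quoted on this page, derives the CIDR for each range, and picks the net handle to feed back into Whois. The queried address 209.64.3.10 and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# ARIN summary reply exactly as quoted on this page.
SUMMARY = """\
AT&T WorldNet Services WORLDNET-MIS3 (NET-209-64-0-0-1)
                                  209.64.0.0 - 209.65.255.255
AT&T WorldNet Services ATTSVCM-209-64-0-0 (NET-209-64-0-0-2)
                                  209.64.0.0 - 209.64.7.255
"""

HANDLE_LINE = re.compile(
    r"^(?P<org>.+?)\s+(?P<name>\S+)\s+\((?P<handle>NET-[\d-]+)\)\s*$")
RANGE_LINE = re.compile(
    r"^\s*(?P<first>\d+(?:\.\d+){3})\s+-\s+(?P<last>\d+(?:\.\d+){3})\s*$")


def parse_summary(text):
    """Pair each 'OrgName NetName (NetHandle)' line with the range line after it."""
    blocks, pending = [], None
    for line in text.splitlines():
        m = HANDLE_LINE.match(line)
        if m:
            pending = m.groupdict()
            continue
        r = RANGE_LINE.match(line)
        if r and pending:
            first = ipaddress.IPv4Address(r["first"])
            last = ipaddress.IPv4Address(r["last"])
            pending["first"], pending["last"] = first, last
            # A range may need several CIDR blocks; both ranges here need one.
            pending["cidrs"] = list(ipaddress.summarize_address_range(first, last))
            blocks.append(pending)
            pending = None
    return blocks


def most_specific(blocks, ip):
    """Return the smallest block containing ip: the handle to query next."""
    addr = ipaddress.IPv4Address(ip)
    hits = [b for b in blocks if b["first"] <= addr <= b["last"]]
    return min(hits, key=lambda b: int(b["last"]) - int(b["first"]), default=None)


if __name__ == "__main__":
    for b in parse_summary(SUMMARY):
        print(b["handle"], b["name"], [str(c) for c in b["cidrs"]])
    # 209.64.3.10 is a constructed address inside the smaller block.
    print("query next:", most_specific(parse_summary(SUMMARY), "209.64.3.10")["handle"])
```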

Get & Head

Get and Head are related; both show you the HTTP headers your browser won't show you; Get fetches the entire page whilst Head settles for the headers. And those headers can tell you a lot. You'll most likely be able to see which software the server's running; you might be able to see when a page was last modified; you'll see attempts to plant cookies and other goodies.

HTTP/1.1 200 OK
Server: Apache/2.2.9
Accept-Ranges: bytes
Content-Length: 2399
Connection: close
Content-Type: text/html
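
What those headers give away, checked from the server owner's side in an added example (not Spike's code): it parses a raw response head and reports version banners, Last-Modified, and cookies set without protective attributes. The Set-Cookie line and the function name are constructed for illustration; the other headers are the ones shown above.

```python
from email import message_from_string
import re

# Response head from this page plus one constructed Set-Cookie line.
RAW = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.9\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 2399\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=abc123; Path=/\r\n"
    "\r\n"
)


def audit_headers(raw):
    """Return (status_code, findings) for a raw HTTP response head."""
    lines = raw.split("\r\n\r\n", 1)[0].splitlines()
    code = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 200 OK" -> 200
    msg = message_from_string("\n".join(lines[1:]))
    findings = []

    # A product/version banner tells any client which release is running.
    for name in ("Server", "X-Powered-By"):
        value = msg.get(name)
        if value and re.search(r"/\d", value):
            findings.append(f"{name} discloses version: {value}")

    # Last-Modified tells the client when the page last changed.
    if msg.get("Last-Modified"):
        findings.append(f"Last-Modified exposed: {msg['Last-Modified']}")

    # Report cookies that lack the Secure, HttpOnly or SameSite attributes.
    for cookie in msg.get_all("Set-Cookie", []):
        attrs = {p.strip().split("=", 1)[0].lower() for p in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            cookie_name = cookie.split("=", 1)[0].strip()
            findings.append(f"cookie {cookie_name} missing: {', '.join(missing)}")
    return code, findings


if __name__ == "__main__":
    status, found = audit_headers(RAW)
    print(status, *found, sep="\n")
```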

You can also set the 'user agent' from a dynamic array stored in the file agents in the bundle resources directory. Currently 40 user agents are supplied; you're free to add to this array any way you like.

'More'

There's also additional functionality for Get and Head behind the 'more' button. You can set the 'accept' data types, insert cookies to send to the remote server, specify the host if the IP is shared, indicate a 'referer' [sic] URL, and set the HTTP access type (1.0 or 1.1).

Ping

Ping uses ICMP to poll the responses of remote sites. It's similar in function to Trace but implemented differently. It will also show you the fastest, slowest, and average responses. Set the number of pings to zero for a flood. But be nice.

Additional Features

Apple's Network Utility doesn't work very hard for you on Whois queries, offering servers only at internic.net, networksolutions.com, arin.net, nic.mil, ripe.net, apnic.net, and nic.ad.jp. They're not going to get you far. They're baked into the executable; you can add more servers of your own but you have to do this either with defaults or by editing the preferences file directly.

000000000000a608 NUWhoisServers
000000000000a617 whois.nic.ad.jp
000000000000a627 whois.apnic.net
000000000000a637 whois.ripe.net
000000000000a646 whois.nic.mil
000000000000a654 whois.arin.net
000000000000a663 whois.networksolutions.com
000000000000a67e whois.internic.net

<key>NUWhoisServers</key>
<array>
    <string>whois.internic.net</string>
    <string>whois.networksolutions.com</string>
    <string>whois.arin.net</string>
    <string>whois.nic.mil</string>
    <string>whois.ripe.net</string>
    <string>whois.apnic.net</string>
    <string>whois.nic.ad.jp</string>
</array>

Spike comes with an array of (currently) 119 whois servers. This array exists as a standalone (and editable) text file. It's updated regularly from the list supplied by the GeekTools proxy; most importantly you can set your default server so that clicking on the 'reset' button returns you in an instant. [The array is stored in whoises in the bundle's resources directory.]


Conclusions & Comparisons

Network Utility has 'Netstat' - a feed from the command line netstat; 'Lookup' - which uses dig and nslookup which you already have on disk too; 'Whois' - which is also a feed from the Unix command line program; a very dreary port scan; and 'Finger' - also a command line feed and worse: it's mostly obsolescent today.

000000000000aee3 /usr/sbin/appletalk
000000000000aefd /usr/bin/atlookup
000000000001bf30 /usr/sbin/appletalk
000000000001bf48 /usr/bin/atlookup

000000000000aa39 /usr/bin/dig
000000000000aab5 Lookup has started ...
000000000001babc /usr/bin/dig
000000000001bb48 Lookup has started ...

0000000000009d35 /usr/bin/finger
0000000000009d46 Finger has started ...
000000000001adc8 /usr/bin/finger
000000000001add8 Finger has started ...

000000000000ac80 /usr/sbin/netstat
000000000001bcec /usr/sbin/netstat

0000000000009296 /usr/sbin/traceroute
00000000000092ae Traceroute has started ...
000000000001a23c /usr/sbin/traceroute
000000000001a254 Traceroute has started ...

0000000000009a31 /usr/bin/whois
0000000000009a46 Whois has started ...
000000000001aac4 /usr/bin/whois
000000000001aad8 Whois has started ...

For that caliber of functionality you might as well stay on the command line. This is basically no better than Cocktail.

All of Spike's features are widely used today. Block, Get, and Head are not found in Network Utility and Network Utility counterparts to Spike functions generally pale in comparison. Spike only runs one function from the command line - out of necessity - and then uses its own customised and highly optimised code.

Copyright © Rixstep. All rights reserved.