blog advertising is good for you



Antisocial portscanning ...

As everyone here should know, Mac OS X ships with a nice little graphical utility to troubleshoot networks: Network Utility. One feature that this tool provides is the ability to scan open ports on remote hosts. Used properly, this can be a beneficial aid to a network or systems administrator. However, in the wrong hands this can be used for black-hat style system cracking (or “hacking” as it is labelled in the popular news media.)

Well, this post contains a tip for system administrators looking either to lock down the port scan facility of Network Utility (while leaving the other functions usable) or to increase the power of the port scan facility for their legitimate purposes (I will be the first to admit this could be used by a system cracker, but they probably wouldn’t dirty their elite, script kiddie hands with a GUI app.)

Like most Mac OS X (Cocoa) applications, the Network Utility “application” is actually a folder named “Network Utility.app”, which is treated as a single file by the Finder. Inside this application bundle are various files and resources used by the program to carry out its functions.

Port scan, like the other facilities built in to Network Utility, calls a command-line program to do the work. However, unlike the other facilities, the command-line program that does the port scan is “hidden” within the application bundle.

Ok, enough of the chatter. Network Utility calls a program called “stroke”, which resides at /Applications/Utilities/Network\ Utility.app/Contents/Resources/stroke. As per standard UNIX behavior, the program gives its usage if it needs arguments:

ebi:~ unixgeek$ /Applications/Utilities/Network\ Utility.app/Contents/Resources/stroke 
2005-02-16 21:10:15.265 stroke[374] stroke address startPort endPort
ebi:~ unixgeek$ /Applications/Utilities/Network\ Utility.app/Contents/Resources/stroke 192.168.1.10 0 110
Port Scanning host: 192.168.1.10
Open Port: 22 ssh
ebi:~ unixgeek$

This reveals that my wife’s Mac has remote login (ssh) enabled. An attacker could use this information to try to connect to her computer, guessing common user names and passwords at each attempt. Indeed, there are kits for these script kiddies to run that will do this automatically (look in your logs, you just might find them - I do on a regular basis).

Since stroke is a command line program, we can easily replace it with a shell script to call a real port scan utility such as nmap, or at the administrator’s option, any number of things - like notify him that someone is port scanning on his network.

ebi:~ unixgeek$ cd /Applications/Utilities/Network\ Utility.app/Contents/Resources
ebi:.../Resources unixgeek$ ls
Dutch.lproj             Network Utility.icns    pt.lproj
English.lproj           Spanish.lproj           stroke
French.lproj            da.lproj                sv.lproj
German.lproj            fi.lproj                zh_CN.lproj
Italian.lproj           ko.lproj                zh_TW.lproj
Japanese.lproj          no.lproj
ebi:.../Resources unixgeek$ mv stroke stroke.original

Create a shell script with your favorite text editor, named “stroke”, in the Contents/Resources directory of Network Utility.app. Do not forget to make the script executable by everyone:

chmod a+rx,go-w stroke

Something like this would be amusing:

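#!/bin/bash
# Directory holding this script; the bundle path contains a space, so quote it
DIRPATH=$(dirname "$0")
# Print the header naming the host the user asked for
echo -e "Port Scanning host: $1\n"
# Scan loopback instead, dropping stroke.original's own header line
"${DIRPATH}/stroke.original" 127.0.0.1 "$2" "$3" | /usr/bin/tail -n +2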

This simply port scans the loopback address, but makes the port scan look like the original target was being scanned. This is not the real object of this exercise, but you can easily substitute a real script that either calls nmap with your favorite options or uses “logger” to write to the system.log or secure.log with names and details for the administrator to pursue at some future date.
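
One way to write the “logger” variant mentioned above, as an added example that is not part of the original post: it records who asked for a scan and of what, rejects arguments that could inject text into the log, then hands off to the renamed stroke.original. The syslog tag “netutil-portscan”, the auth.notice priority and the function names are assumptions chosen for this example.

```bash
#!/bin/bash
# Added example: audit wrapper installed as "stroke" next to stroke.original.
# The tag "netutil-portscan" and the auth.notice priority are assumptions.

# True if $1 is a decimal integer in 0..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# True if $1 contains only characters found in hostnames and IP literals,
# so nothing typed into the GUI can add extra fields or lines to the log.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.:_-]*) return 1 ;;
    esac
    [ "${#1}" -le 255 ]
}

# Print the log line for a scan request: user, target, port range.
log_message() {
    printf 'portscan requested user=%s target=%s ports=%s-%s' \
        "$(id -un)" "$1" "$2" "$3"
}

main() {
    dir=$(dirname "$0")
    if [ $# -ne 3 ] || ! valid_host "$1" || ! valid_port "$2" || ! valid_port "$3"; then
        /usr/bin/logger -p auth.notice -t netutil-portscan \
            "rejected malformed request from user=$(id -un)"
        echo "stroke address startPort endPort" >&2
        return 1
    fi
    /usr/bin/logger -p auth.notice -t netutil-portscan "$(log_message "$@")"
    # Hand off to the renamed original so Network Utility keeps working.
    exec "${dir}/stroke.original" "$1" "$2" "$3"
}

# Run only when installed under the name "stroke", so the functions can be sourced.
if [ "${0##*/}" = "stroke" ]; then
    main "$@"
fi
```

To lock the facility down instead of auditing it, replace the exec line with a message to the user and a non-zero return.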

Edit 2005-02-17 for clarity.


There is an article at macgeekery about the command line portmapping utility contained inside the [code]Network Utility.app[...