Security Administrator's Tool for Auditing Networks
By Fuzebox
Table Of Contents
• Disclaimer
• Introduction
• Installation
• Running SATAN
• Examining Results
• Conclusion
Disclaimer: SATAN is to be used as a tool for auditing your own network and/or computer system(s). Abuse of SATAN is strongly unrecommended. Remember, you can be traced, and you can be caught, no matter what precautions you take. Now, with all that aside, let me begin the...
Introduction
Happy Birthday Hackaddict! Our favorite e-zine has reached the ripe old age of 1. Remember, not very many e-zines do this. So, I'd like to contribute with what I consider one killer article. SATAN is not a religious figure, icon, or misrepresentation of society. It is an acronym for Security Administrator's Tool for Auditing Networks. It was written by two UNIX gurus by the names of Dan Farmer and Wietse Venema. It was written in what can only be called a culteral mosaic of C, perl, sh, awk, HTML, and a few others I think. It's purpose is to audit and analyze networks for security bugs and holes.
*** NOTE: You need root to run SATAN. Yes, this sucks, but it's incentive to install UNIX on your own machine. (or hack a server)
Installation
*** NOTE: There are three programs you need aside from SATAN itself: perl, fping, and mosaic (or any other HTML browser). As is stated later, mosaic is not mandatory, but perl and fping are. If you don't have them, you can find them on the Internet.
1) Make sure you have the compressed SATAN file in your home directory.
2) Decompress it by typing the following:
% tar zxf SATAN-1.1.1.tar.Z
3) Delete the compressed file if you want to.
4) Enter the satan directory, and then the config directory.
5) Edit the "satan.cf" file and change the attributes to your liking. The config file is heavily commented, so it's pretty self-explanatory.
6) Now go into the main satan directory, and type "make" and your system type. If you're not sure what your system type is, just type "make" and it will tell you your options. If the wind is right and the planets are aligned just so, you might actually get it to compile properly.
7) Pat yourself on the back and then get a drink of water, because if you thought this was hard, you'll probably pass out in the next section.
Running SATAN
Ok, so I lied. This part isn't actually too hard. You type "satan <hostname>" and it will start scanning. However, there are options and stuff you have to consider (although most of these are already set in your satan.cf file):
-a the attack level (0=light, 1=normal, 2=heavy) - the $attack_level variable is the default.
-d the directory SATAN looks for to read in already collected data (default is $satan_data).
-s Do subnet expansions? (0=no, 1=primary target) - default is $attack_proximate_subnets.
-t timeout length (0 = short, 1 = medium, 2 = long); values are found in satan.cf.
-v turn on debugging output (to stdout.)
Now SATAN will run (provided you are root). You better have something else to do, because depending on your CPU and connection, this could take a while.
Uh oh, no I'm in trouble. I left something out. Well, you are really supposed to run satan through an HTML browser, such as Netscape, Mosaic, or Lynx. However, I don't like to do this, because I think that using unix paramters is much more 31337 and I can pretend I'm a Haxor-d00d to all my friends. But anyway, play around with this if you want to.
Examining Results
When SATAN is finished scannning, it will put all the results into the directory that is specified in the satan.cf file. These are in HTML format, so you should run them through Lynx or something (Unless you have an HTML-Stripper or enjoy readin HTML). What I do is I stick 'em in some inconspicious-looking part of my public_html directory (like in "public_html/images/gifs/data/results" or something so I can look at them at home but no one else will think of looking for them.) The results are quite simple to understand. They are split into three categories:
Vulnerabilities
You will see a list of the vulnerabilities scanned for, such as finger, tftp, ftp, rlogin, etc. If a vulnerability was found, there will be a nice red dot next to it. If it was clean, there will be a black one.
Host Information
You may think "Who cares?", but the answer is: You should. The host information has all sorts of juicy info that might come in handy, such as services (what is running on what port), connected hosts, unregistered hosts (no domain), server and operating system information, and a whole slew of other good stuff.
Trust
One of the reasons systems get broken into is because of too much trust. You may have heard of the dangers of the ".rhosts" programs, which are based on trust. This section explains what trust is on the system and how much is used.
Conclusion
SATAN is not only a great program for "staking out" a server you want to hack, but also works extremely well for what it is designed for: Administers. I ran it on a server I co-admin, (but before I could finish the other co-admin got suspicious and banned me :). Since it simulates real attacks, I could not only read the results to see what is wrong with the server, but check the server logs as well to see what such attacks look like. (But I guess that's what the first "A" stands for... Administration.)
Anyway, I thought this article was pretty good and in writing it I actually had to make sure I knew what I was doing before I could write it. But anyway in closing I'd just like to remind you that it is illegal to run SATAN, but so is lots of other stuff in this magazine. And if you were opposed to that sort of stuff, you shouldn't be reading it anyway!
