# Rules that determine what facts should be ignored. Each rule is applied once
# for each 'a' SATAN fact. A rule is a PERL condition that has full access to
# the $target..$text globals and to all functions.
#
# Empty lines and text after a "#" character are ignored. Long lines may
# be broken with backslash-newline.
#
#
# Don't complain about /cdrom being exported to the world.
#
$text =~ /exports \/cdrom/i
"remote login" or
# "file sharing".
#
# Empty lines and text after a "#" character are ignored
satan-1.1.1/satan
vel drops by this much each proximity level change
$proximity_descent = 1;
# when we go below zero attack, do we stop (0) or go on (1)?
$sub_zero_proximity = 0;
# a question; do we attack subnets when we nuke a target?
# 0 = no; 1 = primary target subnet
$attack_proximate_subnets = 0;
#
# Does SATAN run on an untrusted host? (0=no; 1=ye
satan-1.1.1/perllib/getopts.pl
;# getopts.pl - a better getopt.pl
;# Usage:
;# do Getopts('a:bc'); # -a takes arg. -b & -c not. Sets opt_* as a
;# # side effect.
sub Getopts {
    local($argumentative) = @_;
    local(@args,$_,$first,$rest);
    local($errs) = 0;
    local($[) = 0;
    @args = split( / */, $argumentative );
    while(@ARGV && ($_ = $ARGV[0]) =~ /^-(.)(.*)/) {
        ($first,$rest) = ($1,$2);
        $pos = index($argumentative,$first);
        if($pos >= $[) {
            if($args[$pos+1] eq ':') {
                shift(@ARGV);
                if($rest eq '') {
                    ++$errs unless @ARGV;
                    $rest = shift(@ARGV);
                }
                eval "\$opt_$first = \$rest;";
            }
            else {
                eval "\$opt_$first = 1";
                if($rest eq '') {
                    shift(@ARGV);
                }
                else {
                    $ARGV[0] = "-$rest";
                }
            }
        }
        else {
            print STDERR "Unknown option: $first\n";
            ++$errs;
            if($rest ne '') {
                $ARGV[0] = "-$rest";
            }
            else {
                shift(@ARGV);
            }
        }
    }
    $errs == 0;
}
1;
defined.
# There's no portable way to find the system default tim
satan-1.1.1/perllib/README
# Execute a bootparam WHOAMI request and report the results.
#
$running_under_satan = 1;
require 'config/paths.pl';
require 'perl/misc.pl';
require 'perl/fix_hostname.pl';
die "usage: $0 client server" unless ($#ARGV == 1);
$target = $client = $ARGV[0];
$server = $ARGV[1];
# fields for satan...
$severity="x";
$status="a";
$service = "boot";
open(BOOT, "$BOOT $client $server|");
while (<BOOT>) {
    chop;
    if (/domain_name:\s+(\S+)/) {
        $service_output = "domain $1";
        $target = $server; &satan_print;
        $target = $client; &satan_print;
    }
    if (/client_name:\s+(\S+)/) {
        $client = &fix_hostname($1, $server);
        $service_output = "client $client";
        $target = $client; &satan_print;
    }
    if (/router_addr:\s+(\S+)/) {
        $service_output = "router $1";
        $target = $client; &satan_print;
    }
}
close(BOOT);
# print something out if nothing has happened so far...
# if rpcinfo returns !0, then flag it; else, nothing interesting showed up.
if ($service_output eq "") {
    $severity="";
    if ($?) {
        $text="boot error #$?";
    } else {
        $text="No boot output of interest";
    }
    &satan_print();
}
satan-1.1.1/bin/dns.satan
Unfortunately SATAN isn't as portable as we would like it to be, but it
still will run on a fairly large number of Un*x machines. One
of the main problems we had is that for it to do all of the tasks that
we wanted and to actually be able to release it within any reasonable
time frame, we had to both rely on m
satan-1.1.1/html/docs/the_main_parts.html
SATAN's primary design goal was to be an information gathering and
sorting tool. System administrators will probably get the most out
of using it, but it might prove useful for anyone who wants to learn
and understand more about network security.
</BODY>
</HTML>
rules, these rules help SATAN to classify the
data that was collected by the tools on NFS servi
satan-1.1.1/html/docs/satan.cf.html
Neil Gaiman (author of the extraordinary comic book
<CITE><STRONG>Sandman</STRONG></CITE>)
was ever so kind as to donate a custom image for the
SATAN project. We're <STRONG>very</STRONG> grateful to him for putting
the perfect, final touch on our system.
<HR>
<a href="../images/satan-full.gif">
<IMG SRC="../images/satan-almost-full.gif" ALT="[SECOND SATAN IMAGE]"> </a>
</BODY>
</HTML>
<I>$dont_attack_these</I>, which you
can set to a list of domains and/or networks that
SATAN should <STRONG><I>never</I></STRONG> attack.
Looking at the last part of the configuration file gives further
examples of this:
<PRE>
#
# If $only_attack_these is non-null, *only* hit sites if they are of this
# type. You can specify a domain (podunk.edu) or network number
# (192.9.9). You can specify any combination of domains and
satan-1.1.1/html/docs/dangers.html
<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Vulnerabilities - By Counts </H1>
<hr>
<h3> Hosts by descending vulnerability counts. </h3>
EOF
$_sort_order = "severity";
@_hosts = keys %severity_host_count;
do "$html_root/reporting/sort_hosts.pl";
print CLIENT $@ if $@;
print CLIENT <<EOF
No vulnerability information found.
EOF
    if @_hosts == 0;
print CLIENT <<EOF;
<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
</BODY>
</HTML>
EOF
/ul>
    <strong>Note: hosts may appear in multiple categories. </strong>
EOF
} else {
print CLIENT <<EOF
No vulnerability information found.
EOF
}
print CLIENT <<EOF
<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
satan-1.1.1/html/reporting/satan_results_danger.pl
Hints, Further tricky security implications, or Getting The Big Picture (tm)</A>
Would be a <STRONG>very</STRONG> good idea.
<hr>
<a href=../../satan_documentation.html> Back to the Documentation TOC</a>
ll give you more information on that host, network, piece of
information, or vulnerability, just as expected.
<p>
From the control panel in the HTML interface, select
<I>SATAN Reporting & Data Analysis</I>. You will then be
prompted with a wealth of choices; when first learning to use
the tool, the <I>Vulnerabilities</I> section will probably
be the one of the most immediate interest. In that section,
the <I>By Approximate Danger Level</I> link is a good
satan-1.1.1/html/tutorials/first_time/make.html
<title>Scanning for the first time with SATAN</title>
<H1><IMG SRC="../../images/satan.gif"> Scanning for the first time with SATAN</H1>
<HR>
<p>
To "scan", in SATAN-ese, means to probe or test a remote host's security.
SATAN has the ability to scan a great number of hosts on a network;
fortunately or unfortunately, you may not have the authority or permission
to scan all of the hosts. SATAN should never be used to scan a host unless
you have explicit permission from the owner of that host to scan it.
<p>
<STRONG> Remember - you should run SATAN as "root"!</STRONG>
<p>
Assuming that you have the authority to do so, it is very simple to start
scanning:
<p>
<OL>
<li> From the control panel in the HTML interface, select
    <I>Run SATAN</I>. It will prompt you with
    <I>Primary target selection</I>; type in the host that you're
    running SATAN from if it isn't already in the prompt box.
<li> Select <I>Scan the target host only</I>, or, if you would prefer
    and have the authorization and the time (it can take several minutes
    to scan a single host at the higher scan levels), select
    <I>Scan all hosts in the primary (i.e. the target's) subnet</I>.
<li> Select a <I>Normal</I> scan to start out with. The more intensive
    the scan, the more time it takes to complete.
<li> Select <I>Start the scan</I> to commence the scanning.
</OL>
<p>
That's it! If you have any problems (remember, SATAN is currently only
supported on SunOS 4.x and IRIX 5.x), you should read the full
documentation on <A HREF="../../docs/getting_started.html">
using SATAN for the first time.</a>
<p>
You should now go to <A HREF="analyzing.html"> Analyzing the output</A>
to see how to get and to interpret the results of your scan.
satan-1.1.1/html/tutorials/vulnerability_tutorials.pl
<H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Configuration Management </H1>
<hr>
<B>Configuration file changed</B>
<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a>
</BODY>
</HTML>
EOF
sword <i>every time</i> you start it
up under an HTML client, so if you are suspicious, simply restart
the program.
<p>
SATAN never sends its current password over th
satan-1.1.1/html/admin/satan_cf_form.pl
<h2>Patterns specifying hosts to limit the probe to</h2>
If you only want to probe hosts within a speci
satan-1.1.1/src/boot/bootparam_prot.x
# Interval is the minimum amount of time between sending a ping packet to
# any host.
#
# Timeout is the minimum amount of time between sending a ping packet to
# a particular host.
#
# Retry is the number of ping packets to send to a host before giving up.
#
DEFAULTS= -DDEFAULT_INTERVAL=25 \
-DDEFAULT_TIMEOUT=2500 \
-DDEFAULT_RETRY=3
#
# some systems need th
satan-1.1.1/src/fping/README.VMS
- made links from tutorials to admin-guide-to-cracking
- now show the current database name in the "open database" text field.
- added -u (running from untrusted host) option and $untrusted variable.
- changed wording of worldwide exports in nfs-chk.satan
- moved umask 077 to main satan
- tcpscan now continues after ICMP_UNREACH_NET or ICMP_UNREACH_PROTOCOL.
- network targets didn't work anymore.
- added "view primary target results" link.
- target acq screen: added explanation of "normal" and "heavy" scans.
- trust reports now sort by trust type as default.
- added -A (proximity descent) and -z (sub zero proximity) options.
- used wrong hostname variable in sort-by-trust-type reports.
- dropped proximity stuff from the target acquisition screen.
- fixed references to old timeout variable names in the admin html pages.
- more trust classification rules.
- added ';' after shell built-ins in Makefile (for HP-UX make).
Satan beta 0.5
- rescan is now default: before scanning, SATAN always drops old
information on primary hosts. Too many problems with todo rules
being skipped at a low attack level, and never being triggered
again when the attack level was increased.
- wrote a UNIX man page so we can tell them to Read the fine manual.
- data mgt moved to the top - if you collect data first it does not
make sense to change databases later.
- added "back to SATAN report analysis" links to the report screens.
- worked around strange behavior when host or domain names end in au.
fix: all dynamic URLs now end in a comma.
- some error screens had a non-standard layout.
- replacing TYPE=NAME by TYPE="name" made things work better with Mosaic.
- tcp_scan will calm down when the kernel runs out of file descriptors.
- fixed extraneous Add-fact/todo/target messages in verbose logs.
- fixed defective duplicate filter in danger level report.
- added OSF to the list of mainstream systems (weird...)
- save database to temp files, then rename. This avoids data loss
when the program is interrupted while saving. We should append
new stuff only but I'm not going to change the inference engine
in the last hour before the final beta.
- all shell commands go through one routine so nothing escapes timeouts.
- added SONY NEWS machines to hosttype, fixed apple type, now picks up BSDI
OS version
- added an AUTHOR file in src/fping, to point to the current maintainer.
- fixed reconfig to not look at dirs that don't exist, echo correct message,
look for remsh & if it exists, use it instead of rsh. Changed top line
to be a better way (you might check this out; this was suggested by
tom christianson & larry wall, so I trust it.)
- changed the satan.probes.html documentation significantly; minor change
to satan_documentation to reflect this.
- added grep into paths.sh
- moved data management menu item below targeting and results on main
control panel (html/satan.pl) - I really want to have targeting first,
then analysis, then the rest!
- created a wu-archive ftp tutorial
- small change in analysis.pl; "Widely" seems redundant, nuked it.
- added question about multiple fingers to FAQ
- not scanned hosts are now called "not scanned" instead of "unknown type".
- added sort-by-trust-type links to the trusted and trusting host displays
- documented the trust rule base.
- fixed typo in trusting host sort order.
- restored control panel order: choose data base before collecting data.
- port scanners now take service names from config/services so that our
inference rules will be more robust. The system services tables are
used for everything not found in SATAN's service tables.
- began cleaning up the html. Combining both quoting and italics on the
same word is just too much.
- some hosts would stay "unknown type" after rescanning. Fix: add an UNKNOWN
pattern to rules/hosttype that matches both "" and "unknown type".
- deleted the html/query subdirectory
- SATAN now maintains a per-host last access time, displayed with host details.
- faux-fping took only one argument and always did subnet expansion.
I replaced it by an fping-compatible one-liner.
- updated docs about current locations of files.
- subtle bugs eliminated by using explicit loop controls instead of $_.
- subnet expansion did not update attack levels of already known hosts.
- reconfig no longer needs to have #!/path/to/perl.
- get_targets moved to bin.
- fixed rsh.satan to not depend on remote location of commands
- can now merge data bases (GUI only).
- fix_hostname.pl could map IP addresses to unqualified hostnames.
- SATAN could skip hosts that were dead on a previous run.
- added support to rescan primary hosts (ignore old primary host results).
- added -o option for 'scan only these'.
- added -O option for 'skip these'.
- added -c option for alternate config file.
Satan 0.40 beta:
- slightly changed -V flag to satan; prints out version, found in version.pl
- removed *box*.gif *triangle*.gif from images directory
- removed all but black, red, pink, and purple dots from dots dir
- swept through all html files with a fairly fine-toothed comb and
programs, fixed all syntax errors that I could find. This is mostly,
actually, the html/docs & html/tutorials dirs. removed "lines" subdirectory
- all tool etc. file names are now controlled from config files.
- now handles combinations of `scan only these' and `don't scan' exceptions.
- now accepts multiple exceptions for `scan only these' and `don't scan'.
- configuration GUI screen now shows current exception patterns.
- syntax of exception patterns changed from regexps to shell style.
it was simply too painful to get right.
- config file edit script used the raw HTML attribute list with %hex codes.
- generic editing of %hex codes emitted by web viewers.
- GUI will now show a trace (with time stamps) of what satan is doing.
- configurable pathnames in sh scripts moved to central file.
- lots of dead links in the docs fixed.
- big one: separate directories for config, commands, rules, scripts.
- added "make setuid" target to the main Makefile.
- status file is now updated when satan terminates.
- status file cannot be specified on the command line (for parallel runs).
Satan 0.36 beta:
- added "continue with report and analysis" link to data management.
- added a rules/trust file to classify trust relationships by type.
- put back the "widely trusting hosts" link in the report table of contents.
- added a $dont_use_ping flag (config file, docs and GUI) so you can make
SATAN believe that hosts are always reachable.
Satan 0.34 beta:
- print an error when get_targets fails instead of mysteriously terminating.
- all hostnames should now be translated to lowercase
- zap all proxy environment variables except no_proxy.
- numerical $dont_attack_these and $only_attack_these patterns now work.
- the boot.satan will now fire only when the client hostname resolves
- DNS: added a $dont_use_nslookup flag (config file, docs and GUI).
- made the rpcinfo tool more accurate.
- use safe_finger instead of plain finger (thanks Lionel).
- updated the documentation (fping is bundled, attack level probe lists).
- fixed some list problems that Mosaic could choke on.
- re-wrote the satan.cf attack level lists as per Lionel's suggestion.
This makes the portscanner implementation much cleaner. Tools are now
listed _with_ arguments, so no more automatic ".satan" tricks.
- rules.services claimed all gopher or www servers on non-standard ports.
- fixed output flushing in *.satan tools.
Satan 0.33 beta:
- minor portscan.satan fix (will rewrite this according to Lionel's suggestion).
- more reconfig fixes (would replace perl5 by perl55)
- more shell command filtering
- fixed timeout order in satan script
- portability fixes for the tcp/udp port scanner (hp-ux)
Satan 0.3 beta:
- found why SATAN would no longer look up the host IP of unprobed hosts.
- Doesn't die when reading malformed data
- slight fix to nfs-chk.satan
- cleaned up some html stuff/dead links
- Added a test for pre 2.4 wustl ftp servers
- Ever so small correction to reconfig... (I'm going to rewrite this in perl.)
Satan 0.2 beta:
- will now tell via the GUI how many hosts were visited.
- GUI now shows status (unreachable) and scanning level info in the
per-host report.
- fixed the reconfig script so it won't mangle perl path names anymore
- will now tell you to become root or to make fping, tcp_scan etc. set-uid.
- added a -V (version) command-line option. Unfortunately, PERL still
dumps core on IRIX 5.3 when SATAN is given a command-line option.
- added a $running_under_html flag for GUI diagnostics
Satan 0.1 beta:
- fping is now completely integrated with satan.
- better support of recursive `make -n'.
- queries by host now support FQDN completion.
- several broken html links fixed.
- final solution for the sys/socket.ph problem.
- Web client will now connect to hostname instead of 127.0.0.1.
- nfs-chk tries both privileged and unprivileged client ports in the same run.
- cleanup nslookup [x.x.x.x] result when cannot find a host.