The SATAN User Interface

SATAN was designed to have a very "user friendly" user interface. Since it is extremely difficult to create a good user interface from scratch, we stole everyone else's. All of the output (of the non-debugging sort) and nearly all of the interface uses HTML, so as a user you can utilize any number of incredible HTML display programs such as Netscape, Mosaic, lynx (for those stuck with text-only displays), etc.

Subsections in the User Interface section:

The Basics
Gathering Data
Data Management
Looking at and understanding the results
Hints, Further tricky security implications, or Getting The Big Picture (tm)
The Command-line Interface

The Basics

Using an HTML browser is REQUIRED to do report queries. It is highly suggested that you use it to read the documentation, if nothing else to print it out and read it via hard-copy, since it's also all in HTML (later versions of SATAN will almost certainly have non-HTML documentation, but the time pressures of the project eliminated this as a viable option for the first release of SATAN.)

(While all of the program interface and documentation uses hypertext extensively; it's beyond the scope of this document to explain how to use a HTML browser, but all of them come with fairly extensive documentation and are very easy to use.)

This part of the documentation covers some of the basic design concepts and how to move around the SATAN user interface. However, with the exception of the target acquisition part of the program (we don't want you to learn how to probe hosts by trial and error!), the best way to learn how to use the program is to simply start pointing and clicking with your mouse or with the arrow keys on your keyboard.

Gathering Data

Gathering information about hosts is very easy when using SATAN - too easy sometimes, because it follows lines of trust that are often hidden from casual observation, and you'll soon find it scanning networks and hosts that you had no idea were connected to your net. As an intellectual or learning exercise this is wonderful, but many sites take a dim view of you probing (or "attacking", as they'll claim) their site without prior permission. So don't do it.

The easiest and safest way to gather it is by simply selecting a target host that you'd like to know more about and then probe that host (and the subnet as well, if you wish) with the default settings: no host-to-subnet expansion, and a maximum proximity level of zero (see the satan.cf (SATAN configuration) file for more on this.)

See the tutorial on how to scan a target for the first time.

Data Management

SATAN has a very simple way of opening or creating its databases (this is how SATAN keeps all of its records, including the hosts that it's seen (in the "all-hosts" file), the current set of facts (in the "facts" file), and what should be run next ("todo")

If you choose the "SATAN Data Management" from the SATAN Control Panel, you have two choices, to either open an existing set of data or to start a new database.

Note! Opening or creating a new database will remove any other information of other databases or scans that are currently in memory.

If you've opened an old database, you can now query it, run new tests against the hosts, etc.

Looking at and understanding the results

Easy to use, hard to describe. That's how the SATAN Reporting and Analysis works. There are three broad categories, each with fundamental differences in how they approach and analyze the data gathered from scanning. Although they are different categories, since so much information is tied together with hypertext, you can start from any of these categories and find the same information, but with a different emphasis or display on certain parts of the information. Most queries will present the user with an index that facilitates movement within that query type - the amount of information can get quite large - and a link that will lead the user back to the Table of Contents. In addition, vulnerabilities have links to a description of the problem, including what it is, what the implications are with respect to security, as well as how to fix it. If a CERT advisory applies to this particular problem then there is a link to that as well.

Vulnerabilities. This is what most people think of when they think of SATAN - what/where are the weakpoints of the host/network.
Host Information. Very valuable information - this can show where the servers are, what the important hosts are, breakdown the network into subnets, organizational domains, etc. In addition, you can query about any individual host here.
Trust. SATAN can follow the web of trust between systems - trust through remote logins, trust by sharing file systems.

Vulnerabilities

There are three basic ways of looking at the vulnerability results of your scan:

Approximate Danger Level. All of the probes generate a basic level of danger if they find a potential problem; this sorts all the problems by severity level (e.g. the most serious level compromises root on the target host, the least allows an unprivileged file to be remotely read.)
Type of Vulnerability. This simply shows all the types of vulnerabilities found in the probe, plus a corresponding list of hosts that fall under that vulnerability.
Vulnerability Count. This shows which hosts have the most problems, by sheer number of vulnerabilities found by the probe.

Try looking at all of the different ways of looking at any vulnerabilities found by the probe to see what is most intuitive or informative to you; after using the tool for some time, it becomes easier to learn which type of query is the best for the current situation.

Host Information

An enormous amount of information can be gained by examining the various subcategories of this section - remember, the more intensive the SATAN probe, the more information will be gathered. Typically this will show either the numbers of hosts that fall under the specific category with hypertext links to more specific information about the hosts or the actual list of hosts (which can be sorted into different orders on the fly). If there is a host listed with a red dot () next to it, that means the host has a vulnerability that could compromise it. A black dot () means that no vulnerabilities have been found for that particular host yet. Clicking on links will give you more information on that host, network, piece of information, or vulnerability, just as expected.

The categories are:

Class of Service. This shows the various network services that the collected group of probed hosts offer - anonymous FTP, WWW, etc. Gathered by examining information garnered by rpcinfo and by scanning TCP ports.
System Type. Breaks down the probed hosts by the hardware type (Sun, SGI, Ultrix, etc.); this is further subdivided by the OS version, if possible to ascertain. This is inferred by the various network banners of ftp, telnet, and sendmail.
Internet Domain. Shows the various hosts broken down into DNS domains. This is very useful when trying to understand which domains are administered well or are more important (either by sheer numbers or by examining the numbers of servers or key hosts, etc.)
Subnet. A subnet (as far as SATAN is concerned) is a block of up to 256 adjacent network addresses, all within the last octet of the IP address. This is the most common way of breaking up small organizations, and can be useful for showing the physical location or concentration of hosts in larger systems.
Host name. Allows a query of the current database of probe information about a specific host.

Hints, Further Tricky Security Implications, or Getting the Big Picture

It's just as important to understand what the SATAN reports don't show as well as what they show. It can be very comforting to see SATAN returning a clean bill of health (i.e. no vulnerabilities found), but that will often merely mean that more probing should be done. Here are some general suggestions on how to get the most out of SATAN; this requires a fairly good understanding of the satan.cf (SATAN configuration) file:

Probe your own hosts from an EXTERNAL site! This is a necessity for firewalls, and a very good idea for sites in general.
Probe your hosts as heavily as possible, and use a high $proximity_descent value (2 or 3 are good.)
Use a very low $max_proximity_level - it is almost never necessary to use more than 2 or 3. However, if you're behind a firewall (e.g. have no direct IP connectivity from the host that is running the SATAN scan), you can set this higher. There should be almost no reason to ever set this to anything beyond single digits.
Start with light probes and probe more heavily when you see potential danger spots. Keep tight control over what you scan - don't scan other people's hosts without permission!
Use the "$only_attack_these" and "$dont_attack_these" variables to control where your attacks are going.
Collect all of your user's .rhosts files and make a list of all external hosts found there. Get permission from the system administrators of those remote sites and run SATAN against all of them.
If you have a host that a lot of other hosts trust or have critical hosts, make sure that you scan these hosts with a "heavy" scan to help ensure that no one can gain access to these. Unless politically impossible, scan the entire subnet of these key hosts as well, because once on a subnet, it's very easy to break into other hosts on the same subnet.

The Command-line Interface

For those without a good HTML browser, for those die-hard Un*x types that despise GUI's, or for simply firing off probes when you don't want to leave a several megabyte memory hog (your HTML viewer) doing essentially nothing, all of the probing functionality is accessible from your favorite Un*x shell prompt. However, you cannot examine the reports, do queries, or any of a number of other nifty things by simply using the command line. This is because the reporting programs were written to emit HTML code, and even the two hard-core Un*x hackers who wrote this program love (and hate, we must admit) what HTML can do.

Here are the command line options and what they do (SATAN enters interactive mode when no target host is specified); further explanations of the variables that are mentioned here can be found in the satan.cf (SATAN configuration) file.

-a ... the attack level (0=light, 1=normal, 2=heavy) - the $attack_level variable is the default.
-d ... the directory SATAN looks for to read in already collected data (default is $satan_data).
-h ... probe the target host only (equivalent to -s0)
-i ... ignore already collected data.
-l ... maximal proximity level (default $max_proximity_level).
-s metric ... Do subnet expansions? (0=no, 1=primary target) - default is $attack_proximate_subnets.
-t level ... timeout length (0 = short, 1 = medium, 2 = long); values are found in satan.cf.
-v ... turn on debugging output (to stdout.)