Discussion of SATAN on the Net

doug@grinch.hcf.jhu.edu (Doug O'Neal) writes:

>I have not seen SATAN and I have not been able to see the prerelease sample
>reports but judging from the release announcement I already have a Perl 4
>script that does 95% of what SATAN does.  The only time it needs root privs
>is when it tries to rsh into a remote system under other user ids.  I would
>hope that SATAN also has an option to run as a non-root user.

Nope. SATAN depends on five programs that need superuser privilege (or
setuid) in order to run. The rsh test is just one of them. The others
are fping, a tcp port scanner, a udp port scanner, and an nfs checker;
all four are already in the public domain. The "root" requirement
should keep the "wannabees" out of the game.


To: ids@uow.edu.au
Date:          Tue, 28 Mar 1995 07:49:37 EST
Subject:       Re: SATAN's Footprint?

> > Anyone got hold of SATAN yet?
> Yes, beta testers. No, others not yet. Yes, I *am* holding my breath
> waiting :-)

I'm getting a demo from a beta tester tomorrow... Dan Farmer's former
major professor, no less.

Any particular questions you want me to ask?

> > Anyone know what to expect if your site is being probed
> > by SATAN?

I was told that your logs will contain much evidence of the presence
of a SATAN scan. It's not a secret when it arrives... since this
comes from a white hat (as opposed to a black hat) there was no intent
to be secretive about the scan - since it's supposed to be a sysadmin
tool. It also might discourage the black hats from playing with
it...since it is an obtrusive tool.

> > Apart from the expected port scanning, sendmail, telnet,
> > tftp, finger, rpc setup, r-commands, yp, nfs and dns being
> > rattled is there anything else that one should look
> > out for?

It checks binary versions also...to see if you've corrected sendmail,
NFS, login, et al and most of the CERT advisories to see if you've
taken corrective measures.

> This is a very interesting idea. Having SATAN (and ISS and Tiger et al)
> having some kind of signature built in. Thus enabling a sysadm knowing
> what tools are used to attack.

As I said before, this is a sysadmin tool, so the sysadmin should
know if it was used by someone else.  Sysadmins should at least be
even with hackers, if not one step ahead!   Why shouldn't a sysadmin
run crack on his/her passwd file?  Better that he finds the problems
than some unknown person, right?

Prevention is even one level better than detection....

Internet:  mshines@ia.purdue.edu      |  Michael S. Hines
Bitnet:    michaelh@purccvm           |  Sr. Information Systems Auditor
Purdue WIZARD Mail: MSHINES           |  Purdue University
GTE Net Voice: (317) 494-5845         |  1065 Freehafer Hall
GTE Net FAX:   (317) 496-1814         |  West Lafayette, IN 47907-1065
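
The point made in the message above, that a scan rattling many services leaves plenty of evidence in the logs, as an added example that is not part of the original thread. The log format (syslog-style `daemon[pid]: connect from host` lines), the sample lines, the threshold of five services and the 60-second window are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed syslog-style "daemon[pid]: connect from host").
SAMPLE_LOG = """\
Mar 28 07:49:01 gw in.telnetd[301]: connect from 192.0.2.10
Mar 28 07:49:02 gw in.fingerd[302]: connect from 192.0.2.10
Mar 28 07:49:02 gw in.tftpd[303]: connect from 192.0.2.10
Mar 28 07:49:03 gw in.rshd[304]: connect from 192.0.2.10
Mar 28 07:49:04 gw in.rlogind[305]: connect from 192.0.2.10
Mar 28 07:49:05 gw sendmail[306]: connect from 192.0.2.10
Mar 28 08:10:00 gw in.telnetd[310]: connect from 198.51.100.5
Mar 28 09:30:00 gw in.fingerd[311]: connect from 198.51.100.5
Mar 28 11:00:00 gw in.telnetd[312]: connect from 198.51.100.5
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([\w.]+)\[\d+\]: connect from (\S+)$")

def parse(log, year=1995):
    """Yield (timestamp, service, source) for each line that matches LINE."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def sweeping_sources(log, min_services=5, window=timedelta(seconds=60)):
    """Return {source: sorted services} for sources that touched at least
    min_services distinct services inside one sliding time window."""
    events = defaultdict(list)
    for ts, service, source in parse(log):
        events[source].append((ts, service))
    flagged = {}
    for source, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {svc for ts, svc in hits[i:] if ts - start <= window}
            if len(seen) >= min_services:
                flagged[source] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for src, services in sweeping_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(services)} services in one window: {', '.join(services)}")
```

A host that uses two or three services over a working day stays below the threshold; only the source that walks across many services within seconds is reported.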

From: awd@ddg.com (Andrew W. Donoho)
Date: Fri, 24 Mar 1995 03:28:47 -0600
Subject: Re: SATAN Irony: Only Intruders can use it...


You wrote:
>It occurs to me that virtually any system administrator with something to
>lose (like their job!) is in the same boat.  They can't afford to run
>SATAN because to do so would expose them to potential traps they'd like
>to avoid.

I think that you're not really examining the problem properly. Why don't
you just rent a shell account on some ISP and run SATAN there? What do
you care about the ISP machine? If it gets hacked by SATAN, it's their
problem and not your job. BTW, that really is the appropriate place to run
it anyway, outside of your net like any other hacker trying to break into
your system (and it only costs you $30 bucks a month, much cheaper than a
sacrificial machine). It would probably be the polite thing to do to alert
your host's admins about what you are doing, but other than that, what's
the problem?


- -----
awd@ddg.com - Donoho Design Group, Inc.
awd@gslis.utexas.edu - UT Grad. School of Library and Information Science

From: mshaver@schoolnet.carleton.ca (Mike Shaver)
Date: Wed, 22 Mar 1995 20:02:11 -0500 (EST)
Subject: Re: SATAN


Personally, I don't really understand why everyone is so worried about
SATAN.  Sure, if you have an unsecured network, and are just hoping to
survive by luck and sheer stubbornness, it could cause a problem, but no
more so than a kraker just deciding that he wants something to do.

I've seen the list of attacks that SATAN probes for, and they're not really
new.  All of them should be fixed by now if they're going to be fixed at
all.  I see SATAN as being a very useful *maintenance* tool, though.
Sort of like a networked Tripwire.  You run it on your internal networks to
see what things are like, fix them, and then run it periodically to make
sure that everything *stayed* fixed.

Also, it can help you get a feel for how far an intruder would get into your
soft, chewy centre.  If SATAN shows a line of holes from just inside the FW
to your payroll machine, you've got some work to do.  If the only path it
shows leads from your terminal servers to the public WWW site, then at least
the intruder won't use the SATAN holes. =)

Of course, any kraker with a common hole *not* probed by SATAN is sitting
pretty now.  After April 5th, there will be a *lot* of sysadmins with a bit
of panic (those that found holes), and even more with a false sense of
security (those that didn't).


From: anton@the-wire.com (Anton J Aylward)
Date: Sat, 18 Mar 1995 10:45:55 -0500
Subject: SATAN: Scenario of real threat

SATAN **IS** dangerous, but let's look at the political threat,
not the technological threat.   SATAN has been publicised in a way that
the other 'sniffers' haven't.

        Joe Dowe turns up at the AGM of Voodoo Medical Services Inc.
        He bought a single share and so is a shareholder and entitled to
        attend.  He is a customer of Voodoo.  He also got a copy of SATAN and
        checked out their network.   It was full of holes.   He called
        customer service and MIS,   they had a head-in-the-sand attitude.
        So he is bringing this up before the directors, in public.

        There is the possibility of class action suit.  After all, Voodoo's
        records indicate the result of tests on its customers, something
        which could be - to say the least - socially embarrassing.

There are many other scenarios we can construct based on the major flaw in
Computer Security - management doesn't want to know and doesn't want to
address it, because it will show up all manner of problems which have to be
addressed which they didn't plan for.   Just like the way companies have
fought environmental and emission controls.

The "good guys" have always been able to build tools like this.
Perl is a wonder for this and many other things.   By definition, the "bad
guys" could have done the same.

The real threat has nothing to do with the technology and a lot to do with
politics and management.

If your management is enlightened and you have sound security policies and
practices, management will welcome this tool to validate the security.
Only those with a guilty conscience over short-changing security ("head in
the sand", "it can't happen to me", "we can't afford it".....) need feel

But isn't that always the case when technology moves on?

There are other 'office politics' scenarios I've seen which I could describe.
My point is, it's not the hackers who are the threat.  It is the neanderthals
who won't address Information Security properly.
Anton J Aylward
The Strahn and Strachan Group Inc
Information Security Consultants
Voice: (416) 494-8661     Fax: (416) 494-8803

From: rodney@subasic.sciatl.com (Rodney Garner)
Date: Sat, 18 Mar 1995 22:26:19 -0500
Subject: SATAN

I am looking forward to having SATAN in my tool set.  Like ISS, COPS,
TIGER it will be a tool that I will use to keep my networks and
environment clean.  If I have holes in the network I want to know about
them so I can deal with the problem.


The only threat from SATAN is to those that don't want to admit that
they might have holes in their network and don't want to know about

I don't see anymore of a threat from SATAN than from ISS and Tiger.


From: padgett@tccslr.dnet.mmc.com
      (A. Padgett Peterson, P.E. Information Security)
Date: Fri, 17 Mar 95 22:15:41 -0500
Subject: The Big S

>The real question is whether the good guys will get the release before
>the bad guys and how you tell them apart.

"Good guys" have had it all along, wasn't difficult to find or
reproduce.  Nothing magical any more than the "Mother Fish" (Whale)
virus was despite all the insider hype. One I saw last August was a set
of UNIX scripts with nothing that careful study of the FWTK utilities
wouldn't reveal, however, I prefer to use a PC.

All it means is that a bunch of kids are going to be knocking on doors
for a while, doors we all know should be secured. There is no magic or
trade secrets involved.

Sure there are going to be people surprised - the same ones who did not
believe in sniffers, firewalls, or anti-virus programs. Still I haven't
seen any panic over Beholder/Gobbler - in the right hands in the right
place, a *lot* more dangerous IMHO.

So You Who Are Concerned, if you do not have policies and protection 
already, you might as well relax, it's too late 8*).


"Said I didn't like 'em, not that I didn't know how to use one." Tom
Selleck in "Quigley Down Under".

Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Wed Mar 29 10:19:19 1995