The SATAN User Interface

SATAN was designed to have a very "user friendly" user interface. Since it is extremely difficult to create a good user interface from scratch, we stole everyone else's. All of the output (of the non-debugging sort) and nearly all of the interface uses HTML, so as a user you can utilize any number of incredible HTML display programs such as Netscape, Mosaic, lynx (for those stuck with text-only displays), etc.

Subsections in the User Interface section:

The Basics

Using an HTML browser is REQUIRED to do report queries. It is highly suggested that you use it to read the documentation, if nothing else to print it out and read it via hard-copy, since it's also all in HTML (later versions of SATAN will almost certainly have non-HTML documentation, but the time pressures of the project eliminated this as a viable option for the first release of SATAN.)

(While all of the program interface and documentation uses hypertext extensively; it's beyond the scope of this document to explain how to use a HTML browser, but all of them come with fairly extensive documentation and are very easy to use.)

This part of the documentation covers some of the basic design concepts and how to move around the SATAN user interface. However, with the exception of the target acquisition part of the program (we don't want you to learn how to probe hosts by trial and error!), the best way to learn how to use the program is to simply start pointing and clicking with your mouse or with the arrow keys on your keyboard.

Gathering Data

Gathering information about hosts is very easy when using SATAN - too easy sometimes, because it follows lines of trust that are often hidden from casual observation, and you'll soon find it scanning networks and hosts that you had no idea were connected to your net. As an intellectual or learning exercise this is wonderful, but many sites take a dim view of you probing (or "attacking", as they'll claim) their site without prior permission. So don't do it.

The easiest and safest way to gather it is by simply selecting a target host that you'd like to know more about and then probe that host (and the subnet as well, if you wish) with the default settings: no host-to-subnet expansion, and a maximum proximity level of zero (see the (SATAN configuration) file for more on this.)

See the tutorial on how to scan a target for the first time.

Data Management

SATAN has a very simple way of opening or creating its databases (this is how SATAN keeps all of its records, including the hosts that it's seen (in the "all-hosts" file), the current set of facts (in the "facts" file), and what should be run next ("todo")

If you choose the "SATAN Data Management" from the SATAN Control Panel, you have two choices, to either open an existing set of data or to start a new database.

Note! Opening or creating a new database will remove any other information of other databases or scans that are currently in memory.

If you've opened an old database, you can now query it, run new tests against the hosts, etc.

Looking at and understanding the results

Easy to use, hard to describe. That's how the SATAN Reporting and Analysis works. There are three broad categories, each with fundamental differences in how they approach and analyze the data gathered from scanning. Although they are different categories, since so much information is tied together with hypertext, you can start from any of these categories and find the same information, but with a different emphasis or display on certain parts of the information. Most queries will present the user with an index that facilitates movement within that query type - the amount of information can get quite large - and a link that will lead the user back to the Table of Contents. In addition, vulnerabilities have links to a description of the problem, including what it is, what the implications are with respect to security, as well as how to fix it. If a CERT advisory applies to this particular problem then there is a link to that as well.
  1. Vulnerabilities. This is what most people think of when they think of SATAN - what/where are the weakpoints of the host/network.
  2. Host Information. Very valuable information - this can show where the servers are, what the important hosts are, breakdown the network into subnets, organizational domains, etc. In addition, you can query about any individual host here.
  3. Trust. SATAN can follow the web of trust between systems - trust through remote logins, trust by sharing file systems.

There are three basic ways of looking at the vulnerability results of your scan:

Try looking at all of the different ways of looking at any vulnerabilities found by the probe to see what is most intuitive or informative to you; after using the tool for some time, it becomes easier to learn which type of query is the best for the current situation.

Host Information

An enormous amount of information can be gained by examining the various subcategories of this section - remember, the more intensive the SATAN probe, the more information will be gathered. Typically this will show either the numbers of hosts that fall under the specific category with hypertext links to more specific information about the hosts or the actual list of hosts (which can be sorted into different orders on the fly). If there is a host listed with a red dot () next to it, that means the host has a vulnerability that could compromise it. A black dot () means that no vulnerabilities have been found for that particular host yet. Clicking on links will give you more information on that host, network, piece of information, or vulnerability, just as expected.

The categories are:

Hints, Further Tricky Security Implications, or Getting the Big Picture

It's just as important to understand what the SATAN reports don't show as well as what they show. It can be very comforting to see SATAN returning a clean bill of health (i.e. no vulnerabilities found), but that will often merely mean that more probing should be done. Here are some general suggestions on how to get the most out of SATAN; this requires a fairly good understanding of the (SATAN configuration) file:

The Command-line Interface

For those without a good HTML browser, for those die-hard Un*x types that despise GUI's, or for simply firing off probes when you don't want to leave a several megabyte memory hog (your HTML viewer) doing essentially nothing, all of the probing functionality is accessible from your favorite Un*x shell prompt. However, you cannot examine the reports, do queries, or any of a number of other nifty things by simply using the command line. This is because the reporting programs were written to emit HTML code, and even the two hard-core Un*x hackers who wrote this program love (and hate, we must admit) what HTML can do.

Here are the command line options and what they do (SATAN enters interactive mode when no target host is specified); further explanations of the variables that are mentioned here can be found in the (SATAN configuration) file.