Subsections in the User Interface section:
Using an HTML browser is REQUIRED to do report queries.
It is highly suggested that you use it to read the
documentation, if nothing else to print it out and read it via
hard-copy, since it's also all in HTML (later versions of SATAN will
almost certainly have non-HTML documentation, but the time pressures of
the project eliminated this as a viable option for the first release of
(While all of the program interface and documentation uses hypertext extensively; it's beyond the scope of this document to explain how to use a HTML browser, but all of them come with fairly extensive documentation and are very easy to use.)
This part of the documentation covers some of the basic design concepts and how to move around the SATAN user interface. However, with the exception of the target acquisition part of the program (we don't want you to learn how to probe hosts by trial and error!), the best way to learn how to use the program is to simply start pointing and clicking with your mouse or with the arrow keys on your keyboard.
Gathering information about hosts is very easy when using SATAN - too
easy sometimes, because it follows lines of trust that are often hidden
from casual observation, and you'll soon find it scanning networks and
hosts that you had no idea were connected to your net. As an
intellectual or learning exercise this is wonderful, but many sites take
a dim view of you probing (or "attacking", as they'll claim) their site
without prior permission. So don't do it.
The easiest and safest way to gather it is by simply selecting a target host that you'd like to know more about and then probe that host (and the subnet as well, if you wish) with the default settings: no host-to-subnet expansion, and a maximum proximity level of zero (see the satan.cf (SATAN configuration) file for more on this.)
See the tutorial on how to scan a target for the first time.
SATAN has a very simple way of opening or creating its databases (this
is how SATAN keeps all of its records, including the hosts that it's seen
(in the "all-hosts" file), the current set of facts (in the
"facts" file), and what should be run next ("todo")
If you choose the "SATAN Data Management" from the SATAN Control Panel, you have two choices, to either open an existing set of data or to start a new database.
Note! Opening or creating a new database will remove any other information of other databases or scans that are currently in memory.
If you've opened an old database, you can now query it, run new tests against the hosts, etc.
Looking at and understanding the results
Easy to use, hard to describe. That's how the SATAN Reporting and
Analysis works. There are three broad categories, each with
fundamental differences in how they approach and analyze the data
gathered from scanning. Although they are different categories, since
so much information is tied together with hypertext, you can start from
any of these categories and find the same information, but with a
different emphasis or display on certain parts of the information. Most
queries will present the user with an index that facilitates movement
within that query type - the amount of information can get quite large -
and a link that will lead the user back to the Table of Contents. In
addition, vulnerabilities have links to a description of the problem,
including what it is, what the implications are with respect to
security, as well as how to fix it. If a CERT advisory applies to this
particular problem then there is a link to that as well.
There are three basic ways of looking at the vulnerability results of your scan:
An enormous amount of information can be gained by examining the various subcategories of this section - remember, the more intensive the SATAN probe, the more information will be gathered. Typically this will show either the numbers of hosts that fall under the specific category with hypertext links to more specific information about the hosts or the actual list of hosts (which can be sorted into different orders on the fly). If there is a host listed with a red dot () next to it, that means the host has a vulnerability that could compromise it. A black dot () means that no vulnerabilities have been found for that particular host yet. Clicking on links will give you more information on that host, network, piece of information, or vulnerability, just as expected.
The categories are:
Hints, Further Tricky Security Implications,
or Getting the Big Picture
It's just as important to understand what the SATAN reports don't
show as well as what they show. It can be very comforting to see SATAN
returning a clean bill of health (i.e. no vulnerabilities found), but
that will often merely mean that more probing should be done. Here are
some general suggestions on how to get the most out of SATAN; this
requires a fairly good understanding of the
satan.cf (SATAN configuration) file:
The Command-line Interface
For those without a good HTML browser, for those die-hard Un*x types
that despise GUI's, or for simply firing off probes when you don't want
to leave a several megabyte memory hog (your HTML viewer) doing
essentially nothing, all of the probing functionality is accessible from
your favorite Un*x shell prompt. However, you cannot
examine the reports, do queries, or any of a number of other nifty
things by simply using the command line. This is because the reporting
programs were written to emit HTML code, and even the two hard-core Un*x
hackers who wrote this program love (and hate, we must admit) what HTML
Here are the command line options and what they do (SATAN enters interactive mode when no target host is specified); further explanations of the variables that are mentioned here can be found in the satan.cf (SATAN configuration) file.