Internet Security Professional Reference:SATAN and the Internet


Look for Weak Links

If the network scans don’t reveal any vulnerabilities, the hacker may need to resort to non-network attacks.

The hacker might try a “Wargames” or “war dialer” type of dialing attack to determine modem addresses for the site. The hacker uses a modem to call every single phone extension in an organization until the hacker discovers all modems connected to phone lines. Two popular war dialer programs are “ToneLoc” and “PhoneTag.” If the site permits dial-in access, this could lead to an intrusion.

The hacker might try to get physical access to the network, with some sort of site tap. The hacker might try to use people inside the organization, or former employees, to gain information or access. A hacker could interview for a job in the organization, gain some free time during the interview, walk up to a system on the site, and open a hole.

Summarize the Remote Network Attack

To summarize, the first phase of an attack is to get a login and password on the target systems. This first phase consists of two parts: building up a list of security holes and building up a database of information on the target. By matching the vulnerability with the opportunity, the hacker can gain access.

Automate the Search

Doing a search by hand is tedious and slow, considering that automation is easy with a computer system. One should seriously consider automating the search for network vulnerabilities. SATAN can be used to automate this search.

The First Meeting with SATAN

“Soon will rise up what I expect; and what you are trying to imagine now soon must reveal itself before your eyes.”

—Dante Alighieri, Inferno, Canto XVI, lines 121–123

SATAN is an automated network vulnerability search and report tool that provides an excellent framework for expansion. The authors indicate that SATAN stands for “Security Analysis Tool for Auditing Networks.”

Although a form of the SATAN program can be run from the Unix command line, SATAN is primarily intended to be run through a web browser. Users indicate a target host or network, along with proximity search levels and search depth, and initiate a search. SATAN gathers as much information as possible about these targets and can search nearby hosts, as guided by the proximity rules. (Proximity rules are fully explained later in this chapter. Basically, if a scan of a target system reveals other host names, such as that target’s DNS server, SATAN will consider those hosts to be on a proximity of “1” to the target. SATAN can be configured to make scans of the target and all hosts that are a certain proximity level away from that target.) It then adds search information into a standardized database that it uses for a variety of reports.
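The proximity idea described above, shown as an added example (this is not SATAN's code, which is written in PERL): a Python model that assigns proximity levels by walking outward from the target and stops at a maximum level. The host names, the discovery map, and the allowed_suffixes scope list that keeps the walk inside domains the auditor is authorised to scan are all assumptions made for illustration.

```python
from collections import deque

# Constructed sample data: hosts that a scan of each host revealed
# (for example its DNS server or an NFS client). All names are made up.
DISCOVERED = {
    "www.example.com": ["ns1.example.com", "mail.example.com"],
    "ns1.example.com": ["ns2.example.com", "ns.isp.example.net"],
    "mail.example.com": ["files.example.com"],
    "ns.isp.example.net": ["core.isp.example.net"],
    "files.example.com": ["backup.example.com"],
}

def in_scope(host, allowed_suffixes):
    """True when host is inside a domain the auditor is authorised to scan."""
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)

def proximity_levels(target, discovered, max_proximity, allowed_suffixes):
    """Breadth-first walk from target; returns ({host: proximity}, skipped).

    The target is proximity 0, hosts its scan reveals are proximity 1, and
    so on. Hosts beyond max_proximity are never added. Out-of-scope hosts
    are recorded in skipped and nothing found through them is followed.
    """
    levels = {target: 0}
    skipped = set()
    queue = deque([target])
    while queue:
        host = queue.popleft()
        if levels[host] >= max_proximity:
            continue  # hosts at the limit are kept but not expanded
        for neighbour in discovered.get(host, []):
            if neighbour in levels:
                continue  # already reached at an equal or lower level
            if not in_scope(neighbour, allowed_suffixes):
                skipped.add(neighbour)
                continue
            levels[neighbour] = levels[host] + 1
            queue.append(neighbour)
    return levels, skipped

if __name__ == "__main__":
    levels, skipped = proximity_levels(
        "www.example.com", DISCOVERED, 2, ["example.com"])
    for host, level in sorted(levels.items(), key=lambda kv: kv[1]):
        print(level, host)
    print("out of scope, not followed:", sorted(skipped))
```

Raising the maximum proximity by one level can pull in every host that the previous level's hosts refer to, which is why the scope check is applied before a host is queued rather than after.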

SATAN consists of a small PERL kernel, along with a number of C programs that do vulnerability checks, and a large number of PERL support programs that control the searches, store results to database files, generate reports, and emit HTML forms. Along with these executables, a large number of pre-prepared HTML documents and tutorials are included.

History

The two authors of SATAN are Wietse Venema and Dan Farmer. According to the doc/design.html web page in their SATAN distribution, some of the design goals of SATAN were as follows:

  Investigate mapping of the security of large networks
  Use the traditional Unix toolbox approach of program design
  Make the product freely available
  Discover as much network information as possible without being destructive
  Create the best investigative security network tool

Although early versions of SATAN were already available in late 1993, the advent of web browsers in 1994 seemed to be the big turning point for the direction of the program. By early 1995, the program was already being beta-tested by many people. The creators chose April 5, 1995, Dan Farmer’s birthday, to release SATAN to the world.

The initial publicity over SATAN began in February, 1995, as the mass media took interest in the program. This could have been due to the media’s continuing interest in network security, the unique name of the program, or the flamboyance of one of the creators.

The New York Times wrote, “It discovers vulnerabilities for which we have no solutions.” The Los Angeles Times warned, “SATAN is like a gun, and this is like handing a gun to a 12-year-old.” TV stations (KTVU Channel 2 Oakland) showed five-minute reports on the topic, including interviews with the creators. The San Francisco Chronicle had photos of Dan Farmer, along with the story.

Vendors were flooded by requests for protection, and security bulletins were quickly released, along with patches. The program was distributed by dozens of FTP sites to thousands of users. Protection programs, which enabled users to see if they had been visited by SATAN, were quickly announced and distributed.

Quite quickly, a security hole was found in SATAN, resulting in a revision and redistribution of the program.

Despite claims that SATAN would result in massive criminal activity, the hopes and expectations of the authors were realized. SATAN did not appear to greatly increase the number of intrusions, but it did lead to a strengthening of network security by causing vendors to release patches and users to inspect and tighten up their system security.

Unfortunately, few additional vulnerability searches have been added to SATAN since the initial release, at least to the SATAN distributions available from the primary FTP archives. Individual users have added such probes but are perhaps not forwarding these additions back to the major distributions.

The Creators

Wietse Venema released SATAN while working for the Eindhoven University of Technology in the Netherlands. He has written many useful security tools, such as tcp_wrappers; a secure portmap program; a secure rpcbind program; logdaemon, which improves logging and auditing; as well as SATAN. He also coauthored the influential paper Improving the Security of Your Site by Breaking Into It with Dan Farmer (Farmer & Venema, 1993). A complete list of his papers and tools is available via ftp://ftp.win.tue.nl/pub/security/index.html.

Dan Farmer, along with Gene Spafford at Purdue University, helped to create the COPS security program. As a result of SATAN’s release, he was interviewed on TV and quoted in quite a few newspapers and magazines. His home page says that his girlfriend at the time, Muffy, chose the name SATAN. His home page is at http://www.trouble.org/~zen/satan.

