Internet Security Professional Reference: SATAN and the Internet


Getting SATAN

SATAN is available from the following sites:

  ftp://ftp.mcs.anl.gov/pub/security/satan-1.1.1.tar.Z
  ftp://coast.cs.purdue.edu/pub/tools/unix/satan
  ftp://vixen.cso.uiuc.edu/security/satan-1.1.1.tar.Z
  ftp://ftp.denet.dk/pub/security/tools/satan/satan-1.1.1.tar.Z
  ftp://ftp.luth.se/pub/unix/security/satan-1.1.1.tar.Z
  ftp://ftp.acsu.buffalo.edu/pub/security/satan-1.1.1.tar.Z
  ftp://ftp.acsu.buffalo.edu/pub/security/satan-1.1.1.tar.gz
  ftp://ftp.net.ohio-state.edu/pub/security/satan/satan-1.1.1.tar.Z
  ftp://ftp.cerf.net/pub/software/unix/security/satan/
  ftp://coombs.anu.edu.au/pub/security/satan/
  ftp://ftp.wi.leidenuniv.nl/pub/security/
  ftp://ftp.cs.ruu.nl/pub/SECURITY/satan-1.1.1.tar.Z
  ftp://ftp.cert.dfn.de/pub/tools/net/satan/satan-1.1.1.tar.gz
  ftp://cnit.nsk.su/pub/security/satan/satan-1.1.1.tar.Z
  ftp://ftp.orst.edu/pub/packages/satan/satan-1.1.1.tar.Z
  ftp://ciac.llnl.gov/pub/ciac/sectools/unix/satan/satan-1.1.1.tar.Z
  ftp://ftp.nvg.unit.no/pub/security/tue/satan-1.1.1.tar.Z
  ftp://ftp.win.tue.nl/pub/security/satan-1.1.1.tar.Z

After you have downloaded SATAN to your system via ftp, run uncompress satan-1.1.1.tar.Z (or compress -d satan-1.1.1.tar.Z) and then tar xvf satan-1.1.1.tar to extract all the SATAN files.

At this point, the SATAN directory should look like this:

Changes    TODO       html/      perllib/   rules/     satan.ps
Makefile*  bin/       include/   reconfig*  satan      src/
README     config/    perl/      repent*    satan.8

Examining the SATAN Files

A more detailed look at the files and directories included in the SATAN distribution provides an insight into how SATAN works and how it can be extended.

The satan-1.1.1 Directory

The top-level directory contains the following files:

  Makefile: Compiles the C programs in the src directory
  satan: The master SATAN program, written in PERL
  README: A one-page guide to getting SATAN running
  TODO: Wish list for future enhancements
  satan.8: A man page for the command-line version of SATAN
  satan.ps: A drawing of the SATAN character
  reconfig: Fixes pathnames using file.paths, PERL location
  repent: Changes all occurrences of SATAN to SANTA
  Changes: List of changes to SATAN program

Note that SATAN creates a satan-1.1.1/results directory to store the results. This directory is searchable and readable only by root.
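
The listing and the note about results/ can be turned into a quick post-extraction audit. The script below is an added example, not part of the SATAN distribution or of the original text. The function names are hypothetical, the trailing "*" in the listing is read as the ls -F mark for an executable, and the sample tree it builds is constructed from empty files.

```shell
#!/bin/sh
# Added example: audit an unpacked satan-1.1.1 tree against the listing above.
# A trailing "*" in that listing is the ls -F mark for an executable file.
EXPECTED_DIRS="html perllib rules bin include config perl src"
EXPECTED_FILES="Changes TODO satan.ps Makefile satan README satan.8 reconfig repent"
EXPECTED_EXEC="Makefile reconfig repent"

# audit_satan_tree DIR [UID]: print one line per problem, return 1 if any.
# UID is the expected numeric owner of results/ (default 0, i.e. root).
audit_satan_tree() {
    dir=$1; want_uid=${2:-0}; bad=0
    for d in $EXPECTED_DIRS; do
        [ -d "$dir/$d" ] || { echo "missing directory: $d"; bad=1; }
    done
    for f in $EXPECTED_FILES; do
        [ -f "$dir/$f" ] || { echo "missing file: $f"; bad=1; }
    done
    for f in $EXPECTED_EXEC; do
        [ -x "$dir/$f" ] || { echo "not executable: $f"; bad=1; }
    done
    # results/ exists only once SATAN has created it; when present, nobody
    # but its owner may read or search it.
    if [ -d "$dir/results" ]; then
        set -- $(ls -ldn "$dir/results")   # $1 = mode string, $3 = numeric uid
        case $1 in
            d???------*) ;;
            *) echo "results/ open to group or other: $1"; bad=1 ;;
        esac
        [ "$3" = "$want_uid" ] || { echo "results/ owned by uid $3, expected $want_uid"; bad=1; }
    fi
    return $bad
}

# make_sample_tree: build a constructed copy of the layout and print its path.
make_sample_tree() {
    t=$(mktemp -d)
    for d in $EXPECTED_DIRS results; do mkdir "$t/$d"; done
    for f in $EXPECTED_FILES; do : > "$t/$f"; done
    for f in $EXPECTED_EXEC; do chmod 755 "$t/$f"; done
    chmod 700 "$t/results"
    echo "$t"
}

# Demo on constructed data: loosen results/ and let the audit flag it.
demo=$(make_sample_tree)
chmod 755 "$demo/results"
audit_satan_tree "$demo" "$(id -u)" || echo "audit failed for $demo"
rm -rf "$demo"
```

On a real installation, call audit_satan_tree with the path to satan-1.1.1 and no second argument so that results/ is required to be owned by root.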

The include Directory

The include directory is created only for Linux. Some distributions of Linux require the 44BSD /usr/include/netinet files to compile. SATAN creates the following two directories but does not put any files into them. If the top-level make for Linux is unable to find ip.h, it assumes that all the netinet files are missing and tells the user to put the netinet files from 44BSD into the following directory:

  include/netinet/

The rules Directory

The rules directory is critical to the functioning of SATAN. It holds the inference rules that determine SATAN's next actions based on previous results, and that draw assumptions from the information gathered so far. It includes the following files:

  rules/facts: Deduces new facts based on existing data
  rules/hosttype: Recognizes hosts based on banners
  rules/services: Classifies host by available services
  rules/todo: Specifies what rules to try next
  rules/trust: Classifies trust based on the database records
  rules/drop: Specifies which facts to ignore, such as NFS export cdroms

The config Directory

SATAN users need to customize the pathnames to system utilities in the appropriate files in the config directory. In addition, the SATAN configuration file, satan.cf, is located here. This configuration file controls the default behavior of SATAN, indicating the scan type, the content of each scan, the proximity search variables, and timeouts.

This directory includes the following files:

  config/paths.pl: Path variables for PERL files
  config/paths.sh: Path variables for shell execution
  config/satan.cf: SATAN configuration file
  config/version.pl: SATAN version file
  config/services: An /etc/services file, just in case

The perllib Directory

The perllib directory includes two files from the PERL5.000 distribution that are missing from some PERL5.000 FTP sites. Just in case, SATAN includes them in this directory. It includes the following files:

  perllib/ctime.pl: Includes time functions
  perllib/getopts.pl: Gets command-line options
  perllib/README: Explains why these PERL files are included

The bin Directory

The bin directory contains the actual executables used by SATAN to investigate remote systems. After the top-level make is executed, all the binaries resulting from builds in the src directory are deposited into this directory. All the distributed .satan files are PERL scripts, and many of them invoke the binaries resulting from src/ builds. Each .satan executable generates a SATAN database record if it finds a piece of information about the remote host.

SATAN refers to each .satan program as a tool. Users can execute each of these PERL scripts by hand to investigate particular vulnerabilities. Many of them include a verbose (-v) option that reports exactly what they are doing. Users who wish to add extra security checks can create similar files and place them here with the .satan extension.

