The PERL directory contains the heart of the utilities that make up the SATAN program. Notice that the html.pl program acts as SATAN’s web daemon, listening on a TCP port, authenticating HTML page requests, and responding with the appropriate HTML page.
This directory includes the following files:
•perl/config.pl. Rewrites the satan.cf file based on changes made through the web interface
•perl/cops2satan.pl. Converts COPS warning report into SATAN rules (this is experimental and not accessible from the web interface)
•perl/domains.pl. Sifts information by domain names
•perl/get_host.pl. Uses gethostbyaddr() or gethostbyname() to find the fully qualified domain name of a host
•perl/getfqdn.pl. Uses nslookup to find the fully qualified domain name of a host
•perl/hostname.pl. Finds own hostname
•perl/hosttype.pl. Classifies host by banner info
•perl/html.pl. Acts as HTML server with md5 authentication (this is the SATAN Web daemon)
•perl/infer_facts.pl. Generates new facts based on rules
•perl/infer_todo.pl. Generates list of new targets based on todo information
•perl/misc.pl. Contains utility subroutines
•perl/policy-engine.pl. Guides the selection of targets according to policies set in the configuration file
•perl/reconfig.pl. Replaces program names in SATAN with pathnames indicated in file.paths
•perl/run-satan.pl. Sets up list of targets, executes scans against targets, collects facts, processes todo information, and saves data
•perl/satan-data.pl. Includes data management routines
•perl/services.pl. Classifies host by services used and provided
•perl/severities.pl. Classifies vulnerabilities
•perl/shell.pl. Runs a command and uses a timeout to ensure that it finishes
•perl/socket.pl. Executes sys_socket binary
•perl/subnets.pl. Sifts subnet information
•perl/suser.pl. Checks if SATAN is running as root
•perl/targets.pl. Generates target lists, executes target probes, and saves scan information
•perl/todo.pl. Stores and processes information about hosts discovered while scanning a target—“to do” information
•perl/trust.pl. Maintains trust statistics
•perl/status.pl. Maintains time, date, and status file
Note: PERL 5.000 (or later) is required to run SATAN. PERL 5.000 is available from any FTP archive that mirrors the gnu distributions, including the following:
Even though SATAN consists of a large number of PERL, C, and HTML files, building SATAN is quite straightforward and quick. Considering the flexibility of SATAN’s modular design, the ease of use of SATAN’s user interface, and the powerful functionality, SATAN is extremely easy to build. (SATAN’s only possible weakness could be its speed—as a result of the large number of PERL scripts and modularity, SATAN is not as fast as a comparable monolithic binary.)
Note that building SATAN basically consists of modifying pathnames to correspond to your system, and compiling the few binary utilities. The entire process takes only a few minutes.
Follow these steps to build SATAN:
1. Edit the paths.pl and paths.sh files in config/ to point to the actual location of utilities on your system.
2. Edit the config/satan.cf file to correspond to your requirements. Specifically, you should consider adding entries to $only_attack_these and $dont_attack_these. These two variables provide control over what hosts are included in SATAN scans. For example, you might want to run scans only against systems inside notreal.com, so you would use the $only_attack_these variable to limit the scans to hosts inside the notreal.com domain.
Note: You can make modifications to satan.cf from within SATAN using the SATAN Configuration Management screen.
3. Run the reconfig script. It patches scripts with the path for PERL 5.00x and a web browser. If the web browser selected by reconfig is inappropriate, edit the config/paths.pl file to point to the web browser of choice. Notice that the variable for a web browser is called $MOSAIC.
4. Run the make command in the satan-1.1.1/ directory. You need to specify a system type, such as irix5.
5. The authors of SATAN recommend that you unset proxy environment variables or browser proxy settings.
6. Su or log in to root.
7. Run the SATAN script. If no command-line arguments are given, the script invokes a small web (HTML) server, html.pl, and the web browser to talk to this HTML server.
At this point, the primary SATAN screen is displayed and you are ready to use SATAN.
To use SATAN from the command line, you must list command-line arguments as indicated by the satan.8 man page. Note that the authors recommend against using the command-line version of SATAN, because the user interface involves many command-line arguments that can be somewhat confusing. The web interface is much easier to use.
Using SATAN’s HTML Interface
The interactive version of SATAN consists of a sequence of HTML pages that are viewed through the web browser. The general structure consists of a control panel that leads to five different functional areas: data management, target selection, reporting and analysis, configuration management, and documentation. Most screens give a link back to the SATAN Control Panel.
