Internet Security Professional Reference: SATAN and the Internet


The Control Panel

The SATAN Control Panel is your primary control menu for using SATAN (see fig. 8.1). There you find links to HTML pages that enable you to do the following:

  Manage the data gathered by SATAN
  Choose target systems and run scans
  Generate reports and analyze data
  Modify the default configuration for searches
  Gain access to SATAN’s documentation and tutorials


Figure 8.1  The SATAN Control Panel.

In addition to the major options listed, a few links permit the user to FTP the latest version of SATAN from a Dutch FTP archive, to change the name of the program to SANTA (if the name SATAN offends you), to find information about the artwork in the program, and to find information about the authors of the program.

Data Management

Each SATAN scan of a target system generates a series of database records that are stored in a database file. The default name of the database file is satan-data. For maintaining large amounts of data, SATAN enables you to specify the name of the database file. If you choose the SATAN Data Management option from the SATAN Control Panel, your web browser displays the screen shown in figure 8.2. The screen shows you the names of the existing databases and enables you to do the following:

  Open an existing database.
  Create a new database.
  Merge current data with an existing database.


Figure 8.2  The SATAN Data Management screen.

Notice that the URL in the Location field of figure 8.2 includes a TCP port number and a 32-byte value. The port number corresponds to the port that the SATAN HTML daemon (html.pl) is listening on, and the 32-byte value is the password that permits access. The password is generated by an md5 hash function and should be unique to your system.

Target Selection

When you are ready to run a SATAN scan, choose the SATAN Target Selection option on the SATAN Control Panel. By selecting that option, you are first presented with the screen shown in figure 8.3—the SATAN Target Selection screen. From here, you can specify the following:

  The name of the system to scan (for example, cat.cup.hp.com)
  Whether SATAN should scan all hosts on the same subnet
  The level of the scan (light, normal, or heavy)


Figure 8.3  The SATAN target selection screen.

After specifying this information, you can initiate the scan. As the scan proceeds, the SATAN Data Collection screen shown in figure 8.4 displays the name of each component scan program (mostly .satan scripts) being executed, along with its parameters. Note that each component scan program is invoked through the timeout program. This timeout program acts as a wrapper around the actual program, using its first argument as the maximum number of seconds that the program is permitted to run before the timeout program sends it a signal to terminate it. The signal that the timeout program sends, and the timeout values, can be configured using the satan.cf file or the SATAN Configuration Management screen. Notice from figure 8.4 that the scan of this single host took about 38 seconds.


Figure 8.4  The SATAN Data Collection screen.

After the scan completes, you can select the View Primary Target Results option from the SATAN Data Collection screen to get to the SATAN Results screen, shown in figure 8.5. The SATAN Results screen provides a summary of information about the host, as well as a list of vulnerability information. These results are based on the database records generated by the scan.


Figure 8.5  The SATAN Results screen.

Reporting and Data Analysis

After running scans on several hosts, you might want to generate reports or analyze the data from multiple hosts. By choosing the SATAN Reporting & Data Analysis option from the SATAN Control Panel, you are presented with the screen shown in figure 8.6. From this SATAN Reporting and Analysis screen, you can generate reports on all the scan results by the following criteria:

  Approximate danger level
  Type of vulnerability
  Vulnerability count
  Class of service
  System type
  Internet domain
  Subnet
  Host name


Figure 8.6  The SATAN Reporting and Analysis screen.

You can also generate a list of trusted hosts and trusting hosts. By selecting the By Type of Vulnerability option on the SATAN Reporting and Analysis screen, you get the SATAN Vulnerabilities - By Type report shown in figure 8.7. This screen is very useful if you are trying to eliminate security problems of a certain type. For example, if you thought that hackers were actively attacking systems running rexd, this screen would be very useful in helping you to determine the scope of the problem.


Figure 8.7  The SATAN Vulnerabilities - By Type report.

Configuration Management

By choosing the SATAN Configuration Management option from the SATAN Control Panel, you can modify the configuration set in satan.cf. Using the screens shown in figures 8.8 and 8.9, you can modify the following parameters:

  The directory to keep the data in
  The default probe level
  The timeout value for each network probe
  The kill signal sent to tool processes at timeout
  The maximum proximity amount (maximal proximity)
  The proximity descent value
  Whether to stop when the probe level hits 0
  Whether to scan the entire subnet of the target
  Whether the intruder system is trusted
  Limits on what hosts to probe (by domain name or subnet address)
  Limits on what hosts cannot be probed
  Two workarounds: one tells SATAN to use nslookup (for NIS environments) or gethostbyname() lookups (for DNS environments), and one tells SATAN whether or not to use ping (because ping depends on ICMP, environments where ICMP does not work will want to disable ping; not many systems fall into this category).


Figure 8.8  The SATAN Configuration Management screen, part 1.


Figure 8.9  The SATAN Configuration Management screen, part 2.

