Security Analysis Tool for Analyzing Networks
The following is the summary of a presentation that I gave to the CS 385 Networks about Satan, on April 15, 1997. Most of the information came from three sites, which I have listed at the bottom, under LINKS.
Much of this outline follows the Satan Mini-FAQ.
This page is pretty dated and some of the information is incorrect. Some day I'll update it.
Feel free to send E-mail if you need help or are seriously trying to set this application up.
What it is
Satan was released in early April of 1995. It is a set up scripts that can be run from a UNIX system on/against a network to detect security risks. It looks for errors in configuration or from having an old release of an operating system. It is different from COPS, in that you run COPS on a system you have access to to look for holes. Satan is run remotely from your own system against another system or entire networks. You don't have to have access to this system or network to test it.
Some key areas it can discover problems include:
- NFS file systems exported to arbitrary hosts
- NFS file systems exported to unprivileged programs
- NFS file systems exported via the portmapper
- NIS password file access from arbitrary hosts
- Old (i.e. before 8.6.10) sendmail versions
- REXD access from arbitrary hosts
- X server access control disabled
- arbitrary files accessible via TFTP
- remote shell access from arbitrary hosts
- writeable anonymous FTP home directory
- various problems with finger
Not only will it help detect the security problems, it has 13 "tutorials" where it explains the hole, impact of not fixing the problem, and how to fix the problem.
Brief History
Satan was written by Dan Farmer, and Wietse Venema. Wietse Venema is a Dutch researcher, and has written many papers and applications, which are available from his web site. Dan Farmer's home page has disappeared, but you can get a good idea of what he is like by reading an article that appeared in the San Jose Mercury News on April 5th, 1995. This site is not always reachable, so I put a local copy here. Dan had worked for Sun, and got tired of recommending fixes for security, being turned down, then having to fix the problem created by someone exploiting the security hole.
In 1993 they wrote a paper on security, entitled
admin guide to cracking, this was the basis for Satan.(This is a flat text compressed with the UNIX compress command.)
If "SATAN" offends
There is an easy solution if the term "Satan" offends you, or if you think you will have a hard time selling the idea to management of running "Satan". There is a perl script included in the Satan package called repent. By running this before you make the package, it will change all the occurences of the word "Satan" to "Santa" and convert the graphic image to a picture of Santa Clause.
How it works
- fpings range of IP addresses(any number of hosts)
- Probes those systems (does not actually break in)
- Saves data
- Offers tutorial on how to fix security holes
Goals
They wanted to force System Administrators, and Hardware/Software vendors, to deal with security flaws.
What you need
- System Requirements - SunOS 4.1.3_U1, SunOS 5.3 (solaris), Irix 5.3 (SparcStation 4/75, 5, Indigo 2), HP-UX 9.x or Linux (not officially supported on Linux)
20 MB disks, 14-35 Megs Ram
- Software: Besides Satan, you need the following:
Perl 5,
Mosaic
or Netscape
I had some problems trying to get it to work with Linux. One was that my distribution of Linux was from Slackware,
and did not include fping.
The Redhat distribution does include it, and if you download just the fping from Redhat, you need RPM, the Red Hat Package Manager, from them to unpack and install it. Also, with Netscape, I could not get it to start the perl scripts, even following the suggestions from Wietse Venema. I would suggest you try Mosaic first, if you are doing a Linux system.
As for getting Satan, you can find the best list of FTP sites at Utrecht University in the Netherlands. This list is maintained by their CIS Department.
Dangers of Satan
- The wrong people could be using it
- There are legal aspect of scanning your neighbor
- "Right" people using it on wrong systems (again - the neighbors)
Be aware that Satan is easy to configure, and you have to be pretty dumb to "accidentally" scan someone you should not.
Defense against Satan
- Run it on yourself, both from the outside and inside. By running it from the outside, you can asses your risk to outside attack. By running it inside, you get a feel for how open things are, and if you have a serious risk internally.
- Use Courtney. Shortly after Satan came out, someone released an application called Cortney, which is designed to detect if Satan was run against you. Unfortunately, Cortney will only detect aggressive attacks against you. The best route to detect an attack is to use TCP WRAPPERS, available from Wietse Venema.
Good stuff
What I liked about Satan:
- It's completely FREE
- The authors are very competent in what they do, so you get an excellent application
- It's easy to use, since it is a Graphical User Interface
- All the code is included, so you can look and see what it is really doing
- The tutorials, which help you either fix the problem, or assess how bad the risk is of not fixing something.
Cautions
- Attacks - legal ramifications of scanning folks that you should not be
- Can lock up some systems - read the FAQ's before you use it.
Links:
"Official" Satan Web Site with mini-FAQ.
Full FAQ, but dated information.
FTP sites to get Satan from.
Web Master for this page:datamonk@svn.net
Home page of author: datamonk
On line 19 Apr 97 Last modified 19 Apr 97
http://svn.net/datamonk/satan.html
Copyright© 1997 E Grauff