|
The SAINT User Interface
SAINT was designed to have a very "user friendly" user interface. All
of the SAINT output (except debugging output) and almost
all of the SAINT user interface is written into HTML. This means,
of course, that a user may use any standard Web-browser, such as Netscape
or lynx, to view it.
Subsections in the User Interface section:
The Basics
An HTML browser is required to do report queries. As all of the SAINT
documentation is written in HTML, it is highly suggested that an HTML
browser be used to read it. Or, if you would prefer, it may also be
printed out and read as hard-copy documents. If you have any questions
about the use of your Web browser, please refer to your browser's
documentation.
This section of the SAINT documentation details some of the basic SAINT
design concepts and also how to navigate through the SAINT user interface.
Having said this, though, perhaps the best way to learn the workings
of the program is to simply start pointing and clicking on the different
sections of the HTML user interface with your mouse. The only exception
is the Target Selection screen, where trial and error might not be the
best method because you could inadvertently start a scan.
Data Management
SAINT employs a very simple method for opening and/or creating any
databases that it might need. These databases are where SAINT stores
all of its records, such as hosts identified in a scan (in the all-hosts
file), the current set of facts generated in a scan (in the facts file)
and the actions to be performed next (in the todo file).
See the SAINT database description if you'd like
more information on those files.
All of SAINT's data collection output will be written to the current set of
databases, which are kept in results/<directory name>.
The directory name can be chosen from the Configuration Management
screen, the config/saint.cf file, or from the
command line. A directory called
saint-data will be automatically created if no other name is
chosen.
If you choose the SAINT Data Management from the SAINT Control
Panel, you have three choices; open an existing set of data,
start a new database, or to merge the contents of an on-disk database
with the in-core data.
Note!
Opening or creating a new database will destroy all other in-core
information from other databases or scans. For this reason it is a good
idea to choose a database before collecting data. All queries
will go to the in-core database. New data collection results, etc.
will go into the currently selected on-disk database.
Merging a database concatenates the contents of the chosen on-disk
database to the in-core information. Although care
must be taken to have enough physical memory to contain all the databases,
SAINT becomes more and more interesting as more information is
combined, because more correlation, trust, and patterns can
be detected. In addition, when large databases from different but
connected sites (i.e., users logging in from one site to another or
important data sharing relationships) are combined, better information
may be gleaned from both sites. For instance, a group of system
administrators could exchange SAINT database information with one
another in an attempt to establish a mutually beneficial security
collective. In theory, it would be interesting to combine information
from hundreds of thousands of hosts found on the Internet and then
analyze that information (though the memory and CPU speed required
to do so would be great indeed!)
Gathering Data
Using SAINT to gather information about hosts and/or networks is fairly
easy. Indeed, it may be too easy, as SAINT follows lines of trust
that are often hidden from casual observation. This means, of course,
that you might start a SAINT scan and soon find it probing networks
and hosts that you had no intention of scanning. It goes without saying
that many site administrators take a dim view of any unauthorized
probing of their systems, and will probably view your probe as an attack
of one kind or another. As such, it pays to take precautions when
performing a scan, and SAINT has several built-in features that help
you in this regard.
The easiest and safest way to gather it is by simply selecting a
target host that you'd like to know more about and then probe that host
with the default settings:
no host-to-subnet expansion, and a maximum
proximity level of zero. (These and other settings are discussed
in greater detail in the config/saint.cf
documentation.)
For more information on scanning a target for the first time, see the
tutorial.
Looking at and understanding the results
The SAINT Reporting & Analysis feature has often been described
as "easy to use, hard to describe". Using SAINT in a sane and wise
manner is up to you, but we will attempt to describe this feature in
a clear and concise manner here.
There are three broad categories found in the SAINT Reporting & Analysis
feature (vulnerabilities, information and trust), each with fundamental
differences in their approach and analysis of any data gathered during
a scan. Much of the data gathered and found in each category, though,
is tied together and cross-referenced in the form of hyperlinks.
The categories differ in that each will emphasize and display different
portions of the data. Most queries will present you with an index
that facilitates movement within that query type, as the amount of
information may be quite voluminous. A link will also be provided
back to the table of contents. In addition, any vulnerabilities found
will have either external or internal links to information describing
what it is, what the existence of the vulnerability means with respect
to security and information on how to fix the vulnerability. The
external links might include information found on such security sites
as CERT or CIAC.
Now, let's take a look at the categories of information that may be viewed:
- Vulnerabilities.
What and where are the weak points of a scanned host or network?
- Host Information.
The host information is very important. The host information can show
where the servers are on a network, identify the "important" hosts
on a network, and break the network down into subnets and organizational
domains. In addition, individual hosts may be queried here.
- Trust.
SAINT is able to follow and identify the web of trust between systems,
such as trust established through remote logins and trust established
through shared file systems.
A colored dot will appear next to every host or vulnerability listed
under the above categories. The color of the dot will correspond
to the severity level of the host
or vulnerability.
Vulnerabilities
There are three basic methods for viewing the vulnerability results
found after performing a scan:
- Approximate Danger Level: All of the probes generate a basic
level of danger if they find a potential problem. This method sorts
all of the problems by severity level (e.g. the most serious level
compromises the "root" account on the target host, the least
is a warning to check out a possibly unneeded service.)
- Type of Vulnerability: This method simply shows all of the
vulnerability types found during the probe, plus a corresponding list
of hosts that fall under the vulnerability types.
- Vulnerability Count: This method displays which hosts have the
most problems, as indicated by the sheer number of critical problems,
areas of concern, and potential problems found during the probe.
It is a good idea to experiment with all of these methods when first
learning SAINT. This will help you determine which is the most intuitive
and informative for you, and which best suits your needs. After using
SAINT for some time, it will become easier to determine which type of
query will be ideal for your needs, as determined by the probe that you
are conducting at the time.
Host Information
An enormous amount of information can be gained by examining the various
subcategories of this section - remember, the more intensive the SAINT
probe, the more information will be gathered. Typically this will show
either the numbers of hosts that fall under the specific category with
hypertext links to more specific information about the hosts, or the
actual list of hosts, which can be sorted into different orders
dynamically. The color of the dot next to each host corresponds to
the severity level of the host.
Clicking on links will give you more information on that host, network, piece of
information, or vulnerability, just as expected.
The categories are:
- Class of Service. This category shows the various network services that the
collected group of probed hosts offer - anonymous FTP, WWW, etc.
It is gathered by examining information garnered by rpcinfo and by
scanning TCP ports.
- System Type. This category breaks down the probed hosts by the hardware type
(Sun, SGI, Ultrix, etc.); this is further subdivided by the OS version,
if possible to ascertain. This is determined by NMAP if available, or inferred by
the various network banners of ftp, telnet, and
sendmail.
- Internet Domain. This category shows the various hosts broken down into DNS
domains. This is very useful when trying to understand which domains
are administered well or are more important (either by sheer numbers or
by examining the numbers of servers or key hosts, etc.)
- Subnet. A subnet (as far as SAINT is concerned) is a block of up
to 256 adjacent network addresses, all within the last octet of the IP
address. This is the most common way of breaking up small
organizations, and can be useful for showing the physical location or
concentration of hosts in larger systems.
- Host name. This category allows a query of the current database
of probe information about a specific host.
Trust
This category is a way of
finding out which are the most important hosts on the network. The more hosts that
trust a host (e.g. depend on some service, have logged in from the host, etc.),
the greater the damage that could result if it is compromised. Keep in
mind that a trusted host is an attractive target for attackers; once
this type of host has been broken into, the intruder has a good chance
of breaking into all of its dependent hosts as well.
Severity Levels
All hosts and vulnerabilities reported by SAINT will be listed next
to a colored dot which corresponds to the severity level. The severity
level of a vulnerability indicates the potential for damage
if the vulnerability is indeed exploited by an intruder, and SAINT's level
of confidence that the vulnerability truly exists. The severity level
of a host is the severity level of the most severe vulnerability
found on the host.
The following severity levels are used by SAINT:
- Critical Problems (Red
):
Services that are vulnerable to attack. Attackers exploiting these
services may cause substantial harm.
- Areas of Concern (Yellow
):
Services that may directly or indirectly assist an attacker in
determining passwords or other information that could be used in
an attack.
- Potential Problems (Brown
):
Services that may or may not be vulnerable, depending on the version
and configuration. Further investigation on the part of the
administrator may be necessary.
- Services (Green
):
Services that do not have any vulnerabilities apparent through
remote assessment.
- Other Information (Black
):
No services were found, or other information was found.
If SAINT does report a problem or vulnerability, it means that the problem
is possibly present. For instance, the presence of TCP wrapper, a
packet filter, firewall or other security measures on a target host
could cause SAINT to return a false alarm. Unconfirmed vulnerabilities
usually fall into the brown level, but it is also possible for a red
or yellow vulnerability to be a false alarm. In that same vein,
the presence of a green dot next to a host does not mean that the
host has no security holes. It means only that SAINT did not find any
vulnerabilities in the current scan. Re-scanning at a higher level, or
running additional probes, might uncover vulnerabilities missed during
the previous scan. Also, examining the SAINT database might also
provide clues as to why certain security holes were, or were not,
found. For example, a check of the SAINT database may show that
certain probes were timing out as opposed to actually failing. If
this is the case, the probes should be run again, probably with a higher
timeout value. As always, clicking on the provided links
will provide information on a particular host, piece of information,
or vulnerability.
Hints, Further Tricky Security Implications,
or Getting the Big Picture
It's just as important to understand what the SAINT reports don't
show as well as what they show. It can be very comforting to see SAINT
returning a clean bill of health (i.e. no vulnerabilities found), but
that will often merely mean that more probing should be done. Here are
some general suggestions on how to get the most out of SAINT; this
requires a fairly good understanding of the
config/saint.cf (SAINT configuration) file:
- Probe your own hosts from an EXTERNAL site! This
is a necessity for firewalls, and a very good idea
for sites in general.
- Probe your hosts as heavily as possible, and use a high
$proximity_descent value (2 or 3 are good.)
- Use a very low $max_proximity_level - it is almost never necessary
to use more than 2. However, if you're behind a firewall (e.g.
have no direct IP connectivity from the host that is running the SAINT
scan), you can set this higher. It is very hard to envision any situation
in which you will need to set this value to anything beyond single digits.
Note: Be very careful if you're running SAINT behind a
firewall that allows inside users to have direct IP connectivity to hosts
on the Internet! You are essentially on the Internet as far as SAINT
is concerned.
- Start with light probes and probe more heavily when you see
potential danger spots. Keep tight control over what you scan - don't
scan other people's hosts without permission!
- Use the $only_attack_these and $dont_attack_these
variables to control where your attacks are going.
- Collect all of your user's .rhosts files and make a list of
all external hosts found there. Get permission from the system administrators
of those remote sites and run SAINT against all of them.
- If you have a host which is trusted by many other hosts, or you have a host
which is critical to your organization's operations,
scan them hosts with a "heavy" scan to help
ensure that no one can gain access to these. Unless politically
impossible, scan the entire subnet of these key hosts as well, because
once on a subnet, it's very easy to break into other hosts on the same
subnet.
The Command-line Interface
The command-line interface is ideal for those without a good HTML browser,
for those who wish to schedule scans using cron, or for those who
would rather not run the HTML browser, as it may consume several megabytes
of valuable memory. All of the probing functionality is accessible via
the UNIX shell prompt. The results will be sent to standard output
in a fixed text format. If graphical data analysis is desired, then
invoke SAINT in the usual manner after the command-line scan
is finished, and go directly to Data Analysis.
The syntax for running SAINT is:
./saint [options] [target1] [target2]...
SAINT runs a scan using the command-line interface if one
or more targets are specified on the command line, or if the
-F option is used to specify a target file. Otherwise, SAINT
invokes the HTML browser and enters interactive mode.
target1, target2, etc. can be host names, IP addresses,
IP subnets, or IP address ranges. As many targets as desired can be
specified on the command line, separated by spaces.
Following is a list of the command line options, what they do, and what SAINT
variables they correspond to.
Further explanations
of the variables that are mentioned here can be found in the
config/saint.cf (SAINT configuration) file.
- -a level
- Attack level (0=light, 1=normal, 2=heavy, 3=heavyplus). Variable:
$attack_level.
- -A proximity
- Proximity Descent. Variable: $proximity_descent.
- -c 'name = value; name = value...'
- Change SAINT variables.
Use this to overrule configuration variables that do not have their
own command-line option.
- -d directory
- SAINT database (data directory) to read already collected data from,
and to save new data to. Variable: $saint_data.
- -f
- Enable firewall analysis. Variable: $firewall_flag
- -F filename
- Read list of primary targets from file. Variable:
$use_target_file, $target_file
- -g guesses
- Number of passwords to guess against each account.
Variable: $password_guesses
- -i
- Ignore already collected data.
- -l proximity
- Maximal proximity level. Variable: $max_proximity_level.
- -o list
- Scan only these hosts, domains or networks. Variable:
$only_attack_these.
- -O list
- Don't scan these hosts, domains or networks. Variable:
$dont_attack_these.
- -q
- Quiet mode. Do not display results of scan.
- -s
- Enable subnet expansions. Variable:
$attack_proximate_subnets.
- -S status_file
- SAINT status file (default status_file).
Variable: $status_file.
- -t level
- Timeout length (0 = short, 1 = medium, 2 = long). Variable:
$timeout.
- -u
- Running from an untrusted host. Variable: $untrusted_host = 1
- -U
- Running from a trusted host. Variable: $untrusted_host = 0
- -v
- Turn on debugging output (to stdout). Variable: $debug.
- -V
- Print version number and terminate.
- -z
- Continue with attack level of zero when the level would become negative. The scan continues until
the maximal proximity level is reached. Variable: $sub_zero_proximity = 1
- -Z
- Opposite of the -z option. $sub_zero_proximity = 0
Back to the Reference TOC/Index
|