SAINT Documentation
WWDSI
--------

The SAINT User Interface

SAINT was designed to have a very "user friendly" user interface. All of the SAINT output (except debugging output) and almost all of the SAINT user interface is written into HTML. This means, of course, that a user may use any standard Web-browser, such as Netscape or lynx, to view it.



The Basics

An HTML browser is required to do report queries. As all of the SAINT documentation is written in HTML, it is highly suggested that an HTML browser be used to read it. Or, if you would prefer, it may also be printed out and read as hard-copy documents. If you have any questions about the use of your Web browser, please refer to your browser's documentation.

This section of the SAINT documentation details some of the basic SAINT design concepts and also how to navigate through the SAINT user interface. Having said this, though, perhaps the best way to learn the workings of the program is to simply start pointing and clicking on the different sections of the HTML user interface with your mouse. The only exception is the Target Selection screen, where trial and error might not be the best method because you could inadvertently start a scan.

Data Management

SAINT employs a very simple method for opening and/or creating any databases that it might need. These databases are where SAINT stores all of its records, such as hosts identified in a scan (in the all-hosts file), the current set of facts generated in a scan (in the facts file) and the actions to be performed next (in the todo file). See the SAINT database description if you'd like more information on those files.

All of SAINT's data collection output will be written to the current set of databases, which are kept in results/<directory name>. The directory name can be chosen from the Configuration Management screen, the config/saint.cf file, or from the command line. A directory called saint-data will be automatically created if no other name is chosen.

If you choose SAINT Data Management from the SAINT Control Panel, you have three choices: open an existing set of data, start a new database, or merge the contents of an on-disk database with the in-core data.

Note! Opening or creating a new database will destroy all other in-core information from other databases or scans. For this reason it is a good idea to choose a database before collecting data. All queries will go to the in-core database. New data collection results, etc. will go into the currently selected on-disk database.

Merging a database concatenates the contents of the chosen on-disk database to the in-core information. Care must be taken to have enough physical memory to hold all the databases, but SAINT becomes more and more interesting as more information is combined, because more correlation, trust, and patterns can be detected. In addition, when large databases from different but connected sites (i.e., users logging in from one site to another, or important data-sharing relationships) are combined, better information may be gleaned about both sites. For instance, a group of system administrators could exchange SAINT database information with one another in an attempt to establish a mutually beneficial security collective. In theory, it would be interesting to combine information from hundreds of thousands of hosts found on the Internet and then analyze that information (though the memory and CPU speed required to do so would be great indeed!).

Gathering Data

Using SAINT to gather information about hosts and/or networks is fairly easy. Indeed, it may be too easy, as SAINT follows lines of trust that are often hidden from casual observation. This means, of course, that you might start a SAINT scan and soon find it probing networks and hosts that you had no intention of scanning. It goes without saying that many site administrators take a dim view of any unauthorized probing of their systems, and will probably view your probe as an attack of one kind or another. As such, it pays to take precautions when performing a scan, and SAINT has several built-in features that help you in this regard.

The easiest and safest way to gather data is simply to select a target host that you'd like to know more about and probe that host with the default settings: no host-to-subnet expansion, and a maximum proximity level of zero. (These and other settings are discussed in greater detail in the config/saint.cf documentation.)

For more information on scanning a target for the first time, see the tutorial.

Looking at and understanding the results

The SAINT Reporting & Analysis feature has often been described as "easy to use, hard to describe". Using SAINT in a sane and wise manner is up to you, but we will attempt to describe this feature in a clear and concise manner here.

There are three broad categories found in the SAINT Reporting & Analysis feature (vulnerabilities, information and trust), each with fundamental differences in their approach and analysis of any data gathered during a scan. Much of the data gathered and found in each category, though, is tied together and cross-referenced in the form of hyperlinks. The categories differ in that each will emphasize and display different portions of the data. Most queries will present you with an index that facilitates movement within that query type, as the amount of information may be quite voluminous. A link will also be provided back to the table of contents. In addition, any vulnerabilities found will have either external or internal links to information describing what it is, what the existence of the vulnerability means with respect to security and information on how to fix the vulnerability. The external links might include information found on such security sites as CERT or CIAC.

Now, let's take a look at the categories of information that may be viewed:

  • Vulnerabilities. What and where are the weak points of a scanned host or network?
  • Host Information. The host information is very important. The host information can show where the servers are on a network, identify the "important" hosts on a network, and break the network down into subnets and organizational domains. In addition, individual hosts may be queried here.
  • Trust. SAINT is able to follow and identify the web of trust between systems, such as trust established through remote logins and trust established through shared file systems.

A colored dot will appear next to every host or vulnerability listed under the above categories. The color of the dot will correspond to the severity level of the host or vulnerability.

Vulnerabilities

There are three basic methods for viewing the vulnerability results found after performing a scan:

  • Approximate Danger Level: All of the probes generate a basic level of danger if they find a potential problem. This method sorts all of the problems by severity level (e.g. the most serious level compromises the "root" account on the target host, the least is a warning to check out a possibly unneeded service.)
  • Type of Vulnerability: This method simply shows all of the vulnerability types found during the probe, plus a corresponding list of hosts that fall under the vulnerability types.
  • Vulnerability Count: This method displays which hosts have the most problems, as indicated by the sheer number of critical problems, areas of concern, and potential problems found during the probe.

It is a good idea to experiment with all of these methods when first learning SAINT. This will help you determine which is the most intuitive and informative for you, and which best suits your needs. After using SAINT for some time, it will become easier to determine which type of query will be ideal for your needs, as determined by the probe that you are conducting at the time.

Host Information

An enormous amount of information can be gained by examining the various subcategories of this section - remember, the more intensive the SAINT probe, the more information will be gathered. Typically this will show either the numbers of hosts that fall under the specific category with hypertext links to more specific information about the hosts, or the actual list of hosts, which can be sorted into different orders dynamically. The color of the dot next to each host corresponds to the severity level of the host. Clicking on links will give you more information on that host, network, piece of information, or vulnerability, just as expected.

The categories are:

  • Class of Service. This category shows the various network services that the collected group of probed hosts offer - anonymous FTP, WWW, etc. It is gathered by examining information garnered by rpcinfo and by scanning TCP ports.
  • System Type. This category breaks down the probed hosts by vendor or platform (Sun, SGI, Ultrix, etc.); this is further subdivided by the OS version, if it can be ascertained. This is determined by NMAP if available, or inferred from the network banners of ftp, telnet, and sendmail.
  • Internet Domain. This category shows the various hosts broken down into DNS domains. This is very useful when trying to understand which domains are administered well or are more important (either by sheer numbers or by examining the numbers of servers or key hosts, etc.)
  • Subnet. A subnet (as far as SAINT is concerned) is a block of up to 256 adjacent network addresses that share their first three octets and differ only in the last one (what is now written as a /24). This is the most common way of breaking up small organizations, and can be useful for showing the physical location or concentration of hosts in larger systems.
  • Host name. This category allows a query of the current database of probe information about a specific host.

Trust

This category is a way of finding out which are the most important hosts on the network. The more hosts that trust a host (e.g. depend on some service, have logged in from the host, etc.), the greater the damage that could result if it is compromised. Keep in mind that a trusted host is an attractive target for attackers; once this type of host has been broken into, the intruder has a good chance of breaking into all of its dependent hosts as well.

Severity Levels

All hosts and vulnerabilities reported by SAINT will be listed next to a colored dot which corresponds to the severity level. The severity level of a vulnerability indicates the potential for damage if the vulnerability is indeed exploited by an intruder, and SAINT's level of confidence that the vulnerability truly exists. The severity level of a host is the severity level of the most severe vulnerability found on the host.

The following severity levels are used by SAINT:

  • Critical Problems (Red): Services that are vulnerable to attack. Attackers exploiting these services may cause substantial harm.
  • Areas of Concern (Yellow): Services that may directly or indirectly assist an attacker in determining passwords or other information that could be used in an attack.
  • Potential Problems (Brown): Services that may or may not be vulnerable, depending on the version and configuration. Further investigation on the part of the administrator may be necessary.
  • Services (Green): Services that do not have any vulnerabilities apparent through remote assessment.
  • Other Information (Black): No services were found, or other information was found.

If SAINT does report a problem or vulnerability, it means that the problem is possibly present. For instance, the presence of TCP Wrappers, a packet filter, a firewall or other security measures on a target host could cause SAINT to return a false alarm. Unconfirmed vulnerabilities usually fall into the brown level, but it is also possible for a red or yellow vulnerability to be a false alarm. In that same vein, the presence of a green dot next to a host does not mean that the host has no security holes. It means only that SAINT did not find any vulnerabilities in the current scan. Re-scanning at a higher level, or running additional probes, might uncover vulnerabilities missed during the previous scan. Examining the SAINT database might also provide clues as to why certain security holes were, or were not, found. For example, a check of the SAINT database may show that certain probes were timing out rather than actually failing. If this is the case, the probes should be run again, probably with a higher timeout value. As always, clicking on the provided links will provide information on a particular host, piece of information, or vulnerability.

Hints, Further Tricky Security Implications, or Getting the Big Picture

It's just as important to understand what the SAINT reports don't show as well as what they show. It can be very comforting to see SAINT returning a clean bill of health (i.e. no vulnerabilities found), but that will often merely mean that more probing should be done. Here are some general suggestions on how to get the most out of SAINT; this requires a fairly good understanding of the config/saint.cf (SAINT configuration) file:
  • Probe your own hosts from an EXTERNAL site! This is a necessity for firewalls, and a very good idea for sites in general.
  • Probe your hosts as heavily as possible, and use a high $proximity_descent value (2 or 3 are good.)
  • Use a very low $max_proximity_level - it is almost never necessary to use more than 2. However, if you're behind a firewall (e.g. have no direct IP connectivity from the host that is running the SAINT scan), you can set this higher. It is very hard to envision any situation in which you will need to set this value to anything beyond single digits. Note: Be very careful if you're running SAINT behind a firewall that allows inside users to have direct IP connectivity to hosts on the Internet! You are essentially on the Internet as far as SAINT is concerned.
  • Start with light probes and probe more heavily when you see potential danger spots. Keep tight control over what you scan - don't scan other people's hosts without permission!
  • Use the $only_attack_these and $dont_attack_these variables to control where your attacks are going.
  • Collect all of your user's .rhosts files and make a list of all external hosts found there. Get permission from the system administrators of those remote sites and run SAINT against all of them.
  • If you have a host which is trusted by many other hosts, or a host which is critical to your organization's operations, scan those hosts with a "heavy" scan to help ensure that no one can gain access to them. Unless politically impossible, scan the entire subnet of these key hosts as well, because once on a subnet, it's very easy to break into other hosts on the same subnet.
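The .rhosts suggestion above is a small procedure of its own: walk the home directories, parse each .rhosts file, drop local and negative entries, and keep the external hosts that your users have chosen to trust. The following is an added example (not SAINT's own code) that does exactly that in Bourne shell. It relies only on the standard rlogin/rsh .rhosts line format (host name, optional user name; "+" trusts any host; "-host" is a denial; "+@group" and "-@group" are NIS netgroups). The directory root, the local domain and the sample files in the usage comment are assumptions for the example.

```shell
#!/bin/sh
# Added example: list the external hosts trusted via .rhosts files, so they can
# be handed to SAINT (with the remote administrators' permission) as targets.
# Not part of SAINT.  Assumes the standard .rhosts format described above.

# rhosts_external DOMAIN [LABEL]: reads one .rhosts file on stdin and prints
# the hosts that are outside DOMAIN, one per line.  "+" entries are reported
# on stderr because they grant login from every host on the network.
rhosts_external() {
    domain=$1; label=${2:-stdin}
    while read -r host user || [ -n "$host" ]; do
        case $host in
            ''|'#'*)  continue ;;                      # blank line or comment
            +)        echo "$label: '+' entry trusts every host (user: ${user:-any})" >&2
                      continue ;;
            +@*|-@*)  continue ;;                      # netgroup: resolve separately
            -*)       continue ;;                      # explicit denial, not a trust
            *.*)      case $host in
                          *".$domain") ;;              # fully qualified local host
                          *) echo "$host" ;;           # external host or IP address
                      esac ;;
            *)        ;;                               # unqualified name: assumed local
        esac
    done
}

# scan_rhosts_tree ROOT DOMAIN: runs rhosts_external over every .rhosts file
# below ROOT (e.g. /home) and prints the de-duplicated external host list,
# which can be saved and passed to SAINT with -F or on the command line.
scan_rhosts_tree() {
    root=$1; domain=$2
    find "$root" -name .rhosts -type f -print | while read -r f; do
        rhosts_external "$domain" "$f" < "$f"
    done | sort -u
}

# Usage (paths constructed for the example):
#   scan_rhosts_tree /home example.com > external-trusted-hosts.txt
```

Review the stderr warnings before anything else: a "+" line means the account is reachable from any host SAINT (or an attacker) can name, which is a finding in itself, independent of what the remote hosts look like.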

The Command-line Interface

The command-line interface is ideal for those without a good HTML browser, for those who wish to schedule scans using cron, or for those who would rather not run the HTML browser, as it may consume several megabytes of valuable memory. All of the probing functionality is accessible via the UNIX shell prompt. The results will be sent to standard output in a fixed text format. If graphical data analysis is desired, then invoke SAINT in the usual manner after the command-line scan is finished, and go directly to Data Analysis.

The syntax for running SAINT is:

   ./saint [options] [target1] [target2]...

SAINT runs a scan using the command-line interface if one or more targets are specified on the command line, or if the -F option is used to specify a target file. Otherwise, SAINT invokes the HTML browser and enters interactive mode.

target1, target2, etc. can be host names, IP addresses, IP subnets, or IP address ranges. As many targets as desired can be specified on the command line, separated by spaces.

Following is a list of the command line options, what they do, and what SAINT variables they correspond to. Further explanations of the variables that are mentioned here can be found in the config/saint.cf (SAINT configuration) file.

-a level
Attack level (0=light, 1=normal, 2=heavy, 3=heavyplus). Variable: $attack_level.

-A proximity
Proximity Descent. Variable: $proximity_descent.

-c 'name = value; name = value...'
Change SAINT variables. Use this to overrule configuration variables that do not have their own command-line option.

-d directory
SAINT database (data directory) to read already collected data from, and to save new data to. Variable: $saint_data.

-f
Enable firewall analysis. Variable: $firewall_flag

-F filename
Read list of primary targets from file. Variable: $use_target_file, $target_file

-g guesses
Number of passwords to guess against each account. Variable: $password_guesses

-i
Ignore already collected data.

-l proximity
Maximal proximity level. Variable: $max_proximity_level.

-o list
Scan only these hosts, domains or networks. Variable: $only_attack_these.

-O list
Don't scan these hosts, domains or networks. Variable: $dont_attack_these.

-q
Quiet mode. Do not display results of scan.

-s
Enable subnet expansions. Variable: $attack_proximate_subnets.

-S status_file
SAINT status file (default status_file). Variable: $status_file.

-t level
Timeout length (0 = short, 1 = medium, 2 = long). Variable: $timeout.

-u
Running from an untrusted host. Variable: $untrusted_host = 1

-U
Running from a trusted host. Variable: $untrusted_host = 0

-v
Turn on debugging output (to stdout). Variable: $debug.

-V
Print version number and terminate.

-z
Continue with attack level of zero when the level would become negative. The scan continues until the maximal proximity level is reached. Variable: $sub_zero_proximity = 1

-Z
Opposite of the -z option. $sub_zero_proximity = 0
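The options above, combined with the advice in the hints section (keep $max_proximity_level low, restrict targets with $only_attack_these, never scan hosts you are not authorized to scan), are what a cron-driven scan needs. The following is an added example wrapper, not part of SAINT, that refuses to start if any target falls outside an authorized scope and then invokes SAINT non-interactively. Assumptions: ./saint is the SAINT entry point (overridable via SAINT_BIN); the scope list format (exact hosts or IPs, domain suffixes written as ".example.com", and dotted network prefixes written as "10.1.2.") is the wrapper's own; and the same list is passed to -o on the assumption that SAINT accepts a space-separated list there. The hosts and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: run a SAINT command-line scan from cron inside an authorized
# scope.  Not part of SAINT.  The wrapper enforces the scope itself and also
# hands it to SAINT's -o option, so both layers must agree before a host is probed.

SAINT_BIN="${SAINT_BIN:-./saint}"                     # assumed SAINT entry point
SCOPE="${SCOPE:-.example.com 10.1.2. 192.0.2.7}"       # constructed sample scope

# in_scope TARGET: succeeds if TARGET is covered by an entry in $SCOPE:
# a domain suffix (".example.com"), a dotted network prefix ("10.1.2.")
# or an exact host name / IP address.
in_scope() {
    target=$1
    for entry in $SCOPE; do
        case $entry in
            .*) case $target in *"$entry") return 0 ;; esac ;;   # domain suffix
            *.) case $target in "$entry"*) return 0 ;; esac ;;   # network prefix
            *)  [ "$target" = "$entry" ] && return 0 ;;          # exact match
        esac
    done
    return 1
}

# check_targets TARGET...: prints the first out-of-scope target and fails;
# prints nothing and succeeds when every target is covered.
check_targets() {
    for t in "$@"; do
        in_scope "$t" || { echo "$t"; return 1; }
    done
    return 0
}

# saint_scan DATA_DIR LEVEL TARGET...: aborts with status 2 on a scope
# violation, otherwise runs SAINT with the conservative settings the
# documentation recommends: -l 0 (no proximity expansion beyond the targets),
# -o (SAINT's own scope restriction), -a LEVEL and -d DATA_DIR.  Results go to
# stdout in SAINT's text format, which cron mails to the job owner.
saint_scan() {
    data_dir=$1; level=$2; shift 2
    bad=$(check_targets "$@") || {
        echo "refusing to scan out-of-scope target: $bad" >&2
        return 2
    }
    "$SAINT_BIN" -a "$level" -l 0 -d "$data_dir" -o "$SCOPE" "$@"
}

# Usage from a cron entry (constructed), running a weekly normal-level scan:
#   0 2 * * 0  cd /usr/local/saint && . ./scan-lib.sh && \
#              saint_scan results/weekly 1 www.example.com 10.1.2.5
```

The in-wrapper check matters even though -o exists: the refusal happens before SAINT is started and before any data directory is touched, and it gives an explicit error naming the offending target rather than a silently shortened scan.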
