Analyzing SAINT output
Learning how to effectively interpret the results of a SAINT scan is
the most difficult part about using SAINT. This is partly because
there is no "correct" security level. "Good" security is very much
dependent on the policies and concerns of the site or system involved.
In addition, some of the concepts used in SAINT (such as why trust
and network information can be so damaging) and many of the options
that can be chosen (like proximity, proximity descent, attack filters,
etc.) will not be very familiar to many system administrators. It
is important to read and understand the documentation to use the tool
effectively.
From the control panel in the HTML interface, select Data Analysis.
You will then be presented with a wealth of choices; when first
learning to use the tool, the Vulnerabilities section will probably
be of the most immediate interest. In that section, the
By Approximate Danger Level link is a good place to start.
If a vulnerability is found, SAINT will provide links
to sources of information about that vulnerability and how to fix it.
If no vulnerabilities are found, congratulations! Note
that this does NOT mean that your host is secure - it
simply means that SAINT could not find any problems. You
might try scanning your targets at a higher level and checking again.
In any case, you should investigate the other categories
(Hosts and Trust) in the reporting page.
While viewing the reports, you will notice that some hosts are listed
with a red dot next to them.
This red dot signifies that the host has critical problems, or harbors
a serious vulnerability or vulnerabilities that could very well
lead to it being compromised by a malicious user. Hosts listed with
red dots require immediate action.
Other hosts, you will notice, will have a yellow dot next to them.
The yellow dot tells
you that the machine has one or more areas of concern. In other words,
the machine might host one or more services that may be
exploited by a hacker to gather information that could assist an attack.
Any vulnerability found on this machine should be addressed as soon
as possible.
Upon further examination of the single machine scan report, you may
notice some hosts are listed with a brown dot next to them.
This brown dot signifies that
the machine has potential vulnerabilities. These vulnerabilities
may or may not require action, depending upon the version, patch level, and/or
configuration of the services, or upon the local security policy.
And finally, you will notice that a few hosts are listed with a
green dot. Green dots
are simply an indication that a machine is hosting certain services
(such as FTP, HTTP, etc.), and listed services are included for
information purposes only.
The best way to learn what SAINT can do for you is by using it -
scanning networks and examining the results with the Report and
Analysis tools can reveal interesting things about your network.
Remember, anyone has access to this information, so act accordingly!
Reading, or at least browsing through, the full documentation is
strongly recommended - this tutorial merely covered the very basic
capabilities of SAINT. There is a wealth of possible options that
can be used to unleash SAINT's full potential. Be careful, however,
because it is easy to unwittingly make your neighbors think that you're
trying to attack them with any scans that you run - always be certain that
you have permission to scan any potential hosts that you're thinking
of testing.