|
The SAINT User Interface
SAINT was designed to have a very "user friendly" user interface. All
of the SAINT output (except debugging output) and almost
all of the SAINT user interface is written into HTML. This means,
of course, that a user may use any standard Web-browser, such as Netscape
or lynx, to view it.
Subsections in the User Interface section:
The Basics
An HTML browser is required to do report queries. As all of the SAINT
documentation is written in HTML, it is highly suggested that an HTML
browser be used to read it. Or, if you would prefer, it may also be
printed out and read as hard-copy documents. If you have any questions
about the use of your Web browser, please refer to your browser's
documentation.
This section of the SAINT documentation details some of the basic SAINT
design concepts and also how to navigate through the SAINT user interface.
Having said this, though, perhaps the best way to learn the workings
of the program is to simply start pointing and clicking on the different
sections of the HTML user interface with your mouse. The only exception
is the Target Selection screen, where trial and error might not be the
best method because you could inadvertently start a scan.
Data Management
SAINT employs a very simple method for opening and/or creating any
databases that it might need. These databases are where SAINT stores
all of its records, such as hosts identified in a scan (in the all-hosts
file), the current set of facts generated in a scan (in the facts file)
and the actions to be performed next (in the todo file).
See the SAINT database description if you'd like
more information on those files.
All of SAINT's data collection output will be written to the current set of
databases, which are kept in results/<directory name>.
The directory name can be chosen from the Configuration Management
screen, the config/saint.cf file, or from the
command line. A directory called
saint-data will be automatically created if no other name is
chosen.
If you choose the SAINT Data Management from the SAINT Control
Panel, you have three choices; open an existing set of data,
start a new database, or to merge the contents of an on-disk database
with the in-core data.
Note!
Opening or creating a new database will destroy all other in-core
information from other databases or scans. For this reason it is a good
idea to choose a database before collecting data. All queries
will go to the in-core database. New data collection results, etc.
will go into the currently selected on-disk database.
Merging a database concatenates the contents of the chosen on-disk
database to the in-core information. Although care
must be taken to have enough physical memory to contain all the databases,
SAINT becomes more and more interesting as more information is
combined, because more correlation, trust, and patterns can
be detected. In addition, when large databases from different but
connected sites (i.e., users logging in from one site to another or
important data sharing relationships) are combined, better information
may be gleaned from both sites. For instance, a group of system
administrators could exchange SAINT database information with one
another in an attempt to establish a mutually beneficial security
collective. In theory, it would be interesting to combine information
from hundreds of thousands of hosts found on the Internet and then
analyze that information (though the memory and CPU speed required
to do so would be great indeed!)
Gathering Data
Using SAINT to gather information about hosts and/or networks is fairly
easy. Indeed, it may be too easy, as SAINT follows lines of trust
that are often hidden from casual observation. This means, of course,
that you might start a SAINT scan and soon find it probing networks
and hosts that you had no intention of scanning. It goes without saying
that many site administrators take a dim view of any unauthorized
probing of their systems, and will probably view your probe as an attack
of one kind or another. As such, it pays to take precautions when
performing a scan, and SAINT has several built-in features that help
you in this regard.
The easiest and safest way to gather it is by simply selecting a
target host that you'd like to know more about and then probe that host
with the default settings:
no host-to-subnet expansion, and a maximum
proximity level of zero. (These and other settings are discussed
in greater detail in the config/saint.cf
documentation.)
For more information on scanning a target for the first time, see the
tutorial.
Looking at and understanding the results
The SAINT Reporting & Analysis feature has often been described
as "easy to use, hard to describe". Using SAINT in a sane and wise
manner is up to you, but we will attempt to describe this feature in
a clear and concise manner here.
There are three broad categories found in the SAINT Reporting & Analysis
feature (vulnerabilities, information and trust), each with fundamental
differences in their approach and analysis of any data gathered during
a scan. Much of the data gathered and found in each category, though,
is tied together and cross-referenced in the form of hyperlinks.
The categories differ in that each will emphasize and display different
portions of the data. Most queries will present you with an index
that facilitates movement within that query type, as the amount of
information may be quite voluminous. A link will also be provided
back to the table of contents. In addition, any vulnerabilities found
will have either external or internal links to information describing
what it is, what the existence of the vulnerability means with respect
to security and information on how to fix the vulnerability. The
external links might include information found on such security sites
as CERT or CIAC.
Now, let's take a look at the categories of information that may be viewed:
- Vulnerabilities.
What and where are the weak points of a scanned host or network?
- Host Information.
The host information is very important. The host information can show
where the servers are on a network, identify the "important" hosts
on a network, and break the network down into subnets and organizational
domains. In addition, individual hosts may be queried here.
- Trust.
SAINT is able to follow and identify the web of trust between systems,
such as trust established through remote logins and trust established
through shared file systems.
A colored dot will appear next to every host or vulnerability listed
under the above categories. The color of the dot will correspond
to the severity level of the host
or vulnerability.
Vulnerabilities
There are three basic methods for viewing the vulnerability results
found after performing a scan:
- Approximate Danger Level: All of the probes generate a basic
level of danger if they find a potential problem. This method sorts
all of the problems by severity level (e.g. the most serious level
compromises the "root" account on the target host, the least
is a warning to check out a possibly unneeded service.)
- Type of Vulnerability: This method simply shows all of the
vulnerability types found during the probe, plus a corresponding list
of hosts that fall under the vulnerability types.
- Vulnerability Count: This method displays which hosts have the
most problems, as indicated by the sheer number of critical problems,
areas of concern, and potential problems found during the probe.
It is a good idea to experiment with all of these methods when first
learning SAINT. This will help you determine which is the most intuitive
and informative for you, and which best suits your needs. After using
SAINT for some time, it will become easier to determine which type of
query will be ideal for your needs, as determined by the probe that you
are conducting at the time.
Host Information
An enormous amount of information can be gained by examining the various
subcategories of this section - remember, the more intensive the SAINT
probe, the more information will be gathered. Typically this will show
either the numbers of hosts that fall under the specific category with
hypertext links to more specific information about the hosts, or the
actual list of hosts, which can be sorted into different orders
dynamically. The color of the dot next to each host corresponds to
the severity level of the host.
Clicking on links will give you more information on that host, network, piece of
information, or vulnerability, just as expected.
The categories are:
- Class of Service. This category shows the various network services that the
collected group of probed hosts offer - anonymous FTP, WWW, etc.
It is gathered by examining information garnered by rpcinfo and by
scanning TCP ports.
- System Type. This category breaks down the probed hosts by the hardware type
(Sun, SGI, Ultrix, etc.); this is further subdivided by the OS version,
if possible to ascertain. This is determined by NMAP if available, or inferred by
the various network banners of ftp, telnet, and
sendmail.
- Internet Domain. This category shows the various hosts broken down into DNS
domains. This is very useful when trying to understand which domains
are administered well or are more important (either by sheer numbers or
by examining the numbers of servers or key hosts, etc.)
- Subnet. A subnet (as far as SAINT is concerned) is a block of up
to 256 adjacent network addresses, all within the last octet of the IP
address. This is the most common way of breaking up small
organizations, and can be useful for showing the physical location or
concentration of hosts in larger systems.
- Host name. This category allows a query of the current database
of probe information about a specific host.
Trust
This category is a way of
finding out which are the most important hosts on the network. The more hosts that
trust a host (e.g. depend on some service, have logged in from the host, etc.),
the greater the damage that could result if it is compromised. Keep in
mind that a trusted host is an attractive target for attackers; once
this type of host has been broken into, the intruder has a good chance
of breaking into all of its dependent hosts as well.
Severity Levels
All hosts and vulnerabilities reported by SAINT will be listed next
to a colored dot which corresponds to the severity level. The severity
level of a vulnerability indicates the potential for damage
if the vulnerability is indeed exploited by an intruder, and SAINT's level
of confidence that the vulnerability truly exists. The severity level
of a host is the severity level of the most severe vulnerability
found on the host.
The following severity levels are used by SAINT:
- Critical Problems (Red
):
Services that are vulnerable to attack. Attackers exploiting these
services may cause substantial harm.
- Areas of Concern (Yellow
):
Services that may directly or indirectly assist an attacker in
determining passwords or other information that could be used in
an attack.
- Potential Problems (Brown
):
Services that may or may not be vulnerable, depending on the version
and configuration. Further investigation on the part of the
administrator may be necessary.
- Services (Green
):
Services that do not have any vulnerabilities apparent through
remote assessment.
- Other Information (Black
):
No services were found, or other information was found.
An arrow labelled TOP 10 may also be present beside some
vulnerabilities. These are the vulnerabilities which are on the
SANS Top 10 Internet
Security Threats. Since these vulnerabilities account for the
majority of break-ins, they are of particular concern.
If SAINT does report a problem or vulnerability, it means that the problem
is possibly present. For instance, the presence of TCP wrapper, a
packet filter, firewall or other security measures on a target host
could cause SAINT to return a false alarm. Unconfirmed vulnerabilities
usually fall into the brown level, but it is also possible for a red
or yellow vulnerability to be a false alarm. In that same vein,
the presence of a green dot next to a host does not mean that the
host has no security holes. It means only that SAINT did not find any
vulnerabilities in the current scan. Re-scanning at a higher level, or
running additional probes, might uncover vulnerabilities missed during
the previous scan. Also, examining the SAINT database might also
provide clues as to why certain security holes were, or were not,
found. For example, a check of the SAINT database may show that
certain probes were timing out as opposed to actually failing. If
this is the case, the probes should be run again, probably with a higher
timeout value. As always, clicking on the provided links
will provide information on a particular host, piece of information,
or vulnerability.
Hints, Further Tricky Security Implications,
or Getting the Big Picture
It's just as important to understand what the SAINT reports don't
show as well as what they show. It can be very comforting to see SAINT
returning a clean bill of health (i.e. no vulnerabilities found), but
that will often merely mean that more probing should be done. Here are
some general suggestions on how to get the most out of SAINT; this
requires a fairly good understanding of the
config/saint.cf (SAINT configuration) file:
- Probe your own hosts from an EXTERNAL site! This
is a necessity for firewalls, and a very good idea
for sites in general.
- Probe your hosts as heavily as possible, and use a high
$proximity_descent value (2 or 3 are good.)
- Use a very low $max_proximity_level - it is almost never necessary
to use more than 2. However, if you're behind a firewall (e.g.
have no direct IP connectivity from the host that is running the SAINT
scan), you can set this higher. It is very hard to envision any situation
in which you will need to set this value to anything beyond single digits.
Note: Be very careful if you're running SAINT behind a
firewall that allows inside users to have direct IP connectivity to hosts
on the Internet! You are essentially on the Internet as far as SAINT
is concerned.
- Start with light probes and probe more heavily when you see
potential danger spots. Keep tight control over what you scan - don't
scan other people's hosts without permission!
- Use the $only_attack_these and $dont_attack_these
variables to control where your attacks are going.
- Collect all of your user's .rhosts files and make a list of
all external hosts found there. Get permission from the system administrators
of those remote sites and run SAINT against all of them.
- If you have a host which is trusted by many other hosts, or you have a host
which is critical to your organization's operations,
scan them hosts with a "heavy" scan to help
ensure that no one can gain access to these. Unless politically
impossible, scan the entire subnet of these key hosts as well, because
once on a subnet, it's very easy to break into other hosts on the same
subnet.
Using SAINT Remotely
There may be situations in which you need to make SAINT's user interface
available to machines other than the one on which it is running. In
these situations, SAINT's remote mode may be preferred. Remote mode
is ideal when you need to share results with co-workers, when you
wish to run SAINT from a machine without a graphical environment,
or when you wish to run SAINT from a machine whose location makes
physical access inconvenient.
SAINT's remote mode is administered using the following features:
- Host-based access control. The $allow_hosts
variable in config/saint.cf (or the -h
command line option) tells SAINT which
hosts are allowed remote access to SAINT's user interface. The hosts
are specified in the form of a space-separated list of IP addresses.
An entire Class C network can be specified by putting an asterisk (*)
in place of the last octet of the IP address. An asterisk all by
itself will match any IP address, effectively disabling host-based
access control. This is not recommended.
- User authentication. In remote mode, SAINT requires users
to provide a login and password before being granted access to the
graphical user interface. By default, there are two login names:
admin and saint. The accounts are disabled by default,
but they become enabled when you provide a password for them. (You are prompted
to set the password when you start SAINT in remote mode.) The admin
user is allowed to use any part of SAINT. Therefore, the password for admin
should only be given to network administrators, or others who are authorized
to configure and run SAINT scans. The saint user is only allowed to
view reports, tutorials, and documentation. The password for saint may
be given to anyone who is authorized to view the results of the SAINT scan.
Additional users can be added by editing config/passwd. (See below.)
- Server port. The $server_port variable in
config/saint.cf (or the -p
command line option) tells SAINT which TCP port to listen on. Remote
users connect to this port with their web browsers to access SAINT. The
default port is 1414, but it is a good idea to change it to avoid detection
by attackers who might scan the network for the default port.
Use the following steps as a guide to using SAINT remotely:
- In config/saint.cf, set $allow_hosts equal to the IP address(es) of
the remote hosts which are allowed to connect (or use the -h command-line
option)
- Also in config/saint.cf, set $server_port equal to the port you want
SAINT to listen on (or use the -p command-line option)
- Type ./saint -r
- Set the admin and saint passwords at the prompt. If
you have already set the passwords, you may hit enter to leave
them unchanged. But be aware that they travel over the network unencrypted
whenever someone logs in,
so it is a good idea to change them each time you start SAINT in
remote mode.
- From your browser, go to http://host.domain:port,
where host.domain is the fully-qualified host name of the machine
on which SAINT is running, and port is the port number you specified
earlier.
- Log in as either admin or saint using the passwords you
set previously. If login is successful, you can use SAINT remotely at
this point.
- When you are finished using SAINT from that client, click on the
SAINT home button, and then on the log out button at the
bottom of the page. Note: Simply closing the browser does not
log you out. Anyone who opens a new browser on the same host will still
be authenticated until either the client logs out or the SAINT server
process is killed.
- When remote access to SAINT is no longer needed, use the ps
command on the server to find SAINT's process number, and kill the
process using the kill command.
Note to users using proxy firewalls: SAINT in remote mode associates
each user's authentication with his or her apparent client host. That
means that if SAINT is being run outside the firewall, then any
user who authenticates from behind the firewall at any privilege
level (e.g. admin) will effectively
authenticate every host behind the firewall at that privilege level.
Furthermore, any user who logs out from behind the firewall will
log out every user behind the firewall.
The config/passwd file
SAINT's user account information and passwords are stored in the config/passwd
file. Each line corresponds to one login name, and the information is kept in
four fields separated by colons (:). A typical config/passwd file looks like
the following:
admin:7dhc12Ux/W8Oi:0:SAINT Administrator
saint:x:1:SAINT User
The first field is the login name. The second field is the password, which
is encrypted using the same algorithm as a standard UNIX password file.
An "x" in the password field indicates that a password has not been set,
or equivalently, that the account is disabled. The third field is the
user ID. A user ID of zero indicates a privileged account (i.e. the admin
account). Any other user ID indicates a non-privileged account (i.e. the saint
account). The fourth field is a comment field and is not used by SAINT.
Additional accounts can be added by adding a line to config/passwd containing
all four fields. Initially, the password field should be set to "x". The
next time you start SAINT in remote mode, you will be prompted for a password
for this account. The "x" will be replaced with the encrypted password.
The Command-line Interface
The command-line interface is ideal for those without a good HTML browser,
for those who wish to schedule scans using cron, or for those who
would rather not run the HTML browser, as it may consume several megabytes
of valuable memory. All of the probing functionality is accessible via
the UNIX shell prompt. The results will be sent to standard output
in a fixed text format. If graphical data analysis is desired, then
invoke SAINT in the usual manner after the command-line scan
is finished, and go directly to Data Analysis.
The syntax for running SAINT is:
./saint [options] [target1] [target2]...
SAINT runs a scan using the command-line interface if one
or more targets are specified on the command line, or if the
-F option is used to specify a target file. Otherwise, SAINT
invokes the HTML browser and enters interactive mode.
target1, target2, etc. can be host names, IP addresses,
IP subnets, or IP address ranges. As many targets as desired can be
specified on the command line, separated by spaces.
Following is a list of the command line options, what they do, and what SAINT
variables they correspond to.
Further explanations
of the variables that are mentioned here can be found in the
config/saint.cf (SAINT configuration) file.
- -a level
- Attack level (0=light, 1=normal, 2=heavy, 3=heavyplus, 4=top 10, 5=custom). Variable:
$attack_level.
- -A proximity
- Proximity Descent. Variable: $proximity_descent.
- -c 'name = value; name = value...'
- Change SAINT variables.
Use this to overrule configuration variables that do not have their
own command-line option.
- -d directory
- SAINT database (data directory) to read already collected data from,
and to save new data to. Variable: $saint_data.
- -f
- Enable firewall analysis. Variable: $firewall_flag
- -F filename
- Read list of primary targets from file. Variable:
$use_target_file, $target_file
- -g guesses
- Number of passwords to guess against each account.
Variable: $password_guesses
- -h "host1 host2 ..."
- IP addresses which are allowed to use SAINT remotely.
(Used with -r option.) Variable: $allow_hosts
- -i
- Ignore already collected data.
- -l proximity
- Maximal proximity level. Variable: $max_proximity_level.
- -m threads
- Maximum number of probes which can be run
concurrently. 1 disables multitasking. Variable: $maximum_threads
- -n netmask
- Netmask(s) of target hosts. Variable: $target_netmask
- -o list
- Scan only these hosts, domains or networks. Variable:
$only_attack_these.
- -O list
- Don't scan these hosts, domains or networks. Variable:
$dont_attack_these.
- -p port
- TCP port to listen on. (Used with -r option.) Variable:
$server_port.
- -q
- Quiet mode. Do not display results of scan.
- -r
- Remote mode. Variable: $remote_mode
- -s
- Enable subnet expansions. Variable:
$attack_proximate_subnets.
- -S status_file
- SAINT status file (default status_file).
Variable: $status_file.
- -t level
- Timeout length (0 = short, 1 = medium, 2 = long). Variable:
$timeout.
- -u
- Running from an untrusted host. Variable: $untrusted_host = 1
- -U
- Running from a trusted host. Variable: $untrusted_host = 0
- -v
- Turn on debugging output (to stdout). Variable: $debug.
- -V
- Print version number and terminate.
- -z
- Continue with attack level of zero when the level would become negative. The scan continues until
the maximal proximity level is reached. Variable: $sub_zero_proximity = 1
- -Z
- Opposite of the -z option. $sub_zero_proximity = 0
Back to the Reference TOC/Index
|