Consistent security auditing is a must for any network of computer
systems. This helps ensure that none of the hosts have been compromised
and data integrity is still intact. To help the audit process along,
a number of tools are available that automate some or most of the
work. This article will focus on a product called the Security Administrator's
Integrated Network Tool, or SAINT, which aids the administrator
in auditing his or her network. SAINT is a fun and useful tool,
based on SATAN, that can probe hosts across a network for commonly
misconfigured services, outdated versions of software, and bad policy
decisions. It has also been certified to detect the SANS Top 10
Internet Security Threats.
When using SAINT, keep in mind that its use should remain strictly
on boxes that you have permission to scan and audit. Pointing SAINT
at remote networks can be considered an intrusion attempt.
More on SAINT
A quote on the front of the SAINT Web site reads "Indispensable
for checking system vulnerabilities." After you play around
with it, you can decide what kind of a role it will play in your
security plan, but it is definitely a great tool to have and you
will probably find it very handy.
What vulnerabilities can SAINT actually detect? According to their
Web site, there are just too many to list here. Check out: http://www.wwdsi.com/cgi-bin/vulns.pl
for a detailed list, including an explanation of each. Some of the
most important vulnerabilities to me are related to Sendmail, POP
servers, FTP, SSH, HTTP, and various vendor-specific vulnerabilities.
SAINT can detect vulnerablities such as the following:
- Guessable read and write SNMP community strings
- SITE EXEC buffer overflows and others in FTP servers
- Problems within NFS configurations
- Tests for mail servers that permit relaying
- Instances of Frontpage that may contain security flaws
- Tests for the presence of root kits
An addition to SAINT is currently in the works and should be available
by the time you read this article. It is called SAINTwriter and
should significantly enhance the reporting capabilities of SAINT.
Check out all the information on that at: http://www.wwdsi.com/saintwriter/index.html.
Downloading and Compiling
This article refers to the most current release of SAINT, version
3.1.1 beta 2. I chose this version primarily to have the latest
and greatest, but also because this is the version certified for
the SANS Top 10 Internet Security Threats, and because it includes
additional checks for recent problems with BIND (see sidebar). To
download the source code, visit: http://www.wwdsi.com/saint.
A prerequisite piece of software I recommend downloading is nmap
from http://www.insecure.org/nmap. SAINT will work without
it, but this is simply a nice program to have for other testing
as well. nmap is a port scanner with many features that can
glean a great deal of information from networks and individual hosts.
To install and run SAINT, I ran the following commands on a box
running RedHat 6.2. To unpack the archive:
# zcat saint-3.1.1.beta1.tar.gz | tar xvf -
# cd saint-3.1.1
To install the man pages:
# make install
Otherwise, run the program with:
Without any options, SAINT runs with a local HTML interface, which
requires that a browser be installed. If you do not have one, you
can run SAINT with the -H flag, and it will display all of
the options for running it in text mode.
Setting Up for a Scan
The initial configuration is done under Configuration Management.
To see these options, Click on Config-Mgmt. On this page, you can
modify a number of settings, such as time to wait before timing
out, how many times to guess a password, how intrusive your scan
should be, the proximity of your scan, and many others. For now,
let's do some scanning with the default settings.
To select a host or multiple hosts to scan, click on Target Selection.
The first time you click on target selection, you will get a message
about not contacting Web servers while using SAINT. Bypass this
message by reloading the page.
The areas to address on this page are the host(s) to scan, how
intrusive the scan should be, and whether or not to include firewall
support. To specify the host(s) to scan, either enter the hostname
or specify a file containing a list of hostnames. For this example,
enter in the hostname of your local machine.
Under Scanning Level Selection, you can decide how hard to scan
the host. I recommend not scanning any production systems and when
scanning boxes not in production, pick the scanning level based
on importance of availability. To minimize the risk of stopping
a service, run a Light scan. If you aren't concerned with such
things, run a Heavy+ scan!
Finally, if you are behind a firewall, check Firewall Support
so that your results will be as accurate as possible. Of course,
when running a scan against your local box, this is not a problem.
When a firewall is in the middle of you and the box you are scanning,
SAINT might receive responses back that would otherwise have been
different had a firewall not been involved in the communication.
Making SAINT aware of the firewall's presence allows for a
more accurate scan.
When you're all set, click on Start the scan. Below is what
I received after running a Heavy scan on my local box:
// Program Output
SAINT data collection
Data collection in progress...
11/30/00-17:32:01 bin/timeout 60 bin/fping localhost.localdomain
11/30/00-17:32:01 bin/timeout 20 bin/ddos.saint localhost.localdomain
11/30/00-17:32:01 bin/timeout 20 bin/finger.saint localhost.localdomain
11/30/00-17:32:01 bin/timeout 20 bin/ostype.saint localhost.localdomain
11/30/00-17:32:01 bin/timeout 20 bin/dns.saint localhost.localdomain
11/30/00-17:32:01 bin/timeout 60 bin/udpscan.saint
11/30/00-17:32:02 bin/timeout 20 bin/rpc.saint localhost.localdomain
11/30/00-17:32:02 bin/timeout 60 bin/tcpscan.saint
11/30/00-17:32:35 bin/timeout 20 bin/xhost.saint -d localhost.localdomain:0 localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/sendmail.saint smtp localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/printer.saint localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/relay.saint localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/statd.saint Linux 2.1.122 - 2.2.14 localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/mountd.sara localhost.localdomain
11/30/00-17:32:35 bin/timeout 90 bin/http.saint 1932 localhost.localdomain
11/30/00-17:33:00 SAINT run completed
Data collection completed (1 host(s) visited).
// End Program Output
As you can see, a number of scans were run including UDP, TCP, DNS,
HTTP, and RPC. SAINT will also try to detect the remote software platform
and version. Click on Continue with report and analysis to get an
overview of your scan results.
Analyzing the Results
If you clicked on Continue with report and analysis, you should
now be looking at a screen titled Data Analysis. You can get to
the same screen by clicking on Data Analysis on the menu bar. Your
screen will look like Figure 1.
My favorite link on this page is the Vulnerabilities By Approximate
Danger Level. This page categorizes the vulnerabilities found in
groups named Critical, Major, Potential, and the like. It is a very
easy way to see which vulnerabilities should be addressed first
and which may lead to serious problems. As you can see, the other
options include the same basic information, but categorized in different
ways. You also have the option of viewing vulnerabilities by type
or by quantity. Further down, you can query individual or groups
of hosts based upon a certain attribute. The Vulnerabilities By
Approximate Danger Level page will look like Figure 2.
The vulnerability groups will be ordered on the page based on
their urgency; the most urgent at the top. By drilling down into
each vulnerability that was found, you will find that a description
of each one is provided, Common Vulnerability Exposures (CVE) and
CERT advisories are included, as well as possible resolutions. For
example, clicking on the Root Access via Buffer Overflow link would
result in the output in Figure 3.
You should find plenty of information here that will get you on
your way to closing the vulnerabilities found, either by a software
fix or by just stopping the service. Bringing up the CVE or CERT
advisory will include information on exact exposure, workarounds,
and other pertinent information.
SAINT is a very informative and helpful tool that will aid any
administrator in auditing their network for security vulnerabilities.
The inclusion of detailed vulnerability descriptions and additional
references is extremely useful and usually allows for a very pointed,
direct fix to a possible problem. For additional information and
new versions, visit SAINT's Web site at: http://www.wwdsi.com/saint.
Adam Olson lives in the Bay Area. He has helped build a successful
ISP (http://www.humboldt1.com), designed and
configured portions of the California Power Network while working
at MCI WorldCom, and is currently working for a startup in Santa
Clara (http://www.quaartz.com). Adam hopes to one day have
a rock band. He can be reached at: firstname.lastname@example.org.