Working with SAINT
Adam Olson
Consistent security auditing is a must for any network of
computer systems. This helps ensure that none of the hosts have been
compromised and data integrity is still intact. To help the audit
process along, a number of tools are available that automate some or
most of the work. This article will focus on a product called the
Security Administrator's Integrated Network Tool, or SAINT, which
aids the administrator in auditing his or her network. SAINT is a
fun and useful tool, based on SATAN, that can probe hosts across a
network for commonly misconfigured services, outdated versions of
software, and bad policy decisions. It has also been certified to
detect the SANS Top 10 Internet Security Threats.
When using SAINT, keep in mind that its use should remain
strictly on boxes that you have permission to scan and audit.
Pointing SAINT at remote networks can be considered an intrusion
attempt.
More on SAINT
A quote on the front of the SAINT Web site reads "Indispensable
for checking system vulnerabilities." After you play around with it,
you can decide what kind of a role it will play in your security
plan, but it is definitely a great tool to have and you will
probably find it very handy.
What vulnerabilities can SAINT actually detect? According to
their Web site, there are just too many to list here. Check out:
http://www.wwdsi.com/cgi-bin/vulns.pl for a detailed list,
including an explanation of each. Some of the most important
vulnerabilities to me are related to Sendmail, POP servers, FTP,
SSH, HTTP, and various vendor-specific vulnerabilities. SAINT can
detect vulnerabilities such as the following:
- Guessable read and write SNMP community strings
- SITE EXEC buffer overflows and others in FTP servers
- Problems within NFS configurations
- Tests for mail servers that permit relaying
- Instances of Frontpage that may contain security flaws
- Tests for the presence of root kits
An addition to SAINT is currently in the works and should be
available by the time you read this article. It is called
SAINTwriter and should significantly enhance the reporting
capabilities of SAINT. Check out all the information on that at:
http://www.wwdsi.com/saintwriter/index.html.
Downloading and Compiling
This article refers to the most current release of SAINT, version
3.1.1 beta 2. I chose this version primarily to have the latest and
greatest, but also because this is the version certified for the
SANS Top 10 Internet Security Threats, and because it includes
additional checks for recent problems with BIND (see sidebar). To
download the source code, visit: http://www.wwdsi.com/saint.
A prerequisite piece of software I recommend downloading is
nmap from http://www.insecure.org/nmap. SAINT will
work without it, but this is simply a nice program to have for other
testing as well. nmap is a port scanner with many features
that can glean a great deal of information from networks and
individual hosts.
To install and run SAINT, I ran the following commands on a box
running RedHat 6.2. To unpack the archive:
# zcat saint-3.1.1.beta1.tar.gz | tar xvf -
To compile:
# cd saint-3.1.1
# ./configure
# make
To install the man pages:
# make install
Otherwise, run the program with:
# ./saint
Without any options, SAINT runs with a local HTML interface,
which requires that a browser be installed. If you do not have one,
you can run SAINT with the -H flag, and it will display all
of the options for running it in text mode.
Setting Up for a Scan
Configuration Management
The initial configuration is done under Configuration Management.
To see these options, click on Config-Mgmt. On this page, you can
modify a number of settings, such as time to wait before timing out,
how many times to guess a password, how intrusive your scan should
be, the proximity of your scan, and many others. For now, let's do
some scanning with the default settings.
Target Selection
To select a host or multiple hosts to scan, click on Target
Selection. The first time you click on Target Selection, you will
get a message about not contacting Web servers while using SAINT.
Bypass this message by reloading the page.
The areas to address on this page are the host(s) to scan, how
intrusive the scan should be, and whether or not to include firewall
support. To specify the host(s) to scan, either enter the hostname
or specify a file containing a list of hostnames. For this example,
enter the hostname of your local machine.
Under Scanning Level Selection, you can decide how hard to scan
the host. I recommend not scanning any production systems and when
scanning boxes not in production, pick the scanning level based on
importance of availability. To minimize the risk of stopping a
service, run a Light scan. If you aren't concerned with such things,
run a Heavy+ scan!
Finally, if you are behind a firewall, check Firewall Support so
that your results will be as accurate as possible. Of course, when
running a scan against your local box, this is not a problem. When a
firewall sits between you and the box you are scanning, SAINT may
receive responses that differ from what it would have received had
no firewall been involved in the communication. Making SAINT aware
of the firewall's presence allows for a more accurate scan.
When you're all set, click on Start the scan. Below is what I
received after running a Heavy scan on my local box:
// Program Output
SAINT data collection
Data collection in progress...
11/30/00-17:32:01 bin/timeout 60 bin/fping localhost.localdomain
11/30/00-17:32:01 bin/timeout 20 bin/ddos.saint localhost.localdomain
11/30/00-17:32:01 bin/timeout 20 bin/finger.saint localhost.localdomain
11/30/00-17:32:01 bin/timeout 20 bin/ostype.saint localhost.localdomain
11/30/00-17:32:01 bin/timeout 20 bin/dns.saint localhost.localdomain
11/30/00-17:32:01 bin/timeout 60 bin/udpscan.saint 19,53,69,111,137-139,161-162,177,8999,1-18,20-52,54-68,70-110,112-136,140-160,163-176,178-1760,1763-2050,32767-33500 localhost.localdomain
11/30/00-17:32:02 bin/timeout 20 bin/rpc.saint localhost.localdomain
11/30/00-17:32:02 bin/timeout 60 bin/tcpscan.saint
12754,15104,16660,20432,27665,33270,1-1525,1527-5404,5406-8887,8889-9999 localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/xhost.saint -d localhost.localdomain:0 localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/sendmail.saint smtp localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/printer.saint localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/relay.saint localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/statd.saint Linux 2.1.122 - 2.2.14 localhost.localdomain
11/30/00-17:32:35 bin/timeout 20 bin/mountd.sara localhost.localdomain
11/30/00-17:32:35 bin/timeout 90 bin/http.saint 1932 localhost.localdomain
11/30/00-17:33:00 SAINT run completed
Data collection completed (1 host(s) visited).
// End Program Output
As you can see, a number of scans were run including UDP, TCP,
DNS, HTTP, and RPC. SAINT will also try to detect the remote
software platform and version. Click on Continue with report and
analysis to get an overview of your scan results.
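The data-collection log above is worth more than a glance: each line records when a probe was launched, its timeout budget, the probe program, any arguments (the tcpscan and udpscan lines carry the full port expressions), and the target. The following Python script is an added example written for this article, not code from SAINT or its authors; its line format is inferred from the output shown above. It parses the log, groups probes into launch waves (probes with the same timestamp run in parallel, and later waves depend on earlier results, as the statd.saint line carrying the OS guess shows), reports how long the run took, and expands the port expressions so you can see which ports a Heavy scan did not cover, which is the first thing to know before trusting a clean result.

```python
"""Summarize a SAINT data-collection log.

Added example for this article; it is not part of SAINT. The line format is
inferred from the output shown in the article:
    MM/DD/YY-HH:MM:SS bin/timeout <seconds> bin/<probe> [args ...] <target>
"""
import re
from collections import defaultdict
from datetime import datetime

# Sample input, constructed from the article's Heavy scan output (the
# wrapped udpscan line is rejoined into one logical line).
SAMPLE_LOG = "\n".join([
    "SAINT data collection",
    "Data collection in progress...",
    "11/30/00-17:32:01 bin/timeout 60 bin/fping localhost.localdomain",
    "11/30/00-17:32:01 bin/timeout 20 bin/ddos.saint localhost.localdomain",
    "11/30/00-17:32:01 bin/timeout 20 bin/finger.saint localhost.localdomain",
    "11/30/00-17:32:01 bin/timeout 20 bin/ostype.saint localhost.localdomain",
    "11/30/00-17:32:01 bin/timeout 20 bin/dns.saint localhost.localdomain",
    "11/30/00-17:32:01 bin/timeout 60 bin/udpscan.saint "
    "19,53,69,111,137-139,161-162,177,8999,1-18,20-52,54-68,70-110,112-136,"
    "140-160,163-176,178-1760,1763-2050,32767-33500 localhost.localdomain",
    "11/30/00-17:32:02 bin/timeout 20 bin/rpc.saint localhost.localdomain",
    "11/30/00-17:32:02 bin/timeout 60 bin/tcpscan.saint "
    "12754,15104,16660,20432,27665,33270,1-1525,1527-5404,5406-8887,8889-9999 "
    "localhost.localdomain",
    "11/30/00-17:32:35 bin/timeout 20 bin/xhost.saint -d localhost.localdomain:0 localhost.localdomain",
    "11/30/00-17:32:35 bin/timeout 20 bin/sendmail.saint smtp localhost.localdomain",
    "11/30/00-17:32:35 bin/timeout 20 bin/printer.saint localhost.localdomain",
    "11/30/00-17:32:35 bin/timeout 20 bin/relay.saint localhost.localdomain",
    "11/30/00-17:32:35 bin/timeout 20 bin/statd.saint Linux 2.1.122 - 2.2.14 localhost.localdomain",
    "11/30/00-17:32:35 bin/timeout 20 bin/mountd.sara localhost.localdomain",
    "11/30/00-17:32:35 bin/timeout 90 bin/http.saint 1932 localhost.localdomain",
    "11/30/00-17:33:00 SAINT run completed",
    "Data collection completed (1 host(s) visited).",
])

TS_FMT = "%m/%d/%y-%H:%M:%S"
PROBE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d)\s+bin/timeout\s+(?P<timeout>\d+)\s+"
    r"bin/(?P<probe>\S+)(?:\s+(?P<args>.*?))?\s+(?P<target>\S+)$"
)
END_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d)\s+SAINT run completed$")


def parse_log(text):
    """Return (probes, end_ts): one dict per probe launch, plus the completion time."""
    probes, end_ts = [], None
    for line in text.splitlines():
        m = PROBE_RE.match(line.strip())
        if m:
            probes.append({
                "started": datetime.strptime(m["ts"], TS_FMT),
                "timeout": int(m["timeout"]),   # seconds bin/timeout allows the probe
                "probe": m["probe"],
                "args": m["args"] or "",
                "target": m["target"],
            })
            continue
        m = END_RE.match(line.strip())
        if m:
            end_ts = datetime.strptime(m["ts"], TS_FMT)
    return probes, end_ts


def launch_waves(probes):
    """Group probes by launch timestamp; each wave ran in parallel."""
    waves = defaultdict(list)
    for p in probes:
        waves[p["started"]].append(p["probe"])
    return sorted(waves.items())


def run_seconds(probes, end_ts):
    """Wall-clock length of the run, first launch to 'SAINT run completed'."""
    return int((end_ts - min(p["started"] for p in probes)).total_seconds())


def port_scanner_specs(probes):
    """Map each port-scanner probe to the port expression it was given."""
    return {p["probe"]: p["args"] for p in probes
            if p["probe"] in ("tcpscan.saint", "udpscan.saint")}


def expand_ports(spec):
    """Expand a SAINT port expression such as '19,53,137-139' into a set of ints."""
    ports = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def uncovered_ports(spec, upper):
    """Ports in 1..upper that the scan expression never touched."""
    return sorted(set(range(1, upper + 1)) - expand_ports(spec))


if __name__ == "__main__":
    probes, end_ts = parse_log(SAMPLE_LOG)
    print(f"{len(probes)} probes in {run_seconds(probes, end_ts)} seconds")
    for ts, names in launch_waves(probes):
        print(f"  {ts:%H:%M:%S}: {', '.join(names)}")
    for probe, spec in port_scanner_specs(probes).items():
        limit = 9999 if probe.startswith("tcp") else 2050
        print(f"{probe}: {len(expand_ports(spec))} ports; "
              f"skipped below {limit}: {uncovered_ports(spec, limit)}")
```

Run against the sample, the script reports three launch waves (6, 2 and 7 probes) over 59 seconds, and shows that the TCP scan skipped ports 1526, 5405 and 8888 below 10000 while the UDP scan skipped 1761 and 1762 below 2051. Knowing those gaps matters when you read a "no vulnerabilities" result for a service on one of them.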
Analyzing the Results
If you clicked on Continue with report and analysis, you should
now be looking at a screen titled Data Analysis. You can get to the
same screen by clicking on Data Analysis on the menu bar. Your
screen will look like Figure 1.
My favorite link on this page is the Vulnerabilities By
Approximate Danger Level. This page categorizes the vulnerabilities
found in groups named Critical, Major, Potential, and the like. It
is a very easy way to see which vulnerabilities should be addressed
first and which may lead to serious problems. As you can see, the
other options include the same basic information, but categorized in
different ways. You also have the option of viewing vulnerabilities
by type or by quantity. Further down, you can query individual or
groups of hosts based upon a certain attribute. The Vulnerabilities
By Approximate Danger Level page will look like Figure 2.
The vulnerability groups are ordered on the page by urgency, with
the most urgent at the top. Drilling down into each vulnerability
found gives you a description of it, the relevant Common
Vulnerabilities and Exposures (CVE) entries and CERT advisories, and
possible resolutions. For example, clicking on the Root Access via
Buffer Overflow link would result in the output in Figure 3.
You should find plenty of information here that will get you on
your way to closing the vulnerabilities found, either by a software
fix or by just stopping the service. Bringing up the CVE or CERT
advisory will include information on exact exposure, workarounds,
and other pertinent information.
Conclusion
SAINT is a very informative and helpful tool that will aid any
administrator in auditing their network for security
vulnerabilities. The inclusion of detailed vulnerability
descriptions and additional references is extremely useful and
usually allows for a very pointed, direct fix to a possible problem.
For additional information and new versions, visit SAINT's Web site
at: http://www.wwdsi.com/saint.
Adam Olson lives in the Bay Area. He has helped build a
successful ISP (http://www.humboldt1.com),
designed and configured portions of the California Power Network
while working at MCI WorldCom, and is currently working for a
startup in Santa Clara (http://www.quaartz.com). Adam hopes
to one day have a rock band. He can be reached at:
[email protected].