SATAN

Presented By

Rick Rossano

4/10/00

OUTLINE

What is SATAN? Why build it? How it works Capabilities Why use it? Dangers of SATAN Legalities Future Directions

What is SATAN?

SATAN (Security Analysis Tool for Auditing Networks)

Examines remote hosts & Networks

What is SATAN (cont.)

Gathers information about potential security flaws such as:– Incorrectly set up or configured network services– Poor policy decisions– Well known bugs in:

Systems Network Utilities

What is SATAN (cont.)

Also gathers information about:

– Network topology– Webs of trust (more to come)– Hardware and software resident on network

SATAN is a research tool Not designed to solve any particular problem

Why Build SATAN?

To learn about network security with respect to large networks

To show how insecure the Internet really is

Why Build SATAN (cont.)

Design Goals:– To discover if problem of mapping security of large

networks is solvable

– To find maximum information about network security without being destructive

Why Build SATAN? (cont.)

Design Goals (cont.)

– To make package available to anyone Why? Because limiting access to information about security

problems hinders the abilities of system administrators Weakens the integrity of the Internet

Web of Trust

Definition:– When local resources of a server can be accessed or

compromised by a client with or without proper authorization

Trust is weak if:– Client authentication is weak– Client authentication is outside system administrator’s domain– Security of client is outside system administrator’s domain

At least one case is usually present when a host is trusted

Web of Trust (cont.)

Trust is transitive– A→B and B→C, Therefore A→C.

Trust in networks can bind otherwise disjoint hosts Sites depend on one another Sites could be insecure, compromising sites that trust

them

Leads to a weaker network

How SATAN Works

Has target acquisition program that uses fping to find hosts

Target list then passed to data collection engine

Data collection engine checks if target has been probed yet

If not …

How SATAN Works (cont.)

SATAN examines network services of remote host:

– NFS (Network File System) – file sharing protocol in UNIX

– NIS (Network Information Services) – naming service that allows resources to be added, deleted and modified.

– ftp

– tftp (trivial file transfer protocol) – used with diskless workstations

How SATAN Works (cont.)

SATAN can then:– Report information to user– Use simple rule-based system to investigate

potential security problems

Data collected is then stored SATAN uses HTML browser

– Output can be analyzed or queried by user

Capabilities

So far there has only been limited research SATAN has found the following problems in

networks:– NFS file systems exported to arbitrary hosts– NFS file systems exported to unprivileged hosts– NIS password file access from arbitrary hosts– Arbitrary files accessible via tftp

Capabilities (cont.)

SATAN’s exploratory mode– Where SATAN’s power comes from

– Traverses web of trust and dependency

– Performs analysis of secondary, tertiary hosts, etc.

– Gives more clear picture of overall network security and possible avenues of attack

SATAN’s weaknesses

SATAN is not optimized for speed of execution– Designed for periodic runs over large networks of

over 1000 nodes– Normal scanning time is several hours

SATAN will not run on Mac’s or PC’s unless running UNIX

Has not been tested on other OS’s like Linux

Why Use SATAN?

Mostly designed for system administrators

Intruders will be able to access the same security vulnerability information, which is why it is effective

Will likely uncover previously unknown problems or weaknesses in network

Dangers of SATAN

SATAN can be used by potential intruders and hackers

Works because it uses same techniques

SATAN can be used to probe a network without authorization

Dangers of SATAN (cont.)

Even well intentioned system administrators can let SATAN traverse webs of trust and probe beyond their authority

Could anger neighbors and / or lead to legal problems

Controlling SATAN

Best if run behind firewall

Proximity Level setting determines the number of hops away from target to probe– 1 hop – will only probe hosts adjacent to user in web

of trust

Controlling SATAN (cont.)

Uses targeting exception variables, which specify which hosts the user can, cannot, and must probe

– $don’t_attack_these$ Used to avoid .gov and .mil hosts, for example

– $only_attack_these$ Used to specify a certain network like .edu

Legality of SATAN

So far, no known files charged against anyone for running a security tool

Legality is not yet clear for doing so Running a security tool against a remote site

without permission is “probably” illegal.

Be careful

SATAN’S Future

Hoping to graphically display network maps

Hoping to graphically display webs of trust

MORE TESTING!!!!

QUESTIONS

?