SAINT 7: User Documentation

  • Table of Contents

    Introduction

    Getting Started

    How to Install the SAINT software

    How to Install SAINTmanager

    How to Obtain a Key

    Running SAINT

    Starting SAINTmanager

    Starting Nodes

    Logging into WebSAINT

    Logging into WebSAINT PRO

    System Requirements

    Operating Systems

    SAINTmanager Requirements

    Using SAINT

    Sessions

    Opening and Creating Sessions

    Merging Sessions

    Deleting Sessions

    Backing Up and Restoring Sessions

    Sanitize Sessions

    SAINTmanager Enterprise Session

    Global vs. Node-Specific Sessions

    How to Run a Scan

    Target Selection

    Free-Form Target Selection

    Target File

    Target File Uploads

    Subnet Expansion

    Data Preservation

    Scanning Policies

    Host Discovery

    SAINT Discovery Configuration

    Nmap Discovery Configuration

    Authentication

    How to Authenticate to Windows Targets

    How to Authenticate to Linux, Unix, or Mac

    How to Authenticate to Oracle Database Servers

    How to Authenticate to Microsoft SQL Server

    How to Authenticate to MySQL Databases

    HTTP Basic Authentication

    How to Authenticate to Web Applications

    How to Authenticate to Web Applications using an Existing Session ID

    Starting the Scan

    Interactive Control Panel

    Resuming an Interrupted Scan

    Nodes to Scan

    SCAP Support

    Configuration Settings Options

    Target Settings

    OVAL Checks

    How to Import OVAL Checks

    OVAL External Variables

    How to Run OVAL Checks

    How to View OVAL Scan Results

    XCCDF Checks

    How to Import XCCDF Benchmarks

    Viewing XCCDF Benchmarks

    How to Run XCCDF Profiles

    How to View XCCDF Scan Results

    CyberScope Reporting

    Policy Editor

    How to Run Exploits

    How to Browse Exploits

    How to Run Exploits On Demand

    Remote vs. Local Exploits

    Client Exploits

    E-mail Forgery

    Exploit Servers

    SAINTexploit Tools

    How to Run an Automated Penetration Test

    Data Analysis

    Reports

    Vulnerabilities

    Host Information

    Trust

    Exploits

    Severity Levels

    Confirmed vs. Inferred Vulnerabilities

    Exploit Availability

    Exploit Severity Levels

    Exclusions

    Creating an Exclusion

    Viewing Excluded Vulnerabilities

    Removing an Exclusion

    Exclusion Management

    SAINTmanager Overview page

    SAINTwriter

    How to Generate Pre-configured Reports

    How to Generate Custom Reports

    How to View/Delete Saved Reports

    How to Create a SAINT Report with your Logo/Header

    How to Create your logo/header for an HTML Report

    How to Create your logo/header for a PDF Report

    How to Generate a SAINT Report using your logo/header

    How to Generate PCI Compliance Reports

    Generating a PCI Compliance Report

    How to Generate a FISMA Vulnerability Assessment Report

    How to Generate a HIPAA Vulnerability Assessment Report

    How to Generate SAINTwriter Reports from the Command-line

    Configuration

    Configuration Files

    Global vs. Session Configuration

    Startup Options

    Default Session

    Vulnerability ID Format

    Frames Support

    SAINTmanager/Node Startup Options

    User Creation Default Session Name

    Session Security

    Archive Window

    Auto-Refresh Scan Status Page

    SSL Port

    Allowed Nodes

    Ticket Due Offset

    Test Node Alive

    Node Down E-Mail

    Ticket Assignment E-Mail

    Overdue Ticket E-Mail

    Host Weight

    LDAP Authentication

    Scanning Options

    IAVA

    Fast Exclusions

    Target Netmask

    SNMP Communities

    How to Specify Timeouts

    Individual Probe Timeouts

    How to Enable/Disable Multitasking (running more than one probe at a time)

    Credentials Management

    Anti-Virus Definitions

    How to Enable/Disable NTLMv2

    File Content Checks

    How to Configure Password Guessing

    How to Set Password Policy Checks

    Ports to Scan

    Ports for Authentication Test (registry and SSH ports)

    Ports to Scan for Host Type Detection

    Scan Level

    How to Set Up a Custom Scan

    Scan Policy Definitions

    Web Server Depth

    Software Inventory

    TCP Send Strings

    How to Enable/Disable Dangerous Checks

    What is Exhaustive Scanning?

    How to Send an E-mail Alert upon Scan Completion

    SYSLOG

    NMAP

    TCP Port Scan Variables

    How to Configure Target Restrictions

    Proximity

    Trusted or Untrusted Hosts

    Workarounds

    Discovery Method

    Exploit Credentials

    Shell Type and Ports

    How to Set the Connectback Address

    File Manager Options

    Connection Notifications

    SAINTmanager Scanning Options

    Node Name Reporting

    Other Variables

    Custom Vulnerability Checks

    How to Create Custom Checks

    Running Custom Checks

    Viewing and Editing Custom Checks

    Scheduling Scans

    How to Schedule a New Scan

    crontab and at

    How to Delete Scheduled Scans

    Set Schedule Scan Window

    SAINTexploit Connections

    Connections Manager

    Command Prompt

    How to Invoke the Command Prompt

    File Manager

    How to Invoke the File Manager

    Screen Capture

    How to Perform a Screen Capture

    Exploit Tunneling

    How to Run Exploits through a Tunnel

    Disconnecting

    How to Close the Connection

    GUI Modes

    Standalone Mode

    Remote Mode

    How to Start SAINT in Remote Mode (command-line method)

    The config/passwd file

    Apache Mode (or another web server)

    Command-Line Mode

    SAINTmanager Management

    Rules

    Nodes

    Users

    Roles

    Named Target Restrictions

    Sessions

    All Session Access Management

    SAINTmanager Ticketing System

    Ticket Creation

    Ticket Reporting

    How to Generate Pre-configured Reports

    How to Generate Custom Reports

    Ticket Report Results

    How to Delete a Ticket

    How to Assign, Defer, Close, Re-open a Ticket

    How to Assign Tickets

    How to Close a Ticket

    How to Reopen a Ticket

    Ticket Assignment Rules

    How to Create a Ticket Assignment Rule

    How to Apply a Ticket Rule to Existing Tickets

    Using WebSAINT PRO

    FAQs

    General FAQ

    Technical FAQ

    Troubleshooting

    Installation and configuration problems

    Run-time problems

    Installation and configuration problems

    Run-time problems

    Vulnerability Info.

    CVE Index

    CPE Dictionary

    CVSS Dictionary

    CCE Dictionary

    Architecture

    Architecture Overview

    Magic cookie generator

    Policy engine

    Target acquisition

    Range and subnet scans

    Data acquisition

    Inference engine

    File Structure

    Database Format

    facts

    Target

    Service

    Status

    Severity

    Trustee and Trusted

    Canonical Service Output

    Text

    Technical Details

    all-hosts ................................................................................................................................... 237

    todo ......................................................................................................................................... 238

    cve ........................................................................................................................................... 238

    pentest .................................................................................................................................... 239

    Rule Sets ...................................................................................................................................... 241

    rules/cve .................................................................................................................................. 241

    rules/drop ................................................................................................................................ 242

    rules/facts ................................................................................................................................ 242

    rules/hosttype ......................................................................................................................... 243


    rules/information .................................................................................................................... 243

    rules/services .......................................................................................................................... 244

    rules/software ......................................................................................................................... 245

    rules/todo ................................................................................................................................ 245

    rules/trust ................................................................................................................................ 246

    Vulnerability Hierarchy ............................................................................................................... 247

    Vulnerability Categories .......................................................................................................... 247

    The vulns.dat file ..................................................................................................................... 248

    Probes ......................................................................................................................................... 250

    How to Add a SAINT Probe ...................................................................................................... 250

    How to Add a Vulnerability Tutorial (Information File) .......................................................... 252

    Exploit Plug-ins ............................................................................................................................ 253

    General Information ................................................................................................................ 253

    Tutorial Information ................................................................................................................ 253

    Type and Class ......................................................................................................................... 254

    Parameters .............................................................................................................................. 254

    Conditions ............................................................................................................................... 255

    Shell Type ................................................................................................................................ 255

    Exploit Code............................................................................................................................. 256

    Index ............................................................................................................................................ 257

    Introduction

    Getting Started

    How to Install the SAINT software

    How to Install SAINT on Linux or Unix

    1. Ensure your system meets the system requirements for SAINT.

    2. Select the "Customer Login" button located in the top right corner of the SAINT Web site at http://www.saintcorporation.com/. After you log in there will be a download button on the left side of your mySAINT page. Note that you must choose the correct operating system and architecture for your system in order for SAINT to work.

    3. Unzip the downloaded file (saintexploit-install-x.x.gz, where x.x is the version of SAINT you downloaded):

    gunzip saintexploit-install-x.x.gz

    4. Note: The downloaded file is gzipped. If your browser dropped the .gz extension from the filename, then first rename it so it ends in .gz.

    5. Set executable mode on the file:

    chmod a+x saintexploit-install-x.x

    6. Switch to the root user and install SAINT by entering:

    ./saintexploit-install-x.x

    7. If your operating system does not allow you to log into the root account, instead enter:

    sudo ./saintexploit-install-x.x

    8. The installation program will:

    a. Display the license agreement and require you to confirm your understanding and acceptance of it

    b. Install SAINT

    c. Run PERL reconfig to identify the location of SAINT-required support applications

    d. Install the SAINT man page, if you desire.

    9. Enter the SAINT directory:

    cd saint-x.x

    10. (You will also need to place your key file into this directory before running a scan.)

    11. Edit the config/saint.cf file, if so desired.

    How to Install SAINT on Mac OS X

    1. Select the "Customer Login" button located in the top right corner of the SAINT Web site at http://www.saintcorporation.com/ and select the "Download" button on your mySAINT page. At the platform selection menu, choose Mac OS X.

    2. Once downloaded, the SAINT x.x.x.dmg will mount to the desktop and open showing the SAINTx.x.x.pkg file. Double-click on the SAINT x.x.x.pkg file. The SAINT installer will start.

    3. Read the Introduction and then click Continue.

    4. Read the Software License Agreement and then click Continue.

    5. Click Agree to agree to the license terms.

    6. Click Install to perform a standard installation.

    7. At the password prompt insert the Name and Password for the user with administrative privileges on the machine and click OK.

    8. At the terminal prompt, again enter the password for the user with administrative privileges on the machine and then press the enter key.

    9. You may close all open terminal windows once you see [Process completed] displayed in the terminal.

    10. The install wizard will display "The installation was successful." Click Close.

    How to Install SAINT on Ubuntu

    1. Double-click on the file saintexploit-x.x.arch.deb (where x.x is the version and arch is the architecture).

    2. Choose 'Install.'

    3. In the Terminal, use the space bar to page through the license agreement, and type 'yes' to accept the agreement.

    4. Start SAINT from the Applications menu.

    How to Install SAINT on Red Hat / Fedora / SUSE

    1. Double-click on the file saintexploit-x.x-arch.rpm (where x.x is the version number and arch is the architecture.)

    2. When installation completes, start SAINT from the Applications menu.

    How to Install SAINTmanager

    Before installing SAINTmanager, ensure your system meets the system requirements for SAINTmanager. In particular, MySQL 4.1.21 (or higher) should be installed and running, and OpenSSL should be installed. Have the MySQL database root password ready when asked for it by the install program.

    To install SAINTmanager on Linux or Unix, follow the general directions above for SAINT, but substitute "sm" for "saint" and "2.0-x.x" for "x.x" in the download file (sm-install-2.0-x.x.gz), install file (sm-install-2.0-x.x) and top-level directory (sm-2.0-x.x) names. The SAINTmanager install program will guide you through subsequent steps, including initializing the SAINTmanager database in MySQL and generating an SSL certificate for encrypting SAINTmanager/node communications. (If installing from the .deb or .rpm packages, these steps are performed the first time SAINTmanager is run, not during installation.) The login and password for the saintmanager database are stored in the config/mysqlset file.

    If you installed SAINTmanager before 1.0-6.0.3, you should run scripts/makepem from the sm-1.0-x.x directory to generate your own certificate (ssl_server.pem) for encrypting SAINTmanager/node communications over SSL. Having your own certificate is more secure than using the one provided with SAINTmanager because the latter is the same for all SAINTmanager customers. Later installations of SAINTmanager do this automatically as part of the install program.

    How to Obtain a Key

    A license key is required to use SAINT. Follow the steps below to configure your key:

    1. If you are a free-trial user, a key will be sent to you via e-mail. Otherwise, go to http://www.saintcorporation.com, log in with your user name and password, click on Generate Key, and follow the instructions for creating a key. Note that you can add addresses to your key at any later time if you do not use the full capacity of your license. However, once you have generated your key, addresses cannot be removed from it. If you have purchased a license for individual hosts and you don't know all of their IP addresses, you can use SAINT's discovery scan level to generate a list of live hosts on your network:

    a. Run SAINT by typing ./saint in the saint directory and choose Scan.

    b. Enter the range of possible IP addresses (e.g., against your Class C address range) as the primary target.

    c. Select discovery for the scan level.

    d. Start the scan.

    Note: You may have to repeat this scan at various times and on different days to ensure you have picked up all the hosts on your network.

    e. Use the list of IP addresses in the resulting file live_hosts_file to generate the key.

    2. Choose Configure SAINT Key from the pull-down menu under the Home icon in SAINT and paste the key into the text box, or place the key in your saint directory and name it saint.key. (If you have two customer accounts and want to use both keys together, paste the second key in the Alternate Key box or name the second file saint_alt.key.) At this point you can begin using SAINT.

    If you run a SAINT scan that includes hosts or networks which are not included in your key, then you will see a message on the stderr output of the console where you started SAINT, indicating that those hosts were not scanned.

    SAINTmanager requires a different key than regular SAINT. If you are a SAINTmanager customer with a valid account, you can generate a key the same way you do for SAINT. The key should be named saint.key and placed in your sm-1.0-x.x directory.

    Running SAINT

    You will need PERL version 5.00 or above to get SAINT running properly. It is also recommended to have Samba utilities, Xprobe2, OpenSSL, and OpenSSH installed on the system running SAINT. See system requirements for information on obtaining these tools.

    Once SAINT is installed, SAINT is used by following these steps:

    1. For standalone usage (Desktop method): If SAINT was installed from a Linux DEB or RPM package, choose SAINT from the Applications menu. (It may appear under a sub-menu such as Other in some Linux versions.) Otherwise, if the SAINT installation program created a SAINT icon on your desktop, double-click on the icon.

    For standalone usage (command prompt method): Log in as root and run ./saint to begin using SAINT from the HTML interface. (If there is no root account, run sudo ./saint instead.) Skip to step 3.

    For remote mode/command-line usage: See remote mode.

    2. Use the up and down arrow keys to highlight Start SAINT, then press Enter:

    3. Choose Options to change the default scan configuration, if desired.

    4. Choose Scan to select the Primary Targets, Authentication, Scanning Level, and Host Discovery, and to start the scan.

    a. Under Add target(s), type in the IP address of the host that you're running SAINT from, and click on the Add button, as shown in the following image:

    b. Select Scan the target host(s) only, or, if you have the inclination, authority, and time (it can take several minutes to scan a single host at the higher scan levels), select Scan all hosts in the target hosts' subnet(s).

    c. Under the Scanning Level tab select the Show all scan levels link, as depicted in the screen capture below. Select a Normal scan to start out with. The more intensive the scan the more time it takes to complete.

    d. Scroll to the bottom of the page and select the Scan Now button to begin scanning.

    5. When the scan finishes, choose the Data icon to view the results. Look at the Vulnerabilities section first, and then examine the other sections, Host Information and Trust. For more information, see data analysis.

    Finger Wars Caveat

    Please remember, if you have tcpd wrappers installed on the SAINT platform, or some other mechanism that does reverse fingering, turn off the feature before running the SAINT program! This must be done as there is a reasonable chance that a target of the probe may also have this feature enabled. If the SAINT platform and a target of the SAINT probe both have reverse fingering enabled, the result will be a "finger war". In other words, an infinite loop of fingers between the SAINT platform and the probe target will be generated. If this happens, both machines will quickly be overwhelmed by the resulting mail and/or logs generated. After running the SAINT probe, remember to turn the reverse fingering feature back on, of course!

    Finally, always be certain that you have permission to scan any potential hosts that you're thinking of testing. It is easy to unwittingly make your neighbors think that you're trying to attack them with any scans that you run.

    Starting SAINTmanager

    The SAINTmanager architecture consists of the SAINTmanager management console and one or more SAINT platforms (called nodes) which are controlled by the manager. This section provides instructions for starting the SAINTmanager management console. See starting nodes for information on how to start a node. SAINTmanager always operates in remote mode.

    How to start SAINTmanager (Desktop method)

    1. If SAINTmanager was installed from a Linux DEB or RPM package, choose SAINTmanager from the Applications menu. (It may appear under a sub-menu such as Other in some Linux versions.) Otherwise, if the SAINTmanager installation program created a SAINTmanager icon on your desktop, double-click on the icon.

    2. Use the arrow keys to highlight Start SAINTmanager, and press Enter:

    3. Enter a space-separated list of one or more IP addresses which are allowed to connect to the web interface, and press Enter. Use an asterisk (*) for the last octet(s) to match any IP address in a network. Then highlight OK and press Enter:

    4. Enter a space-separated list of one or more IP addresses which are allowed to be nodes for SAINTmanager, and press Enter. Again, use an asterisk (*) for the last octet(s) to match any IP address in a network. Then highlight OK and press Enter:

    5. If SAINTmanager was installed from a .deb or .rpm package, and this is the first time running SAINTmanager, then follow the prompts to initialize the database and create an SSL certificate.

    6. Open a browser and load the URL http://SAINTmanager_IP:port. The port is 1414 or whatever port number was previously specified. (For the desktop method, this port and the node connection port can be changed by selecting Options after step 1.)

    7. The first SAINTmanager screen is the login window. The default administrative user name is 'superadmin' and the password is 'saintmanager'. Note: To ensure security, it is strongly advised that you change the password after the first start-up.

    8. When SAINTmanager is no longer needed, stop the server as follows: Invoke SAINT from the Applications menu or the desktop icon as done in step 1. Then use the up and down arrow keys to highlight Stop SAINTmanager and press Enter.

    How to start SAINTmanager (Command Prompt method)

    1. Enter the following command as root:

    ./saint -M -h "host1 host2 ..."

    The -M option stands for manager. host1 host2 are hosts that are allowed to connect. (Precede the above command with sudo if there is no root account.) If you wish to specify port numbers, the following command can be used instead:

    ./saint -M -h "host1 host2" -p 1414 -E 1515

    By default, SAINTmanager listens for incoming browser connections on port 1414, but this can be changed using the -p flag or the $server_port variable in config/saint.cf. Likewise, the default port for incoming SSL connections from SAINT nodes is port 1515, but this can be changed using the -E flag or the $ssl_server_port variable. See SSL Port for more information.

    2. Follow steps 5 through 7 above.

    3. Use the configuration management page (or change the $allowed_nodes variable in config/saint.cf) to identify the IP addresses of nodes that are allowed to connect to SAINTmanager. See allowed nodes for more information.

    4. When SAINTmanager is no longer needed, stop the server by entering the following command as root:

    ./saint -k

    If there is no root account, type sudo ./saint -k.
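    The allow-lists entered at the prompts above and in $allowed_nodes accept an asterisk for the last octet(s), so one short entry can admit a very large network. The script below is an added example, not part of SAINT or its documentation, that reports how many IPv4 addresses each entry admits. It assumes that only trailing octets may be "*" and that a trailing "*" stands for all remaining octets; SAINT's own matching code is not shown on this page, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the SAINT documentation.
# Assumed entry syntax: dotted IPv4 address, trailing octet(s) may be "*".

# entry_scope ENTRY
# Prints the number of IPv4 addresses ENTRY admits.
# Returns 1 (printing nothing) if ENTRY does not fit the assumed syntax.
entry_scope() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac      # empty, or stray dots
    rest=$1 count=1 n=0 star=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
        n=$((n + 1))
        [ "$n" -le 4 ] || return 1                  # more than four octets
        if [ "$octet" = "*" ]; then
            star=1
            count=$((count * 256))
        else
            [ "$star" -eq 0 ] || return 1           # literal octet after a wildcard
            case $octet in
                *[!0-9]*|????*) return 1 ;;         # non-numeric or too long
            esac
            [ "$octet" -le 255 ] || return 1
        fi
    done
    while [ "$n" -lt 4 ]; do
        [ "$star" -eq 1 ] || return 1               # too few octets, no wildcard
        count=$((count * 256))                      # trailing "*" covers the rest
        n=$((n + 1))
    done
    echo "$count"
}

# audit_allowlist "ENTRY ENTRY ..." MAX
# Prints one line per entry. Returns 1 if any entry is malformed
# or admits more than MAX addresses, 0 otherwise.
audit_allowlist() {
    max=$2 bad=0
    set -f                  # keep the shell from expanding "*" as a filename glob
    set -- $1
    set +f
    for e in "$@"; do
        if scope=$(entry_scope "$e"); then
            if [ "$scope" -gt "$max" ]; then
                echo "BROAD      $e ($scope addresses)"
                bad=1
            else
                echo "ok         $e ($scope addresses)"
            fi
        else
            echo "MALFORMED  $e"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample list: space-separated, "*" for trailing octets.
audit_allowlist "192.168.1.* 10.* 172.16.4.20 10.*.0.5" 256 ||
    echo "review the entries flagged above"
```

    Run it against the value you intend to type at the prompt or place in $allowed_nodes, with MAX set to the largest network you mean to admit.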

    Starting Nodes

    Any SAINT scanner installation can be started as a node for SAINTmanager. The node automatically attempts to connect to the management console when it starts. It may connect only if SAINTmanager has allowed it to. See allowed nodes for more information on allowing nodes. Once a node connects, it is automatically added to SAINTmanager's node table. You may wish later to modify the name by which the node is known or set a node administrator. See nodes for information on nodes.

    How to Start a Node (Desktop method)

    1. If SAINT was installed from a Linux DEB or RPM package, choose SAINT from the Applications menu. (It may appear under a sub-menu such as Other in some Linux versions.) Otherwise, if the SAINT installation program created a SAINT icon on your desktop, double-click on the icon.

    2. Use the arrow keys to highlight Connect to SAINTmanager, and press Enter:

    3. Enter the IP address of SAINTmanager. Then highlight OK and press Enter:

    SAINTmanager should already be running on the specified IP address in order for the connection to complete. If not, the node will re-attempt to connect periodically. (If you specified a non-standard port for connections from nodes when starting SAINTmanager, choose Options after step 1 to specify the same port.)

    4. When the node is no longer needed, invoke SAINT from the Applications menu or desktop icon as done in step 1. Then use the up and down arrow keys to highlight Disconnect from SAINTmanager, and press Enter.

    How to Start a Node (Command prompt method)

    Log in as root and enter the following command (if there is no root account, precede the command with sudo):

    ./saint -N -H SAINTmanager_IP

    The -N option stands for node. The -H option specifies SAINTmanager's IP address. If you specified a non-standard port for connections from nodes when you started SAINTmanager, specify the same port in the $ssl_server_port setting in config/saint.cf, or start the node as follows:

    ./saint -N -H SAINTmanager_IP -E port

    where port is the port number for connections from nodes to SAINTmanager. (This is not the same as the web interface port.)

    Logging into WebSAINT

    WebSAINT is an online SaaS (Software as a Service) vulnerability scanner that enables the system administrator to evaluate the security environment of a single computer, multiple computers, or an entire network, without having a separate/local installation of SAINT's vulnerability scanning software or SAINTbox. Access to WebSAINT is available through the following steps once your IP addresses have been registered and a valid user ID and password has been received. You can access WebSAINT from either of the following locations:

    Through the Public Web site:

    1. Open a browser window and navigate to the SAINT Corporation public site at http://www.saintcorporation.com

    2. Select the "Customer Login" button located in the top right corner of the SAINT Web site, as shown below

    3. Select the "WebSAINT login" link to be redirected to WebSAINT. The WebSAINT Login page will be displayed, as shown below:

    4. Enter your SAINT User ID and Password

    5. Click the Login button

    Direct access to the WebSAINT login page:

    1. Open a browser window and navigate to WebSAINT login page at https://secure.saintcorporation.com/websaint/login.html

    2. Enter your SAINT User ID and Password

    3. Click the Login button

    SAINT will authenticate your access and launch WebSAINT, displaying the Home screen, as shown below:

    Logging into WebSAINT PRO

    WebSAINT PRO is the online SaaS (Software as a Service) solution that includes vulnerability scanning, penetration testing, and Web application scanning along with the full functionality of SAINT scanner and exploit technology. WebSAINT PRO is a fully functional Web-hosting model, and does not require you to install SAINT software or hardware. A license key is required to use WebSAINT PRO. If a key hasn't been generated, follow the instructions in the Generating a Key section of this document for additional assistance.

    To log into WebSAINT PRO:

    1. Open a browser window and navigate to the SAINT Corporation public site at http://www.saintcorporation.com

    2. Select the "Customer Login" button at the top right of the page.

    3. Enter your User ID and password to access the mySAINT customer site as shown below:

    4. Click the dark blue "WebSAINT Pro Login" button located in the left column and the SAINT home page will be loaded. The loader will refresh your browser and display activity messages, and then load the main SAINT application in your active browser window.

    System Requirements

    Operating Systems

    SAINT is supported for the following operating systems:

    Linux: CentOS 6; Debian; Fedora 15; Mandriva 2010; Red Hat Enterprise Linux 5, 6; SuSe; Ubuntu 9.04, 10.04

    Unix: Free BSD

    Mac: OS X Snow Leopard 10.6.5-10.6.8; OS X Lion 10.7

    The Oracle instant client, which enables Oracle Database account checks and exploits, is included with SAINT and functional on the following operating systems:

    Linux with glibc 2.3 or higher (x86 or x86_64)

    Mac OS X 10.4 or higher (x86)

    Web Browsers

    The following web browsers are recommended:

    Internet Explorer 7 and higher

    Mozilla Firefox 6.0 and higher

    Up-to-date Opera

    Up-to-date Safari

    It is also strongly recommended that you use a JavaScript and PopUp enabled browser.

    Disk Space

    SAINT itself requires about 150 MB to download and install. However, if PERL and a web browser are not already installed on the system, up to 70 MB of additional disk space could be required to install these packages. The exact requirement depends on the operating system type and the browser version.

    Additional space is required for storing the results of scans and generating SAINTwriter reports. More space will also be required to install the optional utilities (Nmap, Samba, Xprobe2, OpenSSL, OpenSSH) if they are to be used by SAINT. Of course, if the optional utilities are already installed, it isn't necessary to reinstall them.

    The optional utilities mentioned above would be used by SAINT on SAINT nodes, but are generally not necessary on the SAINTmanager host. The exception is OpenSSL, which SAINTmanager uses to encrypt communications with the nodes. An additional application required on the SAINTmanager host is MySQL 4.1.21 (or higher) database. Both MySQL and OpenSSL are often provided as part of the regular installation package for Linux and MacOS/X.

    The amount of disk space required varies depending on the operating system, the download format, and amount of data being stored in the database.

    Memory

    The amount of memory needed to properly run the SAINT program varies depending upon the number of hosts to be scanned, the selected level of multithreading, and other factors. 512 MB is sufficient for most purposes, but additional RAM should be considered for optimal performance if there are large-scale scanning requirements.

    Other Required Software Tools

    SAINT requires PERL 5.004 or higher in order to run. If the graphical user interface is to be used, SAINT also requires a graphical HTML browser such as Firefox or Safari or a text browser such as Lynx. Microsoft Internet Explorer is also an option if SAINT is to be used in remote mode with a Windows client. In addition to the required software tools, there are three additional tools which are highly recommended, and several more which are optional:

    Samba utilities, if installed on the scanning system, is used to check for readable and writable Microsoft shares and to check remote file time stamps. (Not required on Mac OS 10.7 (Lion) and higher, where SAINT uses the native Mac OS smbutil and mount_smbfs commands instead of Samba utilities.)

    OpenSSL 0.9.7 or higher, if installed on the scanning system, is used to encrypt Windows authentication credentials and to check for vulnerabilities in SSL web servers. If OpenSSL is not available or is outdated, SAINT displays a warning that it will use plaintext Windows authentication. SAINT links to the OpenSSL libraries at run-time, so if compiling OpenSSL by hand, be sure to build shared libraries.

    OpenSSH, if installed on the scanning system, is used to gain shell access to targets which run a secure shell server. The presence of OpenSSH helps detect host types, missing patches, and weak passwords.

    Optional: Standard UNIX and Linux command-line tools, including dig, finger, ftp, nslookup, rup, rusers, showmount, telnet, tftp, xhost, and ypwhich. For more information about installing these tools on Linux systems, see Linux Configuration.

    Optional: Xprobe2, if installed on the scanning system, is used for improved host type detection. If Nmap and Xprobe2 are both available, SAINT will use whichever yields more reliable results for any given target.

    Optional: Crypt-PasswdMD5 1.3 or higher. If installed on the scanning system, this PERL module enables support for unique passwords longer than eight characters. The login screen alerts you if your system does not natively provide this capability and this module is not installed. Note that passwords created before installation of this module need to be re-created to preserve the information beyond eight characters.

    Optional: Various PERL modules, such as Compress-Zlib, IO-Socket-SSL, Crypt-DES, and Digest-MD4. These modules are used by some SAINTexploit plug-ins. See the Limitations section of an individual exploit's information page to see which PERL modules, if any, are required to run that exploit. PERL modules are available from www.cpan.org.

    Optional: The MySQL client, if installed on the scanning system, allows authentication to MySQL database servers for performing local vulnerability checks.

    If any of the above software tools are missing from your system, they can be downloaded from the links above. Most Linux vendors also provide packages containing some of these tools.

    Linux Configuration

    SAINT can run on any Linux system which meets all of the requirements described above. The Linux distributions which are most commonly used for running SAINT include Red Hat, Mandriva, SuSE, and Ubuntu. When configuring a Linux system for use with SAINT, install whichever packages contain the required and recommended software tools used by SAINT. The following package lists may be used as a guide.

    Ubuntu 10.04: libcrypt-des-perl, libcrypt-passwdmd5-perl, libdigest-crc-perl, libdigest-hmac-perl, libdigest-md4-perl, libio-pty-perl, libio-socket-ssl-perl, libstring-crc32-perl, libwww-mechanize-perl, finger, nfs-common, nis, nmap, openssh-client, openssl, rsh-client, rstat-client, rusers, samba-common, smbclient, smbfs, tftp

    OpenSuSE 11.3: bind-utils, cifs-utils, finger, nfs-client, nmap, openssh, perl-Crypt-DES, perl-IO-Socket-SSL, perl-IO-Tty, samba-client, tftp, ypbind, yp-tools

    SAINTmanager Requirements

    Installing and running SAINTmanager requires the following:

    Linux 2.2 or higher (x86)

    PERL 5.004 or higher in order to run.

    OpenSSL 0.9.7 or higher, to encrypt communications with the nodes.

    MySQL 4.1.21 or higher database server to store information.

    DBI to interface PERL with MySQL, and DBD::mysql (2.9004 or higher), the MySQL driver for DBI. You can run scripts/show_dbi_drivers.pl to see which drivers you currently have installed for DBI.

    Optional: Perl-LDAP if using LDAP authentication

    PERL, MySQL, and OpenSSL are often provided as part of the regular installation package for Linux and Mac OS X. SAINTmanager stores information in a MySQL database. The MySQL server must be installed and running before installing SAINTmanager. Note that most Linux vendors package the MySQL server separately from the MySQL client.

    SAINTmanager does not require that MySQL listen for connections from remote hosts. To ensure security, enter "skip-networking" under "[mysqld]" in the MySQL configuration file (often /etc/my.cnf) to disable connections from remote hosts.
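    The setting only has the intended effect when it sits in the [mysqld] group, so it is worth checking the file after editing it. The following is an added example, not part of the SAINT documentation: audit_skip_networking is a hypothetical helper, the two option files are constructed, and treating a bare flag or a value of 1/ON/TRUE as "enabled" is an assumption about how the option is written.

```python
import re

ON_VALUES = {"", "1", "on", "true"}   # a bare flag, or an explicit "on" value

# Constructed option files for illustration.
MISPLACED = "[client]\nskip-networking\n\n[mysqld]\ndatadir=/var/lib/mysql\n"
CORRECT = "[mysqld]\n# local socket only\nskip_networking\n"


def audit_skip_networking(cnf_text):
    """Return (enabled, notes): whether the [mysqld] group disables networking,
    plus a note for every skip-networking line that does not take effect there."""
    section, enabled, notes = None, False, []
    for lineno, raw in enumerate(cnf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        name, _, value = line.partition("=")
        # MySQL accepts dashes and underscores interchangeably in option names.
        name = name.strip().lower().replace("_", "-")
        if name != "skip-networking":
            continue
        if section != "mysqld":
            notes.append(f"line {lineno}: under [{section}], not [mysqld]")
        elif value.strip().lower() in ON_VALUES:
            enabled = True
        else:
            enabled = False                          # a later line overrides
            notes.append(f"line {lineno}: value {value.strip()!r} is not an 'on' value")
    return enabled, notes


if __name__ == "__main__":
    for label, text in (("misplaced", MISPLACED), ("correct", CORRECT)):
        print(label, audit_skip_networking(text))
```

    To check a real system, pass the contents of the configuration file to audit_skip_networking and treat any note as a finding.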

    Using SAINT

    Sessions

    Whenever SAINT runs, it enters an operating environment called a session. The session contains all configuration settings, scan policies, and data associated with the current set of targets. New sessions can be created for new sites or alternate configurations, and existing sessions can be re-opened whenever needed. A session called saint-data is created by default when SAINT first runs. The default session to open whenever SAINT is invoked can be specified from the Options screen, the config/saint.cf file, or from the command line using the -d option.

    Opening and Creating Sessions

    From the Sessions icon on the graphical user interface, the Open/Create tab provides three options: open an existing session, create a new session, or open an archived data set within the current session, as shown in the screen capture below.

    To create a session, select the Open/Create tab, enter the name of the new session and click on the Open/Create button. Creating a new session will clear the data in memory and initialize the target list and configuration to be the same as the existing session. To open a session, select the Open/Create tab, enter the name of an existing saved session and click the Open/Create button, or simply click on the session name listed under Existing Sessions. Opening a session will load the saved session into memory for subsequent data analysis, reconfiguration, or re-scanning.

    Merging Sessions

    Merging a session opens a chosen saved session while concatenating the data in the current session. To merge a session, click on the Merge tab, enter the name of the saved session and click on Merge, or select the session name listed under Existing Sessions. After merging the data, SAINT will provide the option of saving the merged data to a new or existing session. If the data is not saved, the merged data will reside in memory only, and will need to be merged again if needed when SAINT is run again at a later time.

    Deleting Sessions

    When a session is no longer needed, it can be deleted. To delete a session, click the Delete tab, enter the name of the session and click Delete, or select the session name listed under Existing Sessions. The next page will show a message indicating that the session has been deleted, after which you can delete more sessions, if desired. Note that the session that is currently open cannot be deleted. If you want to delete the current session, then first open a different session. It is also possible to delete selected data sets from a session without deleting the entire session. Sessions containing archived data sets are indicated by a plus icon in the Existing Sessions list. Clicking the plus icon opens a list of archived data sets, identified by the scan date and time, under the session name. Click any data set to delete it, or click the minus icon to close the list.

    Backing Up and Restoring Sessions

    It is a good practice to create a session backup file periodically and save it to removable media or another computer. This helps ensure that the archived data, target lists, scan configurations, and scan policies can be restored if they are accidentally deleted, or the computer running SAINT becomes inoperable. It may also be useful to have a session backup file if it is necessary to transfer sessions to a different computer. To create a session backup file, select the Home icon and choose Backup from the Administrative Functions drop down menu. Then click Download Backup File to download the backup file, and save it in any desired location. To restore sessions from the backup file, go to the Home icon and choose Restore from the Administrative Functions menu. Enter the path to the backup file. (The Browse button, if supported by your browser, can help you locate the backup file.) Then, click the Restore button.

    Sanitize Sessions

    For security reasons, it is sometimes preferable that the data not contain the real IP addresses and host names that were scanned. Sanitize session will allow you to replace the real IP addresses and host names in the data with fake ones. To sanitize a session, click the Sanitize tab, enter the name of the session and click on Sanitize, or select the session name listed under Existing Sessions. Note that the session that is currently open cannot be sanitized. If you want to sanitize the current session, then first open a different session.

    The Sanitize Session tab will provide the option of saving the original data in a backup file. When you click Submit, you will be asked again if you want to proceed or not. Clicking the OK button will save the original data in the Results directory with a .bak extension and will activate the sanitize process. You may want to move the saved file to a different location, because it will be overwritten the next time you sanitize the session with the Yes to save option checked. Please note that restoring the original data must be done manually. You can also tell SAINT the number of octets to replace and what to replace them with.

    SAINTmanager Enterprise Session

    The SAINTmanager enterprise session contains data from all the scans initiated by SAINTmanager on all the nodes in order to provide an enterprise-wide view of the organization's vulnerabilities. This special session is like regular SAINT sessions in that you can perform analysis and generate reports on the data, set up exclusions, etc. However, you cannot directly initiate a scan from within the enterprise session. You can control some features regarding how often to archive the enterprise session using the configuration setup.

    In order to support SAINTwriter trend analysis, the enterprise session is actually implemented as two sessions: enterprise and enterprise_trend, though this implementation is transparent to the user. The enterprise session contains the latest scan results for all hosts that have been scanned and has no archived data sets. The enterprise_trend session is used only for trend analysis. It contains scan results for hosts that have been scanned within the current scan window (see $scan_window variable). It has archived data sets for each previous scan window that had results. Generating a SAINTwriter trend analysis report from the enterprise session will actually base the report on the enterprise_trend session.

    Global vs. Node-Specific Sessions

    The enterprise session described above is one example of a global session. The other global sessions are almost identical to regular SAINT sessions, e.g., the saint-data session. You set up their configuration, initiate scans, generate reports, and perform analysis on them in essentially the same way as regular SAINT sessions. However, each non-enterprise global session can apply to multiple nodes. As data becomes available from scans on particular nodes, those data sets are brought back to SAINTmanager and stored in node-specific sessions with names like nodename.sessionname, where nodename is the name of the node and sessionname is the name of the global session. Then the data from the node-specific sessions (e.g., nodename.saint-data) are merged into the global session (e.g., saint-data). The node-specific sessions cannot be used to perform scans or set up configuration, though you can set up exclusions for the vulnerability data sets.

    How to Run a Scan

    Initiating a SAINT scan is done from the Scan section of the graphical user interface. Starting a scan involves choosing the target range and scan policy and optionally authenticating to a Windows domain.

    Target Selection

    The first step in the scan setup process is to click on the Scan icon and select your primary targets. As shown in the image below, targets can be added to the selected targets list by choosing a single IP address, an IP address range, a class C subnet, a DNS host name, a URL, a target file, or an import from the SAINT key from the Add target(s) drop down menu. If you import From SAINT Key, all addresses in the license key will be added to the target list. Targets can be removed from the list by selecting the target in the selected targets box, and clicking on the Delete button. Be careful of the Delete All button; this button will clear the entire target list.

    SAINTmanager provides for selecting different target sets for each node. The node drop down menu allows the user to choose which node's targets to display/edit. Just above the node drop down menu, the Show node/targets table link can be used to display a table showing the current nodes and targets selected for each.

    Free-Form Target Selection

    Free-form target selection is available for users who prefer to enter their targets in a text box. To use this form of target selection, follow the free-form target selection link on the Scan screen. Check the button beside the first box, and enter the desired targets into that box. SAINT allows target selection in several formats:

    Host names: one or more host names, separated by spaces. SAINT must be able to resolve the host names, either using a DNS server or the /etc/hosts file, or an error will result.

    IP addresses: one or more IP addresses, separated by spaces.

    Subnets: one or more class C subnets, represented as only the first three octets. SAINT will expand the subnet to include every IP address beginning with the given three octets.

    IP address ranges: one or more IP address ranges. Each range consists of a beginning and ending IP address, separated by a dash. SAINT will expand the range to include the starting and ending addresses and every address in between.

    URLs: one or more URLs, such as http://hostname:port/path. SAINT will scan the target specified in the hostname portion of the URL, specifically including the web program(s) found on the specified port and path.

    CIDR network addresses: a network address followed by a slash and a prefix length. For example: 192.30.250.0/18.

    Any combination of the above, separated by spaces.

    Note: All of these with the exception of Subnets can be used with both IPv4 and IPv6 addresses.

    Target File

    Alternatively, SAINT allows the targets to be specified in a file. To use this option, select "from file" from the Add target(s) drop down menu, then enter the name of a file containing the target list in the box and click on the Add button. Or, if you are using free-form target selection, choose the button beside the second box and enter the name of a file containing the target list. The target list should be in the same format described above. Either newlines or spaces may be used as separators.
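    Because a single token can expand to thousands of addresses, it helps to check a target list before loading it. The following is an added example, not SAINT's own parser: it classifies each token using the formats listed above, reports the address span it covers, and compares it with a list of approved networks. The function names, the AUTHORIZED list, and the sample targets are assumptions of this example, as is masking off host bits in a CIDR entry such as 192.30.250.0/18.

```python
import ipaddress
import re
from collections import namedtuple
from urllib.parse import urlsplit

# first/last are the inclusive address bounds; both are None for a name
# that still has to be resolved through DNS or /etc/hosts.
Target = namedtuple("Target", "token kind first last")

THREE_OCTETS = re.compile(r"\d{1,3}(\.\d{1,3}){2}")
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(\.{LABEL})*")

# Constructed sample input: spaces and newlines both separate targets.
SAMPLE = """192.0.2.10 192.0.2 198.51.100.5-198.51.100.20
192.30.250.0/18 http://www.example.com:8080/app 2001:db8::1 10.0.0.999"""
AUTHORIZED = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]


def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_target(token):
    """Classify one token; raise ValueError if it fits none of the formats."""
    if "://" in token:                       # URL: the host part is the target
        host = urlsplit(token).hostname
        if not host:
            raise ValueError(f"URL has no host: {token}")
        return Target(token, "url", _ip(host), _ip(host))
    if "/" in token:                         # CIDR; host bits are masked off
        net = ipaddress.ip_network(token, strict=False)
        return Target(token, "cidr", net[0], net[-1])
    lo, dash, hi = token.partition("-")
    first, last = _ip(lo), _ip(hi)
    if dash and (first is not None or last is not None):   # start-end range
        if first is None or last is None or first.version != last.version or first > last:
            raise ValueError(f"bad range: {token}")
        return Target(token, "range", first, last)
    if THREE_OCTETS.fullmatch(token):        # class C subnet, IPv4 only
        base = ipaddress.IPv4Address(token + ".0")   # raises if an octet > 255
        return Target(token, "subnet", base, base + 255)
    addr = _ip(token)
    if addr is not None:
        return Target(token, "ip", addr, addr)
    # A mistyped address such as 10.0.0.999 must not pass as a host name.
    if re.fullmatch(r"[\d.-]+", token) or not HOSTNAME.fullmatch(token):
        raise ValueError(f"not a valid address or host name: {token}")
    return Target(token, "hostname", None, None)


def address_count(target):
    """Number of addresses the target expands to, or None for a name."""
    return None if target.first is None else int(target.last) - int(target.first) + 1


def preflight(text, authorized):
    """Sort every token into in_scope, out_of_scope, needs_dns or errors."""
    nets = [ipaddress.ip_network(n) for n in authorized]
    report = {"in_scope": [], "out_of_scope": [], "needs_dns": [], "errors": []}
    for token in text.split():
        try:
            t = parse_target(token)
        except ValueError as exc:
            report["errors"].append(str(exc))
            continue
        if t.first is None:
            report["needs_dns"].append(t.token)
        elif any(n.version == t.first.version and n[0] <= t.first and t.last <= n[-1]
                 for n in nets):
            report["in_scope"].append(t.token)
        else:
            report["out_of_scope"].append(t.token)
    return report
```

    Calling preflight(SAMPLE, AUTHORIZED) flags the /18 entry as outside the approved networks and rejects the mistyped address; names listed under needs_dns have to be resolved and checked separately.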

    Target File Uploads

    For users who are running SAINT in remote mode, it may be more convenient to upload a target file rather than entering a long list of targets. Unlike the target file option which allows you to specify a target file located on the computer running SAINT, the target file upload feature allows you to specify a target file located on the same machine as your web browser. The target file should be a plain text file with targets listed in the same format as for free-form target selection, using newlines or spaces as field separators. To upload a target file, follow the Upload Target File link on the Scan page. Then specify the path to a target file on your local computer. (Depending on what type of web browser you are using, a button may be provided to allow you to browse the folders on your local computer and select the desired file.) Click on the Upload button to add the contents of the chosen file to the list of selected targets.

    Subnet Expansion

    SAINT also gives you the option of scanning all hosts in each target's Class C subnet, instead of only the target itself; that is, every possible target with the same first three octets in its IP address. This option has the same effect as entering a subnet in the target selection box as described above, with the added benefit that it will allow SAINT to perform tests on broadcast addresses, such as Smurf and Fraggle (IP-directed broadcast) vulnerabilities.

    Data Preservation

    In any given session, SAINT keeps only the data from the most recent scan in memory. This data is known as the current data set. Older data sets are saved to disk so that they can be analyzed later and compared using SAINTwriter's trend analysis reports. The collection of older data sets is known as the archive. When setting up a scan, if the session already contains current data which may be overwritten by the upcoming scan, SAINT will provide you with two options. The first option is to preserve the data in the session's archive. The second option is to merge new scan data with the current data. If this option is chosen, the new data will overwrite any existing data for the same target, and any existing data for targets that are not scanned will remain in place.

    Scanning Policies

    SAINT can probe hosts at various levels of intensity. The default scanning policy is set in the configuration file, but can be overridden on the Scan page. Lighter attacks will be faster and harder to detect, but will not gather as much information as heavier attacks.

    Discovery: This is the least intrusive scan. SAINT identifies hosts which are alive and reports their IP addresses in live_hosts_file. This scan policy may be useful to determine which host IP addresses should be used to generate a SAINT key.

    Port scan: For this policy, SAINT will identify live hosts and check for services listening on TCP or UDP ports. The range of ports to check is determined by the ports to scan settings on the Options page.

    Auth Test: For this policy, SAINT performs authentication against the targets using the credentials specified in either the credentials manager or the Windows/Linux/Unix/Mac input boxes under the authentication tab. Use the Auth Test report format to view results in SAINTwriter. See the Auth Test scan policy port configuration option for more information.

    Vulnerability Scan: For this policy, also known as the heavy policy, SAINT will check for services listening on TCP or UDP ports. Any services detected will then be scanned for any known vulnerabilities. This scan policy includes SAINT's entire set of vulnerability checks, and is the scan policy that should be used in most situations.

    Custom: This scanning policy allows the user to run any combination of SAINT probes. The user-defined scan policy to use is selected by choosing Custom from the "filter by category" drop down. Custom scan policies can be set up from the Scan page by clicking the "custom scan policy editor" link after filtering scan policies by Custom. See custom scan setup for more information on creating a custom scan policy.

    Web Crawl: For this policy, SAINT detects web directories on the targets. It does so by first scanning ports for web services, and then finding directories by following HTML links starting from the home page.

    SQL/XSS: For this policy, SAINT checks for SQL injection and cross-site scripting vulnerabilities on web servers. This includes both generic tests, where SAINT finds HTML forms and tests all parameters for SQL injection and cross-site scripting, and checks for known SQL injection and cross-site scripting vulnerabilities.

    Windows Patch: For this policy, SAINT checks for missing Windows patches. Since most of the checks for Windows patches require authentication, Windows domain authentication is recommended with this policy.

    Content Search: For this policy, SAINT searches files on Windows and Linux/Mac targets for credit card numbers, social security numbers, or any other specified patterns. See SAINT Configuration for more information on configuring SAINT's file content searching feature. Authentication is required for this policy, and if scanning a Linux/Mac target, SSHD must be enabled.

    PCI: For this policy, SAINT scans all TCP ports (1-65535) and common UDP ports, and then scans any services for any known vulnerabilities, with increased focus on PCI DSS requirements. This policy is similar to the Vulnerability Scan policy, but includes more TCP ports, enforces a spider depth of at least 5, enables certain low severity checks which are normally disabled, and reduces the restrictiveness of certain other checks.

    FISMA: This scan policy provides support for security controls related to Continuous Monitoring, as well as performing Risk Assessments. Selecting this scan policy ensures that probes scan for the entire set of vulnerability checks, with the Exhaustive option. SAINT also provides a pre-configured report template that describes the supported controls and reports results at a summary and detailed level. See How to Generate a FISMA Vulnerability Assessment Report for more information about using this report template.

    HIPAA: This scan policy provides support for HIPAA security requirements related to both Risk Analysis and overall Risk Management. Selecting this scan policy ensures that probes scan for the entire set of vulnerability checks, with the Exhaustive option. SAINT also provides a pre-configured report template that describes the supported controls and reports results at a summary and detailed level. See How to Generate a HIPAA Vulnerability Assessment Report for more information about using this report template.

    NERC CIP: The NERC CIP compliance scanning policy reports the results of an exhaustive vulnerability scan on selected hosts. For use with the results of this scan policy, SAINT also provides a NERC CIP report template that describes the applicable NERC CIP security controls, as well as a pre-formatted report with executive level graphs/charts and detailed level scan results.

    SOX: The SOX scan policy runs all available vulnerability checks against selected targets, and supports financial organizations' internal risk management strategies, as well as facilitating provisions in Section 404 of the Sarbanes-Oxley Act, which requires an annual management report on the effectiveness of internal controls for financial reporting and requires that external auditors confirm management's assessment.

    Anti-virus (AV) information: For this policy, information is collected about installed AV software, such as last scan date, enabled, definition file dates, and other information useful for auditing requirement 5 of the PCI DSS. Information is currently gathered for Windows versions for many of the most popular AV software products in use today, such as: McAfee, Symantec, AVG, F-Secure, MS Forefront, and Trend Micro. Note that some results are only reported if they are considered vulnerabilities while others are always reported. For example, if available, the last scan date is always reported, while a check to determine if updates or the AV software itself is enabled is reported only if it is disabled. Authentication is needed to run this scanning policy. Facts containing the string '(Master)' mean that an anti-virus server/manager/admin is installed on the target. For more information, see Configuration options; also see the knowledge base on the mySAINT customer web site.

    Normal: For this policy, SAINT collects information from the DNS (Domain Name System), tries to identify the operating system, and tries to establish what RPC (Remote Procedure Call) services the host offers and what file systems it shares via the network. The policy also includes probes for the presence of common network services such as finger, remote login, ftp, WWW, Gopher, e-mail, and a few others. With this information, SAINT finds out the general character of a host (file server, diskless workstation) and establishes the operating system type and, where possible, the software release version.

    Top 20: This is a special scanning policy designed specifically to detect vulnerabilities which were among the SANS Top 20 Most Critical Internet Security Vulnerabilities. Although no longer maintained by SANS, this policy has been retained as a legacy scan level for those customers who wish to continue monitoring based on these vulnerabilities.

    Win Password Guess: This policy conducts password guess checks against Windows targets using the password guess and password dictionary configuration options. Authentication is recommended so SAINT can enumerate accounts.

    Microsoft Patch Tuesday: This policy checks for the latest published Microsoft Patch Tuesday vulnerabilities (second Tuesday of each month). This policy is updated by SAINT, typically by noon Wednesday, following Bulletin availability from Microsoft.

    Web (OWASP Top 10): This policy checks for vulnerabilities in web servers and web applications, such as SQL injection, cross-site scripting, unpatched web server software, weak SSL ciphers, and other OWASP Top 10 vulnerabilities. It also enables file content checks. Authentication is recommended or required for some of the checks included in this policy. See the FAQ for more information about OWASP Top 10 coverage.

    IAVA: This compliance policy executes a full port scan for all vulnerabilities reported in the Information Assurance Vulnerability Alert (IAVA).

    Operating System Password Guess: This policy includes all SAINT password guessing features designed to guess the operating system password. This policy includes checks for default FTP passwords, as well as dictionary-based password guessing via Telnet, SSH, and FTP. Authentication is recommended to ensure user account enumeration.

    Software Inventory: This policy generates a list of software installed on Windows targets. Authentication is required. For more information, see Configuration.

    The following three options can be used to modify some of the scan policies described above.

    Exhaustive: An exhaustive scan will take extra steps to be as thorough as possible. This option affects the vulnerability, PCI, and custom scan policies. For more information on exhaustive scans, see SAINT Configuration.

    Extreme: By default, SAINT takes a conservative approach and does not run checks which could have harmful side effects, but this makes it impossible to confirm certain vulnerabilities. However, if an extreme scan is run, the scan may include "dangerous" checks, in which attacks designed to crash services are launched in order to confirm that the target is or is not vulnerable. This option affects the vulnerability and custom scan policies. For more information see Dangerous Checks.

    Heavy port scan: With this option, the scan will include a heavy port scan, rather than scanning only common ports. This option affects the port scan and vulnerability scan policies. For more information on the heavy port scan, see Ports to Scan.

    Host Discovery

    SAINT can perform host discovery two ways: using SAINT's built-in discovery engine, or with Nmap. The SAINT method is simpler to configure, while Nmap is much faster and allows for more customization.

    SAINT Discovery Configuration

    In order to avoid wasting time scanning hosts which do not exist or are unreachable, SAINT attempts to discover live hosts at the start of a scan. The method used to discover live hosts varies depending upon whether a firewall