Tutorial: Saint, the "Holy" Networkers Tool
Results 1 to 4 of 4

Thread: Tutorial: Saint, the "Holy" Networkers Tool

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324

    Talking Tutorial: Saint, the "Holy" Networkers Tool

    SAINT (Security Administrator's Integrated Network Tool)

    SAINT is an administrative tool to be used on many *nix platforms. It was developed from the original SATAN (Security Administrator's Tool for Analyzing Networks) and has many "siblings", including SARA (Security Auditor's Research Assistant). At present, SAINT is the most widely used of these tools. SAINT is recognized as both a white hat and black hat tool for scanning and determining vulnerabilities on network systems.

    DISCLAIMER: Be aware that scanning unauthorized networks or computer systems can result in legal action being taken. Do not use SAINT against networks that you are not allowed to do.

    Before configuring SAINT, make sure that Netscape has the proxy settings (if any) that you will be using when testing your network machines. SAINT uses Netscape to show its scans in a user-readable format. Also, you should be logged in as the root user, as certain permissions will be required to do the scans. You can find information about SAINT or the latest version from http://www.wwdsi.com/saint/.

    Ideally, when testing SAINT, you should try it against *nix, Novell, Macintosh, Windows 95/98/ME and NT.

    Steps for installation, configuration, and usage:

    Downloading the files:

    1. Point your browser to: http://www.wwdsi.com/saint/downloads...-3.3.7.tar.gz. You don't have to fill out the info as long as you accept the Terms of Agreement. Hit the I Accept button at the bottom of the screen.
    2. Download SAINT into the directory that you want to keep it in.

    Installing Saint:

    3. Change to the directory to which saint was downloaded.
    4. Type gunzip saint*.gz.
    5. Type tar -xvf saint*.tar.
    6. Change to the directory created, and type cd saint*.
    7. Assuming that your root account uses the bash shell, type ./configure
    This will begin the first part of the compilation of the program. You may see some errors. Generally speaking, these can be ignored. If you cannot do the next step, then you may need to do some troubleshooting.

    8. Type make all.

    This will do the final compilation. Again, you may see some errors. For the most part, these can be ignored.


    Running Saint:

    1. Once the final compilation is complete, type ./saint to launch the program. Netscape will start as a result. You should see a SAINT welcome page.


    Note: If you do not see this, but rather see the firewall notice, you may need to alter your Netscape proxy settings. You can do this by choosing in Netscape Edit -->Preferences --> Advanced -->Proxies. Change the radio button from Manual to Direct Connection. Close Netscape, remove the saint directory and go through steps 6 --> 8 of the Installation process again. If you are still having difficulties, post here with a full description of the problems and we'll have a go at it.

    1. On the SAINT page, select the Configuration Management button.

    2. Select the directory and filename to save data as.

    3. Choose the probe level that you want to run. Light --> would be 1 out of 10 on a scale of probing, and therefore very limited in its activities. Heavy+ --> would be 10 out of 10 on a scale of probing; it is VERY extensive, and could possibly cause some NT servers to crash.

    The probing (or rather scanning) is what determines which ports are open. Through the database that comes with SAINT, certain vulnerabilities can be identified and addressed as to their severity. It is ideal to do the probing with the highest level possible. It is also recommended to get permission first before doing scans, and (ideally) to do scans during non-critical times. Users should be aware that (in some jurisdictions) scanning is still considered malicious behaviour.

    4. Choose the number of password guesses. Remember that the higher the number, the greater the possibility of accounts being locked out.

    5. Choose time-out values. Generally this can be left on the default settings. You would alter this if you know that your network is slightly slower or faster than the network being probed.

    6. Choose the number of threads. If your machine is the latest and greatest with the "mostest", you can alter this. Otherwise, it's best to use the default settings.

    7. Choose the distance you want the scan to go from the original target. This means: if other networks branch off the target network, they in turn will be probed. Generally you should leave this at default 0.

    8. Choose the Probe Level. This refers to whether the probe has completed or not. In general, when the probe has completed, you want it to stop. Thus, generally, you should leave this at the default 0.

    9. Choose the Target type. This refers to whether the target is simply a single computer/host or a subnet. This would normally be "Target Only", as you would have a specific machine in mind, for testing or auditing.

    10. Choose whether your machine is un-trusted or trusted. More than likely, it would be un-trusted. Trusted would apply for those systems that use the host.equiv option.

    11. Choose netmask, if necessary. This applies if the network/host you are targeting is using a non-standard subnet mask.

    12. Choose Pattern. You would indicate the IP network address or domain name of the machine or network you are targeting.

    13. Choose Hosts Not to Probe, if necessary. If you know there are other hosts on the network that you do not want SAINT to probe, enter the IP network address or the domain name here.

    14. Choose nslookup, if a DNS is available. Depending on the firewall status, you may or may not have access to DNS. If it's not available, indicate so.

    15. Choose Ping Hosts. This choice is best when you are not behind a firewall, or if your firewall permits ICMP.

    16. Once all these choices have been made, select the Change Configuration File button.

    17. You will see a warning page about the fact that passwords are transmitted via clear text. Simply click Refresh button. You should be able to continue at this point.

    18. Click Target Selection on the left-hand side.

    19. For primary target, enter the IP address of the target, or the Full Qualified Domain Name (FQDN), such as http://www.mydomain.com. Alternatively, you can have a file that lists all the target IP addresses. Also, choose whether to scan the target only, or to scan the whole subnet. Use caution when scanning the whole subnet, as this creates great volumes of traffic and bandwidth usage.

    20. Select the Scanning Level. Again, light is the minimal scan, while heavy+ is the hardest, most detailed scan. Heavy+ can crash some NT systems.

    21. Select whether the target is behind a firewall or not. Firewalls can have adverse effects on scanning, by limiting packets.

    22. Click the Start Scan button. SAINT will now begin the scanning process. If you get a response of two lines with 0 hosts scanned, then the scan was unsuccessful. You may need to change some of the above settings. Additionally, while the scan is in process, it may stall, due to data collection. Let the scan continue.

    23. Once the scan is complete, you can select Continue with Report and Analysis. You can view the results based on a variety of options: Vulnerabilities, Host Information, and Trust. The most common is to choose Host Information --> By Subnet.

    24. You should see the list of subnets that have been targeted. In the brackets will be the number of actual hosts visited, versus the number of attempts. Click on the subnet for network you scanned.

    25. Select the IP of the computer or network you scanned.

    26. Whatever information that SAINT has gathered will pop up. If there are any vulnerabilities they will come under one of 3 colours:

    Brown: is a minor vulnerability.
    Yellow: serious vulnerability.
    Red: severe vulnerability.

    In addition, there will be a link that will give you further details about the vulnerability. It is based on the CSV standard.


    There. If you have questions, post away.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Member
    Join Date
    Aug 2001
    Posts
    42
    Thank You Ms.Mittens.

    well written.
    Who Cares Wins

  3. #3
    Whaaats Up....

    Im just trying my hand playing with all these tools and testing Firewalls "ON MY OWN NETWORK" running SAINT against a Windows XP machine running SYGATE personal firewall came up with "NO VULNERBILITIES". And Sygate logged the the ATTEMPTS as "MINOR incoming TCP portscan" didnt even have an ALERT message pop-up. I want to try NESSUS next againt My windows XP machine as soon as I get NESSUS to run on LINUX. But i guess after that you would have to start playing with things LIKE crafting your packets with HPING and STUFF wouldnt you? and maybe FIREWALK. I heard you there was a Vulnerbility with SYGATE soo i would start to look into that too?
    Question:

    1> If i didnt know what Firewall the machine was running, how would one figure it out or is it just guessing?

    2>When people are talking about running a scripts or (Arbitrary code) against a vulnerbility what does that exactly mean, for example the new SNORT exploit ( i dont wanna know the EXPLOIT but an idea what they are talking about RUNNING scripts? How you run a script if u dont have access to the shell or command prompt?

    Still going to play with NESSUS and NMAP against the machine.

    P.S>i might not be making any sense with the SCRIPTS part of my question im still in dark with all this stuff..


    Thanks Guys!!!

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Originally posted here by Condoor
    Whaaats Up....

    1> If i didnt know what Firewall the machine was running, how would one figure it out or is it just guessing?

    2>When people are talking about running a scripts or (Arbitrary code) against a vulnerbility what does that exactly mean, for example the new SNORT exploit ( i dont wanna know the EXPLOIT but an idea what they are talking about RUNNING scripts? How you run a script if u dont have access to the shell or command prompt?

    Still going to play with NESSUS and NMAP against the machine.

    P.S>i might not be making any sense with the SCRIPTS part of my question im still in dark with all this stuff..


    Thanks Guys!!!
    I don't know if any tools will tell you exactly what firewall is running but you should be able to guess if a firewall is there and what kind of firewall (static packet filtering, dynamic packet filtering, etc.) Different firewall types give different responses.

    The "scripts" or "exploits" usually have a remote component or a local component to them. If it's remote they can run it from another machine to the victim machine and compromise it. You often don't need an account to run a remote attack against a machine. If it's local then they must have local access for it to work.

    As I mentioned in another post, SAINT has gone hugely commercial. SARA still remains free and is exactly like SAINT (the original is SATAN, which both products take their design from).

    Hope this helps.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •