packages icon



 SAINT(1)                                                           SAINT(1)
                                Aug 30, 2000



 NAME
      saint - Security Administrator's Integrated Network Tool

 SYNOPSIS
      saint [ -fiqrsuUvVzZ ] [ -a attack level ] [ -A proximity descent ] [
      -c variable list ] [ -d data directory ] [ -F target file ] [ -g
      guesses ] [ -h IP addresses ] [ -l max. proximity ] [ -m threads ] [ -n
      netmasks ] [ -o pattern ] [ -O pattern ] [ -p port ] [ -S status file ]
      [ -t timeout level ] [ targets ]

 DESCRIPTION
      SAINT is the Security Administrator's Integrated Network Tool. It
      scans the specified remote targets for a variety of security
      vulnerabilities and reports the results in a number of formats.

      Targets can be specified as host names, IP addresses, IP address
      ranges, IP address subnets, or any combination of the above in a
      space-separated list. If a target is not specified, and neither the -F
      nor -V options are present, SAINT enters interactive mode using an
      HTML browser.

 OPTIONAL SOFTWARE
      If nmap is present on the system, SAINT uses it for identifying the
      operating system of target hosts, which in some cases is useful for
      determining whether or not a service is vulnerable.  nmap is also used
      to perform smurf and fraggle checks if the subnet expansion option is
      chosen.

      If samba is present on the system, SAINT uses it for Netbios security
      checks.

 OPTIONS
      The command-line options listed below can be used to override the
      default configuration variables which are found in config/saint.cf.
      Most variables can also be changed from the graphical user interface
      if interactive mode is used.

      -a attack level
           Sets the attack level for the primary targets. Possible attack
           levels are 0 through 4, corresponding to light, medium, heavy,
           heavy-plus, and SANS top-10, respectively.

      -A proximity descent
           Sets the value by which the attack level is decremented when
           scanning hosts which were discovered by examining trust
           relationships.

      -c variable1=value1; variable2=value2 ...
           Sets the specified configuration variables.





                                    - 1 -           Formatted:  July 1, 2022






 SAINT(1)                                                           SAINT(1)
                                Aug 30, 2000



      -d data directory
           Sets the directory where scan data is stored.  If the argument
           contains slash characters, it is interpreted as an absolute path
           name; otherwise, it is a directory under the results directory.
           The default is saint-data

      -f   Enables firewall analysis. In this mode, certain variables are
           adjusted to improve performance for scanning through firewalls.

      -F target file
           Specifies a file containing a list of targets to be used. This
           option is an alternative to listing the targets directly on the
           command line.

      -g number of guesses
           Sets the number of password guesses to be tried against any
           account discovered by finger or rusers.  By default, the order of
           guessing is a null password, the login name, the word "password",
           the login name backwards, and the login name followed by the
           digit "1". The order can be changed by editing the rule set in
           rules/todo.

      -h IP addresses
           Specifies the remote hosts which are allowed to connect to SAINT
           when it is running in remote mode. This option is ignored unless
           the -r option is also present. The argument is a space-separated
           list of IP addresses. An asterisk can be used as a trailing
           wildcard to specify multiple hosts or entire networks. A wildcard
           alone disables access control.

      -i   Ignore existing data. With this option, the results of previous
           scans will not be read. Without this option, data from previous
           scans may appear in scan results.

      -l maximum proximity
           SAINT will scan any hosts directly or indirectly trusted by the
           primary targets, so long as the proximity of the trust from the
           primary targets does not exceed the maximum proximity. The
           default is "0", which causes only the primary targets to be
           scanned. "1" causes only the primary targets and hosts trusted
           directly by the primary targets to be scanned.

      -m threads
           Sets the maximum number of concurrent probes. Higher values will
           increase speed but increase the demand on system resources. A
           value of "1" disables multitasking.

      -n netmasks
           Sets all possible netmasks of target hosts. This option is needed
           to accurately scan for smurf-type vulnerabilities against
           networks which might have non-standard subnetting.



                                    - 2 -           Formatted:  July 1, 2022






 SAINT(1)                                                           SAINT(1)
                                Aug 30, 2000



      -o pattern
           Limits the scan to the specified hosts. Only hosts whose IP
           addresses or host names match the given pattern will be scanned.

      -O pattern
           Prevents scanning of the specified hosts. Hosts whose IP
           addresses or host names match the given pattern will be excluded
           from the scan.

      -p port
           Sets the TCP port on which to listen for connections when running
           in remote mode. The default is 1414.  This option is ignored
           unless the -r option is also present.

      -q   Quiet mode. Suppresses output. Without this option, the results
           are sent to standard output upon completion of a scan in non-
           interactive mode.

      -r   Remote mode. Allows the graphical user interface to be used from
           an HTTP browser on a remote host.  With this option, SAINT
           prompts you to set two passwords before enabling the server. The
           saint password controls privileges to the Data Analysis and
           Documentation sections of the GUI, while the admin password
           controls access to the entire GUI. The -h and -p options (or the
           corresponding variables in config/saint.cf) should also be set as
           additional security measures.

      -s   Enable subnet expansion. The entire Class C subnet of each target
           will be scanned. This option also enables network probes, such as
           smurf.

      -S status file
           Sets the name of the file in which status information is written.

      -t timeout level
           Sets the timeout level for each probe. Recognized values are 0,
           1, and 2, corresponding to short, medium, and long, respectively.
           Each timeout level is equivalent to a certain number of seconds
           which is set in config/saint.cf or from the graphical user
           interface if interactive mode is in use.

      -u   Untrusted host mode. Runs the scan under the assumption that the
           scanning host is not trusted by the targets.

      -U   Trusted host mode. Runs the scan under the assumption that the
           scanning host is trusted by the targets.  This suppresses tests
           for vulnerabilities that could be mistaken as vulnerabilities
           when they are actually caused by trust, such as NFS and rsh
           checks.





                                    - 3 -           Formatted:  July 1, 2022






 SAINT(1)                                                           SAINT(1)
                                Aug 30, 2000



      -v   Verbose mode.

      -V   Display version information and exit.

      -z   Zero proximity mode. When the trust proximity of a potential
           target is such that the attack level (as calculated from the
           proximity descent and maximum proximity) is below zero, scan it
           at attack level zero.

      -Z   Disables zero proximity mode. When the trust proximity of a
           potential target is such that the attack level is below zero, do
           not scan it.

 INTERACTIVE MODE
      When SAINT is started in interactive mode, the graphical user
      interface (GUI) is displayed through an HTML browser. (The path to the
      browser can be changed by setting the $MOSAIC variable in
      config/paths.pl if desired.)

      To initiate a scan from the GUI, select target selection. From the
      target selection screen, enter the target host or hosts. Targets can
      be specified by a host name, IP address, IP address range, IP subnet,
      or any combination of the above in a space-separated list.
      Alternatively, choose the target file option and enter the name of a
      file containing the list of targets. Select the scan level, and choose
      the button to start the scan.

      The status of the scan will be displayed as each new attack is
      launched against a particular target.  When the scan finishes, follow
      the link to the data analysis screen. The hyperlinks on the data
      analysis screen allow the results to be viewed in a variety of
      different formats.

      The other four sections of the GUI are:

      Data Management
           This section allows you to create new databases, open existing
           databases, and merge databases.  A database is essentially a
           directory containing scan results.  The data management screen
           allows you to organize your scans however you see fit.

      Configuration Management
           Most of the configuration variables can be changed using the HTML
           form. This is a user friendly alternative to editing
           config/saint.cf by hand or specifying command-line options.

      Documentation / Troubleshooting
           Everything you need to know about SAINT.

 REMOTE MODE
      Remote mode allows one or more users to use SAINT without requiring



                                    - 4 -           Formatted:  July 1, 2022






 SAINT(1)                                                           SAINT(1)
                                Aug 30, 2000



      physical access to the scanning machine.  Any host with an HTML
      browser, even non-Unix hosts, can be used as a SAINT client.

      Remote mode is administered using the following features:


      Host-based access control
           The $allow_hosts variable in config/saint.cf (or the -h command
           line option) tells SAINT which hosts are allowed remote access to
           SAINT's user interface. The hosts are specified in the form of a
           space-separated list of IP addresses. An entire Class C network
           can be specified by putting an asterisk (*) in place of the last
           octet of the IP address. An asterisk all by itself will match any
           IP address, effectively disabling host-based access control. This
           is not recommended.

      User authentication
           In remote mode, SAINT requires users to provide a login and
           password before being granted access to the graphical user
           interface. By default, there are two login names: admin and
           saint. The accounts are disabled by default, but they become
           enabled when you provide a password for them. (You are prompted
           to set the password when you start SAINT in remote mode.) The
           admin user is allowed to use any part of SAINT. Therefore, the
           password for admin should only be given to network
           administrators, or others who are authorized to configure and run
           SAINT scans. The saint user is only allowed to view reports,
           tutorials, and documentation. The password for saint may be given
           to anyone who is authorized to view the results of the SAINT
           scan. Additional users can be added by editing config/passwd.
           (See below.)

      Server port
           The $server_port variable in config/saint.cf (or the -p command
           line option) tells SAINT which TCP port to listen on. Remote
           users connect to this port with their web browsers to access
           SAINT. The default port is 1414, but it is a good idea to change
           it to avoid detection by attackers who might scan the network for
           the default port.

      Use the following steps as a guide to using SAINT remotely:

      1.   In config/saint.cf set $allow_hosts equal to the IP address(es)
           of the remote hosts which are allowed to connect (or use the -h
           command-line option)

      2.   Also in config/saint.cf set $server_port equal to the port you
           want SAINT to listen on (or use the -p command-line option)

      3.   Type ./saint -r




                                    - 5 -           Formatted:  July 1, 2022






 SAINT(1)                                                           SAINT(1)
                                Aug 30, 2000



      4.   Set the admin and saint passwords at the prompt. If you have
           already set the passwords, you may hit enter to leave them
           unchanged. But be aware that they travel over the network
           unencrypted whenever someone logs in, so it is a good idea to
           change them each time you start SAINT in remote mode.

      5.   From your browser, go to http://host.domain:port where
           host.domain is the fully-qualified host name of the machine on
           which SAINT is running, and port is the port number you specified
           earlier.

      6.   Log in as either admin or saint using the passwords you set
           previously. If login is successful, you can use SAINT remotely at
           this point.

      7.   When you are finished using SAINT from that client, click on the
           SAINT home button, and then on the log out button at the bottom
           of the page. Note: Simply closing the browser does not log you
           out. Anyone who opens a new browser on the same host will still
           be authenticated until either the client logs out or the SAINT
           server process is killed.

      8.   When remote access to SAINT is no longer needed, use the ps
           command on the server to find SAINT's process number, and kill
           the process using the kill command.

      Note to users using proxy firewalls: SAINT in remote mode associates
      each user's authentication with his or her apparent client host. That
      means that if SAINT is being run outside the firewall, then any user
      who authenticates from behind the firewall at any privilege level
      (e.g.  admin) will effectively authenticate every host behind the
      firewall at that privilege level. Furthermore, any user who logs out
      from behind the firewall will log out every user behind the firewall.

 MORE INFORMATION
      For more information see the SAINT documentation. This is available
      either from the graphical user interface or at
      http://www.wwdsi.com/saint
















                                    - 6 -           Formatted:  July 1, 2022