SAINT(1) SAINT(1)
Aug 30, 2000
NAME
saint - Security Administrator's Integrated Network Tool
SYNOPSIS
saint [ -fiqrsuUvVzZ ] [ -a attack level ] [ -A proximity descent ] [
-c variable list ] [ -d data directory ] [ -F target file ] [ -g
guesses ] [ -h IP addresses ] [ -l max. proximity ] [ -m threads ] [ -n
netmasks ] [ -o pattern ] [ -O pattern ] [ -p port ] [ -S status file ]
[ -t timeout level ] [ targets ]
DESCRIPTION
SAINT is the Security Administrator's Integrated Network Tool. It
scans the specified remote targets for a variety of security
vulnerabilities and reports the results in a number of formats.
Targets can be specified as host names, IP addresses, IP address
ranges, IP address subnets, or any combination of the above in a
space-separated list. If a target is not specified, and neither the -F
nor -V options are present, SAINT enters interactive mode using an
HTML browser.
OPTIONAL SOFTWARE
If nmap is present on the system, SAINT uses it for identifying the
operating system of target hosts, which in some cases is useful for
determining whether or not a service is vulnerable. nmap is also used
to perform smurf and fraggle checks if the subnet expansion option is
chosen.
If samba is present on the system, SAINT uses it for Netbios security
checks.
OPTIONS
The command-line options listed below can be used to override the
default configuration variables which are found in config/saint.cf.
Most variables can also be changed from the graphical user interface
if interactive mode is used.
-a attack level
Sets the attack level for the primary targets. Possible attack
levels are 0 through 4, corresponding to light, medium, heavy,
heavy-plus, and SANS top-10, respectively.
-A proximity descent
Sets the value by which the attack level is decremented when
scanning hosts which were discovered by examining trust
relationships.
-c variable1=value1; variable2=value2 ...
Sets the specified configuration variables.
- 1 - Formatted: December 16, 2025
SAINT(1) SAINT(1)
Aug 30, 2000
-d data directory
Sets the directory where scan data is stored. If the argument
contains slash characters, it is interpreted as an absolute path
name; otherwise, it is a directory under the results directory.
The default is saint-data
-f Enables firewall analysis. In this mode, certain variables are
adjusted to improve performance for scanning through firewalls.
-F target file
Specifies a file containing a list of targets to be used. This
option is an alternative to listing the targets directly on the
command line.
-g number of guesses
Sets the number of password guesses to be tried against any
account discovered by finger or rusers. By default, the order of
guessing is a null password, the login name, the word "password",
the login name backwards, and the login name followed by the
digit "1". The order can be changed by editing the rule set in
rules/todo.
-h IP addresses
Specifies the remote hosts which are allowed to connect to SAINT
when it is running in remote mode. This option is ignored unless
the -r option is also present. The argument is a space-separated
list of IP addresses. An asterisk can be used as a trailing
wildcard to specify multiple hosts or entire networks. A wildcard
alone disables access control.
-i Ignore existing data. With this option, the results of previous
scans will not be read. Without this option, data from previous
scans may appear in scan results.
-l maximum proximity
SAINT will scan any hosts directly or indirectly trusted by the
primary targets, so long as the proximity of the trust from the
primary targets does not exceed the maximum proximity. The
default is "0", which causes only the primary targets to be
scanned. "1" causes only the primary targets and hosts trusted
directly by the primary targets to be scanned.
-m threads
Sets the maximum number of concurrent probes. Higher values will
increase speed but increase the demand on system resources. A
value of "1" disables multitasking.
-n netmasks
Sets all possible netmasks of target hosts. This option is needed
to accurately scan for smurf-type vulnerabilities against
networks which might have non-standard subnetting.
- 2 - Formatted: December 16, 2025
SAINT(1) SAINT(1)
Aug 30, 2000
-o pattern
Limits the scan to the specified hosts. Only hosts whose IP
addresses or host names match the given pattern will be scanned.
-O pattern
Prevents scanning of the specified hosts. Hosts whose IP
addresses or host names match the given pattern will be excluded
from the scan.
-p port
Sets the TCP port on which to listen for connections when running
in remote mode. The default is 1414. This option is ignored
unless the -r option is also present.
-q Quiet mode. Suppresses output. Without this option, the results
are sent to standard output upon completion of a scan in non-
interactive mode.
-r Remote mode. Allows the graphical user interface to be used from
an HTTP browser on a remote host. With this option, SAINT
prompts you to set two passwords before enabling the server. The
saint password controls privileges to the Data Analysis and
Documentation sections of the GUI, while the admin password
controls access to the entire GUI. The -h and -p options (or the
corresponding variables in config/saint.cf) should also be set as
additional security measures.
-s Enable subnet expansion. The entire Class C subnet of each target
will be scanned. This option also enables network probes, such as
smurf.
-S status file
Sets the name of the file in which status information is written.
-t timeout level
Sets the timeout level for each probe. Recognized values are 0,
1, and 2, corresponding to short, medium, and long, respectively.
Each timeout level is equivalent to a certain number of seconds
which is set in config/saint.cf or from the graphical user
interface if interactive mode is in use.
-u Untrusted host mode. Runs the scan under the assumption that the
scanning host is not trusted by the targets.
-U Trusted host mode. Runs the scan under the assumption that the
scanning host is trusted by the targets. This suppresses tests
for vulnerabilities that could be mistaken as vulnerabilities
when they are actually caused by trust, such as NFS and rsh
checks.
- 3 - Formatted: December 16, 2025
SAINT(1) SAINT(1)
Aug 30, 2000
-v Verbose mode.
-V Display version information and exit.
-z Zero proximity mode. When the trust proximity of a potential
target is such that the attack level (as calculated from the
proximity descent and maximum proximity) is below zero, scan it
at attack level zero.
-Z Disables zero proximity mode. When the trust proximity of a
potential target is such that the attack level is below zero, do
not scan it.
INTERACTIVE MODE
When SAINT is started in interactive mode, the graphical user
interface (GUI) is displayed through an HTML browser. (The path to the
browser can be changed by setting the $MOSAIC variable in
config/paths.pl if desired.)
To initiate a scan from the GUI, select target selection. From the
target selection screen, enter the target host or hosts. Targets can
be specified by a host name, IP address, IP address range, IP subnet,
or any combination of the above in a space-separated list.
Alternatively, choose the target file option and enter the name of a
file containing the list of targets. Select the scan level, and choose
the button to start the scan.
The status of the scan will be displayed as each new attack is
launched against a particular target. When the scan finishes, follow
the link to the data analysis screen. The hyperlinks on the data
analysis screen allow the results to be viewed in a variety of
different formats.
The other four sections of the GUI are:
Data Management
This section allows you to create new databases, open existing
databases, and merge databases. A database is essentially a
directory containing scan results. The data management screen
allows you to organize your scans however you see fit.
Configuration Management
Most of the configuration variables can be changed using the HTML
form. This is a user friendly alternative to editing
config/saint.cf by hand or specifying command-line options.
Documentation / Troubleshooting
Everything you need to know about SAINT.
REMOTE MODE
Remote mode allows one or more users to use SAINT without requiring
- 4 - Formatted: December 16, 2025
SAINT(1) SAINT(1)
Aug 30, 2000
physical access to the scanning machine. Any host with an HTML
browser, even non-Unix hosts, can be used as a SAINT client.
Remote mode is administered using the following features:
Host-based access control
The $allow_hosts variable in config/saint.cf (or the -h command
line option) tells SAINT which hosts are allowed remote access to
SAINT's user interface. The hosts are specified in the form of a
space-separated list of IP addresses. An entire Class C network
can be specified by putting an asterisk (*) in place of the last
octet of the IP address. An asterisk all by itself will match any
IP address, effectively disabling host-based access control. This
is not recommended.
User authentication
In remote mode, SAINT requires users to provide a login and
password before being granted access to the graphical user
interface. By default, there are two login names: admin and
saint. The accounts are disabled by default, but they become
enabled when you provide a password for them. (You are prompted
to set the password when you start SAINT in remote mode.) The
admin user is allowed to use any part of SAINT. Therefore, the
password for admin should only be given to network
administrators, or others who are authorized to configure and run
SAINT scans. The saint user is only allowed to view reports,
tutorials, and documentation. The password for saint may be given
to anyone who is authorized to view the results of the SAINT
scan. Additional users can be added by editing config/passwd.
(See below.)
Server port
The $server_port variable in config/saint.cf (or the -p command
line option) tells SAINT which TCP port to listen on. Remote
users connect to this port with their web browsers to access
SAINT. The default port is 1414, but it is a good idea to change
it to avoid detection by attackers who might scan the network for
the default port.
Use the following steps as a guide to using SAINT remotely:
1. In config/saint.cf set $allow_hosts equal to the IP address(es)
of the remote hosts which are allowed to connect (or use the -h
command-line option)
2. Also in config/saint.cf set $server_port equal to the port you
want SAINT to listen on (or use the -p command-line option)
3. Type ./saint -r
- 5 - Formatted: December 16, 2025
SAINT(1) SAINT(1)
Aug 30, 2000
4. Set the admin and saint passwords at the prompt. If you have
already set the passwords, you may hit enter to leave them
unchanged. But be aware that they travel over the network
unencrypted whenever someone logs in, so it is a good idea to
change them each time you start SAINT in remote mode.
5. From your browser, go to http://host.domain:port where
host.domain is the fully-qualified host name of the machine on
which SAINT is running, and port is the port number you specified
earlier.
6. Log in as either admin or saint using the passwords you set
previously. If login is successful, you can use SAINT remotely at
this point.
7. When you are finished using SAINT from that client, click on the
SAINT home button, and then on the log out button at the bottom
of the page. Note: Simply closing the browser does not log you
out. Anyone who opens a new browser on the same host will still
be authenticated until either the client logs out or the SAINT
server process is killed.
8. When remote access to SAINT is no longer needed, use the ps
command on the server to find SAINT's process number, and kill
the process using the kill command.
Note to users using proxy firewalls: SAINT in remote mode associates
each user's authentication with his or her apparent client host. That
means that if SAINT is being run outside the firewall, then any user
who authenticates from behind the firewall at any privilege level
(e.g. admin) will effectively authenticate every host behind the
firewall at that privilege level. Furthermore, any user who logs out
from behind the firewall will log out every user behind the firewall.
MORE INFORMATION
For more information see the SAINT documentation. This is available
either from the graphical user interface or at
http://www.wwdsi.com/saint
- 6 - Formatted: December 16, 2025
