


 SATAN(8)                                                           SATAN(8)




 NAME
      satan - network security scanner

 SYNOPSIS
      satan [options] [primary_target(s)...]

 DESCRIPTION
      SATAN (Security Administrator Tool for Analyzing Networks) remotely
      probes systems via the network and stores its findings in a database.
      The results can be viewed with any Level 2 HTML browser that supports
      the HTTP protocol (e.g. Mosaic or Netscape).

      When no primary_target(s) are specified on the command line, SATAN
      starts up in interactive mode and takes commands from the HTML user
      interface.

      When primary_target(s) are specified on the command line, SATAN
      collects data from the named hosts, and, possibly, from hosts that it
      discovers while probing a primary host. A primary target can be a host
      name, a host address, or a network number. In the latter case, SATAN
      collects data from each host in the named network.

      SATAN can generate reports of hosts by type, service, vulnerability
      and by trust relationship. In addition, it offers tutorials that
      explain the nature of vulnerabilities and how they can be eliminated.

      By default, the behavior of SATAN is controlled by a configuration
      file (config/satan.cf). The defaults can be overruled via command-line
      options or via buttons and other controls in the HTML user interface.

      Options:

      -a   Attack level (0=light, 1=normal, 2=heavy). At level 0, SATAN
           collects information about RPC services and from the DNS. At
           level 1, SATAN collects banners of well-known services such as
           telnet, smtp and ftp, and can usually establish the type of
           operating system.  At level 2, SATAN does a more extensive (but
           still non-intrusive) scan for services.  Level 2 scans may result
           in console error messages.

      -A proximity_descent
           While SATAN extracts information from primary targets, it may
           discover other hosts.  The proximity_descent controls by how much
           the attack level decreases when SATAN goes from primary targets
           to secondary ones, and so on. The -z option determines what
           happens when the attack level reaches zero.

      -c 'name=value; name=value...'
           Change the value of arbitrary SATAN variables. Example:

              -c 'dont_use_dns = 1; dont_use_nslookup = 1'



                                    - 1 -       Formatted:  January 15, 2025






           The -c option allows you to control configuration and other
           variables that do not have their own command-line option. The
           format is a list of name=value pairs separated by semicolons.
           Variable names have no dollar prefix, and values are not quoted.
           Whitespace within values is preserved.

      -d database
           Specifies the name of the database to read from and to save to
           (default satan_data).

           When multiple SATAN processes are run in parallel, each process
           should be given its own database (for example, one database per
           subnet of 256 hosts). Use the merge facility of the HTML user
           interface to merge data from different runs.

      -i   Ignore the contents of the database.

      -l proximity
           Maximal proximity level. Primary targets have proximity 0, hosts
           discovered while scanning primaries have proximity level 1, and
           so on.  SATAN ignores all hosts that exceed the maximal proximity
           level.

      -o only_attack_these
           A list of domain names and/or network numbers of hosts that SATAN
           is permitted to scan. List elements are separated by whitespace
           or commas. Understands the * shell-like wildcard.

      -O dont_attack_these
           A list of domain names and/or network numbers that SATAN should
           stay away from. The list has the same format as with the -o
           option.

      -s   Subnet expansion. For each primary target, SATAN finds all live
           hosts in the target's subnet (a block of 256 addresses).

      -S status_file
           While collecting data, SATAN maintains a status file with the
           last action taken. The default status file is status_file.

      -t level
           Timeout level (0 = short, 1 = medium, 2 = long) for each probe.

      -u   Specifies that SATAN is being run from an untrusted host. If
           access succeeds via, for example, the remote shell or network
           file system services, there is a security problem.

      -U   Opposite of the -u option.  SATAN may be run from a possibly
           trusted host. Access via, for example, the remote shell or
           network file system services is not necessarily a problem.




      -v   Verbose mode.  SATAN prints on the standard output what it is
           doing. This is useful for debugging purposes.

      -V   SATAN prints its version number and terminates.

      -z   When scanning non-primary hosts, continue with attack level of
           zero when the level would become negative. The scan continues
           until the maximal proximity level is reached.

      -Z   Opposite of the -z option.
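
      The interaction of -a, -A, -l and -z/-Z described above, as an added
      example that is not part of SATAN or of the original manual page. It
      assumes the attack level drops by proximity_descent at every proximity
      step; the function names and the sample addresses are constructed.

```python
"""Model of how -a, -A, -l and -z/-Z interact (a reading of the man page)."""

ATTACK_NAMES = {0: "light", 1: "normal", 2: "heavy"}


def effective_level(proximity, attack_level, descent, max_proximity, sub_zero):
    """Return the attack level used at this proximity, or None if skipped.

    Assumption: the level drops by `descent` for every proximity step.
    sub_zero=True models -z (continue at level 0), False models -Z (stop).
    """
    if proximity > max_proximity:      # -l: host exceeds maximal proximity
        return None
    level = attack_level - proximity * descent
    if level < 0:                      # level "would become negative"
        return 0 if sub_zero else None
    return level


def schedule(attack_level, descent, max_proximity, sub_zero):
    """Attack level per proximity ring, from 0 up to max_proximity."""
    return [effective_level(p, attack_level, descent, max_proximity, sub_zero)
            for p in range(max_proximity + 1)]


def plan(discovered, **settings):
    """Map {host: proximity} to the level each host would be probed at."""
    return {h: effective_level(p, **settings) for h, p in discovered.items()}


if __name__ == "__main__":
    # Constructed sample: one primary target and hosts found while probing.
    hosts = {"10.0.0.5": 0, "10.0.0.9": 1, "10.0.7.2": 2, "10.3.1.1": 3}
    for flag, sub_zero in (("-z", True), ("-Z", False)):
        result = plan(hosts, attack_level=2, descent=1,
                      max_proximity=3, sub_zero=sub_zero)
        for host, level in result.items():
            label = "not scanned" if level is None else ATTACK_NAMES[level]
            print(f"-a 2 -A 1 -l 3 {flag}: {host:10} -> {label}")
```

      With -z, a host three hops from the primary target is still probed at
      the light level; with -Z the scan stops before reaching it.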

 FILES
      config/*    configuration files
      rules/*     rule bases
      results/*   databases

 AUTHORS
      Dan Farmer, Wietse Venema



































