Table of Contents
Introduction .................................................................................................................................. 13
Getting Started.......................................................................................................................... 13
How to Install the SAINT software ........................................................................................ 13
How to Install SAINTmanager................................................................................................ 15
How to Obtain a Key.............................................................................................................. 16
Running SAINT ....................................................................................................................... 16
Starting SAINTmanager® ....................................................................................................... 19
Starting Nodes ....................................................................................................................... 22
Logging into WebSAINT......................................................................................................... 24
Logging into WebSAINT PRO ................................................................................................. 26
System Requirements ............................................................................................................... 28
Operating Systems................................................................................................................. 28
SAINTmanager Requirements ............................................................................................... 30
Using SAINT................................................................................................................................... 33
Sessions ..................................................................................................................................... 33
Opening and Creating Sessions ............................................................................................. 33
Merging Sessions................................................................................................................... 34
Deleting Sessions................................................................................................................... 34
Backing Up and Restoring Sessions....................................................................................... 34
Sanitize Sessions.................................................................................................................... 34
SAINTmanager Enterprise Session ........................................................................................ 35
Global vs. Node-Specific Sessions.......................................................................................... 35
How to Run a Scan ........................................................................................................................ 36
Target Selection......................................................................................................................... 36
Free-Form Target Selection................................................................................................... 37
Target File .............................................................................................................................. 37
Target File Uploads................................................................................................................ 38
Subnet Expansion .................................................................................................................. 38
Data Preservation...................................................................................................................... 38
Scanning Policies ....................................................................................................................... 38
Host Discovery........................................................................................................................... 42
SAINT User Documentation (v7)
SAINT Discovery Configuration.............................................................................................. 42
Nmap Discovery Configuration.............................................................................................. 44
Authentication........................................................................................................................... 44
How to Authenticate to Windows Targets............................................................................ 46
How to Authenticate to Linux, Unix, or Mac......................................................................... 47
How to Authenticate to Oracle Database Servers................................................................. 48
How to Authenticate to Microsoft SQL Server...................................................................... 48
How to Authenticate to MySQL Databases........................................................................... 48
HTTP Basic Authentication .................................................................................................... 49
How to Authenticate to Web Applications............................................................................ 49
How to Authenticate to Web Applications using an Existing Session ID .............................. 51
Starting the Scan ....................................................................................................................... 52
Interactive Control Panel .......................................................................................................... 52
Resuming an Interrupted Scan.................................................................................................. 53
Nodes to Scan............................................................................................................................ 54
SCAP Support ................................................................................................................................ 55
Configuration Settings Options................................................................................................. 55
Target Settings .......................................................................................................................... 56
OVAL® Checks............................................................................................................................ 56
How to Import OVAL Checks ................................................................................................. 58
OVAL External Variables........................................................................................................ 59
How to Run OVAL Checks...................................................................................................... 59
How to View OVAL Scan Results............................................................................................ 59
XCCDF Checks............................................................................................................................ 60
How to Import XCCDF Benchmarks....................................................................................... 60
Viewing XCCDF Benchmarks.................................................................................................. 61
How to Run XCCDF Profiles ................................................................................................... 61
How to View XCCDF Scan Results.......................................................................................... 61
CyberScope Reporting........................................................................................................... 66
Policy Editor........................................................................................................................... 67
How to Run Exploits...................................................................................................................... 71
How to Browse Exploits ............................................................................................................ 71
How to Run Exploits On Demand.............................................................................................. 72
Remote vs. Local Exploits.......................................................................................................... 72
Client Exploits............................................................................................................................ 73
E-mail Forgery ........................................................................................................................... 73
Exploit Servers........................................................................................................................... 74
SAINTexploit Tools .................................................................................................................... 74
How to Run an Automated Penetration Test............................................................................ 78
Data Analysis................................................................................................................................. 81
Reports...................................................................................................................................... 81
Vulnerabilities ........................................................................................................................... 81
Host Information....................................................................................................................... 82
Trust .......................................................................................................................................... 82
Exploits ...................................................................................................................................... 83
Severity Levels........................................................................................................................... 83
Confirmed vs. Inferred Vulnerabilities .................................................................................. 84
Exploit Availability ................................................................................................................. 84
Exploit Severity Levels ........................................................................................................... 85
Exclusions .................................................................................................................................. 86
Creating an Exclusion............................................................................................................. 86
Viewing Excluded Vulnerabilities .......................................................................................... 86
Removing an Exclusion.......................................................................................................... 86
Exclusion Management ......................................................................................................... 87
SAINTmanager Overview page.................................................................................................. 88
SAINTwriter................................................................................................................................... 90
How to Generate Pre-configured Reports ................................................................................ 90
How to Generate Custom Reports............................................................................................ 93
How to View/Delete Saved Reports........................................................................................ 103
How to Create a SAINT Report with your Logo/Header ......................................................... 104
How to Create your logo/header for an HTML Report ....................................................... 105
How to Create your logo/header for a PDF Report............................................................. 105
How to Generate a SAINT Report using your logo/header................................................. 105
How to Generate PCI Compliance Reports ............................................................................. 106
Generating a PCI Compliance Report.................................................................................. 107
How to Generate a FISMA Vulnerability Assessment Report................................................. 108
How to Generate a HIPAA Vulnerability Assessment Report ................................................. 108
How to Generate SAINTwriter Reports from the Command-line........................................... 109
Configuration .............................................................................................................................. 111
Configuration Files .................................................................................................................. 111
Global vs. Session Configuration ......................................................................................... 111
Startup Options....................................................................................................................... 112
Default Session .................................................................................................................... 112
Vulnerability ID Format ....................................................................................................... 112
Frames Support ................................................................................................................... 112
SAINTmanager/Node Startup Options.................................................................................... 113
User Creation Default Session Name .................................................................................. 113
Session Security................................................................................................................... 113
Archive Window .................................................................................................................. 114
Auto-Refresh Scan Status Page ........................................................................................... 114
SSL Port................................................................................................................................ 114
Allowed Nodes..................................................................................................................... 115
Ticket Due Offset ................................................................................................................. 115
Test Node Alive.................................................................................................................... 116
Node Down E-Mail............................................................................................................... 116
Ticket Assignment E-Mail .................................................................................................... 116
Overdue Ticket E-Mail ......................................................................................................... 117
Host Weight......................................................................................................................... 117
LDAP Authentication ........................................................................................................... 117
Scanning Options..................................................................................................................... 118
IAVA ..................................................................................................................................... 118
Fast Exclusions..................................................................................................................... 119
Target Netmask ................................................................................................................... 120
SNMP Communities............................................................................................................. 121
How to Specify Timeouts..................................................................................................... 121
Individual Probe Timeouts................................................................................................... 122
How to Enable/Disable Multitasking (running more than one probe at a time)................ 123
Credentials Management.................................................................................................... 124
Anti-Virus Definitions........................................................................................................... 124
How to Enable/Disable NTLMv2.......................................................................................... 125
File Content Checks ............................................................................................................. 125
How to Configure Password Guessing................................................................................. 126
How to Set Password Policy Checks .................................................................................... 128
Ports to Scan........................................................................................................................ 129
Ports for Authentication Test (registry and SSH ports)....................................................... 130
Ports to Scan for Host Type Detection ................................................................................ 130
Scan Level ............................................................................................................................ 131
How to Set Up a Custom Scan ............................................................................................. 131
Scan Policy Definitions......................................................................................................... 134
Web Server Depth ............................................................................................................... 136
Software Inventory.............................................................................................................. 137
TCP Send Strings.................................................................................................................. 137
How to Enable/Disable Dangerous Checks ......................................................................... 138
What is Exhaustive Scanning? ............................................................................................. 138
How to Send an E-mail Alert upon Scan Completion.......................................................... 139
SYSLOG................................................................................................................................. 140
NMAP................................................................................................................................... 141
TCP Port Scan Variables....................................................................................................... 141
How to Configure Target Restrictions ................................................................................. 143
Proximity.............................................................................................................................. 143
Trusted or Untrusted Hosts................................................................................................. 145
Workarounds....................................................................................................................... 145
Discovery Method ............................................................................................................... 147
Exploit Credentials............................................................................................................... 149
Shell Type and Ports ............................................................................................................ 149
How to Set the Connectback Address................................................................................. 151
File Manager Options .......................................................................................................... 152
Connection Notifications..................................................................................................... 153
SAINTmanager Scanning Options............................................................................................ 153
Node Name Reporting......................................................................................................... 153
Other Variables.................................................................................................................... 154
Custom Vulnerability Checks ...................................................................................................... 156
How to Create Custom Checks................................................................................................ 156
Running Custom Checks.......................................................................................................... 158
Viewing and Editing Custom Checks ....................................................................................... 158
Scheduling Scans......................................................................................................................... 159
How to Schedule a New Scan.................................................................................................. 159
crontab and at......................................................................................................................... 161
How to Delete Scheduled Scans.............................................................................................. 161
Set Schedule Scan Window..................................................................................................... 161
SAINTexploit Connections........................................................................................................... 164
Connections Manager ............................................................................................................. 164
Command Prompt................................................................................................................... 165
How to Invoke the Command Prompt................................................................................. 165
File Manager............................................................................................................................ 165
How to Invoke the File Manager ......................................................................................... 166
Screen Capture........................................................................................................................ 167
How to Perform a Screen Capture ...................................................................................... 167
Exploit Tunneling..................................................................................................................... 167
How to Run Exploits through a Tunnel................................................................................ 168
Disconnecting.......................................................................................................................... 168
How to Close the Connection.............................................................................................. 168
GUI Modes .................................................................................................................................. 169
Standalone Mode.................................................................................................................... 169
Remote Mode.......................................................................................................................... 169
How to Start SAINT in Remote Mode (command-line method) ......................................... 170
The config/passwd file......................................................................................................... 172
Apache Mode (or another web server)................................................................................... 173
Command-Line Mode ................................................................................................................. 175
SAINTmanager Management...................................................................................................... 179
Rules .................................................................................................................... 179
Nodes ................................................................................................................. 179
Users .................................................................................................................. 180
Roles........................................................................................................................................ 180
Named Target Restrictions...................................................................................................... 184
Sessions ................................................................................................................................... 184
All Session Access Management ............................................................................................. 184
SAINTmanager® Ticketing System .............................................................................................. 185
Ticket Creation ........................................................................................................................ 185
Ticket Reporting ...................................................................................................................... 185
How to Generate Pre-configured Reports........................................................................... 186
How to Generate Custom Reports ...................................................................................... 187
Ticket Report Results........................................................................................................... 189
How to Delete a Ticket ........................................................................................................ 189
How to Assign, Defer, Close, Re-open a Ticket.................................................................... 190
How to Assign Tickets.......................................................................................................... 190
How to Close a Ticket .......................................................................................................... 192
How to Reopen a Ticket....................................................................................................... 194
Ticket Assignment Rules.......................................................................................................... 195
How to Create a Ticket Assignment Rule ............................................................................ 195
How to Apply a Ticket Rule to Existing Tickets.................................................................... 198
Using WebSAINT PRO® ........................................................................................................... 201
FAQs............................................................................................................................................ 203
General FAQ......................................................................................................................... 203
Technical FAQ ...................................................................................................................... 213
Troubleshooting...................................................................................................................... 218
Installation and configuration problems............................................................................. 218
Run-time problems.............................................................................................................. 219
Installation and configuration problems............................................................................. 219
Run-time problems.............................................................................................................. 219
rules/information.................................................................................................................... 243
rules/services .......................................................................................................................... 244
rules/software......................................................................................................................... 245
rules/todo................................................................................................................................ 245
rules/trust................................................................................................................................ 246
Vulnerability Hierarchy ............................................................................................................... 247
Vulnerability Categories.......................................................................................................... 247
The vulns.dat file..................................................................................................................... 248
Probes ......................................................................................................................................... 250
How to Add a SAINT Probe...................................................................................................... 250
How to Add a Vulnerability Tutorial (Information File) .......................................................... 252
Exploit Plug-ins............................................................................................................................ 253
General Information................................................................................................................ 253
Tutorial Information................................................................................................................ 253
Type and Class......................................................................................................................... 254
Parameters.............................................................................................................................. 254
Conditions ............................................................................................................................... 255
Shell Type ................................................................................................................................ 255
Exploit Code............................................................................................................................. 256
Index............................................................................................................................................ 257
Introduction
Getting Started
How to Install the SAINT software
How to Install SAINT on Linux or Unix
1. Ensure your system meets the system requirements for SAINT.
2. Select the "Customer Login" button located in the top right corner of the SAINT Web site
at http://www.saintcorporation.com/. After you log in there will be a download button
on the left side of your mySAINT page. Note that you must choose the correct operating
system and architecture for your system in order for SAINT to work.
3. Unzip the downloaded file (saintexploit-install-x.x.gz, where x.x is the version
of SAINT you downloaded):
gunzip saintexploit-install-x.x.gz
4. Note: The downloaded file is gzipped. If your browser dropped the .gz extension from
the filename, then first rename it so it ends in .gz.
5. Set executable mode on the file:
chmod a+x saintexploit-install-x.x
6. Switch to the root user and install SAINT by entering:
./saintexploit-install-x.x
7. If your operating system does not allow you to log into the root account, instead enter:
sudo ./saintexploit-install-x.x
SAINT User Documentation (v7)
8. The installation program will:
a. Display the license agreement and require you to confirm your understanding
and acceptance of it
b. Install SAINT
c. Run the reconfig script (Perl) to identify the location of the support applications that SAINT requires
d. Install the SAINT man page, if you desire.
9. Enter the SAINT directory:
cd saint-x.x
10. (You will also need to place your key file into this directory before running a scan.)
11. Edit the config/saint.cf file, if so desired.
How to Install SAINT on Mac OS X
1. Select the "Customer Login" button located in the top right corner of the SAINT Web site
at http://www.saintcorporation.com/ and select the "Download" button on your
mySAINT page. At the platform selection menu, choose Mac OS X.
2. Once downloaded, the SAINT x.x.x.dmg image mounts on the desktop and opens, showing
the SAINT x.x.x.pkg file. Double-click the SAINT x.x.x.pkg file to start the SAINT installer.
3. Read the Introduction and then click Continue.
4. Read the Software License Agreement and then click Continue.
5. Click Agree to agree to the license terms.
6. Click Install to perform a standard installation.
7. At the password prompt, enter the Name and Password of a user with administrative
privileges on the machine and click OK.
8. At the terminal prompt, again enter the password for the user with administrative
privileges on the machine and then press the enter key.
9. You may close all open terminal windows once you see “[Process completed]”
displayed in the terminal.
10. The install wizard will display “The installation was successful.” Click Close.
How to Install SAINT on Ubuntu
1. Double-click on the file saintexploit-x.x.arch.deb (where x.x is the version and arch is the
architecture).
2. Choose 'Install.'
3. In the Terminal, use the space bar to page through the license agreement, and type 'yes'
to accept the agreement.
4. Start SAINT® from the Applications menu.
How to Install SAINT on Red Hat / Fedora / SUSE
1. Double-click on the file saintexploit-x.x-arch.rpm (where x.x is the version number and
arch is the architecture.)
2. When installation completes, start SAINT® from the Applications menu.
How to Install SAINTmanager
Before installing SAINTmanager, ensure your system meets the system requirements for
SAINTmanager. In particular, MySQL 4.1.21 (or higher) should be installed and running, and
OpenSSL should be installed. Have the MySQL database root password ready when asked for it
by the install program.
To install SAINTmanager on Linux or Unix, follow the general directions above for SAINT, but
substitute "sm" for "saint" and "2.0-x.x" for "x.x" in the download file (sm-install-2.0-x.x.gz),
install file (sm-install-2.0-x.x) and top-level directory (sm-2.0-x.x) names. The SAINTmanager
install program will guide you through subsequent steps, including initializing the
SAINTmanager database in MySQL and generating an SSL certificate for encrypting
SAINTmanager/node communications. (If installing from the .deb or .rpm packages, these steps
are performed the first time SAINTmanager is run, not during installation.) The login and
password for the ‘saintmanager’ database are stored in the config/mysqlset file; restrict read
access to that file to the account that runs SAINTmanager, since it holds the database credentials.
If you installed SAINTmanager before 1.0-6.0.3, you should run scripts/makepem from the
sm-1.0-x.x directory to generate your own certificate (ssl_server.pem) for encrypting
SAINTmanager/node communications over SSL. Having your own certificate is more secure than
using the one provided with SAINTmanager because the latter is the same for all SAINTmanager
customers: anyone who holds that shared certificate and its private key can impersonate a
SAINTmanager console to your nodes. Later installations of SAINTmanager generate a unique
certificate automatically as part of the install program.
How to Obtain a Key
A license key is required to use SAINT. Follow the steps below to configure your key:
1. If you are a free-trial user, a key will be sent to you via e-mail. Otherwise, go to
http://www.saintcorporation.com, log in with your user name and password, click on
Generate Key, and follow the instructions for creating a key. Note that you can add
addresses to your key at any later time if you do not use the full capacity of your license.
However, once you have generated your key, addresses cannot be removed from it.
If you have purchased a license for individual hosts and you don't know all of their IP
addresses, you can use SAINT's discovery scan level to generate a list of live hosts on
your network:
a. Run SAINT by typing ./saint in the saint directory and choose Scan.
b. Enter the range of possible IP addresses (e.g., against your Class C address range)
as the primary target.
c. Select discovery for the scan level.
d. Start the scan.
Note: You may have to repeat this scan at various times and on different days to
ensure you have picked up all the hosts on your network.
e. Use the list of IP addresses in the resulting file live_hosts_file to generate the
key.
2. Choose Configure SAINT Key from the pull-down menu under the Home icon in SAINT
and paste the key into the text box, or place the key in your saint directory and name it
saint.key. (If you have two customer accounts and want to use both keys together,
paste the second key in the Alternate Key box or name the second file saint_alt.key.)
At this point you can begin using SAINT.
If you run a SAINT scan that includes hosts or networks which are not included in your key, then
you will see a message on the stderr output of the console where you started SAINT, indicating
that those hosts were not scanned.
SAINTmanager requires a different key than regular SAINT. If you are a SAINTmanager customer
with a valid account, you can generate a key the same way you do for SAINT. The key should be
named saint.key and placed in your sm-1.0-x.x directory.
Running SAINT
You will need PERL version 5.004 or above to get SAINT running properly. It is also recommended
to have Samba utilities, Xprobe2, OpenSSL, and OpenSSH installed on the system running
SAINT. See System Requirements for information on obtaining these tools.
Once SAINT is installed, SAINT is used by following these steps:
1. For standalone usage (Desktop method) – If SAINT was installed from a Linux DEB or
RPM package, choose SAINT from the Applications menu. (It may appear under a sub-
menu such as “Other” in some Linux versions.) Otherwise, if the SAINT installation
program created a SAINT icon on your desktop, double-click on the icon.
For standalone usage (command prompt method) – Log in as root and run ./saint to
begin using SAINT from the HTML interface. (If there is no root account, run “sudo
./saint” instead.) Skip to step 3.
For remote mode/command-line usage – See remote mode.
2. Use the up and down arrow keys to highlight Start SAINT, then press Enter:
3. Choose Options to change the default scan configuration, if desired.
4. Choose Scan to select the Primary Targets, Authentication, Scanning Level, and Host
Discovery, and to start the scan.
a. Under Add target(s), type in the IP address of the host that you're running SAINT
from, and click on the Add button, as shown in the following image:
b. Select Scan the target host(s) only, or, if you have the inclination, authority, and
time (it can take several minutes to scan a single host at the higher scan levels),
select Scan all hosts in the target hosts' subnet(s).
c. Under the Scanning Level tab select the Show all scan levels link, as depicted in
the screen capture below. Select a Normal scan to start out with. The more
intensive the scan the more time it takes to complete.
d. Scroll to the bottom of the page and select the Scan Now button to begin
scanning.
5. When the scan finishes, choose the Data icon to view the results. Look at the
Vulnerabilities section first, and then examine the other sections, Host Information and
Trust. For more information, see data analysis.
Finger Wars Caveat – If TCP wrappers (tcpd) or any other mechanism that performs reverse
fingering is installed on the SAINT platform, turn that feature off before running SAINT. There
is a reasonable chance that a target of the probe has the same feature enabled. If both the
SAINT platform and a target have reverse fingering enabled, the result is a "finger war": each
side answers the other's finger request with a finger request of its own, producing an endless
loop of finger connections between the SAINT platform and the target. If this happens, both
machines will quickly be overwhelmed by the resulting mail and/or logs. After running the SAINT
probe, remember to turn the reverse fingering feature back on.
Finally, always be certain that you have permission to scan any potential hosts that you're
thinking of testing. It is easy to unwittingly make your neighbors think that you're trying to
attack them with any scans that you run.
Starting SAINTmanager®
The SAINTmanager architecture consists of the SAINTmanager management console and one or
more SAINT platforms (called “nodes”) which are controlled by the manager. This section
provides instructions for starting the SAINTmanager management console. See starting nodes
for information on how to start a node.
SAINTmanager always operates in remote mode.
How to start SAINTmanager (Desktop method)
1. If SAINTmanager was installed from a Linux DEB or RPM package, choose SAINTmanager
from the Applications menu. (It may appear under a sub-menu such as “Other” in some
Linux versions.) Otherwise, if the SAINTmanager installation program created a
SAINTmanager icon on your desktop, double-click on the icon.
2. Use the arrow keys to highlight Start SAINTmanager, and press Enter:
3. Enter a space-separated list of one or more IP addresses which are allowed to connect
to the web interface, and press Enter. Use an asterisk (*) for the last octet(s) to match
any IP address in a network. Then highlight OK and press Enter:
4. Enter a space-separated list of one or more IP addresses which are allowed to be nodes
for SAINTmanager, and press Enter. Again, use an asterisk (*) for the last octet(s) to
match any IP address in a network. Then highlight OK and press Enter:
5. If SAINTmanager was installed from a .deb or .rpm package, and this is the first time
running SAINTmanager, then follow the prompts to initialize the database and create an
SSL certificate.
6. Open a browser and load the URL http://SAINTmanager_IP:port. The port is 1414 or
whatever port number was previously specified. (For the desktop method, this port and
the node connection port can be changed by selecting Options after step 1.)
7. The first SAINTmanager screen is the login window. The default administrative user
name is 'superadmin' and the password is 'saintmanager'.
Note: To ensure security, change the superadmin password immediately after the first
start-up; the default password is the same on every SAINTmanager installation.
8. When SAINTmanager is no longer needed, stop the server as follows: Invoke SAINT from
the Applications menu or the desktop icon as done in step 1. Then use the up and down
arrow keys to highlight Stop SAINTmanager and press Enter.
How to start SAINTmanager (Command Prompt method)
1. Enter the following command as root: ./saint -M -h "host1 host2 ..."
The -M option stands for manager. host1 host2 are hosts that are allowed to connect.
(Precede the above command with sudo if there is no root account.)
If you wish to specify port numbers, the following command can be used instead:
./saint -M -h "host1 host2 ..." -p 1414 -E 1515
By default, SAINTmanager listens for incoming browser connections on port 1414, but
this can be changed using the -p flag or the $server_port variable in config/saint.cf.
Likewise, the default port for incoming SSL connections from SAINT nodes is port 1515,
but this can be changed using the -E flag or the $ssl_server_port variable. See SSL
Port for more information.
2. Follow steps 5 through 7 above.
3. Use the configuration management page (or change the $allowed_nodes variable in
config/saint.cf) to identify the IP addresses of nodes that are allowed to connect to
SAINTmanager. See allowed nodes for more information.
4. When SAINTmanager is no longer needed, stop the server by entering the following
command as root: ./saint -k (if there is no root account, type sudo ./saint -k).
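The two allow-lists above (browser clients in step 3 of the desktop method or the -h list, and nodes in step 4 or $allowed_nodes) share one entry syntax: space-separated IPv4 addresses in which an asterisk stands for the trailing octet(s). The following is an added illustration of how such a list is parsed and matched; it is not SAINT's own code, and the exact rules it enforces (asterisks only at the end of an entry, exact match otherwise, unparsable input denied) are assumptions drawn from the description above.

```python
"""Allow-list matching for space-separated IPv4 entries with trailing '*'.

Added illustration, not SAINT's code. Assumed rules: an entry is four
dot-separated fields; '*' may replace only the trailing field(s); a fully
numeric entry matches exactly one address; anything unparsable is denied.
"""
import ipaddress


def parse_allowed(spec: str) -> list:
    """Parse 'host1 host2 ...' into prefix tuples.

    '10.1.2.3'  -> (10, 1, 2, 3)  exact host
    '10.1.2.*'  -> (10, 1, 2)     any host in 10.1.2.0/24
    '10.*.*.*'  -> (10,)          any host in 10.0.0.0/8
    '*.*.*.*'   -> ()             every address: accepted, but it switches
                                  the allow-list off entirely
    """
    entries = []
    for token in spec.split():
        octets = token.split(".")
        if len(octets) != 4:
            raise ValueError(f"not a dotted IPv4 entry: {token!r}")
        prefix = []
        seen_star = False
        for octet in octets:
            if octet == "*":
                seen_star = True  # every field after this one must be '*' too
                continue
            if seen_star:
                raise ValueError(f"asterisk may only replace trailing octets: {token!r}")
            if not octet.isdigit() or int(octet) > 255:
                raise ValueError(f"bad octet {octet!r} in {token!r}")
            prefix.append(int(octet))
        entries.append(tuple(prefix))
    return entries


def is_valid_spec(spec: str) -> bool:
    """True if every entry in spec parses under the rules above."""
    try:
        parse_allowed(spec)
        return True
    except ValueError:
        return False


def is_allowed(ip: str, entries: list) -> bool:
    """True if ip matches at least one entry; unparsable input is denied."""
    try:
        octets = tuple(ipaddress.IPv4Address(ip).packed)
    except (ipaddress.AddressValueError, ValueError):
        return False
    return any(octets[: len(prefix)] == prefix for prefix in entries)


if __name__ == "__main__":
    allowed = parse_allowed("10.1.2.3 192.168.0.*")
    for candidate in ("10.1.2.3", "10.1.2.4", "192.168.0.77", "192.168.1.77"):
        print(candidate, "allowed" if is_allowed(candidate, allowed) else "denied")
```

The point of rejecting an entry such as 10.*.1.5 is that a wildcard in a middle octet cannot be expressed as a prefix, so silently accepting it would either deny the hosts you meant or open a range you did not. Likewise, treat *.*.*.* as a configuration error in practice: it allows any source address to reach the console or register as a node.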
Starting Nodes
Any SAINT scanner installation can be started as a node for SAINTmanager. The node
automatically attempts to connect to the management console when it starts. It may connect
only if SAINTmanager has allowed it to. See allowed nodes for more information on allowing
nodes. Once a node connects, it is automatically added to SAINTmanager’s node table. You may
wish later to modify the name by which the node is known or set a node administrator. See
nodes for information on nodes.
How to Start a Node (Desktop method)
1. If SAINT was installed from a Linux DEB or RPM package, choose SAINT from the
Applications menu. (It may appear under a sub-menu such as “Other” in some Linux
versions.) Otherwise, if the SAINT installation program created a SAINT icon on your
desktop, double-click on the icon.
2. Use the arrow keys to highlight Connect to SAINTmanager, and press Enter:
3. Enter the IP address of SAINTmanager. Then highlight OK and press Enter:
SAINTmanager should already be running on the specified IP address in order for the
connection to complete. If not, the node will re-attempt to connect periodically. (If you
specified a non-standard port for connections from nodes when starting SAINTmanager,
choose Options after step 1 to specify the same port.)
4. When the node is no longer needed, invoke SAINT from the Applications menu or
desktop icon as done in step 1. Then use the up and down arrow keys to highlight
Disconnect from SAINTmanager, and press Enter.
How to Start a Node (Command prompt method)
Log in as root and enter the following command (if there is no root account, precede the
command with sudo):
./saint -N -H SAINTmanager_IP
The -N option stands for node. The -H option specifies SAINTmanager's IP address. If you
specified a non-standard port for connections from nodes when you started SAINTmanager,
specify the same port in the $ssl_server_port setting in config/saint.cf, or start the node
as follows:
./saint -N -H SAINTmanager_IP -E port
where port is the port number for connections from nodes to SAINTmanager. (This is not the
same as the web interface port.)
Logging into WebSAINT
WebSAINT is an online SaaS (Software as a Service) vulnerability scanner that enables the
system administrator to evaluate the security environment of a single computer, multiple
computers, or an entire network, without having a separate/local installation of SAINT’s
vulnerability scanning software or SAINTbox. Access to WebSAINT is available through the
following steps once your IP addresses have been registered and a valid user ID and password
have been received.
You can access WebSAINT from either of the following locations:
Through the Public Web site:
1. Open a browser window and navigate to the SAINT Corporation public site at
http://www.saintcorporation.com
2. Select the "Customer Login" button located in the top right corner of the SAINT Web
site, as shown below
3. Select the "WebSAINT login" link to be redirected to WebSAINT. The WebSAINT Login
page will be displayed, as shown below:
4. Enter your SAINT User ID and Password
5. Click the Login button
Direct access to the WebSAINT login page:
1. Open a browser window and navigate to WebSAINT login page at
https://secure.saintcorporation.com/websaint/login.html
2. Enter your SAINT User ID and Password
3. Click the Login button
SAINT will authenticate your access and launch WebSAINT, displaying the Home screen, as
shown below:
Logging into WebSAINT PRO
WebSAINT PRO is the online SaaS (Software as a Service) solution that includes vulnerability
scanning, penetration testing, and Web application scanning along with the full functionality of
SAINT scanner and exploit technology. WebSAINT PRO is a fully functional
Web-hosting model, and does not require you to install SAINT software or hardware.
A license key is required to use WebSAINT PRO. If a key hasn’t been generated, follow the
instructions in the How to Obtain a Key section of this document.
To log into WebSAINT PRO:
1. Open a browser window and navigate to the SAINT Corporation public site at
http://www.saintcorporation.com
2. Select the "Customer Login" button at the top right of the page.
3. Enter your User ID and password to access the mySAINT customer site as shown below:
4. Click the dark blue "WebSAINT Pro Login" button located in the left column and the
SAINT home page will be loaded. The loader will refresh your browser and display
activity messages, and then load the main SAINT application in your active browser
window.
System Requirements
Operating Systems
SAINT is supported for the following operating systems:
• Linux – CentOS 6; Debian; Fedora 15; Mandriva 2010; Red Hat Enterprise Linux 5, 6;
SuSE; Ubuntu 9.04, 10.04
• Unix – FreeBSD
• Mac – OS X Snow Leopard 10.6.5-10.6.8; OS X Lion 10.7
The Oracle instant client, which enables Oracle Database account checks and exploits, is
included with SAINT and functional on the following operating systems:
• Linux with glibc 2.3 or higher (x86 or x86_64)
• Mac OS X 10.4 or higher (x86)
Web Browsers
The following web browsers are recommended:
• Internet Explorer 7 and higher
• Mozilla Firefox 6.0 and higher
• Up-to-date Opera
• Up-to-date Safari
It is also strongly recommended that you use a browser with JavaScript and pop-ups enabled.
Disk Space
SAINT itself requires about 150 MB to download and install. However, if PERL and a web
browser are not already installed on the system, up to 70 MB of additional disk space could be
required to install these packages. The exact requirement depends on the operating system
type and the browser version. Additional space is required for storing the results of scans and
generating SAINTwriter reports. More space will also be required to install the optional utilities
(Nmap, Samba, Xprobe2, OpenSSL, OpenSSH) if they are to be used by SAINT. Of course, if the
optional utilities are already installed, it isn't necessary to reinstall them.
The optional utilities mentioned above would be used by SAINT on SAINT nodes, but are
generally not necessary on the SAINTmanager host. The exception is OpenSSL, which
SAINTmanager uses to encrypt communications with the nodes. An additional application
required on the SAINTmanager host is MySQL 4.1.21 (or higher) database. Both MySQL and
OpenSSL are often provided as part of the regular installation package for Linux and MacOS/X.
The amount of disk space required varies depending on the operating system, the download
format, and amount of data being stored in the database.
Memory
The amount of memory needed to properly run the SAINT program varies depending upon the
number of hosts to be scanned, the selected level of multithreading, and other factors. 512 MB
is sufficient for most purposes, but additional RAM should be considered for optimal
performance if there are large-scale scanning requirements.
Other Required Software Tools
SAINT requires PERL 5.004 or higher in order to run. If the graphical user interface is to be used,
SAINT also requires a graphical HTML browser such as Firefox or Safari or a text browser such as
Lynx. Microsoft Internet Explorer is also an option if SAINT is to be used in remote mode with a
Windows client.
In addition to the required software tools, there are three additional tools which are highly
recommended, and several more which are optional:
• Samba utilities, if installed on the scanning system, are used to check for readable and
writable Microsoft shares and to check remote file time stamps. (Not required on Mac
OS 10.7 (Lion) and higher, where SAINT uses the native Mac OS smbutil and
mount_smbfs commands instead of Samba utilities.)
• OpenSSL 0.9.7 or higher, if installed on the scanning system, is used to encrypt Windows
authentication credentials and to check for vulnerabilities in SSL web servers. If OpenSSL
is not available or is outdated, SAINT displays a warning that it will use plaintext
Windows authentication. SAINT links to the OpenSSL libraries at run-time, so if
compiling OpenSSL by hand, be sure to build shared libraries.
• OpenSSH, if installed on the scanning system, is used to gain shell access to targets
which run a secure shell server. The presence of OpenSSH helps detect host types,
missing patches, and weak passwords.
• Optional – Standard UNIX and Linux command-line tools, including dig, finger, ftp,
nslookup, rup, rusers, showmount, telnet, tftp, xhost, and ypwhich. For more
information about installing these tools on Linux systems, see Linux Configuration.
• Optional – Xprobe2, if installed on the scanning system, is used for improved host type
detection. If Nmap and Xprobe2 are both available, SAINT will use whichever yields
more reliable results for any given target.
• Optional – Crypt-PasswdMD5 1.3 or higher. If installed on the scanning system, this PERL
module enables support for unique passwords longer than eight characters. The login
screen alerts you if your system does not natively provide this capability and this
module is not installed. Note that passwords created before installation of this module
need to be re-created to preserve the information beyond eight characters.
• Optional – Various PERL modules, such as Compress-Zlib, IO-Socket-SSL, Crypt-DES, and
Digest-MD4. These modules are used by some SAINTexploit plug-ins. See the Limitations
section of an individual exploit's information page to see which PERL modules, if any,
are required to run that exploit. PERL modules are available from www.cpan.org.
• Optional – The MySQL client, if installed on the scanning system, allows authentication
to MySQL database servers for performing local vulnerability checks.
If any of the above software tools are missing from your system, they can be downloaded from
the links above. Most Linux vendors also provide packages containing some of these tools.
Linux Configuration
SAINT can run on any Linux system which meets all of the requirements described above. The
Linux distributions which are most commonly used for running SAINT include Red Hat,
Mandriva, SuSE, and Ubuntu.
When configuring a Linux system for use with SAINT, install whichever packages contain the
required and recommended software tools used by SAINT. The following package lists may be
used as a guide.
• Ubuntu 10.04: libcrypt-des-perl, libcrypt-passwdmd5-perl, libdigest-crc-perl, libdigest-
hmac-perl, libdigest-md4-perl, libio-pty-perl, libio-socket-ssl-perl, libstring-crc32-perl,
libwww-mechanize-perl, finger, nfs-common, nis, nmap, openssh-client, openssl, rsh-
client, rstat-client, rusers, samba-common, smbclient, smbfs, tftp
• OpenSuSE 11.3: bind-utils, cifs-utils, finger, nfs-client, nmap, openssh, perl-Crypt-DES,
perl-IO-Socket-SSL, perl-IO-Tty, samba-client, tftp, ypbind, yp-tools
SAINTmanager Requirements
Installing and running SAINTmanager requires the following:
• Linux 2.2 or higher (x86)
• PERL 5.004 or higher in order to run.
• OpenSSL 0.9.7 or higher, to encrypt communications with the nodes.
• MySQL 4.1.21 or higher database server to store information.
• DBI to interface PERL with MySQL, and DBD::mysql (2.9004 or higher), the MySQL driver
for DBI. You can run scripts/show_dbi_drivers.pl to see which drivers you currently
have installed for DBI.
• Optional – Perl-LDAP if using LDAP authentication
PERL, MySQL, and OpenSSL are often provided as part of the regular installation package for
Linux and Mac OS/X.
SAINTmanager stores information in a MySQL database. The MySQL server must be installed
and running before installing SAINTmanager. Note that most Linux vendors package the MySQL
server separately from the MySQL client. SAINTmanager does not require that MySQL listen for
connections from remote hosts. To ensure security, enter "skip-networking" under "[mysqld]"
in the MySQL configuration file (often /etc/my.cnf) to disable connections from remote hosts.
Using SAINT
Sessions
Whenever SAINT runs, it enters an operating environment called a session. The session contains
all configuration settings, scan policies, and data associated with the current set of targets. New
sessions can be created for new sites or alternate configurations, and existing sessions can be
re-opened whenever needed.
A default session called saint-data is created by default when SAINT first runs. The default
session to open whenever SAINT is invoked can be specified from the Options screen, the
config/saint.cf file, or from the command line using the -d option.
Opening and Creating Sessions
From the Sessions icon on the graphical user interface, the Open/Create tab provides three
options – open an existing session, create a new session, or open an archived data set within
the current session, as shown in the screen capture below.
To create a session, select the Open/Create tab, enter the name of the new session and click on
the Open/Create button. Creating a new session will clear the data in memory and initialize the
target list and configuration to be the same as the existing session.
To open a session, select the Open/Create tab, enter the name of an existing saved session and
click the Open/Create button, or simply click on the session name listed under Existing Sessions.
Opening a session will load the saved session into memory for subsequent data analysis,
reconfiguration, or re-scanning.
Merging Sessions
Merging a session opens a chosen saved session while concatenating the data in the current
session. To merge a session, click on the Merge tab, enter the name of the saved session and
click on Merge, or select the session name listed under Existing Sessions. After merging the
data, SAINT will provide the option of saving the merged data to a new or existing session. If the
data is not saved, the merged data will reside in memory only, and will need to be merged
again if needed when SAINT is run again at a later time.
Deleting Sessions
When a session is no longer needed, it can be deleted. To delete a session, click the Delete tab,
enter the name of the session and click Delete, or select the session name listed under Existing
Sessions. The next page will show a message indicating that the session has been deleted, after
which you can delete more sessions, if desired. Note that the session that is currently open
cannot be deleted. If you want to delete the current session, then first open a different session.
It is also possible to delete selected data sets from a session without deleting the entire session.
Sessions containing archived data sets are indicated by a plus icon in the Existing Sessions list.
Clicking the plus icon opens a list of archived data sets, identified by the scan date and time,
under the session name. Click any data set to delete it, or click the minus icon to close the list.
Backing Up and Restoring Sessions
It is a good practice to create a session backup file periodically and save it to removable media
or another computer. This helps ensure that the archived data, target lists, scan configurations,
and scan policies can be restored if they are accidentally deleted, or the computer running
SAINT becomes inoperable. It may also be useful to have a session backup file if it is necessary
to transfer sessions to a different computer.
To create a session backup file, select the Home icon and choose Backup from the
Administrative Functions drop down menu. Then click Download Backup File to download the
backup file, and save it in any desired location.
To restore sessions from the backup file, go to the Home icon and choose Restore from the
Administrative Functions menu. Enter the path to the backup file. (The Browse button, if
supported by your browser, can help you locate the backup file.) Then, click the Restore button.
Sanitize Sessions
For security reasons, sometimes we prefer that data does not contain the real IP addresses and
host names that we scanned. Sanitize session will allow you to replace the real IP addresses and
host names in the data with fake ones. To sanitize a session, click the Sanitize tab, enter the
name of the session and click on Sanitize, or select the session name listed under Existing
Sessions. Note that the session that is currently open cannot be sanitized. If you want to
sanitize the current session, then first open a different session.
The Sanitize Session tab will provide the option of saving the original data in a backup file.
When you click Submit, you will be asked again if you want to proceed or not. Clicking the OK
button will save the original data in the Results directory with a .bak extension and will activate
the sanitize process. You may want to move the saved file to a different location since the next
time you sanitize the session and you have checked the Yes to save option, the saved file will be
overwritten. Please note that restoring the original data from the .bak file must be done manually.
You can also tell SAINT the number of octets to replace and what to replace them with.
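What "replace the real IP addresses and host names with fake ones, for a chosen number of octets" amounts to in practice is a consistent pseudonymisation: the same real address or name must map to the same fake one on every line, or cross-references inside the data (the Trust section, for instance) stop making sense. The following added example is not SAINT's sanitize implementation; it models that behaviour. It assumes that the octets to replace are the leading ones, so hosts keep their position inside a now fictitious network, that host names become numbered names under a fictitious domain, and it uses constructed sample lines. Its one non-obvious feature is collision detection: with two octets replaced, 192.168.1.5 and 172.16.1.5 would both become 10.0.1.5, which merges two hosts into one.

```python
"""Consistent pseudonymisation of IPv4 addresses and host names in scan text.

Added example, not SAINT's sanitize code. Assumptions: the replaced octets are
the leading ones; host names are renamed hostN.<domain>; sample lines are
constructed for the example.
"""
import re

# Dotted IPv4 literal.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted host name whose last label is alphabetic, so that fake IPs written
# by the first pass are not picked up again by the second.
HOST_RE = re.compile(
    r"\b(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}\b"
)


class Sanitizer:
    def __init__(self, octets: int = 2, replacement: str = "10.0",
                 domain: str = "example.net"):
        if not 1 <= octets <= 4:
            raise ValueError("octets must be between 1 and 4")
        if replacement.count(".") != octets - 1:
            raise ValueError("replacement must contain exactly 'octets' octets")
        self.octets = octets
        self.replacement = replacement
        self.domain = domain
        self.ip_map = {}         # real -> fake; keep it if you need a manual restore
        self.host_map = {}       # real (lower-cased) -> fake
        self._fake_owner = {}    # fake ip -> first real ip that produced it
        self.collisions = set()  # fake ips produced by more than one real ip

    def _fake_ip(self, real: str) -> str:
        if real not in self.ip_map:
            tail = real.split(".")[self.octets:]
            fake = ".".join([self.replacement] + tail)
            owner = self._fake_owner.setdefault(fake, real)
            if owner != real:
                # Two real networks folded onto one fake network.
                self.collisions.add(fake)
            self.ip_map[real] = fake
        return self.ip_map[real]

    def _fake_host(self, real: str) -> str:
        key = real.lower()
        if key not in self.host_map:
            self.host_map[key] = f"host{len(self.host_map) + 1}.{self.domain}"
        return self.host_map[key]

    def sanitize_line(self, line: str) -> str:
        line = IP_RE.sub(lambda m: self._fake_ip(m.group(0)), line)
        return HOST_RE.sub(lambda m: self._fake_host(m.group(0)), line)

    def sanitize(self, lines):
        return [self.sanitize_line(line) for line in lines]


# Constructed sample of the kind of text a results file might contain.
SAMPLE = [
    "192.168.1.5 webserver.corp.example.com: Apache 2.2 outdated",
    "192.168.1.9 db1.corp.example.com: MySQL accepts remote root login",
    "Trust: webserver.corp.example.com trusts 192.168.1.9 via NFS",
]

if __name__ == "__main__":
    s = Sanitizer(octets=2, replacement="10.0")
    for line in s.sanitize(SAMPLE):
        print(line)
    print("collisions:", s.collisions or "none")
```

Check the collisions set after a run: if it is not empty, either replace fewer octets or choose a replacement value per real network, otherwise findings from distinct hosts are attributed to one fake address. Keep the real-to-fake map as carefully as the .bak file, since it is the only way back to the real identities.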
SAINTmanager Enterprise Session
SAINTmanager enterprise session contains data from all the scans initiated by SAINTmanager
on all the nodes in order to provide an enterprise-wide view of the organization's
vulnerabilities. This special session is like regular SAINT sessions in that you can perform
analysis and generate reports on the data, set up exclusions, etc. However, you cannot directly
initiate a scan from within the enterprise session. You can control some features regarding how
often to archive the enterprise session using the configuration setup.
In order to support SAINTwriter trend analysis, the enterprise session is actually implemented
as two sessions: enterprise and enterprise_trend, though this implementation is transparent to
the user. The enterprise session contains the latest scan results for all hosts that have been
scanned and has no archived data sets. The enterprise_trend session is used only for trend
analysis. It contains scan results for hosts that have been scanned within the current scan
window (see $scan_window variable). It has archived data sets for each previous scan window
that had results. Generating a SAINTwriter trend analysis report from the enterprise session will
actually base the report on the enterprise_trend session.
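The following added example is a small model of the two-session layout just described: one structure that holds only the newest result for every host from whichever node scanned it, and a second that keeps results for the current scan window and one archived data set per earlier window. It is not SAINT's own code; the record layout, the fixed-length window arithmetic standing in for $scan_window, and the sample results are assumptions chosen to show the two semantics side by side.

```python
"""Model of the enterprise / enterprise_trend split.

Added example, not SAINT's code. Assumed: results are (node, host, scan_time,
findings) tuples; scan windows are fixed-length and counted from an epoch.
"""
from datetime import datetime, timedelta


def window_start(ts: datetime, window_days: int, epoch: datetime) -> datetime:
    """Start of the fixed-length scan window that contains ts."""
    n = (ts - epoch).days // window_days
    return epoch + timedelta(days=n * window_days)


def build_sessions(results, window_days: int, epoch: datetime, now: datetime):
    """Return (enterprise, trend_current, trend_archives).

    enterprise      host -> newest result from any node; no archives
    trend_current   host -> newest result inside the current scan window
    trend_archives  window_start -> {host -> newest result in that window}
    """
    enterprise, trend_current, trend_archives = {}, {}, {}
    current = window_start(now, window_days, epoch)

    def keep_newest(bucket, host, record):
        if host not in bucket or record["scanned"] > bucket[host]["scanned"]:
            bucket[host] = record

    for node, host, scanned, findings in results:
        record = {"node": node, "scanned": scanned, "findings": list(findings)}
        keep_newest(enterprise, host, record)
        w = window_start(scanned, window_days, epoch)
        if w == current:
            keep_newest(trend_current, host, record)
        else:
            keep_newest(trend_archives.setdefault(w, {}), host, record)
    return enterprise, trend_current, trend_archives


# Constructed sample: two nodes, two hosts, three scans over three weeks.
EPOCH = datetime(2012, 1, 1)
SAMPLE_RESULTS = [
    ("node-east", "10.1.1.1", datetime(2012, 1, 3), ["anon-ftp"]),
    ("node-east", "10.1.1.1", datetime(2012, 1, 17), ["anon-ftp", "ssl-v2"]),
    ("node-west", "10.1.1.2", datetime(2012, 1, 10), ["open-nfs"]),
]


def summarize(results=SAMPLE_RESULTS, window_days=7, epoch=EPOCH, now=None):
    """Flatten the three structures into plain dicts keyed by host and date."""
    now = now or datetime(2012, 1, 20)
    ent, cur, arch = build_sessions(results, window_days, epoch, now)
    return {
        "enterprise": {h: r["findings"] for h, r in ent.items()},
        "trend_current": {h: r["findings"] for h, r in cur.items()},
        "archives": {w.strftime("%Y-%m-%d"): {h: r["findings"] for h, r in b.items()}
                     for w, b in sorted(arch.items())},
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

With a seven-day window and "now" on 20 January, the 17 January scan of 10.1.1.1 lands in the current window while its 3 January scan and the 10 January scan of 10.1.1.2 are archived under 1 January and 8 January respectively; the enterprise view meanwhile holds only the newest result for each host, which is why a trend report has to be generated from the enterprise_trend data rather than from enterprise.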
Global vs. Node-Specific Sessions
The enterprise session described above is one example of a global session. The other global
sessions, e.g., the saint-data session, are almost identical to regular SAINT sessions. You set up
their configuration, initiate scans, generate reports, and perform analysis on them in essentially
the same way as regular SAINT sessions. However, each non-enterprise global session can apply
to multiple nodes. As data becomes available from scans on particular nodes, those data sets
are brought back to SAINTmanager and stored in node-specific sessions with names like
nodename.sessionname where nodename is the name of the node, and sessionname is the
name of the global session. Then the data from the node-specific sessions (e.g.,
nodename.saint-data) are merged into the global (e.g., saint-data). The node-specific sessions
cannot be used to perform scans or set up configuration, though you can set up exclusions for
the vulnerability data sets.
36. SAINT User Documentation (v7)
How to Run a Scan
Initiating a SAINT scan is done from the Scan section of the graphical user interface. Starting a
scan involves choosing the target range and scan policy and optionally authenticating to a
Windows domain.
Target Selection
The first step in the scan setup process is to click on the Scan icon and select your primary
targets. As shown in the image below, targets can be added to the selected targets list by
choosing either a single IP address, an IP address range, a class C subnet, a DNS host name, a
URL, a target file, or an import from the SAINT key, using the Add target(s) drop down
menu. If you import from the SAINT key, all addresses in the license key will be added to the target
list. Targets can be removed from the list by selecting the target in the selected targets box, and
clicking on the Delete button. Be careful of the Delete All button; this button will clear the
entire target list.
SAINTmanager provides for selecting different target sets for each node. The node drop down
menu allows the user to choose which node's targets to display/edit. Just above the node drop
down menu, the Show node/targets table link can be used to display a table showing the
current nodes and targets selected for each.
Free-Form Target Selection
Free-form target selection is available for users who prefer to enter their targets in a text box.
To use this form of target selection, follow the free-form target selection link on the Scan
screen. Check the button beside the first box, and enter the desired targets into that box.
SAINT allows target selection in several formats:
• Host names – one or more host names, separated by spaces. SAINT must be able to
resolve the host names, either using a DNS server or the /etc/hosts file, or an error
will result.
• IP addresses – one or more IP addresses, separated by spaces.
• Subnets – one or more class C subnets, represented as only the first three octets. SAINT
will expand the subnet to include every IP address beginning with the given three
octets.
• IP address ranges – one or more IP address ranges. Each range consists of a beginning
and ending IP address, separated by a dash. SAINT will expand the range to include the
starting and ending addresses and every address in between.
• URLs – one or more URLs, such as http://hostname:port/path. SAINT will scan the target
specified in the hostname portion of the URL, specifically including the web program(s)
found on the specified port and path.
• CIDR network addresses – a network address followed by a slash and a prefix length.
For example: 192.30.250.0/18.
• Any combination of the above, separated by spaces.
Note: All of these with the exception of Subnets can be used with both IPv4 and IPv6
addresses.
Target File
Alternatively, SAINT allows the targets to be specified in a file. To use this option, select the from
file option in the Add target(s) drop down menu, and then enter the name of a file containing the
target list in the box and click on the Add button. Or, if you are using free-form target selection,
choose the button beside the second box and enter the name of a file containing the target list.
The target list should be in the same format described above. Either newlines or spaces may be
used as separators.
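A parser for the target formats listed above, applied to both the free-form box and a target file, as an added example that is not SAINT's own code. The expansion limit MAX_EXPANSION and the rejection of oversized ranges are assumptions of this example; the manual does not say how SAINT itself treats them.

```python
"""Parser for SAINT free-form target lists (added example, not SAINT's own code).

Covers the formats the manual accepts in the free-form box and in a target
file: host names, IP addresses, class C subnets written as three octets,
dash-separated IP ranges, URLs, CIDR blocks, or any mix of them separated by
spaces or newlines.  Each entry is expanded to concrete targets so the size
of a scan can be reviewed before it is launched.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# A class C subnet is written as just its first three octets, e.g. 10.1.2
_CLASS_C_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}$")
# DNS label syntax only; resolvability is checked by SAINT at scan time
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Assumed limit: refuse to expand something like 10.0.0.0/8 by accident
MAX_EXPANSION = 65536


class TargetError(ValueError):
    """An entry that matches none of the supported target formats."""


def _ip(text):
    """Parse an IPv4/IPv6 address, returning None instead of raising."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def expand_target(entry):
    """Expand a single entry into the list of hosts or addresses it denotes."""
    # URL: the scan target is the hostname portion; port and path steer web checks
    if "://" in entry:
        host = urlsplit(entry).hostname
        if not host:
            raise TargetError(f"URL without a host name: {entry!r}")
        return [host]
    # CIDR block: network address, slash, prefix length (IPv4 or IPv6)
    if "/" in entry:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise TargetError(f"bad CIDR block {entry!r}: {exc}") from exc
        if net.num_addresses > MAX_EXPANSION:
            raise TargetError(f"{entry} expands to {net.num_addresses} addresses")
        return [str(a) for a in net]
    # IP range: start-end, both ends included.  Host names may contain dashes,
    # so only treat the entry as a range when the part before the dash is an address.
    if "-" in entry and _ip(entry.split("-", 1)[0]) is not None:
        start, end = (_ip(p) for p in entry.split("-", 1))
        if end is None or start.version != end.version:
            raise TargetError(f"bad IP range {entry!r}")
        if end < start:
            raise TargetError(f"range end precedes start: {entry}")
        if int(end) - int(start) + 1 > MAX_EXPANSION:
            raise TargetError(f"{entry} expands to too many addresses")
        # type(start) keeps IPv6 ranges as IPv6Address objects
        return [str(type(start)(i)) for i in range(int(start), int(end) + 1)]
    # Single IPv4 or IPv6 address
    if _ip(entry) is not None:
        return [entry]
    # Class C subnet as three octets: every address with that prefix (IPv4 only)
    if _CLASS_C_RE.match(entry):
        if any(int(o) > 255 for o in entry.split(".")):
            raise TargetError(f"octet out of range in subnet {entry!r}")
        return [f"{entry}.{i}" for i in range(256)]
    # Host name: syntax check only; an unresolvable name fails at scan time
    if _HOSTNAME_RE.match(entry):
        return [entry]
    raise TargetError(f"unrecognised target entry: {entry!r}")


def parse_target_list(text):
    """Parse a free-form box or target file; spaces and newlines both separate entries.

    Returns (targets, errors): de-duplicated targets in first-seen order, plus
    the messages for rejected entries so one bad entry does not hide the rest.
    """
    targets, errors, seen = [], [], set()
    for entry in text.split():
        try:
            expanded = expand_target(entry)
        except TargetError as exc:
            errors.append(str(exc))
            continue
        for target in expanded:
            if target not in seen:
                seen.add(target)
                targets.append(target)
    return targets, errors
```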
Target File Uploads
For users who are running SAINT in remote mode, it may be more convenient to upload a
target file rather than entering a long list of targets. Unlike the target file option which allows
you to specify a target file located on the computer running SAINT, the target file upload
feature allows you to specify a target file located on the same machine as your web browser.
The target file should be a plain text file with targets listed in the same format as for free-form
target selection, using newlines or spaces as field separators. To upload a target file, follow the
Upload Target File link on the Scan page. Then specify the path to a target file on your local
computer. (Depending on what type of web browser you are using, a button may be provided
to allow you to browse the folders on your local computer and select the desired file.) Click on
the Upload button to add the contents of the chosen file to the list of selected targets.
Subnet Expansion
SAINT also gives you the option of scanning all hosts in each target's Class C subnet, instead of
only the target itself; that is, every possible target with the same first three octets in its IP
address. This option has the same effect as entering a subnet in the target selection box as
described above, with the added benefit that it will allow SAINT to perform tests on broadcast
addresses, such as Smurf and Fraggle (IP-directed broadcast) vulnerabilities.
Data Preservation
In any given session, SAINT keeps only the data from the most recent scan in memory. This data
is known as the current data set. Older data sets are saved to disk so that they can be analyzed
later and compared using SAINTwriter's trend analysis reports. The collection of older data sets
is known as the archive.
When setting up a scan, if the session already contains current data which may be overwritten
by the upcoming scan, SAINT will provide you with two options. The first option is to preserve
the data in the session's archive. The second option is to merge new scan data with the current
data. If this option is chosen, the new data will overwrite any existing data for the same target,
and any existing data for targets that are not scanned will remain in place.
Scanning Policies
SAINT can probe hosts at various levels of intensity. The default scanning policy is set in the
configuration file, but can be overridden on the Scan page. Lighter attacks will be faster and
harder to detect, but will not gather as much information as heavier attacks.
• Discovery – This is the least intrusive scan. SAINT identifies hosts which are alive and
reports their IP addresses in live_hosts_file. This scan policy may be useful to determine
which host IP addresses should be used to generate a SAINT key.
• Port scan – For this policy, SAINT will identify live hosts and check for services listening
on TCP or UDP ports. The range of ports to check is determined by the ports to scan
settings on the Options page.
• Auth Test – For this policy, SAINT performs authentication against the targets using the
credentials specified in either the credentials manager or the Windows/Linux/Unix/Mac
input boxes under the authentication tab. Use the Auth Test report format to view
results in SAINTwriter. See the Auth Test scan policy port configuration option for more
information.
• Vulnerability Scan – For this policy, also known as the heavy policy, SAINT will check for
services listening on TCP or UDP ports. Any services detected will then be scanned for
any known vulnerabilities. This scan policy includes SAINT's entire set of vulnerability
checks, and is the scan policy that should be used in most situations.
• Custom – This scanning policy allows the user to run any combination of SAINT probes.
Which of the user-defined scan policies to use is selected by choosing Custom from the
"filter by category" drop down. Custom scan policies can be set up from the Scan page
by clicking the "custom scan policy editor" link after filtering scan policies by
Custom. See custom scan setup for more information on creating a custom scan policy.
• Web Crawl – For this policy, SAINT detects web directories on the targets. It does so by
first scanning ports for web services, and then finding directories by following HTML
links starting from the home page.
• SQL/XSS – For this policy, SAINT checks for SQL injection and cross-site scripting
vulnerabilities on web servers. This includes both generic tests, where SAINT finds HTML
forms and tests all parameters for SQL injection and cross-site scripting, and checks for
known SQL injection and cross-site scripting vulnerabilities.
• Windows Patch – For this policy, SAINT checks for missing Windows patches. Since most
of the checks for Windows patches require authentication, Windows domain
authentication is recommended with this policy.
• Content Search – For this policy, SAINT searches files on Windows and Linux/Mac
targets for credit card numbers, social security numbers, or any other specified patterns.
See SAINT Configuration for more information on configuring SAINT's file content
searching feature. Authentication is required for this policy, and if scanning a Linux/Mac
target, SSHD must be enabled.
• PCI – For this policy, SAINT scans all TCP ports (1-65535) and common UDP ports, and
then scans any services for any known vulnerabilities, with increased focus on PCI DSS
requirements. This policy is similar to the Vulnerability Scan policy, but includes more
TCP ports, enforces a spider depth of at least 5, enables certain low severity checks
which are normally disabled, and reduces the restrictiveness of certain other checks.
• FISMA – This scan policy provides support for security controls related to Continuous
Monitoring, as well as performing Risk Assessments. Selecting this scan policy ensures
that probes scan for the entire set of vulnerability checks, with the Exhaustive option.
SAINT also provides a pre-configured report template that describes the supported
controls and reports results at a summary and detailed level. See How to Generate a
FISMA Vulnerability Assessment Report for more information about using this report
template.
• HIPAA – This scan policy provides support to HIPAA security requirements related to
both Risk Analysis and overall Risk Management. Selecting this scan policy ensures that
probes scan for the entire set of vulnerability checks, with the Exhaustive option. SAINT
also provides a pre-configured report template that describes the supported controls
and reports results at a summary and detailed level. See How to Generate a HIPAA
Vulnerability Assessment Report for more information about using this report template.
• NERC CIP – The NERC CIP compliance scanning policy reports the results of an
“exhaustive” vulnerability scan on selected hosts. SAINT also provides a NERC CIP report
template to use the results of this scan policy that describes the applicable NERC CIP
security controls, as well as a pre-formatted report with executive level graphs/charts
and detailed level scan results.
• SOX – The SOX scan policy runs all available vulnerability checks against selected
targets, and supports financial organizations’ internal risk management strategies, as
well as facilitating provisions in Section 404 of the Sarbanes-Oxley Act, requiring a
management report annually on the effectiveness of internal controls for financial
reporting and that external auditors confirm management’s assessment.
• Anti-virus (AV) information – For this policy, information is collected about installed AV
software, such as the last scan date, whether it is enabled, definition file dates, and other
information useful for auditing requirement 5 of the PCI DSS. Information is currently gathered
on Windows for many of the most popular AV software products in use today,
such as: McAfee, Symantec, AVG, F-Secure, MS Forefront, and Trend Micro. Note that
some results are only reported if they are considered vulnerabilities while others are
always reported. For example, if available, the last scan date is always reported, while a
check of whether updates or the AV software itself are enabled is only reported if
they are disabled. Authentication is needed to run this scanning policy. Facts containing the
string '(Master)' mean that an anti-virus server/manager/admin is installed on the
target. For more information, see Configuration options; also see the knowledge base
on the mySAINT customer web site.
• Normal – For this policy, SAINT collects information from the DNS (Domain Name
System), tries to identify the operating system, and tries to establish what RPC (Remote
Procedure Call) services the host offers and what file systems it shares via the network.
The policy also includes probes for the presence of common network services such as
finger, remote login, ftp, WWW, Gopher, e-mail, and a few others. With this
information, SAINT finds out the general character of a host (file server, diskless
workstation) and establishes the operating system type and, where possible, the
software release version.
• Top 20 – This is a special scanning policy designed specifically to detect vulnerabilities
which were among the SANS Top 20 Most Critical Internet Security Vulnerabilities.
Although no longer maintained by SANS, this policy has been retained as a “legacy” scan
level for those customers who wish to continue monitoring based on these
vulnerabilities.
• Win Password Guess – This policy conducts password guess checks against Windows
targets using the password guess and password dictionary configuration options.
Authentication is recommended so SAINT can enumerate accounts.
• Microsoft Patch Tuesday – This policy checks for the latest published Microsoft patch
Tuesday vulnerabilities (second Tuesday of each month). This policy is updated by
SAINT, typically by noon Wednesday, following Bulletin availability from Microsoft.
• Web (OWASP Top 10) – This policy checks for vulnerabilities in web servers and web
applications, such as SQL injection, cross-site scripting, unpatched web server software,
weak SSL ciphers, and other OWASP Top 10 vulnerabilities. It also enables file content
checks. Authentication is recommended or required for some of the checks included in
this policy. See the FAQ for more information about OWASP Top 10 coverage.
• IAVA – This compliance policy executes a full port scan for all vulnerabilities reported in
the Information Assurance Vulnerability Alert (IAVA).
• Operating System Password Guess – This policy includes all SAINT password guessing
features designed to guess the operating system password. This policy includes checks
for default FTP passwords, as well as dictionary-based password guessing via Telnet,
SSH, and FTP. Authentication is recommended to ensure user account enumeration.
• Software Inventory – This policy generates a list of software installed on Windows
targets. Authentication is required. For more information, see Configuration.
The following three options can be used to modify some of the scan policies described above.
• Exhaustive – An exhaustive scan will take extra steps to be as thorough as possible. This
option affects the vulnerability, PCI, and custom scan policies. For more information on
exhaustive scans, see SAINT Configuration.
• Extreme – By default, SAINT takes a conservative approach and does not run checks
which could have harmful side effects, but this makes it impossible to confirm certain
vulnerabilities. However, if an extreme scan is run, the scan may include "dangerous"
checks, in which attacks designed to crash services are launched in order to confirm that
the target is or is not vulnerable. This option affects the vulnerability and custom scan
policies. For more information see Dangerous Checks.
• Heavy port scan – With this option, the scan will include a heavy port scan, rather than
scanning only common ports. This option affects the port scan and vulnerability scan
policies. For more information on the heavy port scan, see Ports to Scan.
Host Discovery
SAINT can perform host discovery in two ways: using SAINT's built-in discovery engine, or with
Nmap. The SAINT method is simpler to configure, while Nmap is much faster and allows for
more customization.
SAINT Discovery Configuration
In order to avoid wasting time scanning hosts which do not exist or are unreachable, SAINT
attempts to discover live hosts at the start of a scan. The method used to discover live hosts
varies depending upon whether a firewall is in place.
• No Firewall Support – The No Firewall Support option is the default, and should be
selected if no firewall is in place. With this option, SAINT attempts to send an ICMP echo
request (ping) to each host. When the host does not respond, SAINT assumes the host is
down and skips further probes.
• Firewall Support – If you are scanning targets that are behind a firewall from a system
that is not behind the firewall, or in any other case where ICMP does not work, choose
one of the Firewall Support options. With these options, SAINT does not rely on ICMP
for discovering live targets. Instead, there are two alternate options:
• TCP Discovery – This option causes SAINT to use TCP for discovering live targets.
Each potential target in the specified target range will be scanned for a few
standard TCP ports. If there is a response, either that the port is open or that the
connection was refused by the target, then the host is considered to be alive.
• ARP Ping Discovery – With this option, SAINT will consider a potential target to
be alive if the IP address can be resolved to a MAC address using the ARP
protocol. The benefits of this method are that it still works even when ICMP
pings and TCP ports are blocked, and it is the fastest discovery method. But it
only works for targets that are on the same local network as the scanner.
• Combined Firewall Support – If you do not know whether your targets are behind a
firewall, or if some targets may be behind a firewall while others are not, then choose
the Combined Firewall Support option. This option uses all of the above discovery
methods. It is the slowest option, but also the most likely to succeed in discovering all
live targets.
• Extensive Firewall Support – This option skips the discovery process altogether and
does a complete scan of every target address, regardless of whether it is alive. Hence,
Extensive Firewall Support can lead to a very slow scan, especially if a large target range
was entered. Use this option only when the targets do not respond either to pings or to
TCP requests to closed ports, and do not consistently have any of the standard ports
open.
For more information on configuring the standard ports, select Scanning Options under the
Options icon, and then select Workarounds from the drop down Category list. The firewall
support options are intended only to work around discovery issues, and do not allow SAINT to
scan targets behind firewalls which perform network address translation, or IP address
masquerading. Hosts behind such firewalls will still be invisible from the outside and thus
cannot be scanned from the outside.
Nmap Discovery Configuration
TCP SYN Scan: Sends empty TCP packets with the SYN flag set. Live hosts will reply with either a
RST or SYN/ACK TCP packet. An optional list of comma-separated ports may be supplied. If
omitted, the default Nmap ports will be used.
TCP ACK Scan: Sends empty TCP packets with the ACK flag set. Live hosts will reply with a RST
packet. Some firewalls prevent hosts from replying to SYN requests to closed ports, but may
still respond to ACK packets. An optional list of comma-separated ports may be supplied. If
omitted, the default Nmap ports will be used.
ICMP Echo/Timestamp/Address Mask: Sends ICMP Echo (type 8), Timestamp (type 13), or
Address Mask (type 17) request.
UDP Ping: Sends UDP packets to the given ports. Empty packets will be sent to most ports;
however, ports listed in config/nmap/nmap-payloads will be sent the corresponding protocol
payloads, which are more likely to elicit a response.
SCTP INIT Ping: Sends an SCTP packet with the minimal INIT chunk. Live hosts will reply with an
ABORT chunk if the port is closed, or an INIT-ACK chunk if it is open. An optional list of
comma-separated ports may be supplied. If omitted, the default Nmap ports will be used.
IP Protocol Ping: Sends an IP packet with the specified protocol number set. An optional
comma-separated list of protocol numbers may be supplied. If omitted, the default Nmap protocols
will be used.
ARP/ND Ping: Uses Nmap to handle ARP requests instead of the host operating system. This is
useful for scanning local LANs and may improve performance. If IPv6 targets are used, then
ICMPv6 Neighbor Discovery is used instead of ARP.
Authentication
In order to conduct the most thorough and accurate scan possible, SAINT gives you the option
of authenticating to targets. Authentication allows SAINT to access the registry, file attributes,
or package lists on the remote target. There are two benefits to authentication. First, an
authenticated scan is able to detect additional vulnerabilities, such as client vulnerabilities and
missing hotfixes, which could not otherwise be detected by probing network services. Second,
an authenticated scan is sometimes able to check for fixes whose presence could not otherwise
be determined, thereby reducing false alarms.
Besides authentication to operating systems, authentication to specific services offers additional
benefits. Authentication to web servers allows access to pages within web applications which
may be affected by vulnerabilities such as SQL injection or cross-site scripting. Authentication to
database services allows inspection of objects within the database system for security
weaknesses.
If you wish to run an authenticated scan, enter a valid login and password in the Authentication
section of the Scan Setup page. You may use either one user/password combination for each
authentication type on all targets or specify a user/password combination for each target and
authentication type using the credentials manager.
The credentials manager allows you to create credentials files on a per session basis. The
credentials file format is as follows:
platform|target|username|password
where platform may equal any of the following:
'B' = windows/linux/mac
'W' = windows
'L' = linux
'O' = oracle
'X' = windows non-admin
'M' = Microsoft SQL Server
'Y' = MySQL
'H' = HTTP basic authentication
Example Files:
W|127.0.0.1|user|pass
B|127.0.0.4|admin|pw
L|127.0.0.10|root|abc123
L|127.0.0.5|somekey:someuser|x4y5z6
Note that the passwords will be encoded and never displayed in plain text. You may also specify
an IP range using a dash '-' character.
The credentials manager has three methods of modifying/adding credentials:
• Standard - Wizard-directed credentials creation using form fields
• FreeForm - Allows you to specify credentials free-hand.
o Passwords will be encoded when you hit save
o Make sure you have saved all credentials before exiting
o Delete credentials by removing a credential record and hitting save again
• Upload - From here you may upload a credentials file that is already in credentials file
format.
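A checker for the credentials file format described above, as an added example that is not SAINT's own code. The sample file extends the manual's four example lines with constructed records, the handling of a '|' inside a password is an assumption, and reading the Linux username somekey:someuser as an SSH key name followed by a login is also an assumption.

```python
"""Linter for SAINT credentials-manager files (added example, not SAINT's own code).

The manual gives the record format  platform|target|username|password  with a
one-letter platform code, and allows a dash IP range in the target field.
This checks a file before it is uploaded through the credentials manager and
reports problems with the password masked, so the report itself leaks nothing.
"""
import ipaddress

# Platform codes as listed in the manual
PLATFORMS = {
    "B": "windows/linux/mac",
    "W": "windows",
    "L": "linux",
    "O": "oracle",
    "X": "windows non-admin",
    "M": "Microsoft SQL Server",
    "Y": "MySQL",
    "H": "HTTP basic authentication",
}

# Constructed sample: the manual's four example lines plus three added records,
# two of them deliberately invalid (unknown code, impossible octet)
SAMPLE_FILE = """W|127.0.0.1|user|pass
B|127.0.0.4|admin|pw
L|127.0.0.10|root|abc123
L|127.0.0.5|somekey:someuser|x4y5z6
W|10.0.0.1-10.0.0.20|local:audit|s3cret
Q|10.0.0.9|svc|secret
W|10.0.0.300|svc|secret
"""


def valid_target(target):
    """A single IP address, or a dash range start-end of the same IP version."""
    try:
        if "-" in target:
            start, end = (ipaddress.ip_address(p) for p in target.split("-", 1))
            return start.version == end.version and start <= end
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def parse_credentials_file(text):
    """Return (records, problems) for a credentials file given as text.

    Records are dicts with the four fields; problems are messages keyed by line
    number.  Passwords stay inside the records and never appear in a message.
    """
    records, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # Assumption: the manual does not say whether '|' may occur in a
        # password, so everything after the third separator is the password.
        fields = line.split("|", 3)
        if len(fields) != 4:
            problems.append(f"line {lineno}: expected 4 '|'-separated fields, got {len(fields)}")
            continue
        platform, target, username, password = fields
        if platform not in PLATFORMS:
            problems.append(f"line {lineno}: unknown platform code {platform!r}")
        elif not valid_target(target):
            problems.append(f"line {lineno}: malformed target or range {target!r}")
        elif not username or not password:
            problems.append(f"line {lineno}: empty username or password")
        else:
            records.append({"platform": platform, "target": target,
                            "username": username, "password": password})
    return records, problems


def describe(record):
    """Password-free rendering of a record, decoding the username conventions the
    manual shows: 'local:login' for a Windows local account, and the Linux example
    'somekey:someuser', read here (assumption) as SSH key name followed by login."""
    platform, user = record["platform"], record["username"]
    note = f" [{PLATFORMS[platform]}]"
    if platform in ("W", "X") and user.startswith("local:"):
        note = f" [local Windows account {user[6:]}]"
    elif platform == "L" and ":" in user:
        key, login = user.split(":", 1)
        note = f" [SSH key {key!r} for {login}]"
    return f"{platform}|{record['target']}|{user}|********{note}"
```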
How to Authenticate to Windows Targets
For authentication to Windows targets, use an account with administrative privileges on the
domain for the Windows Admin credentials, and an account with typical user privileges for the
Windows Non-Admin credentials. The Windows Admin credentials are used to detect Windows
updates, registry settings, and program versions. The Windows Non-Admin credentials are used
to evaluate file share access controls. It is not necessary to specify the domain; SAINT will
assume the specified account is in the same domain as the target, or a local account if the
target is not a member of a domain. (To use a local account even if the target is a member of a
domain, specify the account name as "local:login", where login is the login name. Do not put a
space after the colon.)
If you wish to verify that the Windows Admin login and password are correct, click on the Check
Login button beside the login and password boxes. Clicking on this button will display a green
Login OK message within a few seconds if SAINT was able to authenticate to the target using
those credentials. If there are multiple primary targets selected, SAINT will use only the first
one for this test. Targets must be specified individually, not as ranges, CIDR blocks, or subnets,
in order to use this feature.
Warning: The encrypted Windows authentication functions require the crypto library which
comes with OpenSSL. If the OpenSSL libraries are missing or outdated on the scanning system, a
warning message will appear when SAINT starts, and passwords will be sent over the network
in clear text.
Keep in mind that SAINT's detection of Windows updates should be used as a baseline
assessment only. SAINT detects Windows updates using simple checks for the presence of
registry keys and file time stamps, which cannot always account for updates that have been
incorrectly installed, uninstalled, rendered ineffective due to incorrect order of installation, or
other unusual situations. For a more thorough evaluation of Windows updates, it would be
advisable to use one of several available patch management tools.
How to Authenticate to Linux, Unix, or Mac
For authentication to Linux, Unix, and Macintosh targets, any active user account on the system
may be used. The SSH service must be running on the remote target in order for authentication
on Linux, Unix, and Macintosh targets to function. If you choose not to authenticate, SAINT will
still conduct its full set of unprivileged vulnerability checks, omitting only those few which
require authentication. You also have the option to use SSH public key authentication to Linux,
Unix, and Macintosh targets. The public key should be added to the “authorized_keys” file on
the target system. Choose “Manage SSH Private Keys” from the Authentication tab on the Scan
status page to save the corresponding private key. Refresh the Scan Status page to see the SSH
private key in the “Choose private key” drop down menu on the Authentication tab.
How to Authenticate to Oracle Database Servers
For authentication to Oracle Database servers, a fully privileged account such as SYS or SYSTEM
should be used. The scanning system must meet the requirements for the Oracle Instant Client
in order for Oracle authentication to succeed. See the system requirements for more
information about the Oracle Instant Client. Oracle authentication allows the scan to detect
local Oracle vulnerabilities such as users or roles with ANY privileges or users with the DBA role.
Note that Oracle authentication is not necessary to check for Oracle security patches. Windows
or Linux/Unix authentication is required for that.
Besides specifying the Oracle login and password, it is also possible to specify the SID of the
database instance to be scanned. The SID is needed in order to authenticate to the database. If
the SID is omitted, SAINT will attempt to determine the SID of the remote database; however,
determining the SID of the remote database is not always possible. Therefore, it is advisable to
specify the SID if known. The SID can be specified even if the login and password are not, in
order to assist the password guessing attempts.
How to Authenticate to Microsoft SQL Server
Authentication to Microsoft SQL Server allows scanning for local database vulnerabilities such
as privilege elevation through stored procedures (CVE-2002-0721) and privilege elevation
through web tasks (CVE-2002-1145). Authentication to Microsoft SQL Server requires the
database to be configured to use mixed-mode authentication, and to allow remote connections
using TCP. A fully privileged account such as "sa" should be used. (Security Warning: The
Microsoft SQL Server password will be sent over the network using weak encryption.)
Note that Microsoft SQL Server authentication is not required in order to detect whether SQL
Server patches have been applied. Windows authentication should be used for that.
How to Authenticate to MySQL Databases
Authentication to MySQL databases allows scanning for local database vulnerabilities, such as
users having excessive privileges. The mysql client program must be installed on the SAINT host
in order for this feature to be used. Also, authentication to MySQL requires the database to be
listening over the network, and for access to be allowed from the SAINT host. A fully privileged
database account such as "root" should be used to authenticate.
Note that MySQL authentication isn't required for determining vulnerabilities in the MySQL
software itself. Those vulnerabilities are inferred without authentication from the MySQL
version number found in the network response from the MySQL service. Unix/Linux
authentication may nevertheless be helpful for reducing false positives.
HTTP Basic Authentication
HTTP Basic authentication refers to web servers hosting password-protected directories. HTTP
Basic authentication typically results in a pop-up dialog box prompting the user to enter a login
and password, as shown in the example image below.
Note that HTTP Basic authentication is not the same as form-based authentication, where the
user is prompted to enter a login and password directly into a web page.
When entering HTTP Basic authentication credentials, be aware that the password will possibly
be sent over the network without encryption.
How to Authenticate to Web Applications
SAINT also supports form-based authentication to web applications. However, instead of
specifying the login and password directly on the Scan page, you must actually authenticate to
the application before starting the scan. Once you have successfully authenticated, your session
ID is saved. During the scan, this session ID is sent with each HTTP request to spider the web
application and test for vulnerabilities.
To authenticate to a web application using form-based authentication:
1. Go to the Scan page
2. Click on Authentication
3. Click on Enter Web Credentials
4. A pop-up window will appear. Enter the URL of the login page for your web application:
5. Click on Go to Login Page. This will take you to the login page for your web application.