SUMMARY cop,tiger,satan where to find ?

From: Haim Stotsky (stots@elbit.co.il)
Date: Mon Jul 15 1996 - 13:57:03 CDT


Hello all,
I know that it's a little late for the SUMMARY but ....
it's better than no SUMMARY at all ....

I've got a lot of very good answers and I thank all of you very much
who sent me so much information - thanks again.

The original question asked about COPS, Tiger & SATAN,
and I picked 3 answers that give all the information you should know:

Some interesting security packages:

> SATAN: ftp.win.tue.nl: /pub/security
> tripwire: monitoring of file changes
> nic.funet.fi: /pub/networking/security
> cops: security holes general checker
> ftp.sunet.se: /pub/usenet/comp.sources.unix.volume21/cops
> TAMU: security holes general checker
> net.tamu.edu: /pub/security/TAMU
> CRACK: password quality checker
> sunic.sunet.se: /pub/networking/security/tools/crack
> ISS: subnetwork security checker
> usc.edu: /archive/usenet/sources/comp.sources.misc/volume39/iss
> sudo: restricts root privileges to registered users
> veronica.cs.wisc.edu: /src/sudo
> sush: grants privileges for unix commands
> sunic.sunet.se: /SRC/sec8/sush
> tcpd: monitors and filters inetd services
> cert.org: /pub/tools/tcp_wrappers

+ SATAN info from CERT:

> From cert-advisory-request@cert.org Mon Apr 3 20:02:56 1995
> Date: Mon, 3 Apr 1995 11:58:17 -0400
> From: CERT Advisory <cert-advisory@cert.org>
> To: cert-advisory@cert.org
> Subject: CERT Advisory - SATAN
>
> =============================================================================
> CA-95:06 CERT Advisory
> April 3, 1995
> Security Administrator Tool for Analyzing Networks (SATAN)
> -----------------------------------------------------------------------------
>
> The CERT Coordination Center staff has examined beta version 0.51 of the
> Security Administrator Tool for Analyzing Networks (SATAN). This advisory
> contains information based on our review of this pre-release version. When the
> official release is available, we will distribute an updated advisory. SATAN
> is scheduled for release on April 5, 1995, at 14:00 GMT.
>
> 1. What is SATAN?
> ------------------
> SATAN is a testing and reporting tool that collects a variety of information
> about networked hosts. The currently available documentation can be found at
> ftp://ftp.win.tue.nl/pub/security/satan_doc.tar.Z
>
> SATAN gathers information about specified hosts and networks by examining
> network services (for example, finger, NFS, NIS, ftp, and rexd). It can then
> report this data in a summary format or, with a simple rule-based system,
> investigate potential security problems. Problems are described briefly and
> pointers provided to patches or workarounds. In addition to reporting
> vulnerabilities, SATAN gathers general network information (network topology,
> network services run, types of hardware and software being used on the
> network). As described in the SATAN documentation, SATAN has an exploratory
> mode that allows it to probe hosts that have not been explicitly specified.
> Thus, SATAN could probe not only targeted hosts, but also hosts outside your
> administrative domain.
>
> Section 4 below lists the vulnerabilities currently probed by SATAN.
>
>
> 2. Potential Impact of SATAN
> ----------------------------
> SATAN was designed as a security tool for system and network administrators.
> However, given its wide distribution, ease of use, and ability to scan remote
> networks, SATAN is also likely to be used to locate vulnerable hosts for
> malicious reasons. It is also possible that sites running SATAN for a
> legitimate purpose will accidentally scan your system via SATAN's exploratory
> mode.
>
> Although the vulnerabilities SATAN identifies are not new, the ability to
> locate them with a widely available, easy-to-use tool increases the level of
> threat to sites that have not taken steps to address those vulnerabilities. In
> addition, SATAN is easily extensible. After it is released, modified versions
> might scan for other vulnerabilities as well and might include code to
> compromise systems.
>
>
> 3. How to Prepare for the Release of SATAN
> ------------------------------------------
>
> * Examine your systems for the vulnerabilities described below and implement
> security fixes accordingly.
>
> * In addition to reading the advisories cited for specific vulnerabilities
> below, consult the following documents for guidance on improving the
> security of your systems:
> ftp://info.cert.org/tech_tips/security_info
> ftp://info.cert.org/tech_tips/anonymous_ftp
> ftp://info.cert.org/tech_tips/packet_filtering
>
> * Contact your vendor for information on available security patches, and
> ensure that all patches have been installed at your site.
>
> * Use the tools listed in Section 5 to assist you in assessing and improving
> the security of your systems.
>
>
> 4. Vulnerabilities Probed by SATAN
> ----------------------------------
> Listed below are vulnerabilities that beta version 0.51 of SATAN tests for,
> along with references to CERT advisories and other documents where applicable.
>
> Administrators should verify the state of their systems and perform corrective
> actions as necessary. We cannot stress enough the importance of good network
> configuration and the need to install all available patches.
>
> 1. NFS export to unprivileged programs
> 2. NFS export via portmapper
> 3. Unrestricted NFS export
>
> See CERT advisory CA-94:15 and CA-94:15.README for security measures you
> can take to address NFS vulnerabilities.
>
> The following advisories also address problems related to NFS:
> CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability
> CA-94:02.README
> CA-93:15.SunOS.and.Solaris.vulnerabilities
> CA-92:15.Multiple.SunOS.vulnerabilities.patches
> CA-92:12.REVISED.SunOS.rpc.mountd.vulnerability
> CA-91:21.SunOS.NFS.Jumbo.and.fsirand
>
> 4. NIS password file access
> See CERT advisory CA-92:13 for information about SunOS 4.x machines using
> NIS, and CA-93:01 for information about HP machines.
>
> 5. rexd access
> We recommend filtering the rexd service at your firewall and commenting
> out rexd in the file /etc/inetd.conf.
>
> See CERT advisory CA-92:05 for more information about IBM AIX machines
> using rexd, and CA-91:06 for information about NeXT.
>
> 6. Sendmail vulnerabilities
> See CERT advisory CA-95:05 and CA-95:05.README for the latest information
> we have published about sendmail.
>
> 7. TFTP file access
> See CERT advisory CA-91:18 for security measures that address TFTP access
> problems. In addition, CA-91:19 contains information for IBM AIX users.
>
> 8. Remote shell access
> We recommend that you comment out rshd in the file /etc/inetd.conf or
> protect it with a TCP wrapper.
>
> 9. Unrestricted X server access
> We recommend filtering X at your firewall. Additional advice about
> packet filtering is available by anonymous FTP from
> ftp://info.cert.org:/pub/tech_tips/anonymous_ftp
>
> 10. Writable FTP home directory
> See CERT advisory CA-93:10.
> Guidance on anonymous FTP configuration is also available from
> ftp://info.cert.org:/pub/tech_tips/anonymous_ftp
>
> 11. wu-ftpd vulnerability
> See CA-93:06, CA-94:07, and CA-94:07.README for more information about
> ftpd.
>
>
> Note: In addition to our FTP archive at info.cert.org, CERT documents are
> available from the following sites, and others which you can locate
> by using archie:
>
> ftp://coast.cs.purdue.edu:/pub/mirrors/cert.org/cert_advisories
> ftp://unix.hensa.ac.uk:/pub/uunet/doc/security/cert_advisories
> ftp://ftp.luth.se:/pub/misc/cert/cert_advisories
> ftp://ftp.switch.ch:/network/security/cert_advisories
> ftp://corton.inria.fr:/CERT/cert_advisories
> ftp://ftp.inria.fr:/network/cert_advisories
> ftp://nic.nordu.net:/networking/security/cert_advisories
>
> 5. Currently Available Tools
> -----------------------------
> The following tools are freely available now and can help you improve your
> site's security before SATAN is released.
>
> COPS and ISS can be used to check for vulnerabilities and configuration
> weaknesses.
>
> COPS is available from ftp://info.cert.org:/pub/tools/cops/*
>
> ISS is available from
> ftp://ftp.uu.net:/usenet/comp.sources.misc/volume39/iss
> CERT advisory CA-93:14 and CA-93:14.README contain information about ISS.
>
> TCP wrappers can provide access control and flexible logging to most network
> services. These features can help you prevent and detect network attacks. This
> software is available by anonymous FTP from
>
> ftp://info.cert.org:/pub/tools/tcp_wrappers/*
>
> The TAMU security package includes tools to check for vulnerabilities and
> system configuration weaknesses, and it provides logging and filtering of
> network services. This software is available by anonymous FTP from
>
> ftp://net.tamu.edu:/pub/security/TAMU/*
>
> The Swatch log file monitor allows you to identify patterns in log file entries
> and associate them with actions. This tool is available from
>
> ftp://ee.stanford.edu:/pub/sources/swatch.tar.Z
>
>
> 6. Detecting Probes
> -------------------
> One indication of attacks by SATAN, and other tools, is evidence of a heavy
> scan of a range of ports and services in a relatively short time. Many UNIX
> network daemons do not provide sufficient logging to determine if SATAN is
> probing the system. TCP wrappers, the TAMU tools, and Swatch can provide the
> logging you need.
>
>
> 7. Using SATAN
> ---------------
> Running SATAN on your systems will provide you with the same information an
> attacker would obtain, allowing you to correct vulnerabilities. If you choose
> to run SATAN, we urge you to read the documentation carefully. Also,
> note the following:
>
> * It is easy to accidentally probe systems you did not intend to. If this
> occurs, the probed site may view the probe(s) as an attack on their
> system(s).
>
> * Take special care in setting up your configuration file, and in selecting the
> probe level when you run SATAN.
>
> * Explicitly bound the scope of your probes when you run SATAN. Under "SATAN
> Configuration Management," explicitly limit probes to specific hosts and
> exclude specific hosts.
>
> * When you run SATAN, ensure that other users do not have read access to your
> SATAN directory.
>
> * In some cases, SATAN points to CERT advisories. If the link does not work
> for you, try getting the advisories by anonymous FTP.
>
>
> 8. Getting more information about SATAN
> ---------------------------------------
> As noted above, SATAN documentation is available from
> ftp://ftp.win.tue.nl/pub/security/satan_doc.tar.Z
>
> Additional documents are available through a mail server set up by one of the
> authors.
>
> Send mail to
> majordomo@wzv.win.tue.nl
>
> Put the following text in the body (not subject):
> get satan mirror-sites
> get satan release-plan
> get satan description
> get satan admin-guide-to-cracking.101
>
> The last document contains "Improving the Security of Your Site by Breaking
> Into It," a 1993 paper in which the authors give their rationale for creating
> SATAN.
>
> ---------------------------------------------------------------------------
> The CERT Coordination Center staff thanks Dan Farmer and Wietse Venema for
> the opportunity to examine pre-release versions of SATAN. We also appreciate
> the interaction with the response teams at AUSCERT, CIAC, and DFN-CERT, and
> feedback from Eric Allman.
> ---------------------------------------------------------------------------
>
> If you believe that your system has been compromised, contact the CERT
> Coordination Center or your representative in the Forum of Incident
> Response and Security Teams (FIRST).
>
> If you wish to send sensitive incident or vulnerability information to
> CERT staff by electronic mail, we strongly advise that the e-mail be
> encrypted. The CERT Coordination Center can support a shared DES key, PGP
> (public key available via anonymous FTP on info.cert.org), or PEM (contact
> CERT staff for details).
>
> Internet E-mail: cert@cert.org
> Telephone: +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
> and are on call for emergencies during other hours.
> Fax: +1 412-268-6989
>
> Postal address: CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh, PA 15213-3890
> USA
>
> CERT advisories and bulletins are posted on the USENET newsgroup
> comp.security.announce. If you would like to have future advisories and
> bulletins mailed to you or to a mail exploder at your site, please send mail
> to cert-advisory-request@cert.org.
>
> Past advisories, CERT bulletins, information about FIRST representatives, and
> other information related to computer security are available for anonymous
> FTP from info.cert.org.
>
>
>
> Copyright 1995 Carnegie Mellon University
> This material may be reproduced and distributed without permission provided it
> is used for noncommercial purposes and the copyright statement is included.
>
> CERT is a service mark of Carnegie Mellon University.
>
>

From Pierre SIDLER
Sidler.Pierre@ch.swissbank.com

=====================================================

-----
Notes on SATAN
-----

Some quick answers to frequently asked questions so far:

o To uncompress the archives, you'll need to use the Un*x uncompress program
        if it ends in ".Z", or the GNU unzip if it ends in ".gz".

o perl5 is available via anonymous ftp from ftp.netlabs.com

o Perl problems, like it not compiling, core dumping, etc., should be
        posted to comp.lang.perl.

o SATAN *won't* run on a PC or Mac, unless you're running some version
        of unix on it. There are no plans for porting it to them, either.

o ctime.pl is bundled with perl5; if you've installed that, you should
        have it - look for it in the library subdirectories.

o DEC/Ultrix apparently doesn't have "rpcgen". You'll need to run it
        on another machine and drag the resulting source code over (we'll
        figure out something else soon for a more permanent solution.)

o SATAN alternate configuration files are broken. Sorry ;-(

o Merging databases is *only* done in memory. Currently there is no way to
        do this in the GUI.

o SATAN needs to be run as root to run some programs/probes that require
        root access. Examining the documentation or running reports on already
        collected data can be done by any user.

-----

AVAILABILITY:

SATAN should be available on the following sites, in no particular
order (this list is still under construction):

    ftp://ftp.orst.edu/pub/mirrors/ftp.win.tue.nl/
    ftp://ftp.mcs.anl.gov/pub/security
    ftp://coast.cs.purdue.edu/pub/tools/unix/satan
    ftp://vixen.cso.uiuc.edu/security/satan-1.0.tar.Z
    ftp://ftp.denet.dk/pub/security/tools/satan/satan-1.0.tar.Z
    http://ftp.luth.se/pub/unix/security/satan-1.0.tar.Z
    ftp://ftp.luth.se/pub/unix/security/satan-1.0.tar.Z
    ftp://ftp.dstc.edu.au:/pub/security/satan/satan-1.0.tar.Z
    ftp://ftp.acsu.buffalo.edu/pub/security/satan-1.0.tar.Z
    ftp://ftp.acsu.buffalo.edu/pub/security/satan-1.0.tar.gz
    ftp://ftp.net.ohio-state.edu/pub/security/satan/satan-1.0.tar.Z
    ftp://ftp.cerf.net/pub/software/unix/security/
    ftp://coombs.anu.edu.au/pub/security/satan/
    ftp://ftp.wi.leidenuniv.nl/pub/security
    ftp://ftp.cs.ruu.nl/pub/SECURITY/satan-1.0.tar.Z
    ftp://ftp.cert.dfn.de/pub/tools/net/satan/satan-1.0.tar.Z
    ftp://cnit.nsk.su/pub/unix/security/satan
    ftp://ftp.csi.forth.gr/pub/security/satan-1.0.tar.Z
    ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/satan-1.0.tar.Z
    ftp://ftp.informatik.uni-kiel.de/pub/sources/security/MIRROR.ftp.win.tue.nl
    ftp://ftp.kulnet.kuleuven.ac.be/pub/mirror/ftp.win.tue.nl/security/
    ftp://ftp.tisl.ukans.edu/pub/security/satan-1.0.tar.Z
    ftp://ftp.ox.ac.uk/pub/comp/security/software/satan/satan-1.0.tar.Z

and on ftp.win.tue.nl as /pub/security/satan-1.0.tar.Z

-----

GENERAL INFORMATION:

SATAN was written because we realized that computer systems are
becoming more and more dependent on the network, and at the same time
becoming more and more vulnerable to attack via that same network.

The rationale for SATAN is given in a paper posted in December 1993
(ftp.win.tue.nl:/pub/security/admin-guide-to-cracking.101.Z, flat text
compressed with the UNIX compress command).

SATAN is a tool to help systems administrators. It recognizes several
common networking-related security problems, and reports the problems
without actually exploiting them.

For each type of problem found, SATAN offers a tutorial that explains
the problem and what its impact could be. The tutorial also explains
what can be done about the problem: correct an error in a configuration
file, install a bugfix from the vendor, use other means to restrict
access, or simply disable the service.

SATAN collects information that is available to everyone with access
to the network. With a properly-configured firewall in place, that
should be near-zero information for outsiders.

We have done some limited research with SATAN. Our finding is that on
networks with more than a few dozen systems, SATAN will inevitably find
problems. Here's the current problem list:

   NFS file systems exported to arbitrary hosts
   NFS file systems exported to unprivileged programs
   NFS file systems exported via the portmapper
   NIS password file access from arbitrary hosts
   Old (i.e. before 8.6.10) sendmail versions
   REXD access from arbitrary hosts
   X server access control disabled
   arbitrary files accessible via TFTP
   remote shell access from arbitrary hosts
   writable anonymous FTP home directory

These are well-known problems. They have been the subject of CERT, CIAC, or
other advisories, or are described extensively in practical security
handbooks. The problems have been exploited by the intruder community
for a long time.

We realize that SATAN is a two-edged sword - like many tools, it can be
used for good and for evil purposes. We also realize that intruders
(including wannabees) have much more capable (read intrusive) tools
than offered with SATAN. We have those tools, too, but giving them
away to the world at large is not the goal of the SATAN project.

From dan and Wietse

satan@flying.fish.com

========================================
 
Hi!
 
I know you (or we! =) ) are a little bit far, but here in México
we are running an FTP site with a lot of security tools (cops, tiger,
SATAN, tripwire, tcp-wrappers, PGP, etc.). This FTP site is part of our
Computer Security Area! I'm sure that there might be another FTP site
near you if your concern is the distance.
 
        ftp.super.unam.mx
 
I hope this might help you, and good luck!
 
Best regards!
PS. Visit our WWW page for more information! =)
------------
 From Sergio Avila
http://www.super.unam.mx/seguridad
National Autonomous University of Mexico
-----------------------------------------
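Section 6 of the quoted CERT advisory says the sign of a SATAN-style probe is one host hitting many services in a short time, and that TCP wrappers (tcpd) supply the per-connection logging stock inetd daemons lack. The script below is an added example of that detection, not code from CERT or from the SATAN project: it parses tcpd's "connect from" / "refused connect from" syslog lines and flags any client that touches several distinct wrapped services inside a sliding time window. The log lines, hostnames, thresholds and the window length are constructed assumptions.

```python
"""Flag hosts that sweep many tcpd-wrapped services in a short time window.

Added example; the log lines below are constructed, not real tcpd output.
"""
import re
from collections import defaultdict
from datetime import datetime

# tcpd logs one syslog line per wrapped connection:
#   "<daemon>[pid]: connect from <client>"          (allowed)
#   "<daemon>[pid]: refused connect from <client>"  (denied by hosts.deny)
TCPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"   # syslog stamp, hostname
    r"(?P<service>[\w.-]+)\[\d+\]:\s+"                       # e.g. in.fingerd[211]:
    r"(?P<verdict>refused connect|connect) from (?P<client>\S+)"
)

def parse_tcpd_line(line):
    """Return (time, client, service, refused) or None for non-tcpd lines."""
    m = TCPD_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m.group("client"), m.group("service"), m.group("verdict").startswith("refused")

def find_probing_hosts(lines, window_seconds=60, min_services=4):
    """Map client -> sorted services for each client that touched at least
    min_services distinct wrapped services inside some window_seconds span.
    Allowed and refused connects both count: a sweep shows up either way."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_tcpd_line(line)
        if rec is not None:
            by_client[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            services = {svc for _, svc in events[start:end + 1]}
            if len(services) >= min_services and len(services) > len(flagged.get(client, ())):
                flagged[client] = sorted(services)   # keep the widest offending window
    return flagged

# Constructed sample: 192.0.2.10 sweeps five services in six seconds (the
# pattern the advisory describes); 198.51.100.7 is an ordinary user spread
# over minutes; the sendmail line is unrelated noise the parser must skip.
SAMPLE_LOG = [
    "Apr  3 12:00:01 gw in.fingerd[211]: connect from 192.0.2.10",
    "Apr  3 12:00:02 gw in.ftpd[212]: connect from 192.0.2.10",
    "Apr  3 12:00:04 gw in.telnetd[213]: connect from 192.0.2.10",
    "Apr  3 12:00:05 gw in.rshd[214]: refused connect from 192.0.2.10",
    "Apr  3 12:00:07 gw in.tftpd[215]: refused connect from 192.0.2.10",
    "Apr  3 12:01:10 gw in.ftpd[220]: connect from 198.51.100.7",
    "Apr  3 12:06:30 gw in.telnetd[231]: connect from 198.51.100.7",
    "Apr  3 12:07:00 gw sendmail[240]: NOQUEUE: connection from 198.51.100.7",
]

if __name__ == "__main__":
    for client, services in find_probing_hosts(SAMPLE_LOG).items():
        print(f"{client}: {len(services)} services within 60s: {', '.join(services)}")
```

Feed it real /var/log/messages lines (e.g. `find_probing_hosts(open(path))`) and tune the window and threshold to the site's normal traffic before acting on its output.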
 



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:05 CDT