Bugtraq mailing list archives
Re: SATAN ATTACKS EVERYWHERE
From: ley () cert dfn de (Wolfgang Ley)
Date: Mon, 10 Apr 1995 00:42:01 +0200
Hey, are we still here?? Looks like we survived the numerous attacks from hordes of hackers armed with SATAN with the only desire to pillage and pilfer everyone's networks. The Internet has survived another mega hype negative story! For some reason, I really can't see tons of hackers using SATAN for several reasons:
0. SATAN was never designed to be a tool to exploit security problems on other sites.
1. It is HUGE. It eats up tons of disk and ram space. When I tried to load up SATAN's demo information on a 16 meg machine here, it crashed from not having enough RAM. It requires 32 megs. (And I thought Windows was a memory hog). Like the administrator won't notice he only has 1 meg of ram left.
I have never seen a "real" Unix system with 16 meg total memory (phys. memory and swap space). I'm not talking about your poor PC running linux or something like that... SATAN itself is not "HUGE". Maybe you are talking about an interactive session using an X11-html-viewer and you are including perl5 into your count? The memory SATAN needs depends on the size of your network. If you have a network with several thousand computers you will have at least one with more than 16 meg total memory (including swap) and a free disk space of a few (let's say 50) megs - don't you?
2. It requires installing other packages like perl. Most hackers aren't able to run anything unless it's a no brainer script. "Gee the bad thing is we've been hacked and someone used SATAN, the good thing is that we got perl5 and a web browser installed."
Perhaps you are talking about wannabe-hackers that are trying to break into other systems (crackers). Hackers (in the original term people with deep knowledge about computers) won't have problems installing perl... Every normal sys-admin is able to install perl - it's one of the easiest to install packages that are available.
3. Since you have to use a web browser, you have to either run SATAN from the console (umm, really stupid hacker scanning from his own machine) or redirect the X Display to his own machine (still really stupid). Who knows, I wouldn't be surprised if some hacker wanna-be does use SATAN. Maybe CERT can tell us if they have seen a dramatic increase in breakins now that SATAN is released?
Have you ever tried to read the documentation? Ever used SATAN? Of course you can use satan as a shell-command to collect the data. There are also HTML-viewers that do not need X (like lynx) and work very well together with satan.
Hey, I am glad that SATAN really isn't the ideal hacker tool, but I wanted to point out (contrary to News Media) that SATAN is not the tool that will shut down the Internet.
Hmm. My very personal opinion is that you did not try to be objective, nor did you read the full documentation and understand the principles of SATAN. But now we are coming to the real reason of your posting:
On a side note, I have released ISS 1.3 which is available on ftp.iss.net /pub/iss/iss13.tar.gz which includes many more checks than what SATAN has specified. Also, it doesn't require installing any other outside packages, is in C, and doesn't require large amounts of ram nor disk space.
Ok. Let's check.
1. Includes more checks? This is not a problem. The main goal of the current release of SATAN was to bring out the package right now so it can't be stopped, to get feedback for bug-fixes and (later) add more tests. It would be interesting to see new versions of ISS as soon as new checks are being shipped with SATAN. So why haven't you released this iss version with more tests before?
2. Doesn't require installing other packages? Oh - nice. How will it work on my Solaris 2.x machine (out of the box) that has no C-compiler?
SATAN also includes another very important part (missing in ISS): the "web of trust". By using this you can "get the whole picture" instead of highlighting only single problems. This part isn't yet powerful enough but the authors are still working especially on this topic.
Another point: You first said that satan is huge, requires additional packages, etc. and then said that your product is better in these categories. Also you said because of the disadvantages of SATAN in these points crackers won't use it. Later on you are advertising your tool... Who should use it? The crackers or the sysadmins?
You completely ignored the very good documentation of SATAN! Also compare the data presentation of ISS and SATAN and the user interface...
Also I don't think that Dan and Wietse are those guys who are thinking: first we release a small package for public use and then (after getting feedback and improving the product) don't give the results of the feedback back to the community but instead sell the product as binary only for a very high price...
Bye,
Wolfgang Ley.
--
----------------------------------------------------------------------
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley () cert dfn de Phone: +49 40 54715-262 Fax: +49 40 54715-241
PGP-Key available via finger ley () concert cert dfn de or any key-server