SARA

NAME

sara - network security scanner  

SYNOPSIS

sara [options] [primary_target(s)...]  

DESCRIPTION

SARA (Security Auditor's Research Assistant), a derivative of the Security Administrator Tool for Analyzing Networks (SATAN), remotely probes systems via the network and stores its findings in a database. The results can be viewed with any Level 2 HTML browser that supports the HTTP protocol (e.g. Mosaic, Netscape (see NOTE below), etc.).

primary_target(s) can specify a:

host
(e.g., www.microsoft.com)
range
(e.g., 192.168.0.12-192.168.0.223)
subnet
(e.g., 192.168.0.0/23)

When no primary_target(s) are specified on the command line, SARA starts up in interactive mode and takes commands from the HTML user interface.

When primary_target(s) are specified on the command line, SARA collects data from the named hosts, and, possibly, from hosts that it discovers while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, SARA collects data from each host in the named network.

SARA can generate reports of hosts by type, service, vulnerability and by trust relationship. In addition, it offers tutorials that explain the nature of vulnerabilities and how they can be eliminated.

By default, the behavior of SARA is controlled by a configuration file (config/sara.cf). The defaults can be overruled via command-line options or via buttons etc. in the HTML user interface.

Options:

-a
Attack level (0=light, 1=normal, 2=heavy, 3=extreme, 4=custom). At level 0, SARA collects information about RPC services and from the DNS. At level 1, SARA collects banners of well-known services such as telnet, smtp and ftp, and can usually establish the type of operating system. At level 2, SARA does a more extensive (but still non-intrusive) scan for services. Level 2 scans may result in console error messages. At level 3, some tests may disrupt unpatched Microsoft Windows products (95, 98, NT) but SARA searches for more exploits, including distributed denial of service daemons. Level 4 can be customized to perform specific probes. A sample is provided in the configuration file.
-A proximity_descent
While SARA extracts information from primary targets, it may discover other hosts. The proximity_descent controls by how much the attack level decreases when SARA goes from primary targets to secondary ones, and so on. The -z option determines what happens when the attack level reaches zero.
-c 'name=value; name=value...'
Change the value of arbitrary SARA variables. Example:

    -c 'dont_use_dns = 1; dont_use_nslookup = 1'

The -c option allows you to control configuration and other variables that do not have their own command-line option. The format is a list of name=value pairs separated by semicolons. Variable names have no dollar prefix, and values are not quoted. Whitespace within values is preserved.
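SARA itself is written in Perl; the following is an added Python illustration of the -c format described above, not SARA's own parser. It splits on semicolons, accepts one '=' per pair, rejects names with a dollar prefix, and keeps whitespace inside a value. Stripping the whitespace around the separators is an assumption made here.

```python
import re

# Variable names: identifier-like, no leading '$' (constructed rule for this example).
NAME_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')

def parse_c_option(arg):
    """Parse a -c 'name=value; name=value...' string into a dict.

    Pairs are separated by ';', names carry no '$', values are unquoted and
    whitespace inside a value survives. Only the whitespace directly around
    the ';' and '=' separators is dropped (assumption).
    """
    settings = {}
    for item in arg.split(';'):
        item = item.strip()
        if not item:                      # tolerate an empty or trailing ';'
            continue
        name, sep, value = item.partition('=')   # first '=' only; '=' may appear in value
        name = name.strip()
        if not sep or not NAME_RE.fullmatch(name):
            raise ValueError(f"bad -c element: {item!r}")
        settings[name] = value.strip()
    return settings
```

A value such as 'a b' keeps its inner blank, so a later lookup sees exactly what was typed.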

-d database
Specifies the name of the database to read from and to save to (default sara_data).

When multiple SARA processes are run in parallel, each process should be given its own database (for example, one database per subnet of 256 hosts). Use the merge facility of the HTML user interface to merge data from different runs.

-D
Run SARA in Daemon mode on the port specified in config/sara.cf. This enables remote execution of SARA.
-i
Ignore the contents of the database.
-f
Sets the SARA probes (fwping and tcp_scan) to scan a firewalled network.
-F file
Reads the hosts to be scanned from file.
-l proximity
Maximal proximity level. Primary targets have proximity 0, hosts discovered while scanning primaries have proximity level 1, and so on. SARA ignores all hosts that exceed the maximal proximity level.
-o only_attack_these
A list of domain names and/or network numbers of hosts that SARA is permitted to scan. List elements are separated by whitespace or commas. Understands the * shell-like wildcard.
-O dont_attack_these
A list of domain names and/or network numbers that SARA should stay away from. The list has the same format as with the -o option.
-p
Reduce packet density. Useful for slow machines or networks.
-P concurrent
Allow multiple concurrent processing. SARA will spawn at most concurrent processes, where concurrent is the number given as the argument.
-s
Subnet expansion. For each primary target, SARA finds all alive hosts in the target's subnet (a block of 256 addresses).
-S status_file
While collecting data, SARA maintains a status file with the last action taken. The default status file is status_file.
-t level
Timeout level (0 = short, 1 = medium, 2 = long) for each probe.
-T time
Specifies that SARA will start execution at the identified time. Time is specified as days-hour:min; e.g., 1-16:33 will cause SARA to start execution at 1630 localtime tomorrow.
-u
Specifies that SARA is being run from an untrusted host. Access via, for example, the remote shell or network file system services, means that there is a security problem.
-U
Opposite of the -u option. SARA may be run from a possibly trusted host. Access via, for example, the remote shell or network file system services is not necessarily a problem.
-v
Verbose mode. SARA prints on the standard output what it is doing. This is useful for debugging purposes.
-V
SARA prints its version number and terminates.
-z
When scanning non-primary hosts, continue with attack level of zero when the level would become negative. The scan continues until the maximal proximity level is reached.
-Z
Opposite of the -z option.
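The -o and -O options above define the scan scope; the following is an added Python illustration of such a scope check, not SARA's own code (SARA is written in Perl). Assumptions made here: list elements are split on whitespace or commas; a '*' element is matched shell-style against the host name and dotted address; a bare network number such as 192.0.2 is treated as an address prefix; a plain domain name covers hosts beneath it; a -O hit always wins over a -o hit; an empty -o list allows everything.

```python
import re
from fnmatch import fnmatchcase

NETWORK_NUMBER_RE = re.compile(r'\d{1,3}(\.\d{1,3}){0,3}')

def parse_target_list(spec):
    """Split an -o/-O list: elements separated by whitespace or commas."""
    return [e for e in re.split(r'[\s,]+', spec.strip()) if e]

def element_matches(element, hostname, address):
    """Match one list element against one host (name and dotted address)."""
    e = element.lower()
    h = hostname.lower()
    if any(c in e for c in '*?['):                 # shell-like wildcard
        return fnmatchcase(h, e) or fnmatchcase(address, e)
    if NETWORK_NUMBER_RE.fullmatch(e):             # network number: prefix match (assumption)
        return address == e or address.startswith(e + '.')
    return h == e or h.endswith('.' + e)           # domain name covers sub-hosts (assumption)

def permitted(hostname, address, only_attack_these='', dont_attack_these=''):
    """Return True if SARA may probe this host under the given -o/-O lists.

    The -O list is checked first and is decisive, so it acts as the safety net
    even when a broad -o wildcard would otherwise include the host.
    """
    deny = parse_target_list(dont_attack_these)
    if any(element_matches(e, hostname, address) for e in deny):
        return False
    allow = parse_target_list(only_attack_these)
    return not allow or any(element_matches(e, hostname, address) for e in allow)
```

Running the host discovered during a scan through permitted() before probing it is the check these two options describe.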

NOTE

While using older versions of Netscape, the user may experience problems when clicking on the menu buttons. Specifically, Netscape may prompt the user to save a *.pl file. Refer to the online documentation -> FAQ for configuration options to rectify this problem.  

FILES

config/* configuration files
rules/* rule bases
results/* databases

AUTHORS

SARA: Bob Todd

SATAN: Dan Farmer, Wietse Venema
