SAINT Professional

Saint Professional is a commercial off-the-shelf (COTS) suite combining two distinct tools rolled into one easy to use management interface, the SAINTscanner and SAINTexploit.  These in combination make it an extensible fully integrated vulnerability assessment and penetration testing toolkit. 

SAINTscanner can be used to:

Identify vulnerabilities on network devices, OS, desktop applications, Web applications, databases etc.

Detect and fix possible weaknesses in a network’s security before they can be exploited by intruders.

Anticipate and prevent common system vulnerabilities.

Demonstrate compliance with current government/ industry regulations (PCI DSS, FISMA, SOX, HIPAA etc.)

Perform configuration audits with policies defined by FDCC & USGCB.

SAINT Professional is available from here.

System Requirements:

Installation:

Once logged in to the customer area, there is a choice to install from source or to utilise a pre-configured virtual machine which is available from here

Once downloaded the Ubuntu based VM boots as normal and once X loads requires the  password: SAINT!!!
to login. 

This password is also required when you start the SAINT application from the terminal. 

Once started SAINT will try and auto update and then auto open the default browser:

The product then needs to be licensed and the key is generated and managed via the SAINT website.  This is achieved by pasting the key using the Configure SAINT Key administrative function, or placed into a file named saint.key placed into the installation directory.

The key is generated in the format:

saint.key
# BEGIN KEY
xxxxxxxf6b17d6x
License: SAINT
License: SAINTexploit
License: dynamic256IP;4316
License: dynamic1C;4316
Expires: 6/27/2011
# END KEY
 

SAINTscanner

SAINTscanner provides the ability to carry out both pre-defined and custom policy based vulnerability assessments.  It is extensible and easy to setup, especially custom policies and options.

Selecting a Policy/ Creating a Custom Scan Policy

Selecting Scan Options allows the user to select a policy to use for the vulnerability scan, each policy then can be adapted to suit, in the example the probe options can be adapted to suit and then the actual policy in this case a Heavy Vulnerability Scan has been selected.

If this does not suit a user may at this point click on Set up custom scan and a list of vulnerability checks are displayed, all currently disabled.  Each required section can be enabled as required or expanded and individual checks carried out.

Carrying Out a Scan

Step 1 Insert IP Range/ Address or Upload Target List   

Step 2 Type in credentials                                         

Step 3 Select Scan Policy Type

Step 4 Determine Firewall settings for Target

Step 5 Select Scan Now

SAINTexploit

As previously mentioned, SAINTexploit can either automate a pen test, provide the tester with the ability to select single exploits to utilise or provide a client-side attack framework with which users once enticed to visit pre-defined and built websites are automatically exploited.  Specially crafted emails can be auto-generated, a user on receipt of these mails may click the varied links and are directed to an already pre-configured exploit server.

Different levels of penetration tests can be carried out:

• Discovery - Identify hosts.

• Information Gathering - Identify hosts, probe and port scan.

• Single Penetration - Both above then exploits stopping at first successful exploit.

• Root Penetration - Exploit then Privilege escalation to admin/ root.

• Full Penetration - Exploits as many vulnerabilities as possible.

• Web Application - Attacks discovered web applications.

Conducting a test is fairly straight forward, once any prior configuration has been carried out, callback ports, timeouts etc. Just select Pen Test then go through the following 4 steps.  Once complete select run pen test now.

Step 1 Insert IP Range/ Address or Upload Target List    Step 3 Select Penetration Test Type

Step 2 Type in credentials                                          Step 4 Determine Firewall settings for Target

Post Exploitation

Once a host has been successfully exploited, navigating to the connections tab provides the ability to directly interact with the session.  SAINTexploit provides four useful tools in this tab to allow interactive access to the session and a disconnect button to close any outstanding connection:

• Command Prompt.

• File and Upload Manager.

• Screenshot Taker

• Tunnel.

Figure 1 Admin Connection to Exploited 2K3 Server.         Figure 2 File Manager on Exploited host.

Gives the ability to perform numerous actions.                Opened via the connections tab, ability to upload/ download/ rename files.

Figure 3 Command Prompt on Exploited host.                  Figure 4 Screenshot Tool against Exploited host.

Opened via the connections tab, run DOS commands.      Opened via the connections tab, grab screenshot for report etc.

Exploit Tools

In addition to the remote, local, and client exploits designed to exploit a command-execution vulnerability on a target, SAINTexploit also includes a number of additional tools.

The following exploit tools are available:

ARP Spoof Exploit Tool – Conducts a man-in-the-middle attack, after poisoning a users ARP cache.

Drive-by Download Tool – Awaits client connections, enumerating OS and installed software then generates and delivers a client-side exploit.

Click logger – This tool runs an exploit server that simply returns an error page and logs which users visited it.

Disable on-board Firewall.

Download connection – This tools allows you to download a file which, when executed, establishes a command connection.

E-mail attachment execution – This tool sends an e-mail attachment which, when executed, establishes a command connection. This tool requires a user to execute the e-mail attachment in order to succeed.

Flash drive/CD autoplay command execution – This tool allows you to create a USB flash drive which, when inserted into a Windows computer, prompts a user to run a program which creates a command connection.

Harvest e-mail addresses – Uses publicly available information such as Internet search engines, network registrars and public key servers to harvest a list of e-mail addresses for automating client type exploits.

Harvest Metadata – This tool searches the Internet for PDF and Microsoft Office files in the given domain, and extracts the metadata from those files.
 

Keystroke Logger.

Password Hash Grabber – This tool grabs the windows SAM file or password hashes of the target.

Perform DNS zone transfer.

Phishing tool – This tool serves an HTML form which collects information from users.
 

Read Outlook/ Outlook Express Address Books.

Retrieve website passwords stored by IE.

Reverse Shell Applet – Delivers a signed java applet, embedded in an HTML page, to the user who is presented with a signed digital certificate which, when accepted, establishes a reverse shell connection back to the exploit server.

Upload command to startup folder – Once uploaded a connection is established the next time the computer starts.

SAINTwriter

SAINTwriter is a component of SAINT that allows you to generate a variety of customised reports. SAINTwriter features eight pre-configured reports, eight report formats (HTML, Frameless HTML, Simple HTML, PDF, XML, text, tab-separated text, and comma-separated text), and over 100 configuration options for custom reports.

• Choose the data set or sets you wish to analyse. Normally, this will be the current data set, which is the default.
• Choose the report format.
• Click on the Continue button to create your report. You will be able to read the report at this point.
• Save the report as required.

Note:- For Trend Analysis reports only: Choose two or more data sets you wish to be included in the trend analysis.

Copies of reports are available here and here

Overall Assessment

I have used several exploit frameworks during the course of my many roles, Core Impact, CANVAS, Metasploit etc. each of which has there own unique selling points, strengths, weaknesses and foibles.  SAINT Professional ranks highly within these offerings. The combination of scanner and exploit framework is an excellent combination providing a one stop facility allowing the tester to carry out the full suite of their potential roles be they compliance, audit, vulnerability assessment or penetration test.  In essence it is extensible, highly useful, easy to learn and very adaptable with the ability to define custom vulnerability assessment policies.

Strengths:

• Integration

• Automation

• Client-side Exploitation

• Social Engineering

• Installation, auto update and support

• Reporting

Weaknesses:

• Penetration Test policy definement

• GUI (albeit cosmetic)

• Reporting

Note: - Reporting is both a strength and weakness, some of the information I felt was quite generic and not fully tailored to the scan/ test carried out however, the different levels of reporting via vulnerability, host, overview, summary etc and formats producible was excellent.

Future Versions

Version 8 of SAINT Professional should be out later this year and from early indications, a number of the points I have made (below) are already being reviewed and worked on together with some exciting enhancements.  Although I really like this product now, especially its integration, I am really looking forward to evaluating and using it in the field.

Suggestions for future versions

After carrying out a fair amount of testing with the product, a few suggestions for improvement to the user experience were identified.  These though are for the most part purely cosmetic in nature and do not detract from the excellent offering from the SAINT Corporation and are solely based on the authors personal preferences and use of the tool to perform multiple tests.

SAINTscanner has a few pre-defined policies and checks that can be enabled and customised i.e. have checks for windows machines, could this be extended to have pre-defined tests for other OS - RHEL, Solaris, Cisco that can be easily enabled.  

A few of the configuration options for example the import of SCAP files allow for manual import and update, however, after the process is complete the open window is left there requiring the user to use the x to close it, no close widget is present, a more rounded solution would to have an auto close on successful completion of the task.

SAINTexploit single penetration test seems to try all available tests against the target dependant on the identified OS and open ports.  Sometimes this may be nugatory effort and also increase the risk against the target trying an exploit against a service, albeit with the same open port that is not running.  It would be beneficial to tune the test if prior knowledge is already known about the varied applications and services the target is running, in a similar way that you can tune SAINTscanner to perform bespoke scans based on custom policies.

SAINTexploit has 4 tools available to the tester from the connections tab, command, screenshot, file manager etc, it may be prudent to enhance and populate this section further with a number of the other tools; password grab et al which would be run once a connection has been gained.  To run this and other tools a tester must navigate to the exploit tools section to execute.

The file explorer window with upload/ download and rename although functional could be enhanced with a norton commander/ explorer type window for drag and drop.

It did not seem possible to copy and paste anything from the SAINTwriter html reports to another browser window/ tab, yet the highlighted text was available directly to the terminal and also across vmware tool bridge to Windows 7 host.

Make available on the Windows platform.

Errors Encountered

During testing a couple of errors were observed in the terminal and within the web browser, these though seemed to be nothing of any major importance and the tool did not seem to display any negative side effects due to them.

SAINTscanner error, heavy scan against a Buffalo LinkStation Live 1TB MultiMedia Network Attached Storage, report generation, display and save:

** (evince:1982): WARNING **: Failed to connect to the session bus: /bin/dbus-launch terminated abnormally without any error message

SAINTexploit error, single penetration test against a Buffalo LinkStation Live 1TB MultiMedia Network Attached Storage:

sh: Syntax error: Unterminated quoted string
sh: Syntax error: Unterminated quoted string

sh: Syntax error: Unterminated quoted string

A new tab was created when the test started and an error message displayed in old tab.

'_' is unprintable in png image
'_' is unprintable in png image
'_' is unprintable in png image