by August 3, 2004 0 comments



SARA (Security Auditor’s Research Assistant) is a security analysis and reporting tool that can remotely probe most OSs and detect security vulnerabilities in them. It can scan everything from various versions of Windows (both server and desktop) to various Unix flavors, and even Mac OS X. In all cases, it looks for TCP, UDP and RPC-based services, and provides detailed and useful vulnerability reports along with solutions for fixing them. SARA can also work with popular community products, such as Nmap, and provide accurate information to the administrator about vulnerable machines. You can even use it to test systems sitting behind a firewall.

Direct
Hit!
Applies to: System administrators
USP: Can scan most OSs, which include various server and desktop versions of Windows, various Unixes and even MacOS
Links:
www-arc.com/sara/
 
On PCQ Xtreme DVD: Unlimited OSs/sara

Installing SARA is simple, though it can run only on Unix-based platforms. We ran it on a ‘Full Install’ of PCQ Linux 2004. When installing on Linux, make sure you’re logged in as root. Copy sara-5.0.5b.tgz.tar file from this month’s CD to the /root folder. Now open a terminal window and fire the following commands.

# cd 
# tar -zxvf sara-5.0.5b.tgz
# cd sara-5.0.5b
# ./configure 
# make 
#./reconfig 

You can run the program by typing ./sara in the terminal window. If everything goes smoothly, then the program will launch itself in the default Web browser of the Linux machine. From here, you can define the target you want to scan, which could be a single host, subnet or a complete IP range. You can also choose from seven levels of scanning-from light, normal, heavy and extreme to the three custom-definable ones. The light-scanning level only collects basic data about the RPC services from a DNS server. The heavy scanning probes for services such as telnet, FTP and SMTP. The extreme-scanning level even tells you whether a machine has the latest updates and patches installed.

You can access SARA through a Web browser, meaning you can scan hosts from anywhere on the network

You can define whether the host is behind a firewall or not, which can be useful to check how well your firewalls are protecting your machines. The scanning time depends upon the level you’ve chosen, and the results are presented in the same browser window. These, however, are difficult to understand, for which SARA gives you the option to create a neat report of the scan. For this, click on the Data Analysis hyperlink. That will open the vulnerability section, which lets you create reports of vulnerabilities by approximate danger level, type of vulnerability and vulnerability count. There’s a Report Writer link at the bottom of this page that generates the complete HTML report. This is color coded, showing the biggest vulnerabilities in red and moderate ones in yellow. It even gives suggestions on how to fix these vulnerabilities and, wherever possible, provides links to URLs from where you can download the fixes. 

Running SARA remotely
The above method lets you run SARA from the Linux machine where you have installed it. However, since you can access SARA through a Web browser, you would ideally want to be able to run it remotely. This is also possible, but requires you to change a few settings. First of all, from sara.5.0.5b/config folder, open the sara.cf file using a text editor and change the following settings.

$allow_scan = 1;
$allowable_hosts = “192.168.0.*” 

The first option allows remote users to initiate scanning. The second option is where you define who all can use SARA remotely. In this, you can allow machines from a complete IP subnet or specific IP addresses to access SARA remotely. For security reasons, you should allow access only to specific IP addresses instead of the entire subnet. Specific IP addresses need to be separated by commas. 

Next, you can also define specific user accounts that will be able to access SARA remotely. For this, simply give the ‘./add_user’ command from a terminal and provide a username and password. 

Finally, you need to configure the DNS settings on your Linux server. Issue the ‘redhat-config-network’ command from the terminal window. This will open a GUI network configuration tool. Here, select the DNS tab and set the ‘Hostname’ to sara (or any desired name you want). Then, select the Host tab and click on New. This will open a dialog box, where you’ll need to add the IP address of your Linux machine in the ‘address’ field, and set ‘Hostname’ and ‘Alias’ fields to sara. Save the configuration and close the tool. 

SARA gives a fine break-up of vulnerabilities it discovers on a particular host

If the same Linux server is being used as the local DNS server by all your clients, then there are no problems. However, if the clients use a separate DNS server, then you’ll need to ensure that the entries you made above are also replicated on that DNS server. Alternatively, if you want to access SARA only from specific machines, then you can make this change in the ‘hosts’ file of that machine.

Finally, you’ll need to run SARA in daemon mode by giving the ./sara —D command from a terminal window. Once it’s up and running, just go to a remote client, fire up a Web browser and type the IP address or hostname with port number 666. You should get a pop-up window to provide a username and password. You can see the status of all activities of the remote client from the Linux machine that’s running SARA. This will show you which machine is accessing it remotely and whether it’s running a remote scan. 

There are also several other useful switches that you can use with the SARA command. These include the following. 

# ./sara —n SARA uses Nmap to pull out accurate data from the target
# ./sara —p To reduce packet density, which is useful on slow or busy networks
# ./sara —u To specify that SARA is being run from an un-trusted host
# /sara —f To run SARA on firewalled networks

Anindya Roy and Sanjay Majumder

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<