This is pretty simple stuff.
In fact, most of it is really old, simple stuff.
In any event, it looks like satan is nothing more than ISS with
a motif, but I'm sure we'll all get a better feel for 'it' after
the 5th. I've already had an opportunity to tinker with the
pre-release, and I can assure you it's not as devastating as
the popular press would depict it. Can you say 'hype'?
[sorry for the lengthy quote]
> Here's a rough outline about what Satan does, for those who may be
> trying to detect this sort of stuff.
> subnet scan
> when it probes a subnet, it runs fping to see what hosts are there.
> fping sends ICMP echo request packets to a bunch o'hosts and waits
> for the replies. its faster than ping since it doesn't wait for the
> reply for one before sending the request to the next. satan calls
> this as 'fping NET.1 NET.2 NET.3 ...NET.255', so when satan probes a
> subnet you should see icmp echo requests for increasing IP
> addresses, starting at 1 (regardless of the real subnet mask, btw,
> satan assumes class c subnet masks).
> host scan
> when it probes a host, i have no idea what order it goes in. i
> don't think that its set - it might change from host to host, and it
> is fluid in that some tests don't get done on every host (eg, if it
> isn't running nfs, it won't test certain nfs things).
> minimal scan
> at the very least, when a host is being probed it will do the dns,
> rpc and showmount probes.
> the dns probe looks up the name/ip address and reads the output of
> "nslookup / set qt=any / $target". It squirrels away info like
> the mail exchange host, name servers for the domain, and HINFO
> the rpc probe does "rpcinfo -p $target" to see what rpc services
> are listed. far as i know, it just saves the data, doesn't
> immeadiately do anything on the net.
> the showmount probe does "showmount -e $target" to see what other
> hosts can mount from the target, and then runs "showmount -a
> $target" to see who has mounted what from the target.
> heavy scan
> at the highest level, it will optionally use an rusers scan (if
> rpcinfo showed that the rusers service was registered), a bootparam
> scan (if registered), finger, and a normal and heavy tcp and udp
> port scans.
> the tcp and udp scans do the following in order:
> normal tcp: 70, 80, ftp, telnet, smtp, nntp and uucp
> normal udp: 53, 177
> heavy tcp: 1-9999
> heavy udp: 1-2050,32767-33500
> the tcp scanner tries to connect to each port in turn, when it
> connects, it sends 'QUIT\r\n' and closes the connection. the udp
> scanner sends a 0 byte.
> So, when satan scans a subnet you will see ICMP echo requests to hosts
> NET.1, NET.2 through NET.255. When satan scans a host, at a bare
> minimum, you will see the "rpcinfo -p" call to the portmapper on the
> target, and the "showmount -e" and "-a" calls to the mountd on the
> You can't depend on seeing more than that, since some tests (like tcp
> and udp port scans) will only be done at high scanning levels, and
> others (like rusers and boot) will only be done if those services were
> listed with the portmapper on the target.
US Sprint tel: 703.689.6828
Managed Network Engineering internet: paul @
Reston, Virginia USA http://www.sprintmrn.com