SAINT - Secuirty Administrator's Integrated Network Tool

Saint is a network vulnerability scanner derived from Satan. It can be used as either a command line tool, or with a point and click GUI via a web browser. It requires perl5, and to work fully, also requires nmap, samba, and a web browser. It runs on most UNIX systems, including Linux, FreeBSD, and Solaris. It's available from: http://www.wwdsi.com/saint/

The targets of the scan can be either a range of IP addresses or a subnet. After a scan is complete, various reports are generated in HTML. These list the vulnerabilities each of the targets are suspected of having, as well as the results of a port scan. Included are links to descriptions of the vulnerabilities, and instructions on how to fix them. Saint can run at four different intensity levels, from a light scan to a very heavy scan. At the heaviest level, Saint may cause certain OSes, such as NT, to crash.

The way Saint tests for a vulnerability depends on what the vulnerability is, but Saint never acutally exploits a hole to test for it. As a result, Saint will sometimes report that a vulnerability may be present, even though it may not be. This is especially true when Saint says that a program may be vulnerable based on it's version, but that program has already been patched. It scans for these 23 of NASA's top 50 vulnerabilities:

Back Orifice
NetBus
defrexec
deftel
Aglimpse
Campas
CGI Textcounter
PHPBufferOverflow
vulnphf
tftp
popimap
rexd
rpcstatd
ToolTalkOverflow
Writable NetBIOS
CgiPerlMailPrograms
ColdFusionEvaluator
Handler Check
httpd
IIS RDS
Uploader
Webdist
xcheck

Pros

• Web-based interface makes it easy to use.
• Generates easy to read vulnerability reports, including instructions on how to fix them.
• Scans for lots of vulnerabilities.

Cons

• If the tools it relies on aren't already installed, it can possibly take some time and effort to set it up.

Rating: Recommended. It finds lots of vulnerabilities, and is easy to use.

Axes

• Static vs Dynamic: Dynamic, because Saint is used to check the status of a running machine.
• Library vs Instrumenting: Saint falls under Library, since it doesn't change any code.
• Testing vs Production: I'll file Saint under Production since it's most often used to look for vulnerability on a production system, but it could just as easily be used to test a new system configuration before the system is put into production.
• Opaque vs Clear vs Cloudy: Saint is Opaque, since it only sees the parts of the system accessible from the network.
• List vs Heuristic: Saint falls under List, since it checks for vulnerabilities listed in its database.
• Conservative vs Liberal: Since Saint never exercises a vulnerability, it sometimes reports false positives, so it falls under Conservative.
• Concurrent vs Single: Saint falls under Concurrent.
• Saint falls under Advice, since it gives detailed information about each vulnerability that it finds.