I wrote some extensions to SATAN while I was part of the COAST lab at
Purdue. Some of the probes were written in Expect. One of the reasons
in writing them was to demonstrate the ease at which new probes can be
added to SATAN. The reasons for using Expect are as you mentioned. It is
quick and easy to develop powerful scripts. The Expect probes I wrote
just used the telnet command to connect and interact with remote network
daemons (telnetd, popd, and sendmail). As your scripts show, it takes
very few lines of Expect to build a fairly effective scanner. I am
surprised that there haven't been more Expect-based tools such as these
written.
If anyone is interesting in examining other Expect-based security
scanners or would like some extensions to SATAN, the stuff I wrote is
available at:
ftp://coast.cs.purdue.edu/pub/COAST/tools/SATAN_Extensions.tar.Z*
This package was never really advertised, so not many people are using
it. I haven't touched it since it was released in December 1995. I
still might be able to answer any questions about them.
Keith