Nmap Development mailing list archives

Re: Fathom 0.97 - Full Toolkit release, bug fixes, new features


From: Tom Sellers <nmap () fadedcode net>
Date: Tue, 23 Nov 2010 05:55:20 -0600

On 11/22/10 11:06 PM, David Fifield wrote:
> On Sun, Nov 07, 2010 at 05:31:51PM -0600, Tom Sellers wrote:
>
> <snip>
>
>> Release:     http://www.fadedcode.net/fathom/index.htm#Fathom0.97
>> Changelog:   http://www.fadedcode.net/fathom/downloads.htm#Changelog
>>
>> New functionality:
>>
>>     * Addition of scan-full.sh, scan-recon.sh and scan-noping-full.sh
>>       shell scripts. Each of these scripts performs a particular type
>>       of single target scan. They can be executed manually for a
>>       specific target, or called by the sweep scripts.
>
> Fathom is a great example of how to run Nmap scans on a recurring basis.
> I also appreciate the insight into how you do your scans.

Thanks for the compliment!


> This documentation is good (I was looking for it on the main page but
> it's on the downloads page):
>
> http://www.fadedcode.net/fathom/downloads.htm#BasicSetup

In the next release I will be improving and consolidating the documentation.
The full documentation will be on the website as well as included with the
scripts.


>>     * Addition of report.sh shell script. This script accepts an IP
>>       address as input and simply echoes the contents of that IP's
>>       .nmap file to the console if it exists. This simplifies quick
>>       lookups of data for single hosts.
>
> I like this report.sh option.

It's one of the benefits of outputting the results in all formats. ;)


>> Changes to prior functionality:
>>
>>     * fathom.rb - Added -m / --mac-address to search by MAC address or
>>       MAC vendor string. This will use results from nbstat.nse if the
>>       MAC data isn't present but nbstat data is. Thanks to Ron Bowes
>>       (www.skullsecurity.org) for this idea.
>
> This is a nice idea. This is another argument for better structured NSE
> output. Scripts should be able to represent addresses and other data
> without requiring special knowledge in tools like Fathom.

One thing that has come up out of this work and has been discussed by
a few of us in #nmap on freenode is that scripts need the ability to
set certain host values that nmap generates.  The MAC address is an
excellent example of this.  If your target is several hops away nmap
cannot figure out the MAC but there are several scripts such as nbstat.nse
and the snmp scripts that can.  If they could set these values (under
tight controls) such as the way that port version/status/service could
be set this would be very useful.  Another example of a field that
could be set this way would be the OS when nbstat.nse detects it.  I
think the major concern there would be normalization of the data.


> I was surprised at the results of this search:
>
> $ ruby fathom.rb -m ab
>
> 192.168.0.190                                            00:16:CB:AE:D4:AC Apple Computer       2010/11/22 20:35:41

I will check this out this weekend.  I have a bugfix version that I am *hopefully*
going to release by Sunday.  The bug fix deals with searching for SSL tunneled
services.  For example, https only finds services where a port was detected on
port 443 AND version detection was not performed (as it then becomes HTTP with
tunnel=ssl in the XML).  The side benefit is that now fathom has a single flag
to search for ALL services using SSL as well as a stand alone script in development
to deal with SSL services.  The dedicated SSL script will allow searching for
certs by expiration date, creation date, issuer, bit strength, etc.


>> For those of you that play around with or use Fathom I would greatly
>> appreciate any and all feedback you feel like sending regardless of
>> the topic (functionality, code quality, installation, site, etc).
>
> I expected the Ruby and shell scripts to be executable. If that's
> possible to do in a zip file it would be nice. The scripts even require
> it:
>
> # sh sweep-recon.sh
> 11/22/2010 08:49:49 PM Scanning 192.168.0.0
> sweep-recon.sh: line 18: ./scan-recon.sh: Permission denied
> 11/22/2010 08:49:49 PM Scanning 192.168.0.1
> sweep-recon.sh: line 18: ./scan-recon.sh: Permission denied
> 11/22/2010 08:49:49 PM Scanning 192.168.0.10
> sweep-recon.sh: line 18: ./scan-recon.sh: Permission denied

Thanks for the feedback on that.  I will make sure that the documentation
addresses this.  I may provide a utility to set the bits on all the
scripts as well.

Thanks tons for the feedback!

Tom Sellers
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
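The SSL-tunnel search problem discussed in the thread, as an added example that is not part of Fathom or of this message: a small Ruby search over a constructed Nmap XML fragment showing why matching the service name "https" only finds unprobed port 443, while matching `tunnel="ssl"` also catches version-detected services. The sample XML, the function names and the "tunnel=ssl or name https" rule are assumptions of this example, not Fathom's code.

```ruby
require 'rexml/document'

# Constructed sample of Nmap XML (not from a real scan). Port 443 was matched
# from nmap-services without a version probe, so it is named "https"; 8443
# and 993 were version-probed, so Nmap records http/imap with tunnel="ssl".
SAMPLE_XML = <<~XML
  <nmaprun>
    <host>
      <address addr="192.168.0.190" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="443"><state state="open"/><service name="https" method="table"/></port>
        <port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl" method="probed"/></port>
        <port protocol="tcp" portid="993"><state state="open"/><service name="imap" tunnel="ssl" method="probed"/></port>
        <port protocol="tcp" portid="80"><state state="open"/><service name="http" method="probed"/></port>
      </ports>
    </host>
  </nmaprun>
XML

# Yield [address, port number, <service> element] for every open port.
def each_open_service(xml)
  doc = REXML::Document.new(xml)
  doc.elements.each('nmaprun/host') do |host|
    addr = host.elements['address'].attributes['addr']
    host.elements.each('ports/port') do |port|
      next unless port.elements['state'].attributes['state'] == 'open'
      svc = port.elements['service']
      yield addr, port.attributes['portid'].to_i, svc if svc
    end
  end
end

# Name-only search (the behaviour the bug report describes): matches only
# ports that were never version-probed, so tunnel="ssl" services are missed.
def find_by_name(xml, name)
  hits = []
  each_open_service(xml) { |addr, port, svc| hits << [addr, port] if svc.attributes['name'] == name }
  hits
end

# Tunnel-aware search: a service is SSL-wrapped when Nmap set tunnel="ssl",
# or when an unprobed port was table-matched as "https" (assumed rule).
def find_ssl_services(xml)
  hits = []
  each_open_service(xml) do |addr, port, svc|
    ssl = svc.attributes['tunnel'] == 'ssl' || svc.attributes['name'] == 'https'
    hits << [addr, port, svc.attributes['name']] if ssl
  end
  hits
end
```

Against the sample, `find_by_name(SAMPLE_XML, 'https')` returns only port 443, while `find_ssl_services(SAMPLE_XML)` returns 443, 8443 and 993.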