Nmap Development mailing list archives

Re: Fathom 0.95 - Release for public testing


From: David Fifield <david () bamsoftware com>
Date: Mon, 28 Jun 2010 21:40:38 -0600

On Sat, Jun 26, 2010 at 03:54:28PM -0500, Tom Sellers wrote:
> I just finished polishing up some code that I have been working on and
> using for some time and thought I would share it.  It is essentially
> Ruby code that uses Kris Katterjohn's Nmap::Parser (1) to perform
> searches against Nmap XML output.  The tool, fathom, can search XML
> logs for hosts with certain port, service, operating system, NSE
> script name or NSE script output. Results can be excluded based on
> port number as well as service, product or OS string. The result is
> returned in bare (IP only), tab delimited and CSV formats.
>
> For those of you that play around with or use fathom I would greatly
> appreciate any and all feedback you feel like sending regardless of
> the topic (functionality, code quality, installation, site, etc).

At first I thought this wasn't working, because there wasn't any output.
I found out it's because the program is looking for a "logs" directory
when I expected it to look in the current directory. I made it work with
the -l option.

$ cd ~/nmap/ndiff/test-scans
$ ruby ~/fathom/fathom.rb -o bsd

$ ruby ~/fathom/fathom.rb -l . -o bsd

10.137.81.38            FreeBSD 6.2-RELEASE     03/24/09 17:34:11
10.196.172.89   utkjlegbx-701.example.com       FreeBSD 6.2-RELEASE     03/24/09 17:34:11
10.227.126.44           m0n0wall 1.3b11 - 1.3b15 FreeBSD-based firewall 03/24/09 17:34:11
10.137.81.38            FreeBSD 6.2-RELEASE     03/25/09 16:35:27
10.196.172.89   cdgzhwik-216.example.com        FreeBSD 6.2-RELEASE     03/25/09 16:35:27
10.227.126.44           m0n0wall 1.3b11 - 1.3b15 FreeBSD-based firewall 03/25/09 16:35:27
$ ruby ~/fathom/fathom.rb -p 445 -l .

10.210.225.168  mtlhxcs-302.example.com 445/tcp netbios-ssn                    03/25/09 16:35:27
$ ruby ~/fathom/fathom.rb -s ssl -l .

10.89.230.125   bthpafeg-852.example.com        8443/tcp        http    Apache SSL-only mode httpd                      03/24/09 17:34:11
10.227.126.44           80/tcp  http    Apache httpd    2.2.6   (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.5 with Suhosin-Patch    03/24/09 17:34:11
10.89.230.125   bthpafeg-852.example.com        8443/tcp        http    Apache SSL-only mode httpd                      03/25/09 16:35:27
10.227.126.44           80/tcp  http    Apache httpd    2.2.6   (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.5 with Suhosin-Patch    03/25/09 16:35:27

The order of options appears to matter. Putting -l before --metrics
works, but the other order doesn't.

$ ruby ~/fathom/fathom.rb -l . --metrics 3

The logs contain information on 120 hosts.

OS statistics:

Count  OS
   40
    6  Cisco 2821 router
    6  HP 4000M ProCurve switch (J4121A)

Port statistics:

Count  Port
   22  80/tcp
   16  21/tcp
   16  23/tcp

Service statistics:

Count  Service
   30  http
   22  tcpwrapped
   16  telnet


$ ruby ~/fathom/fathom.rb --metrics 3 -l .

The logs contain information on 0 hosts.

OS statistics:

Count  OS

Port statistics:

Count  Port

Service statistics:

Count  Service

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
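The kind of search fathom runs above (by port, service or OS string over Nmap XML), as an added example that is not fathom's or Nmap::Parser's code: a small Ruby script using only the bundled REXML library over a constructed scan fragment. It assumes the element and attribute names Nmap writes (host/address, hostnames/hostname, ports/port/state, service, os/osmatch) and returns tab-delimited rows shaped like fathom's default output; only open ports are reported, so closed or filtered ports never match a service filter.

```ruby
# Added example, not fathom's or Nmap::Parser's code: a fathom-style search
# over Nmap XML using only Ruby's bundled REXML (no Nmap::Parser gem needed).
require 'rexml/document'

# Constructed sample scan using the element/attribute names Nmap writes.
SAMPLE_XML = <<~XML
  <nmaprun><host>
    <address addr="10.137.81.38" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="Apache httpd"/></port></ports>
    <os><osmatch name="FreeBSD 6.2-RELEASE" accuracy="100"/></os>
  </host><host>
    <address addr="10.210.225.168" addrtype="ipv4"/>
    <hostnames><hostname name="mtlhxcs-302.example.com"/></hostnames>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <service name="netbios-ssn"/></port>
    <port protocol="tcp" portid="22"><state state="closed"/>
      <service name="ssh"/></port></ports>
  </host></nmaprun>
XML

# Attribute of the first element at xpath under parent, '' if absent
# (hostnames and os blocks are optional in real scans).
def attr_at(parent, xpath, attr)
  el = parent.elements[xpath]
  el ? el.attributes[attr].to_s : ''
end

# Returns [[ip, hostname, port/proto, service, os], ...]: one row per open
# port on each host satisfying every criterion given (nil = no filter).
# Service and OS filters are case-insensitive substring matches.
def search_hosts(xml, port: nil, service: nil, os: nil)
  rows = []
  REXML::Document.new(xml).elements.each('nmaprun/host') do |host|
    ip = attr_at(host, "address[@addrtype='ipv4']", 'addr')
    name = attr_at(host, 'hostnames/hostname', 'name')
    osname = attr_at(host, 'os/osmatch', 'name')
    next if os && !osname.downcase.include?(os.downcase)
    host.elements.each('ports/port') do |p|
      next unless attr_at(p, 'state', 'state') == 'open' # skip closed/filtered
      svc = attr_at(p, 'service', 'name')
      next if port && p.attributes['portid'] != port.to_s
      next if service && !svc.downcase.include?(service.downcase)
      rows << [ip, name, "#{p.attributes['portid']}/#{p.attributes['protocol']}", svc, osname]
    end
  end
  rows
end

puts search_hosts(SAMPLE_XML, port: 445).map { |r| r.join("\t") }
```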