-----------------------------------------------------------------------------
         CATTscanner v 0.61 User Documentation - Atlanta.CON Release  

                  http://www.uberhax0r.net/cattscanner/

         by Optyx <optyx@uberhax0r.net> - Uberhax0r Communications

-----------------------------------------------------------------------------

1 - Basics
  1 - What is CATTscanner?
  2 - Where can I get a copy?
  3 - Configuration

2 - Features
  1 - Portscanning
    1 - TCP (0.6)
    2 - UDP (0.6)
  2 - Reverse DNS (0.6)
  3 - Mapping
    1 - NFS (0.6)
    2 - RPC (0.6)
    3 - NBT (0.6)
  4 - Version Queries
    1 - FTP (0.6)
    2 - SMTP (0.6)
    3 - POP3 (0.6)
    4 - IMAP (0.6)    
  5 - Output
    1 - HTML (0.6)
  6 - MultiThreaded 
   
3 - Where is CATTscanner going in future versions?

4 - Closing
  1 - Comments
  2 - Lame thanks and greets

-----------------------------------------------------------------------------
1.1 - What is CATTscanner?
-----------------------------------------------------------------------------

CATTscanner, or Configurable Autonomous Threaded Topography scanner, is a 
compilation of common networking tools rewritten into one massively
configurable, massively portable, independent, fast package.  

What does this mean?

  This means that every feature implemented in CATTscanner can be turned on
or off, and almost every value can be set, from the number of threads spawned
to connection timeouts, all by running 'cattconf' or editing cattscan.conf
by hand.

  CATTscanner is also written in 100% ANSI C and uses no external libraries
(well except for libc, but all C programs do) so it will compile on most
every operating system and platform.

  CATTscanner is also multi-threaded and the number of threads it spawns
is configurable.

-----------------------------------------------------------------------------
1.2 - Where can I get a copy?
-----------------------------------------------------------------------------

The official CATTscanner distribution site is:
   http://www.uberhax0r.net/cattscanner/

-----------------------------------------------------------------------------
1.3 - Configuration
-----------------------------------------------------------------------------

Currently there are two ways to configure CATTscanner:

   Method #1:
               Run './cattconf' in the CATTscanner directory after building
               the package

   Method #2:  
               Edit the cattscan.conf (or whatever config file you want)

-----------------------------------------------------------------------------
2.1.1 - TCP (0.6)
-----------------------------------------------------------------------------

This is a basic TCP connect() port scan, whose port range can be configured
by setting the 'startport' and 'endport' lines in the config file to a
numerical value.  An added feature to this scan is service owner
identification, which can be set by setting the 'ident' value in the config
file to 1.

Note: In the future I'd like to add a random connect pattern feature to this
      portion of CATTscanner so that sequential port connections could be
      turned off.

Found in:  portscan.c
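
Seen from the defending side, this scan leaves a recognisable trace: one
source touching every port of a contiguous range within a short time, in any
order once several threads are running.  The C code below is an added
example, not part of CATTscanner or its documentation; the record layout, the
function names and the sample log are assumptions constructed for
illustration.

```c
#include <stdio.h>
#include <string.h>

struct conn { const char *src; int dport; long ts; };   /* one logged connection */
struct sweep { int distinct, lo, hi; };
/* Constructed sample log, not real traffic: 10.0.0.5 covers ports 20-27 out of
   order (as two scanner threads would); 10.0.0.9 is ordinary client traffic. */
static const struct conn SAMPLE[] = {
    {"10.0.0.9", 443, 100}, {"10.0.0.5", 21, 100}, {"10.0.0.5", 20, 100},
    {"10.0.0.5", 23, 100},  {"10.0.0.9", 80, 101}, {"10.0.0.5", 22, 101},
    {"10.0.0.5", 25, 101},  {"10.0.0.5", 24, 101}, {"10.0.0.5", 27, 102},
    {"10.0.0.5", 26, 102},  {"10.0.0.5", 21, 102}, {"10.0.0.9", 25, 160}
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Distinct ports `src` touched within `window` seconds of its first connection,
   with lowest/highest port. Assumes time-ordered records, ts >= 0, ports 0..65535. */
struct sweep port_sweep(const struct conn *log, size_t n, const char *src, long window)
{
    unsigned char seen[65536 / 8] = {0};
    struct sweep s = {0, 65536, -1};
    long first = -1;
    size_t i;

    for (i = 0; i < n; i++) {
        int p = log[i].dport;
        if (strcmp(log[i].src, src) != 0) continue;
        if (first < 0) first = log[i].ts;
        if (log[i].ts - first > window) break;
        if (seen[p >> 3] & (1 << (p & 7))) continue;   /* port already counted */
        seen[p >> 3] |= (unsigned char)(1 << (p & 7));
        s.distinct++;
        if (p < s.lo) s.lo = p;
        if (p > s.hi) s.hi = p;
    }
    return s;
}

/* Flag a source that hit at least `threshold` ports forming one gap-free range. */
int is_range_scan(const struct conn *log, size_t n, const char *src, long window, int threshold)
{
    struct sweep s = port_sweep(log, n, src, window);
    return s.distinct >= threshold && s.hi - s.lo + 1 == s.distinct;
}

int main(void)
{
    printf("10.0.0.5 flagged=%d\n", is_range_scan(SAMPLE, SAMPLE_LEN, "10.0.0.5", 10, 5));
    printf("10.0.0.9 flagged=%d\n", is_range_scan(SAMPLE, SAMPLE_LEN, "10.0.0.9", 10, 5));
    return 0;
}
```

Because the check counts distinct ports and compares them with the span of
the range, it does not depend on the order in which the ports were hit.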

-----------------------------------------------------------------------------
2.1.2 - UDP (0.6)
-----------------------------------------------------------------------------

Note: currently broke as hell

Found in:  portscan.c

-----------------------------------------------------------------------------
2.2 - Reverse DNS lookups (0.6)
-----------------------------------------------------------------------------

This feature takes the IP address and resolves it to a domain name.
Reverse DNS can be enabled by setting the 'revdns' value in the config file
to 1.

Note:  For some reason this feature causes instability in Linux builds.
       Solution:  If CATTscanner segfaults when you run it with revdns
                  enabled, disable it.

Found in:  revdns.c

-----------------------------------------------------------------------------
2.3.1 - NFS mapping (0.6)  
-----------------------------------------------------------------------------

All this does is connect to the rpc.mountd on the target host and get a list
of all of the NFS exports.  This feature can be turned on by setting the
'nfsmap' value in the config file to 1.

Found in:  nfsmap.c

-----------------------------------------------------------------------------
2.3.2 - RPC mapping (0.6)
-----------------------------------------------------------------------------

This feature connects to the rpc.portmapper on the target host and gets a 
list of all of the RPC services registered to that machine.  This feature
can be turned on by setting the 'rpcmap' value in the config file to 1.

Found in:  rpcmap.c

-----------------------------------------------------------------------------
2.3.3 - NBT mapping (0.6)
-----------------------------------------------------------------------------

This feature connects to the netbios port on the target host the same way
that 'nbtstat -a' does on a win32 computer and retrieves its host 
information and parses the information to give readable results.  This
feature can be turned on by setting the 'nbtmap' value in the config file to
1.

Found in:  nbtmap.c

-----------------------------------------------------------------------------
2.4.1 - FTP version query (0.6)
-----------------------------------------------------------------------------

This feature connects to the FTP port on the target host and reads the first
line the host sends to it, which usually (99% of the time) includes the ftpd
name and version.  This feature can be enabled by setting the 'ftpver' value
in the config file to 1.

Found in:  vercheck.c

-----------------------------------------------------------------------------
2.4.2 - SMTP version query (0.6)
-----------------------------------------------------------------------------

This feature is similar to the above feature, only it connects to the SMTP 
port.
It can be enabled by setting the 'smtpver' value to 1 in the config file.

Found in:  vercheck.c

-----------------------------------------------------------------------------
2.4.3 - POP3 version query (0.6)
-----------------------------------------------------------------------------

This feature is similar to the above feature only it connects to the pop3
port.
It can be enabled by setting the 'popver' value to 1 in the config file.

Found in:  vercheck.c

-----------------------------------------------------------------------------
2.4.4 - IMAP version query (0.6)
-----------------------------------------------------------------------------

This feature is similar to the above feature only it connects to the imap
port.
It can be enabled by setting the 'popver' value to 1 in the config file.

Found in:  vercheck.c
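
The same first line is what an administrator can check on their own servers
to see whether the greeting discloses a version.  The C code below is an
added example, not code from vercheck.c; the function name and the sample
greetings (including the host and product names in them) are constructed for
illustration, and it covers the FTP, SMTP, POP3 and IMAP greetings described
in 2.4.1 to 2.4.4.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Greeting prefixes: FTP and SMTP "220", POP3 "+OK", IMAP "* OK". */
static const char *const PREFIXES[] = { "220 ", "220-", "+OK ", "* OK " };

/* Constructed sample greetings; host and product names are made up. */
static const char *const SAMPLE[] = {
    "220 ftp.example.com FTP server (ExampleFTPd 2.3.4) ready.",
    "220 mail.example.com ESMTP ExampleMTA 8.9.3 ready",
    "+OK POP3 server ready",
    "* OK IMAP4rev1 service ready"
};

/* Copy the first version-like token (digits with at least one inner dot, such
   as "2.3.4") into out. Returns 1 if one is disclosed, 0 if none, -1 if the
   line is not a greeting. A dotted IP address in the greeting also matches. */
int banner_version(const char *line, char *out, size_t outlen)
{
    const char *p = NULL;
    size_t i, span, n;

    for (i = 0; i < sizeof PREFIXES / sizeof PREFIXES[0] && p == NULL; i++)
        if (strncmp(line, PREFIXES[i], strlen(PREFIXES[i])) == 0)
            p = line + strlen(PREFIXES[i]);      /* text after the status prefix */
    if (p == NULL) return -1;
    for (; *p; p++) {
        if (!isdigit((unsigned char)*p)) continue;
        span = strspn(p, "0123456789.");
        n = span;
        while (p[n - 1] == '.') n--;             /* drop sentence-ending dots */
        if (memchr(p, '.', n) != NULL && n < outlen) {
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p += span - 1;                           /* resume after this token */
    }
    return 0;
}

int main(void)
{
    char v[32];
    size_t i;
    for (i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        printf("%2d  %s\n", banner_version(SAMPLE[i], v, sizeof v), SAMPLE[i]);
    return 0;
}
```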

-----------------------------------------------------------------------------
2.5.1 - HTML output (0.6)
-----------------------------------------------------------------------------

This feature causes CATTscanner to output to interlinked HTML files.  The
output directory can be specified in the config file by setting the value
'datadir' to a string up to 64 characters long.

Found in:  cattscan.c

-----------------------------------------------------------------------------
2.6 - Configurably Multithreaded (0.6)
-----------------------------------------------------------------------------

By setting the 'threads' value in the configuration file to a numerical value
you can specify the number of threads CATTscanner spawns.

Found in: cattscan.c
 
-----------------------------------------------------------------------------
3 - Future features in CATTscanner
-----------------------------------------------------------------------------

What I would like to implement in later releases but currently can't due
to time constraints on the release of CATTscanner (Atlanta.CON, awww yeah):

LiveScan - Place the cattscan binary in your cgi-bin and cattscan.conf in
           your conf directory for your httpd.  Then scanning hosts as you
           click on the webpages will be available.  Only hosts specified
           in cattscan.conf will be allowed to be scanned and only hosts
           specified in the config file will be allowed to use the scanner

Diff     - This utility will tell you the difference in the network from
           the last time you scanned it.  So if any services have changed
           or any new machines popped up, it will tell you.

FTPmap   - Connects to the FTP server and recursively goes down the
           directory tree with file permissions and sizes.

SMBmap   - Connects to the netbios/samba port and gets a list of shares
           on that machine.

If anyone can think of a feature they would like CATTscanner to have, feel
free to email me at optyx@uberhax0r.net.

-----------------------------------------------------------------------------
4.1 - Comments
-----------------------------------------------------------------------------

I began writing this software because I hated how so many scanning packages
were bulky, poorly coded, and used an exorbitant amount of libraries.
My main goals were portability, autonomy, and readability of the code.

Parts of this code were excerpted from other people's previous work as
commented:

nfsmap.c - Sun Microsystems - showmount -e 
rpcmap.c - Sun Microsystems - rpcinfo -p
nbtmap.c - Microsoft and some code that Todd Sabin modified from smbclient
           and failed to comment where it got it from...  shame...

The rest of the code I did myself, and all code I borrowed, I rewrote in
ANSI C if it wasn't compliant.

-----------------------------------------------------------------------------
4.2 - Lame thanks and greets
-----------------------------------------------------------------------------

First of all, I'd like to thank DFused, Hugme, Rhia, and Drag0n for letting 
me speak at Atlanta.CON to release this package.  Next, I'd like to thank
Sir Dystic and Luminare for coming to Atlanta for this con.  
Quick greets to Freqout, Iridium, bw, Gauss, Afsy, Lizzie, js, Frank t12, 
tfish, and all the #cdc people. 
Also thanks to OverCode for helping me debug this code.

Oh, and huge thanks to kel, ced and his kids, chantal and luisa, valsmith
and his son, and the other people that donated rad artwork for the 
CATTscanner page. 
