amap

amap [options] target

-h
    Help: Display this help text.

-b
    Banner grabbing mode.

-i file
    Read targets from file.

-t timeout
    Connection timeout in seconds.

-q
    Quiet mode. Only display identified applications.

-v
    Verbose mode. Show all probes and responses.

-d
    Debug mode. Shows more detailed information.

-m
    Try all prober modules on each target port.

-g
    Try all SSL/TLS probes.

-H
    Hostname to send.

-P protocol
    use only certain protocol. TCP or UDP

target
    The target host or network. Can be a hostname, IP address, or network range.

amap is a powerful tool used for identifying network applications and services running on a target host. It goes beyond simple port scanning by actively probing identified ports with various protocol-specific requests to determine the application actually listening. This "application mapping" is crucial for accurate security assessments, penetration testing, and general network reconnaissance. Unlike tools that rely solely on port numbers or banners, amap attempts to determine the application by analyzing its responses to carefully crafted probes. It uses a database of known signatures to identify the service.
amap is highly configurable, allowing you to specify the target host, port ranges, probing techniques, and the level of verbosity. It can also be used to identify SSL/TLS enabled services. The results provide more reliable application identification than passive methods.

amap can be noisy and potentially trigger intrusion detection systems. It is crucial to use it responsibly and with proper authorization. Accuracy depends on the quality of its signature database. Some applications may be misidentified or remain unidentified. The active probing can potentially destabilize poorly written services.

The target can be a single hostname or IP address, or a network range specified in CIDR notation (e.g., 192.168.1.0/24). Multiple targets can be specified in a file using the -i option, one target per line.

amap was developed to provide a more accurate application identification tool than relying solely on port numbers or banner grabbing. It improves by actively attempting to identify the listening service using protocol specific interactions. It has been used widely in penetration testing and security audits since its initial release. It has been improved with new signatures and probes for many different applications

nmap(1), netcat(1)