a powerful application mapper
amap [Mode] [Options]
Amap is a scanning tool that allows you to identify the applications that are running on a specific port or ports. This is achieved by con‐ necting to the port(s) and sending trigger packets. These trigger pack‐ ets will typically be an application protocol handshake. Many network daemons will only respond to the correct handshake (i.e. SSL). Amap then looks up the response in a list and prints out any match it finds. Amap supports tcp and udp protocols, regular and SSL-enabled ASCII and binary protocols and a variety of options are at your disposal to con‐ trol the behaviour of the tool. It can take an nmap machine readable output file as its input file and can log to a file and screen. Why use our tool? Well, when portscanning a host, you will be presented with a list of open ports. In many cases, the port number tells you what application is running. Port 25 is usually SMTP, port 80 mostly HTTP. However, this is not always the case, and especially when deal‐ ing with proprietary protocols running on non-standard ports you will not be able to determine what application is running. With amap, you will be able to identify that SSL server running on port 3445 and some oracle listener on port 23. Also, it will actually do an SSL connect if you want and then try to identify the SSL-enabled protocol! Please also see amapcrap -h for an additional tool for ports who do not give any output.
amap can be run in three different modes: -A Map applications: send triggers and analyse responses (default). All options can be used in this mode. -B Just grab banners, do not send triggers. Only a few commandline options are used from the set when run this mode. They are maked below as "(Banner)" -P No banner, application, stuff - be a (full connect) port scan‐ ner! Only a few commandline options are used from the set when run this mode. They are maked below as "(Portscan)" -W This is the Web Online Update mode. When specifying this option, all other options except -D are ignored, and the application fingerprints and triggers are updated from the thc.org web site.
Options can also be seen by typing 'amap -h'. Here follows an explana‐
tion of all options.
HOSTS AND PORTS (all modes)
amap is (C) 2003 by vanHauser and DJ.RevMoon (of THC - www.thc.org) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2. This guarantees your right to use, modify, and redistribute amap under certain conditions. Source is provided to this software because we believe users have a right to know exactly what a program is going to do before they run it. This also allows you to audit the software for security holes. Source code also allows you to port amap to new platforms, fix bugs, and add new features. You are highly encouraged to send your applica‐ tion triggers and responses to us. Please send triggers and responses (either as a tcpdump file or in our own format) to email@example.com. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MER‐ CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details (it is in the COPYING file of the amap distribution). It should also be noted that amap has been known to crash certain poorly written applications, TCP/IP stacks, and even operating systems. Amap should never be run against mission critical systems unless you are prepared to suffer downtime. We acknowledge here that Amap may crash your systems or networks and we disclaim all liability for any damage or problems Amap could cause.
There are bound to be numerous bugs in amap. Please tell us if you find any. Please email to firstname.lastname@example.org. AMAP(1)