LinuxCommandLibrary

amap

Identify applications and services on network ports

SYNOPSIS

amap [options] <target> <port(s)/portrange>
amap [options] -i <inputfile>

Examples:
amap 192.168.1.1 80 443 21-23
amap -u -p 10.0.0.5 53
amap -i hosts_and_ports.txt -o results.amap

PARAMETERS


<target>
    The IP address or hostname of the target machine to scan.


<port(s)/portrange>
    A single port, a comma-separated list of ports, or a port range (e.g., 21-23, 80, 443) to scan on the target.

-i
    Reads target hosts and ports from the specified input file. The file should list 'host port' pairs per line.

-o
    Writes scan results to the specified output file.

-u
    Performs a UDP scan instead of the default TCP scan.

-s
    Enables slow scan mode, which tries more probes and waits longer for responses for potentially more accurate results.

-b
    Performs banner grabbing only, without applying full protocol analysis. Useful for quick initial checks.

-P
    Do not ping hosts before scanning. Useful if ping is blocked or not desired.

-A
    Do not print application data in the output, only the identified protocol.

-B
    Always print banner grabs for identified services.

-V
    Increases verbosity level for more detailed output.

-C
    Do not connect to ports, only use banner grabbing if the connection is already established (e.g., via -l).

-H
    Do not resolve hostnames (no DNS lookups) for targets.

-t
    Sets the TCP connection timeout in milliseconds. Default is usually 5000ms.

-c
    Sets the maximum number of concurrent connections or probes. Default is often 64.

-q
    Suppresses error messages and non-critical output.

-v
    Prints the amap version information.

-h
    Displays the help message with available options.

DESCRIPTION

amap (Asynchronous MApPer) is a network scanning tool that identifies the application-layer protocols running on specified ports, even when they are non-standard or encapsulated. Unlike traditional port scanners that simply report an open port, amap sends a series of application-layer trigger packets (probes) and analyzes the responses. This lets it fingerprint the specific service, such as HTTP, SSH, FTP, or even unknown custom protocols, regardless of the port number it is listening on.

This capability makes amap useful to security auditors, penetration testers, and system administrators who need a precise understanding of the services exposed on a network, especially when dealing with non-standard configurations or obfuscated services. It can handle both TCP and UDP services and includes support for SSL/TLS-encrypted protocols. amap offers various scanning modes, from quick default scans to more exhaustive 'slow' scans that try more aggressive probes.

CAVEATS

amap can generate a significant amount of network traffic and may be slower than basic port scanners due to its in-depth probing. While effective, its accuracy depends on its internal signature database and the service's adherence to known protocols. It is important to note that using amap against systems without explicit permission is generally considered unethical and potentially illegal. Always ensure you have proper authorization before performing any network scanning.

SIGNATURE DATABASE

amap relies on an internal signature database to identify protocols. This database contains patterns of expected responses for various services. The approach is powerful, but it means that very new or highly custom protocols might not be identified without external definition files or manual analysis.

USAGE IN SECURITY AUDITS

Due to its ability to identify actual services regardless of port, amap is crucial in security audits for discovering hidden or unexpected services that could pose security risks. It helps in mapping the true attack surface of a network.
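The response-matching idea from SIGNATURE DATABASE and the audit use described above, as an added example that is not amap's code, database, or file format. The signatures, inventory, and responses are constructed for illustration; it classifies already-captured responses offline and flags services that differ from an assumed asset inventory.

```python
import re

# Constructed response signatures (assumption: illustrative patterns only,
# not taken from amap's signature database).
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d+-")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3} ")),
    ("ftp",  re.compile(rb"^220[ -].*ftp", re.I | re.S)),
    ("smtp", re.compile(rb"^220[ -].*smtp", re.I | re.S)),
]

# Hypothetical asset inventory: what each (host, port) is supposed to run.
INVENTORY = {
    ("192.0.2.10", 22): "ssh",
    ("192.0.2.10", 8080): "http",
    ("192.0.2.11", 80): "http",
}

def identify(response):
    """Return every signature name whose pattern matches the response bytes."""
    return [name for name, pattern in SIGNATURES if pattern.search(response)]

def audit(observations):
    """Classify (host, port, response) tuples against the inventory."""
    findings = []
    for host, port, response in observations:
        matches = identify(response)
        if not matches:
            status = "unidentified"   # no signature: needs manual analysis
        elif INVENTORY.get((host, port)) in matches:
            status = "expected"
        else:
            status = "unexpected"     # wrong service, or port not in inventory
        findings.append((host, port, matches, status))
    return findings

# Constructed sample responses (documentation address range, not real hosts).
SAMPLE = [
    ("192.0.2.10", 22,   b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("192.0.2.10", 8080, b"SSH-2.0-OpenSSH_9.6\r\n"),   # SSH on an HTTP port
    ("192.0.2.11", 80,   b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    ("192.0.2.12", 2121, b"220 ProFTPD Server (ftp.example.test)\r\n"),
    ("192.0.2.13", 9000, b"\x01\x00\x07custom"),        # custom protocol
]

if __name__ == "__main__":
    for host, port, matches, status in audit(SAMPLE):
        print(f"{host}:{port} {','.join(matches) or '-'} {status}")
```

The "unidentified" result on the last sample is the limitation noted under SIGNATURE DATABASE: a response with no matching pattern cannot be named and has to be analyzed by hand.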

HISTORY

amap was developed by Gordon Lyon (Fyodor), creator of the widely popular Nmap security scanner. It emerged as a complementary tool to Nmap, specifically addressing the challenge of accurate application protocol identification on non-standard ports. While Nmap's service detection is robust, amap was designed to be more aggressive and focused on identifying services even when they try to masquerade or use unusual port assignments. It is often used in conjunction with Nmap in advanced penetration testing and network auditing scenarios.

SEE ALSO

nmap(1), netcat(1), ss(8), lsof(8), fping(8)
