LinuxCommandLibrary

amap

Identify applications and services on network ports

SYNOPSIS

amap [-1BbuSsvq] [-m num] [-d num] [-p proto] [-t T] [-T num] [-o output] [-A] [-n] host port [port port ...]

PARAMETERS

-1
    One-shot scan mode (quick probe)

-B
    Grab and display service banner

-b
    Grab and interpret banner

-u
    Scan using UDP protocol

-S
    Attempt SSL/TLS connection

-s
    TCP SYN scan (requires root)

-v
    Verbose output

-q
    Quiet mode (no progress info)

-m num
    Minimum match percentage (default 80)

-d num
    Debug level (0-3)

-p proto
    Force protocol (tcp/udp)

-t T
    Timeout in seconds per probe

-T num
    Number of scan threads

-o output
    Output file (stdout default)

-A
    Append to output file

-n
    Display numeric IP addresses

DESCRIPTION

amap is a powerful application-layer fingerprinting tool designed to identify services and applications running on specific network ports, even on non-standard ones. Unlike traditional port scanners like nmap, which rely primarily on port numbers and banner grabbing, amap uses a database of application-specific probes to actively interrogate services with custom payloads, heuristics, and response matching. This makes it highly effective for stealthy reconnaissance in penetration testing and security audits.

It supports both TCP and UDP protocols, with options for SYN scanning, banner grabbing, SSL/TLS probing, and multi-threading for speed. Users define probe signatures in XML-like files (app defs), allowing extensibility for new applications. Matches are scored by percentage confidence, helping distinguish similar services.

Common use cases include mapping internal networks, evading firewalls, and verifying service versions. However, it requires root privileges for raw socket operations and can generate significant traffic. Output is human-readable or parseable, with options for file logging.
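The response-matching idea described above, as an added example that is not amap's code or its shipped definitions: constructed responses are matched against a small, hypothetical signature table, and ports whose observed service differs from the port-number convention are flagged. The names SIGNATURES, WELL_KNOWN, fingerprint and audit, and all sample data, are assumptions made for this illustration.

```python
import re
from typing import NamedTuple

class Signature(NamedTuple):
    name: str
    proto: str            # "tcp" or "udp"
    min_len: int          # shortest response that can match
    pattern: re.Pattern   # applied to the raw response bytes

# Constructed signatures for illustration; not amap's shipped definitions.
SIGNATURES = [
    Signature("ssh", "tcp", 8, re.compile(rb"^SSH-\d\.\d+-")),
    Signature("http", "tcp", 12, re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    Signature("smtp", "tcp", 4, re.compile(rb"^220[ -].*(SMTP|ESMTP)", re.S)),
    Signature("ftp", "tcp", 4, re.compile(rb"^220[ -].*FTP", re.S)),
]

# What an inventory based only on port numbers would assume.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http"}

def fingerprint(response: bytes, proto: str = "tcp") -> list[str]:
    """Return every signature name whose pattern matches the response."""
    return [s.name for s in SIGNATURES
            if s.proto == proto and len(response) >= s.min_len
            and s.pattern.search(response)]

def audit(observations):
    """Flag ports where the observed service differs from the port convention."""
    findings = []
    for port, proto, response in observations:
        matched = fingerprint(response, proto)
        expected = WELL_KNOWN.get(port)
        if not matched:
            findings.append((port, "unidentified", expected))
        elif expected not in matched:
            findings.append((port, "/".join(matched), expected))
    return findings

# Constructed responses, as if recorded during a service inventory.
SAMPLE = [
    (22, "tcp", b"SSH-2.0-OpenSSH_9.6\r\n"),
    (2222, "tcp", b"HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n"),
    (80, "tcp", b"SSH-2.0-dropbear\r\n"),
    (25, "tcp", b"220 mail.example.test ESMTP ready\r\n"),
    (9000, "tcp", b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for port, seen, expected in audit(SAMPLE):
        print(f"port {port}: saw {seen}, port convention says {expected}")
```

A response that matches more than one signature is reported with all candidate names, which is the ambiguity a confidence threshold is meant to resolve.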

CAVEATS

Requires root for raw sockets (SYN/UDP). Generates detectable traffic. App definitions must be kept current. Not in standard distro repos (use the THC-Amap package). UDP scans are unreliable through firewalls.

APP DEFINITIONS

Probe signatures are stored in /usr/share/amap/appdefs/. Custom definitions are added as .def files containing probe/response patterns.

EXAMPLE USAGE

    amap -b -p tcp 192.168.1.1 80 443

or, for DNS/UDP:

    amap -u -S target.com 53

HISTORY

Developed by THC (The Hacker's Choice) around 2002 as an advanced alternative to nmap service detection. Maintained sporadically; the last major updates were in the early 2010s. Included in some Kali Linux releases for pentesting.

SEE ALSO

nmap(1), netcat(1), hping3(8)
