AMAP(1)AMAP(1)NAMEamap - a powerful application mapper
SYNOPSISamap [Mode] [Options] <target> <port/portrange> [<port> ...]
DESCRIPTION
Amap is a scanning tool that allows you to identify the applications
that are running on a specific port or ports. This is achieved by con‐
necting to the port(s) and sending trigger packets. These trigger pack‐
ets will typically be an application protocol handshake. Many network
daemons will only respond to the correct handshake (i.e. SSL). Amap
then looks up the response in a list and prints out any match it finds.
Amap supports tcp and udp protocols, regular and SSL-enabled ASCII and
binary protocols and a variety of options are at your disposal to con‐
trol the behaviour of the tool. It can take an nmap machine readable
output file as its input file and can log to a file and screen.
Why use our tool? Well, when portscanning a host, you will be presented
with a list of open ports. In many cases, the port number tells you
what application is running. Port 25 is usually SMTP, port 80 mostly
HTTP. However, this is not always the case, and especially when deal‐
ing with proprietary protocols running on non-standard ports you will
not be able to determine what application is running. With amap, you
will be able to identify that SSL server running on port 3445 and some
oracle listener on port 23. Also, it will actually do an SSL connect if
you want and then try to identify the SSL-enabled protocol!
Please also see amapcrap -h for an additional tool for ports who do not
give any output.
MODESamap can be run in three different modes:
-A Map applications: send triggers and analyse responses (default).
All options can be used in this mode.
-B Just grab banners, do not send triggers. Only a few commandline
options are used from the set when run this mode. They are maked
below as "(Banner)"
-P No banner, application, stuff - be a (full connect) port scan‐
ner! Only a few commandline options are used from the set when
run this mode. They are maked below as "(Portscan)"
-W This is the Web Online Update mode. When specifying this option,
all other options except -D are ignored, and the application
fingerprints and triggers are updated from the thc.org web site.
OPTIONS
Options can also be seen by typing 'amap -h'. Here follows an explana‐
tion of all options.
HOSTS AND PORTS (all modes)
-i <file>
This makes amap read its hosts and ports from the specified
file. The file must be generated by nmap, using the -oM <file>
option of nmap. It doesn't matter if you have multiple hosts and
mixed tcp and udp ports in the file: amap reads them all.
<target> and <port/portlist>
Target can be an IP address or fully qualified host name. A port
can be any number between 1 and 65535, ranges (e.g. 1-65535) are
also supported. You can specify as many ports on the command
line as you want. Ports are by default TCP (see -u option
below).
GENERAL OPTIONS
None of these are required but some can be quite useful.
Note that all options can be used in amap's default mode (-A), the ban‐
ner grab (-B) and portscan modes (-P) support only those options which
are marked as such.
-u Ports specified on commandline are UDP (default is TCP). (Modes:
Amap, Banner, Portscan)
-6 Use IPv6, not IPv4
-1 Only send triggers to a port until 1st identification. Speeeeed!
-v Verbose. Usually not used, but gives detailed info on the screen
as to what connections are made to what ip's/ports. Don't use
twice. You will be bored to death with even more stupid uninter‐
esting information. (Modes: Amap, Banner, Portscan)
-q Quiet. Has got nothing to do with the "-v" option :-) If the -q
option is applied, all closed and timed out ports are NOT marked
as unidentified, and are not reported at all.
-d Make a hex dump of all received responses. The default is to
only print unrecognised responses.
-U Do not dump unrecognized responses. (see option above)
-b Print ACSII banners (if one is received).
-o <file>
Log the output of amap to <file>. (Modes: Amap, Banner,
Portscan)
-m <file>
Make the log file output (-o option) machine readable (colon
seperated). (Modes: Amap, Banner, Portscan)
-D <file>
Triggers and responses are read by default from appdefs.trig and
appdefs.resp. By specifying for instance '-D trojans' it will
read triggers and responses from trojans.trig and trojans.resp.
It can be very usefull if you only want to scan for certain
applications. Please take a look at the appdefs files to see
what the format of these files is (it's pretty simple, you
shouldn't have any trouble adding your own triggers and
responses, which you are encouraged to do, btw).
SCANNING OPTIONS
These options influence the behaviour of amap when scanning.
-p <proto>
This specifies a single protocol trigger to send. The name of
the protocol must match one of the first fields of the lines in
the trigger file. For instance, '-p SSL' will scan only for SSL
enabled port. However, if by chance other protocols are also
indentified, they will be printed.
-S Do NOT NOT look behind an SSL port. Otherwise amap will recon‐
nect later to identify the service running behind the ssl wrap‐
per.
-R Do NOT identify RPC service. Otherwise amap will connect many
times to identify the exact rpc service type and version. This
can be time consuming.
-c n Open 'n' parallel tasks (connections). The default is 32, the
maximum 256. (Modes: Amap, Banner, Portscan)
-C n If a TCP connect timed out (did not finnish in "-T n" time), how
often should be retried the connect? This is by default 3.
(Modes: Amap, Banner, Portscan)
-T n Causes amap to wait upto 'n' seconds for a successful TCP con‐
nect. Default is 5 seconds, but this can be too few sometimes
when scanning over a slow link, and too long on a LAN. (Modes:
Amap, Banner, Portscan)
-t n Causes amap to wait upto 'n' seconds for a response. Default is
5 seconds, but this can be too few sometimes when scanning over
a slow link, and too long on a LAN. (Modes: Amap, Banner)
-H Skip potentially harmful triggers. Some daemons and applications
will crash when receiving long or unexpected binary input. -H
skips triggers marked as potentially harmful. See appdefs.trig
for information on how to mark a trigger as harmful.
LICENSE AND USER BEWARESamap is (C) 2003 by vanHauser and DJ.RevMoon (of THC - www.thc.org)
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; Version 2. This guarantees your right to
use, modify, and redistribute amap under certain conditions.
Source is provided to this software because we believe users have a
right to know exactly what a program is going to do before they run it.
This also allows you to audit the software for security holes.
Source code also allows you to port amap to new platforms, fix bugs,
and add new features. You are highly encouraged to send your applica‐
tion triggers and responses to us. Please send triggers and responses
(either as a tcpdump file or in our own format) to amap-dev@thc.org.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MER‐
CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details (it is in the COPYING file of the amap
distribution).
It should also be noted that amap has been known to crash certain
poorly written applications, TCP/IP stacks, and even operating systems.
Amap should never be run against mission critical systems unless you
are prepared to suffer downtime. We acknowledge here that Amap may
crash your systems or networks and we disclaim all liability for any
damage or problems Amap could cause.
BUGS
There are bound to be numerous bugs in amap. Please tell us if you find
any. Please email to amap-dev@thc.org.
AMAP(1)
