Manual Page - amap(1)
Manual Reference Pages - AMAP (1)
NAME
amap - a powerful application mapper
CONTENTS
Synopsis
Description
Modes
Options
License And User Bewares
Bugs
SYNOPSIS
amap [Mode] [Options] <target> <port/portrange> [<port> ...]
DESCRIPTION
Amap is a scanning tool that allows you to identify the applications that are
running on a specific port or ports. This is achieved by connecting to the
port(s) and sending trigger packets. These trigger packets will typically be
an application protocol handshake. Many network daemons will only respond to
the correct handshake (i.e. SSL). Amap then looks up the response in a list
and prints out any match it finds.
Amap supports tcp and udp protocols, regular and SSL-enabled ASCII and binary
protocols and a variety of options are at your disposal to control the
behaviour of the tool. It can take an nmap machine readable output file
as its input file and can log to a file and screen.
Why use our tool? Well, when portscanning a host, you will be presented with a
list of open ports. In many cases, the port number tells you what
application is running. Port 25 is usually SMTP, port 80 mostly HTTP.
However, this is not always the case, and especially when dealing with
proprietary protocols running on non-standard ports you will not be
able to determine what application is running. With amap, you will be able
to identify that SSL server running on port 3445 and some oracle listener on
port 23. Also, it will actually do an SSL connect if you want and then
try to identify the SSL-enabled protocol!
Please also see
amapcrap -h for an additional tool for ports who do not give any output.
MODES
amap can be run in three different modes:
|
|
|
-A |
Map applications: send triggers and analyse responses (default). All options
can be used in this mode.
|
|
-B |
Just grab banners, do not send triggers. Only a few commandline options are
used from the set when run this mode. They are maked below as "(Banner)"
|
|
-P |
No banner, application, stuff - be a (full connect) port scanner! Only a few
commandline options are
used from the set when run this mode. They are maked below as "(Portscan)"
|
|
-W |
This is the Web Online Update mode. When specifying this option, all other
options except -D are ignored, and the application fingerprints and triggers
are updated from the thc.org web site.
|
|
OPTIONS
Options can also be seen by typing ’amap -h’. Here follows an explanation of
all options.
|
|
HOSTS AND PORTS (all modes)
-i <file> |
| |
This makes amap read its hosts and ports from the specified file. The file
must be
Generated by nmap, using the -oM <file> option of nmap. It doesn’t
matter if you have multiple hosts and mixed tcp and udp ports in the file:
amap reads them all.
|
|
lt;target> and <port/portlist> |
| |
Target can be an IP address or fully qualified host name. A port can be any
number between 1 and 65535, ranges (e.g. 1-65535) are also supported.
You can specify as many ports on the command
line as you want. Ports are by default TCP (see -u option below).
|
GENERAL OPTIONS
None of these are required but some can be quite useful.
Note that all options can be used in amap’s default mode (-A), the banner grab (-B) and portscan modes (-) support only those options which are marked as such.
-u |
| |
Ports specified on commandline are UDP (default is TCP). (Modes: Amap, Banner,
Portscan)
|
|
-6 |
Use IPv6, not IPv4
|
|
-1 |
Only send triggers to a port until 1st identification. Speeeeed!
|
|
-v |
Verbose. Usually not used, but gives detailed info on the screen as to what
connections are made to what ip’s/ports. Don’t use twice. You will be bored
to death with even more stupid uninteresting information. (Modes: Amap,
Banner, Portscan)
|
|
-q |
Quiet. Has got nothing to do with the "-v" option :-)
If the -q option is applied, all closed and timed out ports are NOT marked
as unidentified, and are not reported at all.
|
|
-d |
Make a hex dump of all received responses. The default is to only print
unrecognised responses.
|
|
-U |
Do not dump unrecognized responses. (see option above)
|
|
-b |
Print ACSII banners (if one is received).
|
|
-o <file> |
| |
Log the output of amap to <file>. (Modes: Amap, Banner, Portscan)
|
|
-m <file> |
| |
Make the log file output (-o option) machine readable (colon seperated).
(Modes: Amap, Banner, Portscan)
|
|
-D <file> |
| |
Triggers and responses are read by default from appdefs.trig and
appdefs.resp. By specifying for instance ’-D trojans’ it will read triggers
and responses from trojans.trig and trojans.resp. It can be very usefull if
you only want to scan for certain applications. Please take a look at the
appdefs files to see what the format of these files is (it’s pretty simple,
you shouldn’t have any trouble adding your own triggers and responses, which
you are encouraged to do, btw).
|
|
SCANNING OPTIONS |
| |
These options influence the behaviour of amap when scanning.
|
|
-p <proto> |
| |
This specifies a single protocol trigger to send. The name of the protocol must
match one of the first fields of the lines in the trigger file. For
instance, ’-p SSL’ will scan only for SSL enabled port. However, if by
chance other protocols are also indentified, they will be printed.
|
|
-S |
Do NOT NOT look behind an SSL port. Otherwise amap will reconnect later to
identify the service running behind the ssl wrapper.
|
|
-R |
Do NOT identify RPC service. Otherwise amap will connect many times to
identify the exact rpc service type and version. This can be time consuming.
|
|
-c n |
Open ’n’ parallel tasks (connections). The default is 32, the maximum 256.
(Modes: Amap, Banner, Portscan)
|
|
-C n |
If a TCP connect timed out (did not finnish in "-T n" time), how often
should be retried the connect? This is by default 3.
(Modes: Amap, Banner, Portscan)
|
|
-T n |
Causes amap to wait upto ’n’ seconds for a successful TCP connect. Default is 5 seconds, but
this can be too few sometimes when scanning over a slow link, and too long
on a LAN. (Modes: Amap, Banner, Portscan)
|
|
-t n |
Causes amap to wait upto ’n’ seconds for a response. Default is 5 seconds, but
this can be too few sometimes when scanning over a slow link, and too long
on a LAN. (Modes: Amap, Banner)
|
|
-H |
Skip potentially harmful triggers. Some daemons and applications will crash
when receiving long or unexpected binary input. -H skips triggers marked as
potentially harmful. See appdefs.trig for information on how to mark a
trigger as harmful.
|
|
LICENSE AND USER BEWARES
amap is (C) 2003 by vanHauser and DJ.RevMoon (of THC - www.thc.org)
This program is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation;
Version 2. This guarantees your right to use, modify, and
redistribute amap under certain conditions.
Source is provided to this software because we believe users
have a right to know exactly what a program is going to do
before they run it. This also allows you to audit the
software for security holes.
Source code also allows you to port amap to new platforms,
fix bugs, and add new features. You are highly encouraged
to send your application triggers and responses to us. Please send triggers
and responses (either as a tcpdump file or in our own format) to
amap-dev@thc.org.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details (it is in the COPYING file of
the
amap distribution).
It should also be noted that amap has been known to crash
certain poorly written applications, TCP/IP stacks, and even
operating systems.
Amap should never be run against mission critical systems unless you are prepared to suffer downtime. We acknowledge
here that Amap may crash your systems or networks and we
disclaim all liability for any damage or problems Amap could
cause.
BUGS
There are bound to be numerous bugs in amap. Please tell us if you find any.
Please email to amap-dev@thc.org.
Top of page |
Generated by manServer 1.07 from /usr/local/man/man1/amap.1 using man macros.
Printable version of this article
