From aldeid
You might also see: Nmap


THC AMAP is a scanner that identifies (fingerprints) the applications/services running on a remote machine. Its database is not as complete as Nmap's, but the results sometimes differ. The tool can be used to confirm or complete an Nmap analysis.


$ cd /data/src/
$ wget
$ tar xzvf amap-5.2.tar.gz
$ cd amap-5.2/

At this stage, it is necessary to apply the following patch:

$ wget
$ patch -p0 < amap.h.patch
This patch updates the URL in amap.h that is used by the updater. Unless you apply it, you won't be able to use the online updater: the URL is incorrect (it redirects) and the updater is unable to complete its process.
$ ./configure
$ make
$ sudo make install
make install may output an error related to the creation of a symbolic link. However, this does not block the installation.


Basic syntax

$ amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec]
       [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]


-A
Map applications: send triggers and analyse responses (default)
-B
Just grab banners, do not send triggers
-P
No banner or application stuff - be a (full connect) port scanner
-W
Web Update - online update the application fingerprint database!
If you haven't applied the patch (see the installation section), you won't be able to use the updater since the URL has not been updated.
Note that the updater needs root privileges since amap is installed in /usr/local/bin. Try sudo amap -W.

General Options

-1
Only send triggers to a port until 1st identification. Speeeeed!
-6
Use IPv6 instead of IPv4
-b
Print ascii banner of responses
-i <file>
Nmap machine readable outputfile to read ports from
-u
Ports specified on commandline are UDP (default is TCP)
-U
Do NOT dump unrecognised responses (better for scripting)
-d
Dump all responses
-v
Verbose mode, use twice (or more!) for debug (not recommended :-)
-q
Do not report closed ports, and do not print them as unidentified
-o FILE [-m]
Write output to file FILE
-m creates machine readable output

Scanning Options

-p <proto>
Only send triggers for this protocol (e.g. ftp)
-R
Do NOT identify RPC / SSL services
-c <connections>
Amount of parallel connections to make (default 32, max 256)
-C <retries>
Number of reconnects on connect timeouts (see -T) (default 3)
-T <sec>
Connect timeout on connection attempts in seconds (default 5)
-t <sec>
Response wait timeout in seconds (default 5)
-H
Do NOT send application triggers marked as potentially harmful


$ amap -bqv 22
Using trigger file ./appdefs.trig ... loaded 30 triggers
Using response file ./appdefs.resp ... loaded 346 responses
Using trigger file ./appdefs.rpc ... loaded 450 triggers

amap v5.2 ( started at 2010-12-06 06:52:35 - MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on (by trigger http) matches ssh - banner: SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n
Protocol on (by trigger http) matches ssh-openssh - banner: SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n

amap v5.2 finished at 2010-12-06 06:52:41
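As an added example (not part of the aldeid page or of the THC AMAP project), the following Python script parses mapping-mode lines like the ones above and checks them against a service inventory produced by an earlier Nmap scan, which is how "confirm or complete an Nmap analysis" plays out in practice. It assumes the host:port/proto field that amap prints on each match line (stripped from the excerpt above); the address 192.0.2.10, the inventory and the 8443 and 80 lines are constructed.

```python
import re
from collections import defaultdict

# One line per trigger/response match. The host:port/proto field is part of real
# amap output (it was stripped from the page's excerpt) and is assumed here.
MATCH_RE = re.compile(
    r"^Protocol on (?P<host>[^:\s]+):(?P<port>\d+)/(?P<proto>tcp|udp) "
    r"\(by trigger (?P<trigger>\S+)\) matches (?P<app>\S+)"
    r"(?: - banner: (?P<banner>.*))?$"
)

def parse_amap(text):
    """Map (host, port, proto) -> {"apps": set, "banners": set} from amap -A/-b output."""
    results = defaultdict(lambda: {"apps": set(), "banners": set()})
    for line in text.splitlines():
        m = MATCH_RE.match(line.strip())  # header, progress and "finished" lines do not match
        if m:
            key = (m["host"], int(m["port"]), m["proto"])
            results[key]["apps"].add(m["app"])
            if m["banner"]:
                results[key]["banners"].add(m["banner"])
    return dict(results)

def compare_with_inventory(amap_results, inventory):
    """Classify amap findings against {endpoint: expected_service} (e.g. from Nmap):
    confirmed (exact or more specific "name-variant" match), differs, or new port."""
    report = {"confirmed": {}, "differs": {}, "new": {}}
    for endpoint, seen in amap_results.items():
        apps = sorted(seen["apps"])
        expected = inventory.get(endpoint)
        if expected is None:
            report["new"][endpoint] = apps
        elif any(a == expected or a.startswith(expected + "-") for a in apps):
            report["confirmed"][endpoint] = apps
        else:
            report["differs"][endpoint] = (expected, apps)
    return report

# Constructed sample: 192.0.2.10 is a documentation address, not a real scan target.
SAMPLE_OUTPUT = r"""Waiting for timeout on 23 connections ...
Protocol on 192.0.2.10:22/tcp (by trigger http) matches ssh - banner: SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n
Protocol on 192.0.2.10:22/tcp (by trigger http) matches ssh-openssh - banner: SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n
Protocol on 192.0.2.10:8443/tcp (by trigger http) matches ssh - banner: SSH-2.0-dropbear\r\n
Protocol on 192.0.2.10:80/tcp (by trigger http) matches http
amap v5.2 finished at 2010-12-06 06:52:41"""

# Constructed inventory: what an earlier Nmap run reported for the same host.
INVENTORY = {("192.0.2.10", 22, "tcp"): "ssh", ("192.0.2.10", 8443, "tcp"): "https"}

if __name__ == "__main__":
    print(compare_with_inventory(parse_amap(SAMPLE_OUTPUT), INVENTORY))
```

A port in the "differs" bucket (here 8443 answering as SSH rather than HTTPS) is exactly the case where running amap after Nmap pays off and deserves a manual look.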