Thc-amap

From aldeid
You might also see: Nmap

Description

THC AMAP is a scanner that fingerprints the applications/services listening on a remote machine. Its fingerprint database is not as complete as Nmap's, but its results sometimes differ, so the tool is useful to confirm or complete an Nmap analysis.

Installation

$ cd /data/src/
$ wget http://freeworld.thc.org/releases/amap-5.2.tar.gz
$ tar xzvf amap-5.2.tar.gz
$ cd amap-5.2/

At this stage, it is necessary to apply the following patch:

$ wget http://dl.dropbox.com/u/10761700/amap.h.patch
$ patch -p0 < amap.h.patch
Note
This patch updates the URL in amap.h that the online updater uses. Without it the updater cannot complete, because the URL hard-coded in amap 5.2 is incorrect (it now redirects). The patch is fetched from a third-party location over plain HTTP, so review it before applying it: it should touch nothing but that URL string in amap.h.
$ ./configure
$ make
$ sudo make install
Note
make install may print an error about creating a symbolic link. This does not block the installation.

Usage

Basic syntax

$ amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec]
       [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

Modes

-A
Map applications: send triggers and analyse responses (default)
-B
Just grab banners, do not send triggers
-P
No banner or application stuff - be a (full connect) port scanner
-W
Web Update - online update the application fingerprint database!
Warning
If you have not applied the patch (see the Installation section), the updater will not work because the URL in amap.h is still the old, incorrect one.
Warning
Note that the updater needs root privileges, because it writes the updated fingerprint files into the installation tree (amap is installed under /usr/local). Use sudo amap -W.

General Options

-1
Only send triggers to a port until 1st identification. Speeeeed!
-6
Use IPv6 instead of IPv4
-b
Print ascii banner of responses
-i <file>
Nmap machine-readable (grepable, nmap -oG) output file to read targets and ports from
-u
Ports specified on commandline are UDP (default is TCP)
-U
Do NOT dump unrecognised responses (better for scripting)
-d
Dump all responses
-v
Verbose mode, use twice (or more!) for debug (not recommended :-)
-q
Do not report closed ports, and do not print them as unidentified
-o FILE [-m]
Write output to file FILE
-m creates machine readable output

Scanning Options

-p <proto>
Only send triggers for this protocol (e.g. ftp)
-R/-S
Do NOT identify RPC / SSL services
-c <connections>
Amount of parallel connections to make (default 32, max 256)
-C <retries>
Number of reconnects on connect timeouts (see -T) (default 3)
-T <sec>
Connect timeout on connection attempts in seconds (default 5)
-t <sec>
Response wait timeout in seconds (default 5)
-H
Do NOT send application triggers marked as potentially harmful

Examples

$ amap -bqv 192.168.100.1 22
Using trigger file ./appdefs.trig ... loaded 30 triggers
Using response file ./appdefs.resp ... loaded 346 responses
Using trigger file ./appdefs.rpc ... loaded 450 triggers

amap v5.2 (freeworld.thc.org/thc-amap) started at 2010-12-06 06:52:35 - MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 192.168.100.1:22/tcp (by trigger http) matches ssh - banner: SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n
Protocol on 192.168.100.1:22/tcp (by trigger http) matches ssh-openssh - banner: SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n

amap v5.2 finished at 2010-12-06 06:52:41
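The -i, -q and -H options and the "Protocol on ... matches ..." result lines of the run above can be combined into a small wrapper: let nmap find the open ports, hand its grepable output to amap -i, and turn amap's result lines into tab-separated records that can be diffed against nmap -sV. The script below is an added example for this page, not code from the amap project or from the original article; the function names are assumptions, the nmap and amap flags are the documented ones, and the sample input is constructed from the run above plus one invented banner-less line.

```shell
#!/bin/sh
# Added example; not part of amap or of the aldeid page.
#   amap_from_nmap - lets nmap discover open ports (nmap -oG) and hands the
#                    file to amap -i, so only open ports receive triggers;
#                    -q skips closed/unidentified ports, -H skips triggers
#                    marked as potentially harmful.
#   parse_amap     - converts amap's "Protocol on ..." result lines into
#                    tab-separated records: host, port, transport, trigger,
#                    match, banner.
# Function names are assumptions; the amap and nmap flags used are documented.

amap_from_nmap() {
    # usage: amap_from_nmap <nmap target spec> [extra amap options, e.g. -b]
    # Requires nmap and amap on PATH; not exercised by the offline demo below.
    target=$1; shift
    tmp=$(mktemp) || return 1
    nmap -oG "$tmp" "$target" >/dev/null || { rm -f "$tmp"; return 1; }
    amap -q -H -i "$tmp" "$@"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

parse_amap() {
    # Reads amap output on stdin. A result line looks like:
    #   Protocol on 192.168.100.1:22/tcp (by trigger http) matches ssh - banner: SSH-2.0-...
    # "(by trigger X)" and " - banner: ..." are optional (banners only appear
    # with -b), so each part is extracted independently of the others.
    awk '
    /^Protocol on / {
        line = $0
        split($3, a, "/"); transport = a[2]                # host:port / tcp|udp
        n = split(a[1], b, ":"); port = b[n]               # port is after the last ":"
        host = substr(a[1], 1, length(a[1]) - length(port) - 1)
        trig = ""
        if (match(line, /\(by trigger [^)]*\)/))
            trig = substr(line, RSTART + 12, RLENGTH - 13)
        svc = ""
        if (match(line, /matches [^ ]+/))
            svc = substr(line, RSTART + 8, RLENGTH - 8)
        bi = index(line, " - banner: ")
        banner = bi ? substr(line, bi + 11) : ""
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", host, port, transport, trig, svc, banner
    }'
}

sample_amap_output() {
    # Constructed input: the two result lines from the run shown on this page
    # plus one invented line without a banner (as printed when -b is not used).
    cat <<'EOF'
Using trigger file ./appdefs.trig ... loaded 30 triggers
amap v5.2 (freeworld.thc.org/thc-amap) started at 2010-12-06 06:52:35 - MAPPING mode
Protocol on 192.168.100.1:22/tcp (by trigger http) matches ssh - banner: SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n
Protocol on 192.168.100.1:22/tcp (by trigger http) matches ssh-openssh - banner: SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n
Protocol on 192.168.100.1:80/tcp (by trigger http) matches http
amap v5.2 finished at 2010-12-06 06:52:41
EOF
}

# Offline demo: parse the constructed sample run. For a live scan use
#   amap_from_nmap 192.168.100.0/24 -b | parse_amap
sample_amap_output | parse_amap
```

Keep -H on by default when scanning anything you do not own outright: the default -A mode sends every trigger in appdefs.trig, and a few of them are flagged as potentially harmful to fragile services. The parser keeps amap's escaped control characters (the trailing \r\n in the banner) as literal text, which is what you want when comparing runs.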
