Backtrack 2 : Network Mapping –> All –> Amap
What is Amap?
Amap is a next-generation tool for assisting network penetration testing. It performs fast and reliable application protocol detection, independent of the TCP/UDP port the service is bound to. Amap is a scanning tool that allows you to identify the applications that are running on a specific port or ports. This is achieved by connecting to the port(s) and sending trigger packets. These trigger packets will typically be an application protocol handshake. Many network daemons will only respond to the correct handshake (e.g. SSL). Amap then looks up the response in a list and prints out any match it finds. Amap supports TCP and UDP, regular and SSL-enabled ASCII and binary protocols, and a variety of options are at your disposal to control the behaviour of the tool. It can take an nmap machine-readable output file as its input file and can log to a file and to the screen.
Opening Amap Screen:
A list of Amap features with short descriptions (taken from the man page):
MODES
amap can be run in three different modes:
-A
Map applications: send triggers and analyse responses (default). All options can be used in this mode.
-B
Just grab banners, do not send triggers. Only a few command-line options are used from the set when run in this mode. They are marked below as “(Banner)”.
-P
No banner or application stuff - be a (full connect) port scanner! Only a few command-line options are used from the set when run in this mode. They are marked below as “(Portscan)”.
-W
This is the Web Online Update mode. When specifying this option, all other options except -D are ignored, and the application fingerprints and triggers are updated from the thc.org web site.
OPTIONS
Options can also be seen by typing ‘amap -h’. Here follows an explanation of all options.
HOSTS AND PORTS (all modes)
-i <file>
This makes amap read its hosts and ports from the specified file. The file must be generated by nmap, using the -oM <file> option of nmap. It doesn’t matter if you have multiple hosts and mixed tcp and udp ports in the file: amap reads them all.
<target> and <port/portlist>
Target can be an IP address or fully qualified host name. A port can be any number between 1 and 65535, ranges (e.g. 1-65535) are also supported. You can specify as many ports on the command line as you want. Ports are by default TCP (see -u option below).
GENERAL OPTIONS
None of these are required but some can be quite useful.
Note that all options can be used in amap’s default mode (-A); the banner grab (-B) and portscan (-P) modes support only those options which are marked as such.
-u
Ports specified on commandline are UDP (default is TCP). (Modes: Amap, Banner, Portscan)
-1
Only send triggers to a port until 1st identification. Speeeeed!
-v
Verbose. Usually not used, but gives detailed info on the screen as to what connections are made to which IPs/ports. Don’t use twice. You will be bored to death with even more stupid uninteresting information. (Modes: Amap, Banner, Portscan)
-q
Quiet. Has got nothing to do with the “-v” option :-) If the -q option is applied, all closed and timed out ports are NOT marked as unidentified, and are not reported at all.
-d
Make a hex dump of all received responses. The default is to only print unrecognised responses.
-U
Do not dump unrecognized responses. (see option above)
-b
Print ASCII banners (if one is received).
-o <file>
Log the output of amap to <file>. (Modes: Amap, Banner, Portscan)
-m <file>
Make the log file output (-o option) machine readable (colon separated). (Modes: Amap, Banner, Portscan)
-D <file>
Triggers and responses are read by default from appdefs.trig and appdefs.resp. By specifying for instance ‘-D trojans’ it will read triggers and responses from trojans.trig and trojans.resp. This can be very useful if you only want to scan for certain applications. Please take a look at the appdefs files to see what the format of these files is (it’s pretty simple, you shouldn’t have any trouble adding your own triggers and responses, which you are encouraged to do, by the way).
SCANNING OPTIONS
These options influence the behaviour of amap when scanning.
-p <proto>
This specifies a single protocol trigger to send. The name of the protocol must match one of the first fields of the lines in the trigger file. For instance, ‘-p SSL’ will scan only for SSL-enabled ports. However, if by chance other protocols are also identified, they will be printed.
-S
Do NOT look behind an SSL port. Otherwise amap will reconnect later to identify the service running behind the SSL wrapper.
-R
Do NOT identify RPC service. Otherwise amap will connect many times to identify the exact rpc service type and version. This can be time consuming.
-c n
Open ‘n’ parallel tasks (connections). The default is 32, the maximum 256. (Modes: Amap, Banner, Portscan)
-C n
If a TCP connect timed out (did not finish in “-T n” time), how often should the connect be retried? The default is 3. (Modes: Amap, Banner, Portscan)
-T n
Causes amap to wait up to ‘n’ seconds for a successful TCP connect. The default is 5 seconds, but this can be too short when scanning over a slow link, and too long on a LAN. (Modes: Amap, Banner, Portscan)
-t n
Causes amap to wait up to ‘n’ seconds for a response. The default is 5 seconds, but this can be too short when scanning over a slow link, and too long on a LAN. (Modes: Amap, Banner)
-H
Skip potentially harmful triggers. Some daemons and applications will crash when receiving long or unexpected binary input. -H skips triggers marked as potentially harmful. See appdefs.trig for information on how to mark a trigger as harmful.
We will discuss some of the network mapping features of Amap:
In the first example we will use the banner grabbing mode and try to collect information on open ports by scanning all possible ports, with this command: “amap -B -q 192.168.1.2 1-65535”
We will scan both a linux box (192.168.1.14) and a windows box (192.168.1.2) and see what information we can collect:
Now we will use the default scan mode -A to map applications and reveal more details about the specific application running on a port identified in the previous step.
Amap has many other supplementary options that you can explore in your free time.
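The trigger-and-match behaviour described above (a plain connect for -B versus sent triggers for -A, plus the -p, -H and -1 switches) as an added, constructed model in Python. This is not Amap's code: the trigger payloads, the response signatures and the FakeService daemon are invented for illustration, and nothing here touches the network.

```python
import re
from dataclasses import dataclass

# Constructed, simplified model of Amap's trigger/response matching (not Amap's own code).
@dataclass
class Trigger:
    name: str              # first field of an appdefs.trig line
    payload: bytes         # the protocol handshake that gets sent
    harmful: bool = False  # the flag that -H consults

# Constructed sample definitions; the real ones live in appdefs.trig / appdefs.resp.
TRIGGERS = [
    Trigger("http", b"GET / HTTP/1.0\r\n\r\n"),
    Trigger("ssl", b"\x16\x03\x01"),            # placeholder bytes, not a real ClientHello
    Trigger("long-binary", b"\x00" * 4096, harmful=True),
]
SIGNATURES = [                                  # (name, regex tried against the raw response)
    ("http", rb"^HTTP/1\.[01] \d{3}"),
    ("ssh", rb"^SSH-\d\.\d-"),
    ("ssl", rb"^\x16\x03"),
]

class FakeService:
    """Constructed stand-in for a daemon: a connect banner and/or a reply only to the right handshake."""
    def __init__(self, banner=b"", reply_to=None, reply=b""):
        self.banner, self.reply_to, self.reply, self.received = banner, reply_to, reply, []
    def __call__(self, payload):
        self.received.append(payload)
        answer = self.banner
        if self.reply_to is not None and payload.startswith(self.reply_to):
            answer += self.reply
        return answer

def identify(send, banner_only=False, only_proto=None, skip_harmful=False, stop_first=False):
    """Protocol names matched on one port; the keyword flags mirror -B, -p, -H and -1."""
    probes = [Trigger("banner", b"")] if banner_only else TRIGGERS  # -B: connect, send nothing
    found = []
    for trig in probes:
        if skip_harmful and trig.harmful:            # -H: skip triggers marked harmful
            continue
        if only_proto and trig.name != only_proto:   # -p: send a single trigger ...
            continue
        response = send(trig.payload)
        for name, pattern in SIGNATURES:             # ... but report whatever matches
            if re.match(pattern, response) and name not in found:
                found.append(name)
        if stop_first and found:                     # -1: stop after first identification
            break
    return found
```

A daemon that talks first (the SSH-style banner) is identified by -B alone, while one that waits for the client's handshake (the HTTP-style service) shows up only once -A sends the matching trigger, which is the difference the two scans above illustrate.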