AMAP(1)							  AMAP(1)


NAME
       amap - a powerful application mapper

SYNOPSIS
       amap  [Mode]  [Options]	<target> <port/portrange> [<port>
       ...]

DESCRIPTION
       Amap is a scanning tool that allows you	to  identify  the
       applications that are running on a specific port or ports.
       This is achieved by connecting to the port(s) and  sending
       trigger	packets.  These trigger packets will typically be
       an application protocol handshake.  Many	 network  daemons
       will  only  respond  to	the correct handshake (i.e. SSL).
       Amap then looks up the response in a list and  prints  out
       any  match it finds.  Amap supports tcp and udp protocols,
       regular and SSL-enabled ASCII and binary protocols  and	a
       variety	of  options  are  at your disposal to control the
       behaviour of the tool. It can take an nmap  machine  read-
       able  output  file as its input file and can log to a file
       and screen.

       Why use our tool? Well, when portscanning a host, you will
       be presented with a list of open ports. In many cases, the
       port number tells you what application is running. Port 25
       is  usually  SMTP,  port 80 mostly HTTP.	 However, this is
       not always the case, and especially when dealing with pro-
       prietary	 protocols running on non-standard ports you will
       not be able to determine what application is running. With
       amap, you will be able to identify that SSL server running
       on port 3445 and some oracle listener on port 23. Also, it
       will  actually  do an SSL connect if you want and then try
       to identify the SSL-enabled protocol!

       Please also see amapcrap -h for	an  additional	tool  for
       ports who do not give any output.

MODES
       amap can be run in three different modes:

       -A     Map   applications:   send   triggers  and  analyse
	      responses (default). All options	can  be	 used  in
	      this mode.

       -B     Just grab banners, do not send triggers. Only a few
	      commandline options are used from the set when  run
	      this mode. They are maked below as "(Banner)"

       -P     No banner, application, stuff - be a (full connect)
	      port scanner! Only a few	commandline  options  are
	      used  from  the  set  when  run this mode. They are
	      maked below as "(Portscan)"

OPTIONS
       Options can also be seen by typing 'amap -h'. Here follows
       an explanation of all options.

       HOSTS AND PORTS (all modes)

       -i <file>
	      This  makes  amap read its hosts and ports from the
	      specified file. The file must be generated by nmap,
	      using  the  -oM  <file>  option of nmap. It doesn't
	      matter if you have multiple hosts and mixed tcp and
	      udp ports in the file: amap reads them all.

       <target> and <port/portlist>
	      Target can be an IP address or fully qualified host
	      name. A port can be any number between 1 and 65535,
	      ranges  (e.g. 1-65535) are also supported.  You can
	      specify as many ports on the command  line  as  you
	      want.  Ports  are	 by  default  TCP  (see -u option
	      below).

       GENERAL OPTIONS

       None of these are required but some can be quite useful.

       Note that all options can be used in amap's  default  mode
       (-A),	   the	banner	grab (-B) and portscan modes (-P)
       support only those options which are marked as such.

       -u     Ports specified on commandline are UDP (default  is
	      TCP). (Modes: Amap, Banner, Portscan)

       -1     Only  send triggers to a port until 1st identifica-
	      tion. Speeeeed!

       -v     Verbose. Usually not used, but gives detailed  info
	      on  the  screen  as to what connections are made to
	      what ip's/ports. Don't use twice. You will be bored
	      to death with even more stupid uninteresting infor-
	      mation. (Modes: Amap, Banner, Portscan)

       -q     Quiet. Has got nothing to do with the  "-v"  option
	      :-)  If  the  -q	option is applied, all closed and
	      timed out ports are NOT marked as unidentified, and
	      are not reported at all.

       -d     Make  a  hex  dump  of  all received responses. The
	      default is to only print unrecognised responses.

       -U     Do not dump  unrecognized	 responses.  (see  option
	      above)

       -b     Print ACSII banners (if one is received).


       -o <file>
	      Log  the	output	of  amap to <file>. (Modes: Amap,
	      Banner, Portscan)

       -m <file>
	      Make the log file output (-o option) machine  read-
	      able  (colon  seperated).	  (Modes:  Amap,  Banner,
	      Portscan)

       -D <file>
	      Triggers and responses are  read	by  default  from
	      appdefs.trig  and	 appdefs.resp.	By specifying for
	      instance '-D trojans' it	will  read  triggers  and
	      responses	 from  trojans.trig  and trojans.resp. It
	      can be very usefull if you only want  to	scan  for
	      certain  applications.  Please  take  a look at the
	      appdefs files to see what the format of these files
	      is  (it's	 pretty	 simple,  you  shouldn't have any
	      trouble adding your  own	triggers  and  responses,
	      which you are encouraged to do, btw).

       SCANNING OPTIONS
	      These  options influence the behaviour of amap when
	      scanning.

       -p <proto>
	      This specifies a single protocol trigger	to  send.
	      The  name	 of  the  protocol  must match one of the
	      first fields of the lines in the trigger file.  For
	      instance,	 '-p  SSL' will scan only for SSL enabled
	      port. However, if by  chance  other  protocols  are
	      also indentified, they will be printed.

       -S     Do  NOT NOT look behind an SSL port. Otherwise amap
	      will reconnect later to identify the  service  run-
	      ning behind the ssl wrapper.

       -R     Do  NOT  identify	 RPC service. Otherwise amap will
	      connect many times to identify the exact	rpc  ser-
	      vice  type and version. This can be time consuming.

       -c n   Open 'n' parallel tasks (connections). The  default
	      is  32,  the  maximum  256.   (Modes: Amap, Banner,
	      Portscan)

       -C n   If a TCP connect timed out (did not finnish in  "-T
	      n"  time), how often should be retried the connect?
	      This  is	by  default  3.	  (Modes:  Amap,  Banner,
	      Portscan)

       -T n   Causes amap to wait upto 'n' seconds for a success-
	      ful TCP connect. Default is 5 seconds, but this can
	      be  too  few  sometimes  when  scanning over a slow
	      link, and too long on a LAN. (Modes: Amap,  Banner,
	      Portscan)

       -t n   Causes   amap  to	 wait  upto  'n'  seconds  for	a
	      response. Default is 5 seconds, but this can be too
	      few  sometimes  when scanning over a slow link, and
	      too long on a LAN. (Modes: Amap, Banner)

       -H     Skip potentially harmful triggers. Some daemons and
	      applications  will  crash	 when  receiving  long or
	      unexpected binary input. -H skips	 triggers  marked
	      as potentially harmful. See appdefs.trig for infor-
	      mation on how to mark a trigger as harmful.

LICENSE AND USER BEWARES
       amap is (C) 2003 by vanHauser and  DJ.RevMoon  (of  THC	-
       www.thc.org)

       This  program  is  free	software; you can redistribute it
       and/or modify it under the terms of the GNU General Public
       License as published by the Free Software Foundation; Ver-
       sion 2.	This guarantees your right to  use,  modify,  and
       redistribute amap under certain conditions.

       Source  is  provided  to	 this software because we believe
       users have a right to know exactly what a program is going
       to  do  before they run it.  This also allows you to audit
       the software for security holes.

       Source code also allows you to port amap to new platforms,
       fix bugs, and add new features.	You are highly encouraged
       to send your application triggers  and  responses  to  us.
       Please  send  triggers  and responses (either as a tcpdump
       file or in our own format) to amap-dev@thc.org.

       This program is distributed in the hope that  it	 will  be
       useful, but WITHOUT ANY WARRANTY; without even the implied
       warranty of MERCHANTABILITY or FITNESS  FOR  A  PARTICULAR
       PURPOSE.	  See  the  GNU	 General  Public License for more
       details (it is in the COPYING file of the  amap	distribu-
       tion).

       It  should also be noted that amap has been known to crash
       certain poorly written applications,  TCP/IP  stacks,  and
       even  operating systems.	 Amap should never be run against
       mission critical systems unless you are prepared to suffer
       downtime.   We  acknowledge  here that Amap may crash your
       systems or networks and we disclaim all liability for  any
       damage or problems Amap could cause.

BUGS
       There  are  bound to be numerous bugs in amap. Please tell
       us if you find any.  Please email to amap-dev@thc.org.
