There are a lot of different scanning tools on Kali Linux, and each provides a slightly different function. For instance, NMAP is a great tool for feeling out a local network to identify hosts, open ports, and a few other key pieces of information. On the other hand, Cisco-Torch was created with an emphasis on discovering Cisco and other network devices and then running dictionary attacks against the identified targets.
Today, however, we’re going to be looking at a different scanning tool called Amap. Amap is a next-generation scanning tool with a large number of flags and options in its command syntax, and it can identify processes and applications even when they are running on non-standard ports. For example, if a company decided to host an internal web server that accepted connections on port 1253 instead of 80 (I’m just making that up as an example, no one would ever do that), Amap would be able to discover it.
Furthermore, Amap can find applications and services whose protocols aren’t ASCII-based. Amap has other interesting capabilities, too, such as the ability to send specially crafted trigger packets that provoke identifying responses from servers.
Amap’s Tools and Capabilities
Amap is more than a simple scanner that pings a local network to identify active hosts. More specifically, the program has two main components. First off, Amap comes with a module called amapcrap, which sends random and bogus data to a port.
The port can be TCP, UDP, or even SSL, but the idea is to generate a response from the target port.
The second component is the actual Amap core functionality, which is an Application MAPper.
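To make the trigger-and-response idea concrete, here is an added Python sketch (not the article’s code and not THC’s amap) of how an application mapper identifies a service that stays silent on an unexpected port. The trigger table, response signatures, identify() helper and the in-process fake web server are all constructed for the demo.

```python
"""Amap-style application mapping in miniature (added example, not amap code).
APPDEFS_TRIG/APPDEFS_RESP and identify() are hypothetical stand-ins for amap's
trigger and response definitions; the target server is constructed locally."""
import re
import socket
import threading

# Constructed trigger table (what -A sends) and response signatures (what it matches).
APPDEFS_TRIG = {"http": b"GET / HTTP/1.0\r\n\r\n", "smtp": b"EHLO amap.example\r\n"}
APPDEFS_RESP = {"http": re.compile(rb"^HTTP/1\.[01] \d{3}"),
                "smtp": re.compile(rb"^220 .*SMTP")}

def _probe(host, port, payload, timeout=2.0):
    """Connect, send the trigger (if any) and return whatever the port replies."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if payload:
            s.sendall(payload)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""

def identify(host, port, banner_only=False):
    """Return (protocol, raw_reply). banner_only mirrors amap -B: read only what the
    service volunteers. Otherwise act like -A -1: send triggers until one matches."""
    if banner_only:
        return ("unidentified", _probe(host, port, None))
    data = b""
    for trig in APPDEFS_TRIG.values():
        data = _probe(host, port, trig)
        for name, pattern in APPDEFS_RESP.items():
            if pattern.search(data):
                return (name, data)
    return ("unidentified", data)

def start_fake_web_server():
    """Constructed target: an HTTP service on an ephemeral port that says nothing
    until it sees a request, like the web server on an odd port in the text."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(1.0)
                try:
                    req = conn.recv(1024)
                except socket.timeout:
                    continue  # silent client: close without sending a banner
                if req.startswith(b"GET "):
                    conn.sendall(b"HTTP/1.0 200 OK\r\nServer: demo\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Banner-only mode comes back empty-handed because the fake server never speaks first; the trigger mode identifies it as HTTP regardless of which port it listens on.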
A Tip for Those of You Who Are Curious
If you’re a Linux newbie, you probably don’t know what verbose mode is. If you’re a Linux veteran, feel free to skip this section to avoid any inherent eye-rolling. Nevertheless, verbose mode is a common option for the vast majority of command line programs and tools.
Verbose mode basically allows you to peek under the hood to understand the inner workings of a command. Typically, after entering a command, you’ll wait for a few moments while it ‘does its thing’ in the background, and it will return a message indicating either success or failure. But with verbose mode, the tool will tell you what it’s doing step-by-step.
I’d highly recommend using the -v option with scanners just so you can see how they operate. For instance, you’ll find that NMAP host discovery scans simply have a looping function, whereby they ping one address after the next and increment the host value by one with each iteration.
Amap Command Syntax and Options
Amap seems to be a rather complicated tool when you view its help screen for the first time, but it isn’t as intimidating as it looks. However, I will say that it has a lot more options and flags than most other commands, though you won’t necessarily use them all.
First off, let’s take a look at the amapcrap options and syntax as follows:
Syntax: amapcrap [-S] [-u] [-m 0ab] [-M min,max] [-n connects] [-N delay] [-w delay] [-e] [-v] TARGET PORT
-S use SSL after TCP connect (not usable with -u)
-u use UDP protocol (default: TCP) (not usable with -c)
-n connects maximum number of connects (default: unlimited)
-N delay delay between connects in ms (default: 0)
-w delay delay before closing the port (default: 250)
-e do NOT stop when a response was made by the server
-v verbose mode
-m 0ab send as random crap:0-nullbytes, a-letters+spaces, b-binary
-M min,max minimum and maximum length of random crap
TARGET PORT target (ip or dns) and port to send random crap
/*This tool sends random data to a silent port to illicit a response, which can
then be used within amap for future detection. It outputs proper amap
appdefs definitions. Note: by default all modes are activated (0:10%, a:40%,
b:50%). Mode ‘a’ always sends one line with letters and spaces which end with
\r\n. Visit our homepage at http://www.thc.org */
Next, let’s take a look at the options and flags for the actual Amap portion of the tool. Be forewarned, there are more options for this tool than most other applications:
Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o FILE] [-D FILE] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i FILE] [target port [port] ...]
-A Map applications: send triggers and analyse responses (default)
-B Just grab banners, do not send triggers
-P No banner or application stuff - be a (full connect) port scanner
-1 Only send triggers to a port until 1st identification. Speeeeed!
-6 Use IPv6 instead of IPv4
-b Print ascii banner of responses
-i FILE Nmap machine readable outputfile to read ports from
-u Ports specified on commandline are UDP (default is TCP)
-R Do NOT identify RPC service
-H Do NOT send application triggers marked as potentially harmful
-U Do NOT dump unrecognised responses (better for scripting)
-d Dump all responses
-v Verbose mode, use twice (or more!) for debug (not recommended :-)
-q Do not report closed ports, and do not print them as unidentified
-o FILE [-m] Write output to file FILE, -m creates machine readable output
-c CONS Amount of parallel connections to make (default 32, max 256)
-C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
-T SEC Connect timeout on connection attempts in seconds (default 5)
-t SEC Response wait timeout in seconds (default 5)
-p PROTO Only send triggers for this protocol (e.g. ftp)
TARGET PORT The target address and port(s) to scan (additional to -i)
amap is a tool to identify application protocols on target ports.
Note: this version was NOT compiled with SSL support!
Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.
The command syntax looks pretty hairy, but it stops looking that way after you’ve played around with the tool for a couple of hours. We’re going to go through a short demonstration to highlight applicable command syntax, but first please heed a warning. If you want to test out this tool, only do it on your home network or on devices that you own.
Don’t run around in public or connect to a Wi-Fi hotspot to start scanning other people’s computing devices. It’s illegal and immoral. That said, let’s take a look at an example that scans a single host that is presumed to be a web server:
- amap -bqv 10.1.1.54 80
This command will scan host 10.1.1.54 on port 80 (HTTP), print the ASCII banner of any response (-b), omit closed ports from the report (-q), and show its progress in verbose mode (-v).
There are myriad other options that can be used with Amap, and I encourage you to test it out. However, for simple host discovery and scanning for open ports, I still prefer to use NMAP. It’s just easier to use in my opinion, or perhaps it’s simply because I feel more comfortable using it. At any rate, Amap is another great scanner that can be used to identify hosts and fingerprint systems.