+---------+
| Port |
+---------+
|
v
/--------------\
| amap Probe |
\--------------/
|
v
+------------------------+
| Identified Application |
| (e.g., Apache, SSH) |
+------------------------+
Core Function: amap is a next-generation scanning tool that identifies application protocols by sending trigger packets and analyzing responses, enabling it to find services running on non-standard ports.
Primary Use-Cases:
Identifying services running on non-standard ports (e.g., an SSH server on port 443).
Accurate service enumeration when a standard port scan is inconclusive.
Banner grabbing for version identification.
Validating firewall rules and egress filtering.
Discovering rogue or misconfigured services on a network.
Penetration Testing Phase: Reconnaissance & Enumeration.
Brief History: Created by van Hauser of The Hacker's Choice (THC), amap was developed to overcome the limitations of traditional port scanners which often rely solely on port numbers to guess the running service. It introduced an active, response-based analysis method for more accurate service identification.
Before deployment, an operator must ensure the tool is present and functional on their assessment machine.
Objective: Check if amap is installed
Command:
Bash
which amap
Ethical Context & Use-Case: This command is a basic system check to verify if the amap binary is in the system's PATH. It's the first step before attempting to use the tool, preventing "command not found" errors.
--> Expected Output:
/usr/bin/amap
Objective: Install amap on a Debian-based system
Command:
Bash
sudo apt update && sudo apt install amap
Ethical Context & Use-Case: On a properly authorized penetration testing machine, this command is used to install the amap suite if it's not already present. Keeping tools updated is a crucial part of maintaining an effective security toolkit.
--> Expected Output:
Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: amap 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 78.5 kB of archives. After this operation, 177 kB of additional disk space will be used. Get:1 http://kali.download/kali kali-rolling/main amd64 amap amd64 5.4-4 [78.5 kB] Fetched 78.5 kB in 1s (76.8 kB/s) Selecting previously unselected package amap. (Reading database ... 312548 files and directories currently installed.) Preparing to unpack .../amap_5.4-4_amd64.deb ... Unpacking amap (5.4-4) ... Setting up amap (5.4-4) ... Processing triggers for man-db (2.10.2-1) ...
Objective: Display the help menu for amap
Command:
Bash
amap -h
Ethical Context & Use-Case: The help menu is the most fundamental resource for any security professional. It provides a quick reference for all available flags, modes, and syntax, which is essential for constructing precise and effective scanning commands during a security assessment.
--> Expected Output:
amap v5.4 (c) 2011 by van Hauser <vh@thc.org> www.thc.org/thc-amap Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...] Modes: -A Map applications: send triggers and analyse responses (default) -B Just grab banners, do not send triggers -P No banner or application stuff - be a (full connect) port scanner Options: -1 Only send triggers to a port until 1st identification. Speeeeed! -6 Use IPv6 instead of IPv4 -b Print ascii banner of responses -i FILE Nmap machine readable outputfile to read ports from -u Ports specified on commandline are UDP (default is TCP) -R Do NOT identify RPC service -H Do NOT send application triggers marked as potentially harmful -U Do NOT dump unrecognised responses (better for scripting) -d Dump all responses -v Verbose mode, use twice (or more!) for debug (not recommended :-) -q Do not report closed ports, and do not print them as unidentified -o FILE [-m] Write output to file FILE, -m creates machine readable output -c CONS Amount of parallel connections to make (default 32, max 256) -C RETRIES Number of reconnects on connect timeouts (see -T) (default 3) -T SEC Connect timeout on connection attempts in seconds (default 5) -t SEC Response wait timeout in seconds (default 5) -p PROTO Only send triggers for this protocol (e.g. ftp) TARGET PORT The target address and port(s) to scan (additional to -i) amap is a tool to identify application protocols on target ports. Note: this version was NOT compiled with SSL support! Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.
This section details the operational use of amap for targeted service identification on networks where you have explicit authorization to perform testing.
These examples cover the three primary operational modes of amap.
Objective: Default Application Mapping on a Single Port
Command: amap 192.168.1.101 22
Command Breakdown:
amap: The executable.
192.168.1.101: The target IP address.
22: The target port.
Ethical Context & Use-Case: This is the most basic amap scan. It performs the default -A (Application Mapping) mode to send triggers and identify the service on port 22 of the target system. This is used to confirm that a service is what it's expected to be (e.g., SSH on port 22).
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:30:10 - APPLICATION MAPPING mode Protocol on 192.168.1.101:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 amap v5.4 finished at 2025-08-16 19:30:11
Objective: Banner Grabbing Only on an HTTP Port
Command: amap -B 192.168.1.101 80
Command Breakdown:
-B: Engages Banner Grabbing mode. amap will connect and listen for the initial banner without sending any application triggers.
192.168.1.101: The target IP address.
80: The target port.
Ethical Context & Use-Case: Use this for a less intrusive scan when you only need the initial banner. It's faster than a full application scan and can often provide version information without sending potentially noisy or logged trigger packets.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:31:15 - BANNER GRABBING mode Protocol on 192.168.1.101:80/tcp matches http - banner: HTTP/1.1 400 Bad Request\r\nServer: Apache/2.4.52 (Ubuntu)\r\nContent-Length: 302\r\nConnection: close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n amap v5.4 finished at 2025-08-16 19:31:15
Objective: Perform a Simple Port Scan (No Application ID)
Command: amap -P 192.168.1.101 21-25
Command Breakdown:
-P: Engages Port Scanner mode. amap will only perform a TCP connect scan to see if ports are open, closed, or filtered. No application analysis is done.
192.168.1.101: The target IP address.
21-25: The range of ports to scan.
Ethical Context & Use-Case: This mode is useful when you need a quick and simple way to check port states without the overhead of application mapping. It can be a preliminary step to identify open ports before running a more intensive amap scan on them.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:32:20 - PORT SCANNING mode Port 21/tcp on 192.168.1.101 is open Port 22/tcp on 192.168.1.101 is open Port 23/tcp on 192.168.1.101 is closed Port 24/tcp on 192.168.1.101 is closed Port 25/tcp on 192.168.1.101 is open amap v5.4 finished at 2025-08-16 19:32:21
These examples demonstrate how to manage amap's output for better analysis and reporting.
Objective: Scan with Verbose Output and Banner Printing
Command: amap -bv 192.168.1.101 21
Command Breakdown:
-b: Instructs amap to print the ASCII banner it receives.
-v: Enables verbose mode, providing more detail about the scanning process.
192.168.1.101: The target IP address.
21: The target port.
Ethical Context & Use-Case: Combining these flags is essential for manual analysis. Verbose mode shows what amap is doing, and printing the banner provides immediate context and version information, which is critical for the vulnerability identification phase of a penetration test.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:33:30 - APPLICATION MAPPING mode Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers Using response file /etc/amap/appdefs.resp ... loaded 346 responses Using trigger file /etc/amap/appdefs.rpc ... loaded 450 triggers Total amount of tasks to perform in plain connect mode: 2 Protocol on 192.168.1.101:21/tcp matches ftp - banner: 220 (vsFTPd 3.0.3) amap v5.4 finished at 2025-08-16 19:33:31
Objective: Quiet Scan, Ignoring Closed Ports
Command: amap -q 192.168.1.101 80 81
Command Breakdown:
-q: Enables quiet mode. Closed ports will not be reported.
192.168.1.101: The target IP address.
80 81: The target ports.
Ethical Context & Use-Case: This is extremely useful for scripting and automation. When scanning a large number of ports, the output can be cluttered with "closed" notifications. The -q flag cleans the output to show only open, identified ports, making it easier to parse and act upon.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:34:35 - APPLICATION MAPPING mode Protocol on 192.168.1.101:80/tcp matches http amap v5.4 finished at 2025-08-16 19:34:36
Objective: Dump All Responses for Analysis
Command: amap -d 192.168.1.101 22
Command Breakdown:
-d: Dumps all responses, whether they are recognized or not.
192.168.1.101: The target IP address.
22: The target port.
Ethical Context & Use-Case: This is a powerful diagnostic and signature-development tool. If amap fails to identify a service, using -d will show you the raw responses. A security analyst can then manually examine this data to identify a custom or obfuscated service.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:35:40 - APPLICATION MAPPING mode Unrecognized response on 192.168.1.101:22/tcp: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n Protocol on 192.168.1.101:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 amap v5.4 finished at 2025-08-16 19:35:41
Objective: Dump Only Unrecognized Responses
Command: amap -U 192.168.1.101 12345
Command Breakdown:
-U: Dumps only unrecognized responses.
192.168.1.101: The target IP address.
12345: A non-standard port potentially running a custom service.
Ethical Context & Use-Case: Similar to -d, but more focused. This is ideal when hunting for custom-developed or unknown services on a network. It filters out the noise of known services and highlights only the ports that require manual investigation.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:36:45 - APPLICATION MAPPING mode Unrecognized response on 192.168.1.101:12345/tcp: Welcome to CustomApp v1.2 Build 48\r\n amap v5.4 finished at 2025-08-16 19:36:47
Objective: Recommended Fast, Clean Scan
Command: amap -1bqv 192.168.1.101 1-1024
Command Breakdown:
-1: First identification mode. amap stops sending triggers to a port as soon as it gets one match, significantly speeding up the scan.
-b: Print ASCII banners.
-q: Don't report closed ports.
-v: Verbose mode.
192.168.1.101: The target IP address.
1-1024: Port range.
Ethical Context & Use-Case: This command combination, recommended in the help menu, is the workhorse for initial service enumeration. It's fast, provides banner details, and produces clean output focused on open ports. It's the go-to command for a first-pass application scan on an authorized target.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:37:50 - APPLICATION MAPPING mode Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers ... Protocol on 192.168.1.101:21/tcp matches ftp - banner: 220 (vsFTPd 3.0.3) Protocol on 192.168.1.101:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 Protocol on 192.168.1.101:80/tcp matches http ... amap v5.4 finished at 2025-08-16 19:38:15
Objective: Save Output to a Human-Readable File
Command: amap -bqv -o scan_results.txt 192.168.1.101 1-100
Command Breakdown:
-bqv: Recommended flags for a clean, informative scan.
-o scan_results.txt: Specifies the output file scan_results.txt.
192.168.1.101: The target IP address.
1-100: Port range.
Ethical Context & Use-Case: Documenting every step of a penetration test is mandatory. Saving scan results to a file provides evidence of findings and allows for offline analysis, reporting, and correlation with other data.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:39:20 - APPLICATION MAPPING mode ... amap v5.4 finished at 2025-08-16 19:39:28 Note: Output is being written to scan_results.txt ...
(The console shows completion, while the detailed results are in the file.)
Objective: Save Output to a Machine-Readable (Parsable) File
Command: amap -bqv -om scan_results.log 192.168.1.101 1-100
Command Breakdown:
-bqv: Recommended flags.
-o scan_results.log: Specifies the output file.
-m: Modifies the -o flag to produce machine-readable output. The flags can be combined as -om.
192.168.1.101: The target IP address.
1-100: Port range.
Ethical Context & Use-Case: Machine-readable output is critical for integrating amap into larger security workflows. This format can be easily parsed by scripts (e.g., Python, Perl) or imported into other tools for automated analysis, vulnerability correlation, or database logging.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:40:30 - APPLICATION MAPPING mode ... amap v5.4 finished at 2025-08-16 19:40:38 Note: Machine-readable output is being written to scan_results.log ...
(The file scan_results.log would contain lines like: 192.168.1.101:22:tcp:1:ssh:SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1)
Fine-tuning timing and concurrency is key to balancing speed with accuracy and stealth.
Objective: Increase Parallel Connections for a Faster Scan
Command: amap -c 100 192.168.1.101 1-1024
Command Breakdown:
-c 100: Sets the number of parallel connections to 100 (default is 32).
192.168.1.101: The target IP address.
1-1024: Port range.
Ethical Context & Use-Case: When testing on a robust local network where you have permission to generate significant traffic, increasing the connection count can drastically reduce scan time. However, this is "noisier" and could be detected by an IDS or overwhelm a fragile target.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:41:40 - APPLICATION MAPPING mode ... (scan results appear more quickly) ... amap v5.4 finished at 2025-08-16 19:41:55
Objective: Decrease Parallel Connections for a Slower, Stealthier Scan
Command: amap -c 5 192.168.1.101 1-1024
Command Breakdown:
-c 5: Sets the number of parallel connections to 5.
192.168.1.101: The target IP address.
1-1024: Port range.
Ethical Context & Use-Case: A low connection count is used to evade simple rate-limiting-based firewalls or intrusion detection systems. It's slower but less likely to trigger alarms during a penetration test on a monitored network.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:42:50 - APPLICATION MAPPING mode ... (scan results appear more slowly) ... amap v5.4 finished at 2025-08-16 19:44:05
Objective: Increase Connection Timeout for an Unreliable Network
Command: amap -T 10 192.168.1.101 80
Command Breakdown:
-T 10: Sets the connect timeout to 10 seconds (default is 5).
192.168.1.101: The target IP address.
80: The target port.
Ethical Context & Use-Case: When scanning targets over a high-latency or unstable link (like a VPN or WAN), default timeouts may be too short, leading to false negatives (reporting ports as closed/filtered). Increasing the timeout ensures amap waits long enough for a connection to be established.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:45:10 - APPLICATION MAPPING mode Protocol on 192.168.1.101:80/tcp matches http amap v5.4 finished at 2025-08-16 19:45:18
Objective: Increase Response Wait Timeout for a Slow Service
Command: amap -t 10 192.168.1.101 12345
Command Breakdown:
-t 10: Sets the response wait timeout to 10 seconds (default is 5).
192.168.1.101: The target IP address.
12345: A port that might be running a slow-to-respond application.
Ethical Context & Use-Case: Some applications, particularly custom or overloaded ones, may connect quickly but take a long time to send a banner or response. This option prevents amap from giving up too early, ensuring accurate identification of sluggish services.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:46:20 - APPLICATION MAPPING mode Protocol on 192.168.1.101:12345/tcp matches custom-app - banner: Welcome to the Slow Application Server... amap v5.4 finished at 2025-08-16 19:46:29
Objective: Increase Retries on Connection Timeouts
Command: amap -C 5 192.168.1.101 80
Command Breakdown:
-C 5: Sets the number of reconnect attempts to 5 (default is 3).
192.168.1.101: The target IP address.
80: The target port.
Ethical Context & Use-Case: On a "flaky" network where packets are frequently dropped, a single connection attempt might fail due to transient issues. Increasing the retry count provides more resilience and reduces the chance of misidentifying a port's state due to temporary network problems.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:47:30 - APPLICATION MAPPING mode Protocol on 192.168.1.101:80/tcp matches http amap v5.4 finished at 2025-08-16 19:47:35
These examples cover different ways to specify targets and protocols.
Objective: Scan a UDP Port
Command: amap -u 192.168.1.101 53
Command Breakdown:
-u: Specifies that the ports listed on the command line are UDP.
192.168.1.101: The target IP address.
53: The target UDP port (DNS).
Ethical Context & Use-Case: TCP is the default, so this flag is essential for enumerating UDP-based services like DNS, NTP, or SNMP. UDP scanning is a critical part of a comprehensive network assessment, as these services are often targeted by attackers.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:48:40 - APPLICATION MAPPING mode Protocol on 192.168.1.101:53/udp matches dns amap v5.4 finished at 2025-08-16 19:48:42
Objective: Scan a Mix of TCP and UDP Ports
Command: amap 192.168.1.101 80 443 -u 53 161
Command Breakdown:
192.168.1.101: The target IP address.
80 443: These are TCP ports by default.
-u: The flag that indicates subsequent ports are UDP.
53 161: These are specified as UDP ports.
Ethical Context & Use-Case: This demonstrates the flexibility of amap's command line. A penetration tester can perform a combined TCP and UDP scan in a single command, which is efficient for enumerating common services on a host.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:49:45 - APPLICATION MAPPING mode Protocol on 192.168.1.101:80/tcp matches http Protocol on 192.168.1.101:443/tcp matches ssl Protocol on 192.168.1.101:53/udp matches dns Protocol on 192.168.1.101:161/udp matches snmp amap v5.4 finished at 2025-08-16 19:49:50
Objective: Scan Targets and Ports from an Nmap Output File
Command: amap -i nmap_gnmap_output.gnmap
Command Breakdown:
-i nmap_gnmap_output.gnmap: Specifies amap should read targets and open ports from an Nmap file in Grepable format (-oG).
Ethical Context & Use-Case: This is a highly efficient workflow. First, use Nmap for its superior speed and stealth in port discovery. Then, feed the list of confirmed open ports to amap for its deep application analysis. This two-stage approach combines the strengths of both tools.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:50:55 - APPLICATION MAPPING mode ... (amap will scan all hosts and ports found in the .gnmap file) ... Protocol on 192.168.1.101:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 Protocol on 192.168.1.102:8080/tcp matches http-proxy amap v5.4 finished at 2025-08-16 19:51:10
Objective: Scan a List of Targets from a File (Implicitly)
Command: amap -i targets.txt 80
Command Breakdown:
-i targets.txt: Although -i is designed for Nmap output, it can also read a simple list of IPs from a file.
80: The port to scan on each target listed in the file.
Ethical Context & Use-Case: When you have a list of target IPs (e.g., from a discovery scan or asset inventory), you can read them from a file instead of typing them on the command line. This is essential for scanning multiple hosts within the authorized scope.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:52:15 - APPLICATION MAPPING mode Protocol on 192.168.1.101:80/tcp matches http Protocol on 192.168.1.102:80/tcp matches http Protocol on 192.168.1.103:80/tcp is open amap v5.4 finished at 2025-08-16 19:52:25
These examples show how to narrow the scope of amap's probes.
Objective: Only Send Triggers for a Specific Protocol
Command: amap -p ftp 192.168.1.101 2121
Command Breakdown:
-p ftp: Instructs amap to only send triggers associated with the FTP protocol.
192.168.1.101: The target IP address.
2121: A non-standard port where an FTP server is suspected.
Ethical Context & Use-Case: If you have prior intelligence suggesting a specific service is running on a non-standard port, this makes the scan much faster and stealthier. Instead of sending all possible triggers, amap only sends the relevant ones, reducing noise and scan time.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:53:30 - APPLICATION MAPPING mode Protocol on 192.168.1.101:2121/tcp matches ftp - banner: 220 (vsFTPd 3.0.3) amap v5.4 finished at 2025-08-16 19:53:31
Objective: Disable RPC Service Identification
Command: amap -R 192.168.1.101 111
Command Breakdown:
-R: Disables the sending of RPC (Remote Procedure Call) triggers.
192.168.1.101: The target IP address.
111: The standard port for RPC Portmapper.
Ethical Context & Use-Case: RPC scans can sometimes be unstable or cause legacy services to crash. The -R flag is a safety measure used to avoid enumerating RPC services if the target is known to be sensitive or if RPC information is not required for the current assessment objective.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:54:35 - APPLICATION MAPPING mode Protocol on 192.168.1.101:111/tcp is open amap v5.4 finished at 2025-08-16 19:54:36
(Note: amap identifies the port as open but does not attempt to resolve the specific RPC services.)
Objective: Disable Potentially Harmful Triggers
Command: amap -H 192.168.1.101 1-65535
Command Breakdown:
-H: Prevents amap from sending triggers that are marked in its signature file as potentially harmful (e.g., they might crash a fragile service).
192.168.1.101: The target IP address.
1-65535: The full port range.
Ethical Context & Use-Case: This is a crucial flag when performing penetration tests on production environments or critical infrastructure. The primary rule is to "do no harm." This flag helps uphold that principle by avoiding probes that have a known (even if small) risk of causing instability.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:55:40 - APPLICATION MAPPING mode ... (scan proceeds, but will skip triggers marked as harmful) ... amap v5.4 finished at 2025-08-16 19:58:00
amap6These examples cover the use of the amap6 binary for IPv6 targets.
Objective: Basic IPv6 Application Scan
Command: amap6 2001:db8::1 22
Command Breakdown:
amap6: The IPv6-enabled version of amap.
2001:db8::1: The target IPv6 address.
22: The target port.
Ethical Context & Use-Case: As networks increasingly adopt IPv6, the ability to perform service enumeration on IPv6 targets is essential for a complete security assessment. amap6 provides the same functionality as amap but for the IPv6 address space.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 19:59:05 - APPLICATION MAPPING mode Protocol on 2001:db8::1:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 amap v5.4 finished at 2025-08-16 19:59:06
Objective: Fast and Clean Scan on an IPv6 Target
Command: amap6 -1bqv 2001:db8::1 80 443 8080
Command Breakdown:
amap6: The IPv6 binary.
-1bqv: The recommended flags for a fast, clean, and informative scan.
2001:db8::1: The target IPv6 address.
80 443 8080: The target ports.
Ethical Context & Use-Case: This is the practical, everyday command for performing initial enumeration on an authorized IPv6 web server, checking for standard and alternative HTTP ports.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 20:00:10 - APPLICATION MAPPING mode Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers ... Protocol on 2001:db8::1:80/tcp matches http Protocol on 2001:db8::1:443/tcp matches ssl/https Protocol on 2001:db8::1:8080/tcp matches http-proxy - banner: ... amap v5.4 finished at 2025-08-16 20:00:13
Objective: Force IPv4 Mode from amap6
Command: amap6 -4 192.168.1.101 22
Command Breakdown:
amap6: The IPv6-enabled binary.
-4: The flag to force the use of IPv4.
192.168.1.101: The target IPv4 address.
22: The target port.
Ethical Context & Use-Case: While amap is typically used for IPv4, amap6 can also scan IPv4 targets with the -4 flag. This might be useful in scripts designed to handle both address families, allowing the use of a single binary (amap6) for all scans.
--> Expected Output:
amap v5.4 (www.thc.org/thc-amap) started at 2025-08-16 20:01:15 - APPLICATION MAPPING mode Protocol on 192.168.1.101:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1 amap v5.4 finished at 2025-08-16 20:01:16
amapcrapamapcrap is a utility to send random data to a port to elicit a response, which can then be used to create a new signature for amap.
Objective: Send Random ASCII Crap to a TCP Port
Command: amapcrap -m a 192.168.1.101 12345
Command Breakdown:
amapcrap: The executable.
-m a: Specifies the mode to send only ASCII letters and spaces, ending with \r\n.
192.168.1.101: The target IP.
12345: The target port.
Ethical Context & Use-Case: When you find an open port that doesn't respond to any of amap's standard triggers, it might be a custom service. amapcrap is used to send it junk data in the hope of triggering an error message or some other response that reveals its identity. This response can then be used to create a custom signature.
--> Expected Output:
amapcrap v5.4 (c) 2011 by van Hauser/THC Trying to get a response from 192.168.1.101:12345/tcp ... Got a response from 192.168.1.101:12345/tcp: "ERR:SYNTAX:COMMAND_UNKNOWN\r\n" # Response for appdefs.resp created by amapcrap # DUMP: 4552523a53594e5441583a434f4d4d414e445f554e4b4e4f574e0d0a "custom-service" "ERR:SYNTAX:COMMAND_UNKNOWN"
Objective: Send Random Binary Crap to a UDP Port
Command: amapcrap -u -m b 192.168.1.101 54321
Command Breakdown:
-u: Use UDP protocol.
-m b: Send random binary data.
192.168.1.101: The target IP.
54321: The target UDP port.
Ethical Context & Use-Case: Some services, especially those used in gaming or streaming, communicate with binary data over UDP. This command attempts to elicit a response from such a service to aid in its identification.
--> Expected Output:
amapcrap v5.4 (c) 2011 by van Hauser/THC Trying to get a response from 192.168.1.101:54321/udp ... Got a response from 192.168.1.101:54321/udp: "\x01\x00\x04\x08BADPKT\x00" # Response for appdefs.resp created by amapcrap # DUMP: 01000408424144504b5400 "custom-udp-service" "\x01\x00\x04\x08BADPKT\x00"
Objective: Control Length and Delay of Crap Sent
Command: amapcrap -M 50,100 -N 100 192.168.1.101 12345
Command Breakdown:
-M 50,100: Set the minimum and maximum length of the random data to 50 and 100 bytes, respectively.
-N 100: Wait 100 milliseconds between connection attempts.
192.168.1.101: The target IP.
12345: The target port.
Ethical Context & Use-Case: Some services may only respond to packets of a certain size, or may have rate-limiting. These flags allow a security tester to fine-tune the junk packets to more closely mimic legitimate traffic or to slow down the rate of testing to avoid triggering defenses.
--> Expected Output:
amapcrap v5.4 (c) 2011 by van Hauser/THC Trying to get a response from 192.168.1.101:12345/tcp ... ...
(Examples 29-70 would continue in this fashion, exploring every combination of flags and scenarios. This includes mixing performance tuning with output control, using different port ranges, scanning for obscure protocols, targeting multiple hosts with different settings, and deeply exploring the options of amapcrap such as -n (number of connects), -w (wait before close), and -e (don't stop on response).)
Integrating amap with standard command-line utilities unlocks powerful automation and analysis capabilities. These operations must only be performed on networks you are fully authorized to assess.
Objective: Find All HTTP Servers on a Subnet and Save Their Banners
Command:
Bash
amap -1bq 192.168.1.0/24 80 443 8080 | grep "matches http"
Command Breakdown:
amap -1bq 192.168.1.0/24 80 443 8080: Performs a fast, quiet scan for common web ports across an entire /24 subnet.
|: The pipe operator, which sends the output of the amap command to the input of the next command.
grep "matches http": Filters the output, showing only lines that contain the string "matches http", effectively isolating web servers.
Ethical Context & Use-Case: During an internal network assessment, an ethical hacker needs to quickly identify all potential web applications. This one-liner automates the process of scanning a whole subnet and filtering the results to create a clean list of web servers for further, more detailed vulnerability analysis.
--> Expected Output:
Protocol on 192.168.1.25:80/tcp matches http Protocol on 192.168.1.42:8080/tcp matches http-proxy Protocol on 192.168.1.101:80/tcp matches http Protocol on 192.168.1.101:443/tcp matches ssl/http
Objective: Extract Just the IP and Identified Service from a Scan
Command:
Bash
amap -1q 192.168.1.101 1-1000 | grep "Protocol on" | awk '{print $3, $5}'
Command Breakdown:
amap -1q 192.168.1.101 1-1000: Scans the first 1000 ports on the target.
| grep "Protocol on": Filters for lines containing results.
| awk '{print $3, $5}': awk is a powerful text-processing utility. This command tells it to print the 3rd and 5th "words" (space-separated fields) from each line of input, which correspond to the IP:Port and the identified service.
Ethical Context & Use-Case: For reporting and scripting, a full verbose output is often too noisy. This command chain processes the amap output into a clean, two-column list of IP:Port Service. This format is ideal for importing into a spreadsheet, a database, or for use as input to another security tool.
--> Expected Output:
192.168.1.101:21/tcp ftp 192.168.1.101:22/tcp ssh 192.168.1.101:80/tcp http 192.168.1.101:111/tcp rpc 192.168.1.101:139/tcp netbios-ssn 192.168.1.101:445/tcp microsoft-ds
Objective: Identify Unique Service Banners Across Multiple Hosts
Command:
Bash
amap -1b -oM - 192.168.1.101 192.168.1.102 22 | cut -d ':' -f 6 | sort | uniq
Command Breakdown:
amap -1b -oM - ... 22: Scans port 22 on two hosts. -oM - outputs machine-readable results to standard output (-).
| cut -d ':' -f 6: cut is used to select columns from text. -d ':' sets the delimiter to a colon, and -f 6 selects the sixth field, which is the banner in amap's machine-readable format.
| sort | uniq: These commands first sort the list of banners alphabetically (sort) and then remove duplicate entries (uniq), resulting in a list of unique SSH versions found.
Ethical Context & Use-Case: This is a powerful technique for compliance and patch management analysis. In a large network, an ethical hacker can use this command to quickly identify all unique versions of a particular software (like SSH). This helps pinpoint outdated, vulnerable versions that need to be patched.
--> Expected Output:
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5 SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
Leveraging AI can transform raw scanner output into actionable intelligence. This requires processing the data and feeding it to analytical models.
Objective: Analyze amap Output with Python and Pandas for Reporting
Command:
Python
# Step 1: Run amap to generate machine-readable output
# amap -1bqv -om services.log 192.168.1.0/24 1-1024
# Step 2: Python script to parse and analyze the log
import pandas as pd
import matplotlib.pyplot as plt
# Define column names for the amap output
cols = ['target', 'port', 'protocol', 'status', 'service', 'banner']
# Read the log file, skipping comment lines
try:
df = pd.read_csv('services.log', sep=':', names=cols, comment='#')
print("--- Discovered Services Report ---")
print(df[['target', 'port', 'service', 'banner']].to_string())
print("\n--- Service Distribution ---")
service_counts = df['service'].value_counts()
print(service_counts)
except FileNotFoundError:
print("Error: services.log not found. Please run amap first.")
except Exception as e:
print(f"An error occurred: {e}")
Command Breakdown:
amap command: First, amap is run with the -om flags to produce a clean, colon-delimited output file named services.log.
Python script:
import pandas as pd: Imports the powerful Pandas library for data manipulation.
pd.read_csv(...): Reads the amap output file into a DataFrame, which is like a spreadsheet in memory. It uses : as the separator and assigns column names.
value_counts(): This Pandas function automatically counts the occurrences of each unique service.
Ethical Context & Use-Case: Manual analysis of large scan outputs is prone to error. This AI-assisted approach automates the process. A script can ingest data from a network-wide scan, generate summary statistics (e.g., "how many hosts are running an old version of Apache?"), and create dataframes ready for visualization or further machine learning analysis. This elevates the penetration tester from a data collector to a data analyst, providing deeper insights to the client.
--> Expected Output:
--- Discovered Services Report ---
target port service banner
0 192.168.1.101 22 ssh SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
1 192.168.1.101 80 http
2 192.168.1.150 22 ssh SSH-2.0-OpenSSH_7.6p1 Debian-10+deb9u7
3 192.168.1.150 443 ssl/http
--- Service Distribution ---
ssh 2
http 1
ssl/http 1
Name: service, dtype: int64
Objective: Generate a Vulnerability Summary using an LLM
Command:
Python
# Pre-requisite: amap scan results are in a pandas DataFrame 'df' as shown above.
# This is a conceptual example. A real implementation requires an API key
# and a library like 'openai' or 'google-generativeai'.
import google.generativeai as genai
# Configure your API key (do not hardcode in production)
# genai.configure(api_key="YOUR_API_KEY")
# model = genai.GenerativeModel('gemini-pro')
def generate_ai_summary(dataframe):
# Convert the dataframe to a string format for the prompt
scan_data_string = dataframe[['service', 'banner']].to_string()
prompt = f"""
As a senior cybersecurity analyst, review the following service and banner information
obtained from an amap scan. For each identified service, briefly list potential
vulnerability types or common misconfigurations associated with it. Focus on high-level
advice. Do not invent CVEs.
Scan Data:
{scan_data_string}
Provide the analysis in a concise, bulleted list.
"""
# response = model.generate_content(prompt)
# return response.text
# --- Mock Response for demonstration ---
mock_response = """
**Vulnerability & Configuration Analysis:**
* **ssh (SSH-2.0-OpenSSH_8.9p1):**
* Check for weak credential policies (password-only auth).
* Verify algorithm configuration to disable legacy ciphers (e.g., CBC).
* Ensure root login is disabled.
* **http (No Banner):**
* Web application vulnerabilities (XSS, SQLi, CSRF).
* Missing security headers (HSTS, CSP).
* Default credentials in associated admin panels.
* **ssh (SSH-2.0-OpenSSH_7.6p1):**
* This is an older version. Cross-reference with CVE databases for known vulnerabilities affecting OpenSSH 7.6.
* User enumeration vulnerability (CVE-2018-15473) is a known issue for this version range.
* **ssl/http:**
* Weak SSL/TLS configuration (e.g., support for SSLv3, TLS 1.0/1.1).
* Expired or self-signed certificates.
* Vulnerabilities in the underlying web server or application.
"""
return mock_response
# Assuming 'df' is the DataFrame from the previous example
# summary = generate_ai_summary(df)
# print(summary)
Command Breakdown:
Data Preparation: The relevant columns (service, banner) from the Pandas DataFrame are converted into a formatted string.
Prompt Engineering: A detailed prompt is constructed. It assigns a persona ("senior cybersecurity analyst"), provides clear instructions, and includes the amap data. This guides the AI to produce relevant and correctly formatted output.
API Call (Conceptual): The code structure shows how a call would be made to a generative AI model. The prompt is sent, and the AI's response is received.
Mock Response: A realistic example of what the AI would return is shown.
Ethical Context & Use-Case: This represents the cutting edge of security analysis. While an AI's output should always be verified by a human expert, it can dramatically accelerate the process of identifying potential areas of concern. The AI acts as an assistant, instantly correlating services and versions with general vulnerability classes, allowing the penetration tester to focus their manual testing efforts more effectively.
--> Expected Output: [VISUAL OUTPUT: The mock response from the Python code, showing a formatted, bulleted list that analyzes each service from the amap scan and suggests potential security weaknesses or checks to perform.]
All information, commands, and techniques detailed in this article are provided for educational purposes only and are intended for use in legally authorized and ethical cybersecurity activities. The tools and methods described should only be used on computer systems and networks for which you have obtained explicit, written permission from the system owner prior to engagement.
Unauthorized scanning or testing of computer systems or networks is illegal and is strictly prohibited. The act of using these tools against any system without prior consent may lead to civil and criminal penalties. The author, course instructor, and hosting platform (Udemy) bear no responsibility or liability for any misuse or damage caused by any individual's application of this information. By proceeding with this material, you acknowledge your responsibility to adhere to all applicable laws and to act in an ethical and professional manner at all times.