
Amap Package Description

Amap was the first next-generation scanning tool for pentesters. It attempts to identify applications even when they run on a port other than their usual one, and it also identifies non-ASCII (binary-protocol) applications. It does this by sending trigger packets to the port and looking the responses up in a list of known response strings.

Tools included in the amap package
amapcrap – sends random data to a UDP, TCP or SSL’ed port to elicit a response
root@kali:~# amapcrap

Syntax: amapcrap [-S] [-u] [-m 0ab] [-M min,max] [-n connects] [-N delay] [-w delay] [-e] [-v] TARGET PORT

Options:
-S use SSL after TCP connect (not usable with -u)
-u use UDP protocol (default: TCP) (not usable with -c)
-n connects maximum number of connects (default: unlimited)
-N delay delay between connects in ms (default: 0)
-w delay delay before closing the port (default: 250)
-e do NOT stop when a response was made by the server
-v verbose mode
-m 0ab send as random crap:0-nullbytes, a-letters+spaces, b-binary
-M min,max minimum and maximum length of random crap
TARGET PORT target (ip or dns) and port to send random crap

This tool sends random data to a silent port to elicit a response, which can
then be used within amap for future detection. It outputs proper amap
appdefs definitions. Note: by default all modes are activated (0:10%, a:40%,
b:50%). Mode 'a' always sends one line with letters and spaces which ends with
\r\n. Visit our homepage at http://www.thc.org
amap – Application MAPper: next-generation scanning tool for pentesters
root@kali:~# amap
amap v5.4 (c) 2011 by van Hauser www.thc.org/thc-amap
Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
Modes:
-A Map applications: send triggers and analyse responses (default)
-B Just grab banners, do not send triggers
-P No banner or application stuff - be a (full connect) port scanner
Options:
-1 Only send triggers to a port until 1st identification. Speeeeed!
-6 Use IPv6 instead of IPv4
-b Print ascii banner of responses
-i FILE Nmap machine readable outputfile to read ports from
-u Ports specified on commandline are UDP (default is TCP)
-R Do NOT identify RPC service
-H Do NOT send application triggers marked as potentially harmful
-U Do NOT dump unrecognised responses (better for scripting)
-d Dump all responses
-v Verbose mode, use twice (or more!) for debug (not recommended :-)
-q Do not report closed ports, and do not print them as unidentified
-o FILE [-m] Write output to file FILE, -m creates machine readable output
-c CONS Amount of parallel connections to make (default 32, max 256)
-C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
-T SEC Connect timeout on connection attempts in seconds (default 5)
-t SEC Response wait timeout in seconds (default 5)
-p PROTO Only send triggers for this protocol (e.g. ftp)
TARGET PORT The target address and port(s) to scan (additional to -i)
amap is a tool to identify application protocols on target ports.
Note: this version was NOT compiled with SSL support!
Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.
amap Usage Example

Scan port 80 on 192.168.1.15. Display the received banners (b), do not display closed ports (q), and use verbose output (v):
root@kali:~# amap -bqv 192.168.1.15 80
Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers
Using response file /etc/amap/appdefs.resp ... loaded 346 responses
Using trigger file /etc/amap/appdefs.rpc ... loaded 450 triggers

amap v5.4 (www.thc.org/thc-amap) started at 2014-05-13 19:07:16 - APPLICATION MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Protocol on 192.168.1.15:80/tcp (by trigger ssl) matches http - banner: \n\n501 Method Not Implemented\n\nMethod Not Implemented\n\n to /index.html not supported.\n\n\n\nApache/2.2.22 (Debian) Server at 12
Protocol on 192.168.1.15:80/tcp (by trigger ssl) matches http-apache-2 - banner: \n\n501 Method Not Implemented\n\nMethod Not Implemented\n\n to /index.html not supported.\n\n\n\nApache/2.2.22 (Debian) Server at 12
Waiting for timeout on 19 connections ...
amap v5.4 finished at 2014-05-13 19:07:22

The "by trigger ssl" tag names the probe that produced each match. The ssl trigger is binary and is not a valid HTTP request line, so Apache rejects it with 501 Method Not Implemented; the "Apache/2.2.22 (Debian)" text in that error page is what the http and http-apache-2 response patterns match on. The decision is made from the reply, not from the port number, which is why the same run would identify the server just as well on a non-standard port. The printed banner is truncated, so "Server at 12" is just the start of the address line.
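The mechanism described at the top of the page (send a trigger, look the reply up in a list of response patterns, ignore the port number) and the sample run above can be reproduced in a few dozen lines. The following is an added example written for this page, not amap's own code, and it does not read amap's appdefs files: the trigger table, the response regexes and the two fake services (an SSH-style greeter and a server that mimics the Apache/2.2.22 behaviour seen in the sample run) are all constructed here. `stop_at_first` mirrors amap's -1, `send_harmful=False` mirrors -H, and an empty trigger is the banner-only mode of -B.

```python
import re
import socket
import threading

# Triggers, constructed for this example in the spirit of amap's appdefs.trig (not its
# contents): (name, bytes sent after connect, "potentially harmful" flag as in amap -H).
TRIGGERS = [
    ("banner", b"", False),   # empty trigger: plain banner grab, what amap -B does
    # Start of a TLS ClientHello: not a request line, so Apache answers 501 (as in the run above).
    ("ssl", b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x00" * 32, False),
    ("http-get", b"GET / HTTP/1.0\r\n\r\n", False),
]

# Response signatures, constructed in the spirit of appdefs.resp: (protocol, regex over raw bytes).
RESPONSES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    ("http-apache-2", re.compile(rb"Apache/2\.\d")),
]

def probe(host, port, trigger, timeout=2.0, limit=4096):
    """Connect, send one trigger (possibly empty) and return the raw reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if trigger:
            s.sendall(trigger)
        reply = b""
        try:
            while len(reply) < limit:
                chunk = s.recv(limit - len(reply))
                if not chunk:          # peer closed: reply is complete
                    break
                reply += chunk
        except socket.timeout:         # silent service: keep whatever arrived
            pass
        return reply

def map_application(host, port, stop_at_first=True, send_harmful=True):
    """Identify the service on host:port from its replies, never from the port number.
    Returns [(protocol, trigger_name, reply_prefix)]; stop_at_first mirrors amap -1."""
    found = []
    for name, payload, harmful in TRIGGERS:
        if harmful and not send_harmful:
            continue
        try:
            reply = probe(host, port, payload)
        except OSError:                # refused, filtered, or reset mid-trigger
            continue
        for proto, rx in RESPONSES:
            if rx.search(reply):
                found.append((proto, name, reply[:40]))
        if found and stop_at_first:
            break
    return found

def start_fake_service(greeting=None, handler=None):
    """Constructed test fixture: throwaway TCP service on a random loopback port. `greeting`
    is sent unprompted (server speaks first, like SSH); `handler(first)` answers the
    client's first bytes. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(0.5)
                try:
                    if greeting:
                        conn.sendall(greeting)
                    if handler:
                        try:
                            first = conn.recv(1024)
                        except socket.timeout:
                            first = b""
                        reply = handler(first)
                        if reply:
                            conn.sendall(reply)
                except OSError:
                    pass
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def apache_like(first):
    """Mimics the Apache/2.2.22 host in the sample run: GET gets 200, anything that is
    not a request line gets 501, a client that stays silent gets nothing."""
    if not first:
        return b""
    if first.startswith(b"GET "):
        return b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\n\r\n<html>ok</html>"
    return (b"HTTP/1.1 501 Method Not Implemented\r\nServer: Apache/2.2.22 (Debian)\r\n\r\n"
            b"<h1>Method Not Implemented</h1><address>Apache/2.2.22 (Debian) Server at 127.0.0.1 Port 80</address>")

if __name__ == "__main__":
    # Both services sit on random high ports; the reply, not the port, decides.
    for port in (start_fake_service(greeting=b"SSH-2.0-OpenSSH_7.9p1\r\n"),
                 start_fake_service(handler=apache_like)):
        for proto, trig, banner in map_application("127.0.0.1", port):
            print(f"Protocol on 127.0.0.1:{port}/tcp (by trigger {trig}) matches {proto} - banner: {banner!r}")
```

Running the script prints one line per match in the same shape as the amap output above. On the Apache look-alike the banner trigger gets no reply (the server stays silent until its timeout), and it is the ssl trigger that produces the 501 page and, from it, both the http and the http-apache-2 match; with `stop_at_first=False` the http-get trigger then adds a second pair of matches from the 200 response.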

Posted 2020-04-02 15:19 by 一只小白呀