
amap

AMAP is a next-generation scanning tool for pentesters that identifies applications even on non-standard ports. It uses trigger packets and response strings to detect protocols including non-ASCII based applications.

Description

AMAP stands for Application MAPper. It lets pentesters map the applications running on arbitrary ports. Unlike a traditional port scanner, it actively probes each port for application fingerprints. This is particularly useful when services are running on unexpected ports or when identifying obscure protocols.

The tool sends specially crafted trigger packets to target ports and matches the responses against a database of known signatures stored in files like appdefs.trig, appdefs.resp, and appdefs.rpc. It supports both TCP and UDP protocols and can handle IPv6 via the amap6 binary.

Common use cases include reconnaissance during penetration tests, service enumeration beyond basic banner grabbing, and identifying services that don't respond to standard probes. Recommended options like -bqv provide banners, quiet output, and verbosity for effective scanning.

How It Works

AMAP operates by loading trigger definitions from /etc/amap/appdefs.trig (30 triggers), response signatures from /etc/amap/appdefs.resp (346 responses), and RPC triggers from /etc/amap/appdefs.rpc (450 triggers). In default -A mode, it sends trigger packets to target ports and analyzes responses to match against known application signatures. For banner grabbing (-B), it simply captures service banners without triggers. It supports plain connect mode for port scanning (-P) and can process Nmap output files (-i). UDP mode (-u), IPv6 (-6), and various optimizations like single-trigger (-1) enhance its flexibility.
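
Added example, not code from amap or from the original page: a simplified Python model of the trigger/response matching described above, run against constructed in-memory stand-ins for services (no network traffic). The trigger and signature tables, the toy-bin protocol, the function names, and the choice to check connect-time data before sending triggers are assumptions made for illustration.

```python
import re

# Constructed miniature tables for illustration; amap's appdefs.trig and
# appdefs.resp files use their own format and far more entries.
TRIGGERS = [
    ("http-get", b"GET / HTTP/1.0\r\n\r\n"),
    ("toy-bin", b"\x7fTOY\x00"),              # hypothetical binary protocol
]
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d+-")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("toy-bin", re.compile(rb"^\x7fTOY\x01")),  # non-ASCII response
]

def match(response):
    """Return every signature name whose pattern matches the raw bytes."""
    return [name for name, rx in SIGNATURES if rx.search(response)]

def identify(service, mode="A", first_only=False):
    """service(trigger_or_None) -> bytes. Returns (names, triggers_sent)."""
    found, sent = [], 0
    found += match(service(None))             # data offered on connect
    if mode == "B":                           # banner grab: never send triggers
        return found, sent
    for _name, payload in TRIGGERS:
        if first_only and found:              # like -1: stop at 1st identification
            break
        sent += 1
        for hit in match(service(payload)):
            if hit not in found:
                found.append(hit)
    return found, sent

# Constructed stand-ins for services on non-standard ports (no network I/O).
def ssh_on_8080(trigger):
    return b"SSH-2.0-OpenSSH_9.6\r\n"         # talks first, ignores input

def http_on_2222(trigger):
    if trigger and trigger.startswith(b"GET "):
        return b"HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n"
    return b""                                # silent until asked

def toy_on_80(trigger):
    return b"\x7fTOY\x01\x00\xff" if trigger == b"\x7fTOY\x00" else b""
```

The HTTP stand-in shows why banner grabbing alone misses silent services: in the model's "B" mode it yields no identification, while trigger mode identifies it regardless of the port number.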

Installation

sudo apt install amap

Flags

-A  Map applications: send triggers and analyse responses (default)
-B  Just grab banners, do not send triggers
-P  No banner or application stuff - be a (full connect) port scanner
-1  Only send triggers to a port until 1st identification. Speeeeed!
-b  Print ascii banner of responses
-q  Do not display closed ports
-v  Verbose output
-u  Ports specified on commandline are UDP (default is TCP)
-6  Use IPv6 instead of IPv4

Examples

Scan port 80 on 192.168.1.15. Display the received banners (-b), do not display closed ports (-q), and use verbose output (-v)
amap -bqv 192.168.1.15 80
Display help and syntax information for amap
amap -h
Display help for amap6 (IPv6 version)
amap6 -h
Display help for amapcrap (tool to generate responses from silent ports)
amapcrap -h
Fast scan with single trigger (-1), banners (-b), quiet (-q), verbose (-v) on port 80
amap -1bqv 192.168.1.15 80
Grab banners (-b) from UDP port 53 (-u)
amap -bu 192.168.1.15 53
Read ports from Nmap machine-readable output file (-i)
amap -i nmap.xml 192.168.1.15
Updated 2026-04-16. Source: kali.org