thc-Amap (Application MAPper) is another excellent tool more towards banner grabbing and protocol detection than OS-fingerprinting. But from the services running on a machine you can get a good idea of the OS and the purpose of the server.
Amap is a next-generation scanning tool for pentesters. It attempts to identify applications even if they are running on a different port than normal. It also identifies non-ascii based applications. This is achieved by sending trigger packets, and looking up the responses in a list of response strings.
Without filled databases containing triggers and responses, the tool is worthless, the authors would like you to help fill the database. How to do this? Well, whenever a client application connects to a server, some kind of handshake is exchanged (at least, usually. Syslogd for instance won’t say nothing, and snmpd without the right community string neither). Anyway, Amap takes the first packet sent back and compares it to a list of signature responses. Really simple, actually. And in reality, it turns out really to be that simple, at least, for most protocols.
Send the initial packets (sent and received) in tcpdump format for all wacko, proprietary and obscure applications. Send them to: email@example.com. Please include application name and version.
Currently there are two tools for this purpose: Amap, and nmap – Both have their strength and weaknesses, as they deploy different techniques. We recommend to use both tools for reliabe identification.
The newer versions of nmap also have a banner grabbing feature.
You can download Amap here:
The source code of Amap: amap-5.2.tar.gz
The Win32/Cywin binary release: amap-5.2-win.zip
Or read more here.