thc-Amap – Application Protocol Detection & Fingerprinting

Keep on Guard!


thc-Amap (Application MAPper) is another excellent tool more towards banner grabbing and protocol detection than OS-fingerprinting. But from the services running on a machine you can get a good idea of the OS and the purpose of the server.

Amap is a next-generation scanning tool for pentesters. It attempts to identify applications even if they are running on a different port than normal. It also identifies non-ascii based applications. This is achieved by sending trigger packets, and looking up the responses in a list of response strings.

Without filled databases containing triggers and responses, the tool is worthless, the authors would like you to help fill the database. How to do this? Well, whenever a client application connects to a server, some kind of handshake is exchanged (at least, usually. Syslogd for instance won’t say nothing, and snmpd without the right community string neither). Anyway, Amap takes the first packet sent back and compares it to a list of signature responses. Really simple, actually. And in reality, it turns out really to be that simple, at least, for most protocols.

Send the initial packets (sent and received) in tcpdump format for all wacko, proprietary and obscure applications. Send them to: amap-dev@thc.org. Please include application name and version.

Currently there are two tools for this purpose: Amap, and nmap – Both have their strength and weaknesses, as they deploy different techniques. We recommend to use both tools for reliabe identification.

The newer versions of nmap also have a banner grabbing feature.

You can download Amap here:

The source code of Amap: amap-5.2.tar.gz

The Win32/Cywin binary release: amap-5.2-win.zip

Or read more here.

Posted in: Hacking Tools, Networking Hacking

, , , ,


Latest Posts:


BootStomp - Find Bootloader Vulnerabilities BootStomp – Find Android Bootloader Vulnerabilities
BootStomp is a Python-based tool, with Docker support that helps you find two different classes of bootloader vulnerabilities and bugs.
Google Chrome Marking ALL Non-HTTPS Sites Insecure July 2018 Google Chrome Marking ALL Non-HTTPS Sites Insecure July 2018
Google is ramping up its campaign against HTTP only sites and is going to mark ALL Non-HTTPS sites insecure in July 2018 with the release of Chrome 68.
altdns - Subdomain Recon Tool With Permutation Generation altdns – Subdomain Recon Tool With Permutation Generation
Altdns is a subdomain recon tool in Python that allows for the discovery of subdomains that conform to patterns. The tool takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
0-Day Flash Vulnerability Exploited In The Wild 0-Day Flash Vulnerability Exploited In The Wild
So another 0-Day Flash Vulnerability is being exploited in the Wild, a previously unknown flaw which has been labelled CVE-2018-4878 and it affects 28.0.0.137 and earlier versions
dorkbot - Command-Line Tool For Google Dorking dorkbot – Command-Line Tool For Google Dorking
dorkbot is a modular command-line tool for Google dorking, which is performing vulnerability scans against a set of web pages returned by Google search queries in a given Google Custom Search Engine.
USBPcap - USB Packet Capture For Windows USBPcap – USB Packet Capture For Windows
USBPcap is an open-source USB Packet Capture tool for Windows that can be used together with Wireshark in order to analyse USB traffic without using a Virtual Machine.


10 Responses to thc-Amap – Application Protocol Detection & Fingerprinting

  1. Jinesh Doshi May 23, 2008 at 9:55 am #

    This can be misused for reverse engineering. Does anyone know how to view and modify source code of a windows dll?

  2. Tyler May 23, 2008 at 12:49 pm #

    amap is hardly a “next generation” scanning tool. With a last release two years ago, it is clearly “previous generation”.

  3. lol May 23, 2008 at 3:06 pm #

    Woah time warp

  4. Bogwitch May 23, 2008 at 6:09 pm #

    Jinesh,

    THC-Amap cannot be used for reverse engineering at all.

    To view the source code of a Windows DLL, you need to download the source code. If the author is not distributing the source code, you cannot view it. You may be able to ascertain the functionality of a DLL by using a debugger, but if you think that THC Amap can be used for ‘reverse engineering’ I doubt you would be proficient in driving a decompilation tool.

  5. poweruser May 23, 2008 at 7:58 pm #

    There’s actually an easy to use tool called ResHacker that can be used to deconstruct DLLs to change values. I once used it to remove the ads from Windows Live Messenger, along with some of the phone-home stuff.

  6. matt May 23, 2008 at 9:21 pm #

    I would have to agree with Tyler that this tool is not next-generation. However, it seems Darknet just forgot to put quotes on what was taken from the Introduction of the THC-Amap Docs (http://freeworld.thc.org/thc-amap/).

    This tool seems like it could come in handy at some point. Good idea from the THC group.

    @Doshi
    If you want to get into RevEng on windows, get yourself a copy of OllyDebug or WinDasm32 and then figure out why I told you to get one of those. Also, this tool can’t really be used for RevEng (unless I am completely missing something). It actually requires Packet Analysis (which, I guess, could probably be confused with RevEng) before even using it. So really, it does what it says…compares signatures with already analyzed network communication, then guesses as to what is running on the server.

  7. macdaddy May 24, 2008 at 12:59 pm #

    Compiles on Ubuntu Hardy. Though seems like it out dated, as people above have said.

  8. Jinesh Doshi May 24, 2008 at 6:19 pm #

    @matt and all others,

    Guys i am aware that THC-Amap cannot be used for rev-engg this question is not related to the post. I just asked it bcos i believe that some real intelligent people read these posts (i am not counting myself). Thank you so much for your comments. :)

  9. Darknet May 24, 2008 at 7:19 pm #

    Yah it hasn’t been updated for a while, but nor have many tools and it’s still very relevant. Like I said a few posts ago I’ll be going through my toolkit and posting those tools I’ve missed out along the way. They will still be useful to many people and excellent as learning tools.

  10. Jinesh Doshi May 26, 2008 at 8:06 am #

    Thanks for the update Darknet.