Commit 4f8c5aee authored by dmknght's avatar dmknght

Upload project to nest

You want to integrate amap functionality into your programs?
That's easy.
If you just want to use amap-lib like amap, just do a:
#include "amap-inc.h"
#include "amap.h"
#include "amap-lib.h"

int main(int argc, char *argv[]) {
  amap_struct_options *opt;

  opt = amap_main_init();          /* must be called before amap_main() */
  /* change opt->OPTION_VARIABLE if you want to, e.g. via getopt() */
  return amap_main(opt, argc, argv);
}
This results in the standard amap output to stdout/stderr.
You can control the functionality via the "opt" structure.
Only two functions are necessary:
amap_main_init() - returns a pointer to (amap_struct_options), which is
the options structure, see amap.h
This is required prior to amap_main()!
amap_main(opt, argc, argv) - opt contains the options, argc the number of
variables in argv, and argv is a standard *argv[]
structure, argv[0] may be NULL if opt->file_nmap is
used, otherwise argv[0] has to be a hostname or ip
address, and argv[1+] the ports, either single ports
or ranges ("1-65535").
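The argv contract above is easy to get wrong at the boundaries (the CHANGES file records a v4.1 fix for ports greater than 65535 and notes that port 0 is scannable from v5.1). The following is an added example and not amap's own code: a strict parser for the "N" and "N-M" port arguments, plus a walker over argv in the layout amap_main() expects (argv[0] host, argv[1+] ports). parse_port, parse_port_spec and count_ports are hypothetical names chosen for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a single port token. Returns 0 and sets *out and *end on success,
 * -1 if the token does not start with a digit or the value exceeds 65535.
 * The leading-digit check matters: strtoul() on its own silently accepts
 * leading whitespace and a sign, so "-1" would otherwise wrap around. */
static int parse_port(const char *s, const char **end, unsigned *out)
{
    if (*s < '0' || *s > '9') return -1;
    char *e;
    errno = 0;
    unsigned long v = strtoul(s, &e, 10);
    if (errno != 0 || v > 65535UL) return -1;
    *out = (unsigned)v;
    *end = e;
    return 0;
}

/* Parse one argv-style port argument in the form amap accepts, "N" or
 * "N-M", into an inclusive range 0..65535 (port 0 is scannable since
 * v5.1). Returns 0 on success, -1 on any malformed input. */
int parse_port_spec(const char *spec, unsigned *lo, unsigned *hi)
{
    const char *p;
    if (parse_port(spec, &p, lo) != 0) return -1;
    if (*p == '\0') { *hi = *lo; return 0; }       /* single port */
    if (*p != '-') return -1;                      /* "8080x" */
    if (parse_port(p + 1, &p, hi) != 0) return -1; /* "80-" or "1-70000" */
    if (*p != '\0') return -1;                     /* "1-2-3" */
    if (*hi < *lo) return -1;                      /* "100-50" */
    return 0;
}

/* Walk argv the way the amap_main() contract describes it: argv[0] is the
 * host, argv[1..argc-1] are port specs. Returns the total number of ports
 * to be scanned, or -1 as soon as one spec is invalid, so a bad argument
 * is rejected before any connection is attempted. */
long count_ports(int argc, char *argv[])
{
    long total = 0;
    if (argc < 2 || argv[0] == NULL) return -1;
    for (int i = 1; i < argc; i++) {
        unsigned lo, hi;
        if (argv[i] == NULL || parse_port_spec(argv[i], &lo, &hi) != 0) {
            fprintf(stderr, "invalid port specification: %s\n",
                    argv[i] ? argv[i] : "(null)");
            return -1;
        }
        total += (long)(hi - lo) + 1;
    }
    return total;
}

int main(int argc, char *argv[])
{
    /* usage: ./prog <host> <port|range>...  (skip argv[0], the program name) */
    long n = count_ports(argc - 1, argv + 1);
    if (n < 0) return 1;
    printf("%s: %ld port(s) to scan\n", argv[1], n);
    return 0;
}
```

Rejecting the whole command line on the first bad token, rather than skipping it, is the conservative choice: a silently ignored argument would make a scan look complete when it was not.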
Most people however may only want to include the identification part of
amap into their tools.
This is performed by these simple C lines:
#include <stdio.h>
#include <string.h>
#include "amap-inc.h"
#include "amap.h"
#include "amap-lib.h"

#define STR "HTTP/1.1 200 OK\r\nServer: Apache/1.3.25\r\n"

int main(void) {
  amap_struct_responses *amap_resp;
  char **results;
  int i = 0;

  amap_resp = amap_lib_init(NULL);  /* loads appdefs.resp; required before amap_lib_identify() */
  results = amap_lib_identify(STR, strlen(STR), 0, amap_resp);
  while (results[i] != NULL)        /* walk the result array up to its NULL entry */
    printf("Results: %s\n", results[i++]);
  return 0;
}
Again, only two functions are necessary:
amap_lib_init() - returns a pointer to (amap_struct_responses), which
is the fingerprint database. You can change the default
name of appdef.resp, by using "foo" instead of NULL,
amap-lib looks then for "foo.resp".
This is required prior to amap_lib_identify()!
amap_lib_identify(data, datalen, protocol, amap_struct_responses) -
you hand over the data, its length, and the protocol
('T' for TCP, 'U' for UDP or 0 for both) and the
amap_struct_responses pointer from amap_lib_init().
You get a *result[] structure back which is NULL
As a response can match several fingerprints, a single
string response makes no sense.
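To make the shape of that interface concrete, here is an added, self-contained example that is not amap-lib and not the project's code: identify() mimics amap_lib_identify() against a constructed four-entry fingerprint table carrying the appdefs.resp features the CHANGES file lists for v3.0/v4.0 (regular expression, required protocol, minimum and maximum reply length), and it hands back the same kind of NULL-terminated array, so a reply that matches both "http" and "http-apache" yields both entries. It uses POSIX regex in place of pcre; identify, count_results, free_results, the FP_DB table and the sample replies are all constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One fingerprint entry, modelled on the appdefs.resp features named in
 * CHANGES (regex, required protocol, min/max reply length). This is a
 * constructed stand-in, not amap's database or its file format. */
typedef struct {
    const char *name;
    char proto;          /* 'T', 'U' or 0 for either */
    size_t minlen;       /* minimum reply length, 0 = none */
    size_t maxlen;       /* maximum reply length, 0 = none */
    const char *pattern; /* POSIX ERE; amap itself uses pcre */
} fp_def;

static const fp_def FP_DB[] = {
    { "http",        'T', 4, 0,    "^HTTP/1\\.[01] [0-9]{3}" },
    { "http-apache", 'T', 4, 0,    "^HTTP/1\\.[01] .*Server: Apache" },
    { "ssh",         'T', 4, 255,  "^SSH-[0-9]\\.[0-9]-" },
    { "syslog",      'U', 3, 1024, "^<[0-9]{1,3}>" },
};
#define FP_COUNT (sizeof FP_DB / sizeof FP_DB[0])

/* Identify a reply. Returns a malloc'ed, NULL-terminated array of matching
 * fingerprint names (the same shape amap_lib_identify() returns: one reply
 * can legitimately match several entries), or NULL on allocation failure.
 * The caller releases it with free_results(). */
char **identify(const char *data, size_t datalen, char proto)
{
    char **results = calloc(FP_COUNT + 1, sizeof *results);
    if (results == NULL) return NULL;

    /* regexec() needs a NUL-terminated string. Copying also guarantees a
     * reply that is not NUL-terminated (normal for network data) is never
     * read past datalen. Caveat of this stand-in: an embedded NUL in a
     * binary reply truncates the match; amap/pcre handle binary natively. */
    char *buf = malloc(datalen + 1);
    if (buf == NULL) { free(results); return NULL; }
    memcpy(buf, data, datalen);
    buf[datalen] = '\0';

    size_t found = 0;
    for (size_t i = 0; i < FP_COUNT; i++) {
        const fp_def *fp = &FP_DB[i];
        /* protocol filter: 0 on either side means "don't care" */
        if (proto != 0 && fp->proto != 0 && proto != fp->proto) continue;
        if (datalen < fp->minlen) continue;
        if (fp->maxlen != 0 && datalen > fp->maxlen) continue;

        regex_t re;
        /* REG_NEWLINE is deliberately not set, so '.' also matches the
         * CR/LF inside a banner: the equivalent of amap's PCRE_DOTALL. */
        if (regcomp(&re, fp->pattern, REG_EXTENDED | REG_NOSUB) != 0) continue;
        int rc = regexec(&re, buf, 0, NULL, 0);
        regfree(&re);
        if (rc == 0) {
            char *dup = strdup(fp->name);
            if (dup == NULL) break;
            results[found++] = dup;
        }
    }
    results[found] = NULL;
    free(buf);
    return results;
}

size_t count_results(char **results)
{
    size_t n = 0;
    while (results != NULL && results[n] != NULL) n++;
    return n;
}

void free_results(char **results)
{
    if (results == NULL) return;
    for (size_t i = 0; results[i] != NULL; i++) free(results[i]);
    free(results);
}

/* constructed sample replies */
static const char SAMPLE_HTTP[]   = "HTTP/1.1 200 OK\r\nServer: Apache/1.3.25\r\n";
static const char SAMPLE_SSH[]    = "SSH-2.0-OpenSSH_5.3\r\n";
static const char SAMPLE_SYSLOG[] = "<34>Oct 11 22:14:15 host su: test";

int main(void)
{
    char **r = identify(SAMPLE_HTTP, strlen(SAMPLE_HTTP), 'T');
    for (size_t i = 0; r != NULL && r[i] != NULL; i++)
        printf("Results: %s\n", r[i]);
    free_results(r);
    return 0;
}
```

The protocol argument behaves as the text describes: 0 from the caller matches entries of any protocol, a 0 in the table means the entry applies to either, and a mismatch skips the entry before the regex is even compiled.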
Need other interface options/features?
Contact me!
v5.4 April 2011 (THC public release)
* Fix for IPv6 introduced in v5.3, doh
v5.3 April 2011 (THC public release)
! This is a release to fix IPv6 UDP port scanning as no other tool
! currently exists to do that.
! Besides this, amap is outdated, and nmap should be preferred
* Fixed UDP port scanning for IPv6
* Disabled web update
* added printing of [] brackets around IPv6 addresses (required)
* Fixed a bug in amapcrap that the trigger would not display correctly
v5.2 September 2005 (THC public release)
* Included patch from for cleaner gcc compile
* Added SSL_Pending() to prevent rare locking on SSL ports,
thanks to michel(at) for reporting
* Added lots of fingerprints, most from Johnny Cyberpunk / THC - THANKS!
v5.1 June 2005 (THC public release)
* Big appdefs.resp update. Thanks to all contributors!
* Finally and forever fixed the --prefix= issue
* Fixed the web update function for bad inet_pton implementations
* Added support for nmap files with IPv6 addresses
* You can scan/check port 0 now (wish from nbach<at>
* Less error prone "make install"
v5.0 February 2005 (THC public release)
* IPv6 support added, use -6 to activate
* Made the help screen easier to read
* No Cygwin detection needed anymore
* Dump -d option will only print "Unrecognized" response prior to those
responses which are *really* not unrecognized
* Uh, appdefs.* files were installed to both, bin/ and etc/, duh
finally they are really only in .../etc/
* Removed the "error - ignored" messages from Makefile
* Added amap-lib - an open interface so incorporation can be made
easily into other programs. See the text file AMAP-LIB-INTERFACE
* Fixed "lvalue deprecated" warnings during compilation, let's hope
amap still compiles on old UNIXes. Please report if not.
* Fixed prefix issue if "./configure --prefix=/bla" was used
v4.9 February 2005 (THC internal release)
- internal, see v5.0
v4.8 January 2005 (THC public release)
* A project web page for amap was set-up:
* Added an Online Update feature for the application fingerprints!
Just run it as "amap -W" and there you go! Includes version
checking and some nice other features.
* The application fingerprints of amap will now be installed to
/usr/local/etc - this has been asked for sooo long :-)
* Added many new responses (thanks to, and others)
* Fixed a bug in the -q option
* Note: the license changed, and is now the same as hydra
* Added autodetection for Cygwin and MacOS/X, enhanced openssl
v4.7 October 2004 (THC public release)
* Fixed a bug in the SSL analyzing function, seems openssl changed
behaviour, fingerprinting behing SSL ports works now again
* Added more triggers and responses (especially
sent in lots of stuff, thanks a lot)
v4.6 June 2004 (THC public release)
* Added 9 new responses (thanks to, Alf, and more)
* Fixed a small string termination bug (thanks to
v4.5 November 2003 (THC public release)
* Added portability fixes for openbsd (thanks to
* Added portability fixes for cygwin (thanks to
* Added 6 responses (thanks to, and
v4.4 September 2003 (unreleased)
* Added mkdir -p to the Makefile (thanks to
* Added a few responses
v4.3 September 2003 (THC public release)
* Trigger names are now always printed with unrecognized responses
* Added 8 new responses (thanks to,,,
* Fixed a off-by-one overflow (which would not fuck up anything :-)
was found by z33d (thanks to
* Added --prefix option to configure script, and honoring PREFIX
* Enhanced ssl library searching
* Added PCRE_DOTALL to the pcre regex definition to enhance
response identifications
* Fixed typos :-) (thanks to guys from the CCC Camp presentation)
v4.2 August 2003 (THC public release)
* Added 10 new responses (thanks to,, and
* Enhanced again the max size for an nmap line, let's hope 64k are
enough now! (thanks to
* Due to a bug, amap would only check the last host line in nmap files
* Fixed a compiler warning (thanks to
* Trigger name is now displayed in verbose mode by unrecognized
- 4.1 - THC beta release -
* 28 new response ids and triggers (thanks to,, and
* It was possible to define ports to be scanned > 65535, fixed
(found by
* If appdefs.* files are in MS-DOS file format, this is not a problem
any more :-) no need for dos2unix etc. if you received appdefs.*
files via M$-Outlook
v4.0 July 2003 (THC public release)
! This is the first public release of amap after its complete rewrite !
! If you would like to be an amap beta tester, subscribe yourself to
our amap mailing list! send an email to:
! What is new from the last public version (2.7):
+ TCP connection reuse for RPC identification
+ Banner grab mode, Portscan mode (-B, -P)
+ for response identification (appdefs.resp):
* response strings are now real perl regular expressions
* can hit only on a defined trigger if wished so
* can have a minimum and maximum length set on the reply data
* can require the ip protocol (tcp or udp)
+ Put as many ports on the command line as you like and ranges are
supported too! :-)
+ much faster
+ more reliable
+ bug fixes, better platform support
+ more application responses (of course)
+ added -q (uiet) switch which will not report any closed ports,
and won't mark them as unidentified.
! What changed from the last public version (2.7):
- switched the meaning of the -u and -U options
- Renamed -C options (number of parallel connections) to -c ...
- -C now specifies the number of retries on connection timeouts
- file formats for appdefs.* changed
- output changed a bit (it is much better now)
- README, man page, etc. are all up to date now
! Finally: thanks a lot to Skyper for the pcre library hint and all
the beta testers who helped to make amap stable, reliable and
bugfree :-) - and of course added many, many application ids.
! Have fun !
//=============================== OLD ======================================\\
v3.8 July 2003 (unreleased)
* Fix in skip functions and SSL shutdown
* Added new responses (thanks to and
* Reworked the README file, added an INSTALL file
! v3.8 will now be renamed to v4.0 and made public
v3.7 July 2003 (THC beta release)
* Thanks to for providing a patch for my configure
script to let it run on Solaris successfully
* Amap crashed when the nmap input file did not contain correct
data. Fixed. (thanks to and
* Enhanced a few responses (thanks to,,
* Added man page directory detection to the configure script :-)
* Fixed a typo in an error message (thanks to
v3.6 July 2003 (THC beta release)
* Amap segfaulted when executed like ./amap -B localhost 1-10000
for no known reason. Disallowing socket 0 solved it.
(thanks to for reporting)
* Amap would loop endlessly in portscan mode against too many UDP ports.
UDP timeout checks were not correctly implemented. (thanks to for reporting)
* Small enhancements
v3.5 July 2003 (THC beta release)
! There is now a betatest mailinglist available !
* Added port range support (e.g. 20-25) on commandline
* Amap needs now less memory and is a little bit faster
* Added -q (uiet) switch which will not report any closed ports,
and won't mark them as unidentified.
* Added more response IDs (thanks to and
* Added a Solaris library definition (thanks to
v3.4 June 2003 (THC special release)
* Added -B option, which just grabs a banner, no triggers are sent
* Added -P option, which makes amap a full connect port scanner.
Note: Amap is a little bit faster than nmap -sT, cool ...
* Added another data definition to the -m (achine readable) logfile
output. It also has got a :PORT_STATUS: field now, which is set to
either: open, closed, timeout.
* Amap now reuses sockets, which is needed for port scanning :-)
v3.3 June 2003 (THC beta release)
* Renamed -C options (number of parallel connections) to -c ...
-C is now a hidden option to specify the number of retries on
connection timeouts [vH]
* More efficient checks on last timeout waiting routine
* Minor display message fixes [vH]
* Oops, due to a bug in the makefile, no openssl support was in, fixed.
(introduced in 3.1) [vH]
* Reconnects were made to the wrong target/port, fixed.
(introduced in 3.2) [vH]
v3.2 June 2003 (THC beta release)
* Made all connects unblocked. this speeeeeds things up and prevents
hangs on scans to firewalled ports [vH]
* Made the tcp port reuse for rpc scanning more effective [vH]
* Added more debug modes, the more -v you put, the more you get [vH]
* Added new ids (thanks to and
v3.1 June 2003 (unreleased)
* Added printing of the trigger name if a match is made in verbose
mode. Good idea by [vH]
* Fixed compile problems (thanks to, and vlaad@sezampro.yu) [vH]
* Added new ids (thanks to,,
and vlaad@sezampro.yu)
* RPC ids were not printed, fixed [vH]
v3.0 June 2003 (THC alpha release)
! Completely rewritten from scratch ! [vH]
Thanks go to Skyper who pointed me to the pcre library!
- By this, the following small bugs in v2.x were noticed:
- in task calculations, triggers to send to both udp and tcp
were never counted
- tasks numbers reduced for e.g. SSL mode would also apply
to RPC mode
- compilation without OPENSSL never worked
* responses (appdefs.resp):
* response strings are now real perl regular expressions
* can hit only on a defined trigger if wished so
* can have a minimum and maximum length set on the reply data
* can require the ip protocol (tcp or udp)
* In RPC scan mode, TCP connections are re-used
* better readable data dumps, warnings and errors
* safety checks on everything
* a few more response ids
# switch the meaning of the -u and -U options
# file formats for appdefs.* changed
# output changed a bit (hope its better now)
# README, man page, etc. are all up to date now
? so ... ?
? Please test this version as hard as you can and report ?
v2.7 June 2003 (THC release candidate)
* Removed the unnecessary NFS trigger which SANS wrote snort rules
for :-) [DJ] >>>
v2.6 June 2003 (THC internal test release)
* Fixed a bug which sent all UDP triggers to TCP ports as well.
(thanks to!) [vH]
* Added -DCYGWIN compile definition to let it easily compile
on cygwin (thanks to hans - posted into the THC forum) [vH]
* Added/fixed a few triggers/responses (thanks to,, [vH]
* Optimized connection handling - RPC identification won't lose
responses now [vH]
v2.5 May 2003 (THC release candidate 2)
* Fixed a bug in -o output and rpc scanning, hope it works
now. (reported by Johny ;-) [vH]
* Updated man page [vH]
v2.4 May 2003 (THC release candidate)
* Made ports on command line default to TCP, therefore removed
-sT|U option, and added the -U option to choose UDP protocol [vH]
* Added a few more fingerprints (thanks to, and Jesus Munoz + Daniel Solis of KPMG
v2.3 May 2003 (internal test release)
* Added RPC identification mode (happy now Johnny? ;-) [vH]
* Added appdefs.rpc (converted from nmap) [vH]
* Added -R mode which will DISABLE RPC identifications [vH]
* Rewrote code, functions and structures [vH]
v2.2 May 2003 (internal test release)
* lots of new application fingerprints added (thanks to nessus)
* added secondary identification type in appdefs.resp:
e.g. http-apache - means: http protocol, apache service
and added that for the lookup function in amap. [vH]
* Changed the meaning of the -S switch!!! [vH]
- Removed -S mode which tried SSL connects to all ports
- Added -S mode which will DISABLE an SSL connect to a port
after it has successfully been identified to support SSL
* added "time" detection (usually tcp port 37)
* added port unreachable detection for udp in amap and amapcrap
v2.1 May 2003 (THC release candidate 2)
* Now you can specify as many ports on the command line as you like,
also, you can specify some on command line, and still use the -i
option. [vH]
* fixed a bug in the target selection engine, some ports were not
tested, depending on options. [vH]
* fixed a bug in the amapcrap display routine for the response [vH]
* uh, -D appdefs option was never correctly implemented, fixed [vH]
* added a few responses [vH]
v2.0 April 2003 (THC release candidate)
* big feature add: multiple identifications per response, for a
more reliable identification! [vH]
* added amapcrap to send random stuff to ports to elicit a response [vH]
* added machine readable output format (-m) [vH]
* implemented skip on ports which become unavailable [vH]
* reversed loops. before, all triggers were sent to the same
port, then to the next, etc. now a trigger is sent to every port
first. By this, port crashes will become rarer (e.g. inetd's "too
fast respawns" detection) [vH]
* Rewrote configure script to hopefully run on Solaris. Please report! [vH]
* small bug fixes [vH]
* code beautification [vH]
* more application fingerprints [DR, you guys out there]
* optimized fingerprints due to new features [vH]
v1.2.1b September 2002 (THC release candidate 2)
* when only a few tasks are there, the read_response loop was
only done once, before responses could come in. sleep(1) provided
the answer.... [DR]
* fixed -p <proto> case sensitivity bug [DR]
* fixed -t <timeout> bug [DR]
v1.2.1 September 2002 (THC release candidate)
* Thanks to Dagobert Michelsen, Solaris with DNS resolution no longer
coredumps, but also doesn't work :-(
* updated man page etc. [DR]
v1.2 August 2002 (private release)
* No more fork()ing around, non-blocking sockets are the way to go!
So: much greater efficiency, speed, and no more hanging(?) [DR]
* around waiting for responses from dead kids etc.... [DR]
* suppression of multiple secondary id's of protocols [DR]
* fixed some small stuff in SSL routines [DR]
v1.1 August 2002 (unreleased)
* added much needed SSL support (-S switch) [DR]
v0.95c August 2002 (unreleased)
* added and tuned triggers and responses [DR]
* fixed printing to logfile bug [DR]
* fixed showstopper (vH, you used goto?????) [DR]
v0.95b March 2002 (first public beta release)
* added manpage [DR]
* fixed a small bug [DR]
v0.9 February 2002 (private release)
* ported to Solaris. Compiles clean on OpenBSD. [vH]
* fixed the final never-ending loop (really!) [vH]
* fixed command line target/port function, seems like 3 lines were
accidentally deleted [vH]
* cleaned up code to prevent compiler warnings and added humour :-) [vH]
* fixed 3 by-one-byte overflows [vH]
v0.8 February 2002 (private release)
* Finally got rid of bug that stopped amap from completing. [DR]
* Now, amap only sends UDP triggers to UDP ports and TCP triggers to
tcp ports. It sends undefined triggers to both kind of ports. [DR]
v0.7 February 2002 (unreleased)
* added and reformatted some triggers and responses [DR]
* added listing of unidentified ports after completion [DR]
v0.6 February 2002 (private release)
* scantype check for sending triggers was missing, uh [vH]
* added a few responses [vH]
* removed tftp check, it's too weird how it works currently [vH]
v0.5b January 2002 (private release)
* fixed a bug in lookup function for substrings and startstrings [DR]
* added triggers and responses [DR]
v0.5 January 2002 (private release)
* fixed a bug in the lookup function for unknown responses [DR/vH]
v0.4 January 2002 (private release)
* only the first of same unknown responses for a port is printed [vH]
* added search path for trigger/response files (20 directories) [vH]
* fixed variable names [vH]
* some beautifications [vH]
v0.3 January 2002 (private release)
* changed the "print unknown responses" option to be default [vH]
* fixed a bug in the print_banner function [vH]
* dumping responses will now also show it in printable ascii [vH]
* fixed various bugs in the dump function [vH]
* added check for invalid nmap input file [vH]
* had to implement a work around to prevent mis-detections on ECHO port [vH]
* added some responses [vH]
* removed unnecessary entries from the triggers file [vH]
v0.2 December 2001 (private release)
* fixed numerous bugs. numerous ;-) [vH]
* added new feature: -b prints the banner received [vH]
* added CHANGES, TODO and LICENSE file [vH]
v0.1 December 2001 (private release)
* first internal release [DR]
read TEST
for i in amap.h README CHANGES; do
  joe $i   # open each file in the editor for a final review
done
$ ./configure
$ make
$ su
# make install
That's it.
If you have Redhat 9.x installed, compilation may fail because of
a buggy openssl package. Uninstall the package and install an older version.
Then amap compiles fine. You may also take the painful way of setting
symlinks from files in the /usr/kerberos/include directory to /usr/include.
SuSE 8.x, 9.x (Linux 2.4.19-4GB/i686)
Redhat 9.0 (Linux 2.4-18-3/i686)
Slackware 8.1 (Linux 2.4.21/i586)
Parisc/Debian (Linux 2.4.19/hppa64)
OpenBSD 3.3 (Sparc64)
OpenBSD 3.3 (i686)
Solaris 5.7 (Sparc)
OSX/Darwin 6.6 (Mac PowerPC)
FreeBSD 5.x (i686)
LICENCE FOR AMAP (all versions)
by van Hauser <>
1. This software comes with no warranty or promised features. If it works
for you - fine. It just comes "AS-IS", which means as a bunch of bits and bytes.
2. Anyone may use this software and pass it on to other persons or companies
as long as it is not charged for! (except for a small transfer/medium fee)
3. This tool may *NOT* be used for illegal purpose. Please check the law
which affects your doing. I will have got no liability for any damage etc.
done with this tool legally or illegally.
4. If this tool is used while providing a commercial service (e.g. as part
of a penetration test) the report has to state the tools name and version,
and additionally the authors (van Hauser and Dj RevMoon) and the distribution
homepage (
5. If this tool is used within a commercial tool (being called out of such a
tool or being incorporated), the report generated has to state the tools name
and version, and additionally the authors (van Hauser and Dj RevMoon) and the
distribution homepage ( A tool is "commercial" if it either
costs money to purchase it, has a license fee, and/or has costs for upgrades.
Additionally, a commercial version or license etc. must be made available to
the author free of charge.
6. In all other respects the GPL 2.0 applies
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of