I'm not sure why this tool isn't in BackTrack. I really thought it was. It's a simple ARP discovery tool. I went to use it today and realized it was not there. DUH

Here is an example of a generic scan of a whole local subnet:

Pureh@te ~ # arp-scan --interface=ath0 --localnet
Interface: ath0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (
00:1a:70:48:fb:19 Cisco-Linksys, LLC
00:c0:9f:11:27:11 QUANTA COMPUTER, INC.
00:0d:56:53:45:82 Dell PCBA Test
00:11:50:96:08:3e Belkin Corporation
00:1b:fc:9a:be:f3 ASUSTek COMPUTER INC.
00:01:02:c2:06:1b 3COM CORPORATION
00:13:02:85:1e:a5 Intel Corporate
00:0e:9b:c3:cd:aa Ambit Microsystems Corporation
00:03:94:04:9d:8b Connect One
00:13:ce:91:30:0d Intel Corporate

20 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.426 seconds (179.52 hosts/sec). 10 responded
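The useful thing to do with an arp-scan listing on a network you administer is to compare it against what you expect to be there. The following is an added example (my own code for this post, not part of arp-scan): it parses the tab-separated IP / MAC / vendor lines arp-scan prints, flags any MAC that is not in a known-device list, and reports IPs that answered from more than one MAC. The sample output and the known-MAC inventory are constructed for the example; the first three MACs are the ones from the scan above, the 00:de:ad:be:ef:xx addresses are made up.

```python
import re

# Constructed arp-scan output for this example. The real tool prints one line
# per responding host as IP<TAB>MAC<TAB>vendor; the header URL is omitted.
SAMPLE_ARP_SCAN = """Interface: ath0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (URL omitted)
192.168.1.1\t00:1a:70:48:fb:19\tCisco-Linksys, LLC
192.168.1.20\t00:c0:9f:11:27:11\tQUANTA COMPUTER, INC.
192.168.1.37\t00:0d:56:53:45:82\tDell PCBA Test
192.168.1.44\t00:de:ad:be:ef:01\t(Unknown)
192.168.1.1\t00:de:ad:be:ef:02\t(Unknown) (DUP: 2)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.426 seconds (179.52 hosts/sec). 5 responded
"""

# Constructed inventory: MAC -> what that device is supposed to be.
KNOWN_MACS = {
    "00:1a:70:48:fb:19": "gateway",
    "00:c0:9f:11:27:11": "laptop",
    "00:0d:56:53:45:82": "dell-desktop",
}

HOST_LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\t([0-9a-f]{2}(?::[0-9a-f]{2}){5})\t(.*)$", re.I
)


def parse_arp_scan(text):
    """Return (ip, mac, vendor) for every host line; header/footer lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower(), m.group(3).strip()))
    return hosts


def find_unexpected(hosts, known):
    """Hosts whose MAC is not in the inventory (a new or rogue device)."""
    return [(ip, mac, vendor) for ip, mac, vendor in hosts if mac not in known]


def find_duplicate_ips(hosts):
    """IPs that answered from more than one MAC: an address conflict or ARP spoofing."""
    seen = {}
    for ip, mac, _vendor in hosts:
        seen.setdefault(ip, set()).add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def report(text, known):
    hosts = parse_arp_scan(text)
    return {
        "responded": len(hosts),
        "unexpected": find_unexpected(hosts, known),
        "duplicate_ips": find_duplicate_ips(hosts),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_ARP_SCAN, KNOWN_MACS).items():
        print(f"{key}: {value}")
```

Run it against real output with `arp-scan --localnet > scan.txt` and read the file instead of the constructed string; the vendor column is only a hint, since OUIs are trivially forged, which is why the check keys on the full MAC.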

It can also be used in this manner:

Pureh@te ~ # arp-fingerprint -o "--interface=ath0"
11110000000 Linux 2.0, MacOS 10.4, IPSO 3.2.1, Minix 3, Cisco VPN Concentrator 4.7

Since I'm doing some work, I'm posting the outputs as a sort of lesson. Here is how to use amap with nmap.

Pureh@te ~ # nmap -sV -P0 -oM test.nmap

Starting Nmap 4.20 ( ) at 2007-08-01 11:22 GMT
Interesting ports on
Not shown: 1693 filtered ports
20/tcp closed ftp-data
21/tcp closed ftp
23/tcp closed telnet
80/tcp open http Intoto httpd 1.0
MAC Address: 00:1A:70:48:FB:19 (Unknown)

Service detection performed. Please report any incorrect results at .
Nmap finished: 1 IP address (1 host up) scanned in 26.989 seconds
Pureh@te ~ # amap -i test.nmap -o test.amap -m
amap v5.2 ( started at 2007-08-01 11:26:38 - MAPPING mode

Protocol on matches http
Protocol on matches webmin

Unidentified ports: none.

amap v5.2 finished at 2007-08-01 11:26:49

The reason this tool is helpful is that if you're crafty (like me) you will run your services on non-standard ports to avoid easy detection. amap can get around this issue for you.
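To show what amap is actually doing with that nmap file, here is an added example (my own code for this post, not amap's or nmap's): it reads nmap's grepable output (the format `-oM`, the older spelling of `-oG`, writes and `amap -i` reads), pulls out the open ports, and then identifies each port from the reply it gives rather than from its port number, the way amap's trigger/response matching works. The nmap file, the host 192.0.2.10, the banners and the signature table are all constructed for the example; the signatures are not amap's appdefs files.

```python
import re
from dataclasses import dataclass

# Constructed nmap grepable output. Each Ports: entry is
# port/state/protocol/owner/service/rpc_info/version/ ; port 10000 is open but
# nmap could not name the service, which is the case amap is for.
SAMPLE_NMAP_OM = """# Nmap 4.20 scan initiated Wed Aug  1 11:22:00 2007 as: nmap -sV -P0 -oM test.nmap 192.0.2.10
Host: 192.0.2.10 ()\tPorts: 21/closed/tcp//ftp///, 80/open/tcp//http//Intoto httpd 1.0/, 10000/open/tcp//unknown///\tIgnored State: filtered (1693)
# Nmap finished at Wed Aug  1 11:22:27 2007 -- 1 IP address (1 host up) scanned in 26.989 seconds
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    nmap_service: str  # nmap's guess; the banner check below does not trust it


def parse_grepable(text):
    """Return the open ports listed in nmap grepable output."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        m = re.search(r"Ports:\s*(.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service or "unknown"))
    return found


# Constructed response signatures in the spirit of amap's appdefs.resp.
# Matching is done on the reply bytes only, never on the port number.
RESPONSE_SIGNATURES = [
    ("http",   re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("webmin", re.compile(rb"Server: MiniServ", re.I)),
    ("ssh",    re.compile(rb"^SSH-\d\.\d-")),
]


def identify_banner(banner):
    """Every protocol whose signature matches; more than one can (webmin speaks HTTP)."""
    return [name for name, pat in RESPONSE_SIGNATURES if pat.search(banner)]


# Constructed replies standing in for what a connect to each open port returned.
CONSTRUCTED_BANNERS = {
    80:    b"HTTP/1.0 200 OK\r\nServer: Intoto httpd 1.0\r\n\r\n",
    10000: b"HTTP/1.0 200 Document follows\r\nServer: MiniServ/1.300\r\n\r\n",
}


def map_services(nmap_text, banners):
    """Port -> protocols identified from its banner, for each open port nmap listed."""
    return {p.port: identify_banner(banners.get(p.port, b""))
            for p in parse_grepable(nmap_text)}


if __name__ == "__main__":
    for port, protos in map_services(SAMPLE_NMAP_OM, CONSTRUCTED_BANNERS).items():
        print(f"port {port}: {', '.join(protos) or 'unidentified'}")
```

Port 10000 comes out as http plus webmin even though nmap listed it as unknown, which is the same "Protocol on ... matches http / matches webmin" pair you see in the amap output above. The same logic is what lets a defender spot an admin interface someone parked on an odd port.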

Or without the file:

Pureh@te ~ # amap 80
amap v5.2 ( started at 2007-08-01 11:31:11 - MAPPING mode

Protocol on matches http
Protocol on matches webmin

Unidentified ports: none.

amap v5.2 finished at 2007-08-01 11:31:22

amap is also updatable:

Pureh@te ~ # amap -W
Running Online Update for fingerprints, connecting to
No new updates for file /usr/local/etc/appdefs.resp available
No new updates for file /usr/local/etc/appdefs.trig available
No new updates for file /usr/local/etc/appdefs.rpc available
Done with Online Update.

And finally, here is the beginning of a complete port scan with switches. I'm not going to list it all as there are 65535 ports, but you will get the idea.

Pureh@te ~ # amap -1bqv 1-65535
Using trigger file /usr/local/etc/appdefs.trig ... loaded 35 triggers
Using response file /usr/local/etc/appdefs.resp ... loaded 390 responses
Using trigger file /usr/local/etc/appdefs.rpc ... loaded 450 triggers

amap v5.2 ( started at 2007-08-01 11:34:53 - MAPPING mode

Total amount of tasks to perform in plain connect mode: 1834980
ETC.............................. I'm feeling pure nice today

The next tool I'll be featuring is nikto. Here is an example of a nikto scan. I have changed the IP to protect the innocent.

pureh@te nikto # -h -p 21,80,443,8000,8080 -g -e 167
- Nikto 1.36/1.37 -
+ Target IP:
+ Target Hostname:
+ Target Port: 80
+ Using IDS Evasion: Random URI encoding (non-UTF8)
+ Using IDS Evasion: TAB as request spacer
+ Using IDS Evasion: Random case sensitivity
+ Start Time: Wed Aug 1 11:56:39 2007
+ Server: Microsoft-IIS/5.0
- Server did not understand HTTP 1.1, switching to HTTP 1.0
+ Server does not respond with '404' for error messages (uses '400').
+ This may increase false-positives.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Microsoft-IIS/5.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k)
+ %2fmSadc/..%2%355C%2e.%2f%2e.%%325%35c%2e.%2f%2e%2e%%325%35 c%2e./WiNn%74/sY%53t%65%4d32/%63%6d%64%2e%45X%65?/C%2bDi%52%2bc:%5c - May be able to issue arbitrary commands to host. (GET)
+ 2741 items checked - 1 item(s) found on remote host(s)
+ End Time: Wed Aug 1 12:02:10 2007 (331 seconds)
+ 1 host(s) tested

-h = target
-p = ports
-g = force scan (no trust server)
-e = evasion techniques
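The three evasion options nikto reports above (random URI encoding, TAB as request spacer, random case) all work against log review and signature matching that looks at the raw request, and the finding it reports is a double-encoded path. The defender's answer is to canonicalize before matching. Here is an added example (my own code for this post, not nikto's): it percent-decodes a URI until it stops changing, counts how many passes that took, folds case and separators, and then checks the path segments for `..`. The benign and double-encoded sample URIs are constructed; the third is the request line copied from the nikto output above.

```python
from urllib.parse import unquote

MAX_DECODE_PASSES = 5  # bound the loop; a request needing more than this is suspect by itself

# Constructed inputs for the example.
BENIGN_URI = "/index.html"
CONSTRUCTED_DOUBLE_ENCODED = "/scripts/..%%325%35c../winnt/system32/cmd.exe?/c+dir"
# Copied verbatim from the nikto finding in the post above.
PAGE_NIKTO_URI = ("%2fmSadc/..%2%355C%2e.%2f%2e.%%325%35c%2e.%2f%2e%2e%%325%35 c%2e./"
                  "WiNn%74/sY%53t%65%4d32/%63%6d%64%2e%45X%65?/C%2bDi%52%2bc:%5c")


def decode_to_fixpoint(value):
    """Percent-decode repeatedly until nothing changes; return (text, passes used)."""
    passes = 0
    while passes < MAX_DECODE_PASSES:
        decoded = unquote(value)
        if decoded == value:
            break
        value, passes = decoded, passes + 1
    return value, passes


def canonicalize(uri):
    """Fully decoded, query stripped, backslashes unified to '/', lower-cased path."""
    decoded, passes = decode_to_fixpoint(uri)
    path = decoded.split("?", 1)[0]
    path = path.replace("\\", "/").lower().strip()
    return path, passes


def analyze(uri):
    """Flags a log reviewer or rule engine would want on the canonical form."""
    path, passes = canonicalize(uri)
    return {
        "path": path,
        "double_encoded": passes > 1,           # %25 hiding a second layer
        "traversal": ".." in path.split("/"),   # a '..' path segment survived decoding
    }


if __name__ == "__main__":
    for uri in (BENIGN_URI, CONSTRUCTED_DOUBLE_ENCODED, PAGE_NIKTO_URI):
        print(analyze(uri))
```

The point of counting passes is that a legitimate client never double-encodes: one pass is normal, two or more is a signal on its own, independent of whether the decoded path turns out to be dangerous. Matching `..` on segments rather than on the raw string is what defeats the random-case and mixed `%2e`/`.` spellings.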