Nmap UDP scan options

While the TCP scan comes in many variants, the UDP scan has only one type, the UDP scan (-sU). Even though a UDP scan is less reliable than a TCP scan, as a penetration tester you should not skip it, because interesting services may be listening on UDP ports.

The biggest problem with the UDP scan is how to perform it quickly. The Linux kernel limits the sending of ICMP Port Unreachable messages to one message per second. Doing a UDP scan of 65,536 ports on a single machine will therefore take more than 18 hours to complete.

To help mitigate this problem, there are several methods that can be used, as follows:

  • Running the UDP scan in parallel
  • Scanning the most popular ports first
  • Scanning behind the firewall
  • Setting the --host-timeout option to skip slow hosts

These methods can help to decrease the time required for doing UDP port scans.

Let's look at a scenario where we want to find which UDP ports are open on the target machine. To speed up the scanning process, we will only check for ports 53 (DNS) and 161 (SNMP). The following is the command used to do this:

nmap -sU 172.16.43.156 -p 53,161  

The following is the result of this command:

Nmap scan report for 172.16.43.156
Host is up (0.0016s latency).
PORT    STATE  SERVICE
53/udp  open   domain
161/udp closed snmp  
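The following is an added example, not code from the book: two small shell helpers that apply the speed-up methods listed above (scanning the most popular ports first, a host timeout, and parallel host groups for range scans) when assembling an nmap -sU command, and that tally the port states in nmap's output over a constructed sample. The target address and option values are placeholders; the sample output is constructed and includes an open|filtered port, which nmap reports when a UDP probe draws no reply at all and which is the main reason UDP results are less reliable than TCP results.

```shell
#!/bin/sh
# Added example (not from the book). Helpers around nmap's UDP scan.

# Assemble a faster UDP scan command from the mitigations discussed above.
# $1 = target (placeholder), $2 = number of popular ports to scan (default 100),
# $3 = per-host timeout (default 15m). --min-hostgroup only matters when the
# target is a range, since it controls how many hosts are scanned in parallel.
build_udp_scan_cmd() {
  target=$1; top=${2:-100}; timeout=${3:-15m}
  printf 'nmap -sU --top-ports %s --host-timeout %s --min-hostgroup 64 -oG - %s' \
    "$top" "$timeout" "$target"
}

# Count the states of every udp port line in normal nmap output passed as $1.
# open|filtered is counted separately: those ports sent no reply, so nmap
# cannot tell an open service from a firewall dropping the probe.
summarize_udp_ports() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^[0-9]+\/udp$/ { n[$2]++ }
    END {
      printf "open=%d open|filtered=%d closed=%d\n",
             n["open"], n["open|filtered"], n["closed"]
    }'
}

# Constructed sample of nmap -sU output (not a real scan result).
SAMPLE_UDP_OUTPUT='Nmap scan report for 192.0.2.10
Host is up (0.0016s latency).
PORT     STATE         SERVICE
53/udp   open          domain
123/udp  open|filtered ntp
161/udp  closed        snmp'

echo "Suggested command: $(build_udp_scan_cmd 192.0.2.10)"
summarize_udp_ports "$SAMPLE_UDP_OUTPUT"
```

Ports reported as open|filtered need a follow-up, such as a version probe (-sV) against just those ports, before they are treated as open.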