Whereas TCP scanning comes in many variants, there is only one type of UDP scan, the UDP scan (-sU). Even though a UDP scan is less reliable than a TCP scan, as a penetration tester you should not skip it, because interesting services may be listening on UDP ports.
The biggest problem with UDP scanning is speed. The Linux kernel limits the sending of ICMP Port Unreachable messages to one message per second, so a UDP scan of all 65,536 ports on a machine will take more than 18 hours to complete.
To help mitigate this problem, there are several methods that can be used, as follows:
- Running the UDP scan in parallel
- Scanning the most popular ports first
- Scanning behind the firewall
- Setting the --host-timeout option to skip slow hosts
These methods can help to decrease the time required for doing UDP port scans.
Let's look at a scenario where we want to find which UDP ports are open on the target machine. To speed up the scanning process, we will only check for ports 53 (DNS) and 161 (SNMP). The following is the command used to do this:
nmap -sU 172.16.43.156 -p 53,161
The following is the result of this command:
Nmap scan report for 172.16.43.156
Host is up (0.0016s latency).
PORT    STATE  SERVICE
53/udp  open   domain
161/udp closed snmp
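To show where the states in a report like this come from, here is an added Python illustration (not part of the original text) that probes constructed loopback services and classifies each port the way nmap -sU does; the function names, the "ping"/"pong" payloads and the assumption that the kernel delivers ICMP Port Unreachable for loopback are mine.

```python
import socket
import threading


def start_udp_service(reply):
    """Constructed stand-in for a real service: bind a loopback UDP port and
    answer one datagram with `reply`, or stay silent if reply is None."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        _, peer = srv.recvfrom(1024)  # the probe datagram is queued even if it arrives first
        if reply is not None:
            srv.sendto(reply, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_udp_port():
    """A loopback UDP port with nothing bound to it: 'closed' to a scanner."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_udp_port(host, port, payload=b"", timeout=1.0):
    """Classify one UDP port the way nmap -sU does (names and payload assumed).
    A connected UDP socket makes the kernel surface the ICMP Port Unreachable a
    closed port triggers as ECONNREFUSED; any reply means open; silence is the
    ambiguous open|filtered that makes UDP scanning slow and noisy."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
            return "open"
        except socket.timeout:
            return "open|filtered"
        except ConnectionRefusedError:
            return "closed"
    finally:
        s.close()
```

Nmap reports open|filtered for the silent case because a probe dropped by a firewall and a service that ignores an unknown payload look identical from outside, which is why it sends protocol-specific payloads to well-known ports such as 53 and 161 to coax a reply.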