Discovering UDP services

UDP services such as DNS, SNMP and NTP are often overlooked during penetration tests, but experienced testers know that they frequently reveal important information about a host and can themselves be vulnerable and used to compromise it.

This recipe shows how to use Nmap to list all open UDP ports on a host.

How to do it...

Open your terminal and type the following to scan all 65,535 UDP ports (-p-):

# nmap -sU -p- <target>

The output follows Nmap's standard format; the run below used -F (the 100 most common UDP ports) against scanme.nmap.org:

# nmap -sU -F scanme.nmap.org

Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.100s latency).
Not shown: 98 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
123/udp open          ntp

How it works...

The argument -sU tells Nmap to launch a UDP scan against the target host. Nmap sends UDP probes to the selected ports and analyzes the response to determine the port's state. Nmap's UDP scanning technique works in the following way:

  1. A UDP packet is sent to each selected port. Its payload is empty unless the file nmap-payloads defines a protocol-specific payload for that port (for example, a DNS or SNMP request), which makes it more likely that a real service answers.
  2. If the port is closed, the target replies with an ICMP Port Unreachable message (type 3, code 3). Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10 and 13) cause Nmap to mark the port as filtered.
  3. If the port is open and the service answers the probe, UDP data is received and the port is reported as open.
  4. If nothing comes back after Nmap's retransmissions, the port is reported as open|filtered: either the service is open but stays silent on that payload, or a firewall dropped the probe or the ICMP reply, and Nmap cannot tell which.
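The decision logic above, as an added example that is not part of the book or of Nmap itself: a minimal UDP port-state classifier built on plain Python sockets. It infers the three states the way Nmap does (a UDP answer means open; an ICMP Port Unreachable, which the kernel reports on a connected UDP socket as a connection-refused error, means closed; silence after one retransmission means open|filtered) and exercises them against three constructed targets on 127.0.0.1: a throw-away echo service, a port nothing is bound to, and a socket that is bound but never answers. The echo service, the silent listener and the port numbers are assumptions made for the demo; the probe sends an empty payload, as Nmap does when nmap-payloads has nothing for the port, and keeps no payload table of its own.

```python
"""Minimal UDP port-state classifier that mirrors Nmap's -sU decision logic.

Added example for this recipe; it is not code from the book or from Nmap.
States are inferred from plain UDP sockets:
  a UDP datagram comes back                        -> open
  ICMP port unreachable (the kernel reports it on a
  connected UDP socket as a refused/reset error)   -> closed
  nothing after the retransmissions                -> open|filtered
"""
import socket
import threading

OPEN, CLOSED, OPEN_FILTERED = "open", "closed", "open|filtered"


def probe_udp_port(host, port, payload=b"", timeout=1.0, retries=1):
    """Classify host:port like Nmap -sU. The payload is empty by default,
    as Nmap sends when nmap-payloads has nothing for the port (this
    example keeps no payload table)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() makes the kernel deliver ICMP errors for this flow to us
        s.connect((host, port))
        for _ in range(retries + 1):
            try:
                s.send(payload)
                s.recv(1024)          # any UDP reply proves the port is open
                return OPEN
            except (ConnectionRefusedError, ConnectionResetError):
                return CLOSED         # ICMP type 3 code 3 came back
            except socket.timeout:
                continue              # retransmit once, as Nmap does
    # Silent service, or a firewall dropped the probe or the ICMP reply:
    # the two cases look identical from here, hence the combined state.
    return OPEN_FILTERED


def start_echo_service():
    """Constructed demo target: UDP service on 127.0.0.1 that answers every
    datagram, even an empty one. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(1024)
            except socket.timeout:
                continue
            srv.sendto(b"echo:" + data, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def start_silent_listener():
    """Constructed demo target: a bound UDP socket that never replies, like
    a service that ignores an empty probe. Returns (port, socket)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s.getsockname()[1], s


def pick_closed_port():
    """Return a loopback UDP port nothing is bound to (bind and release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe the three constructed targets and return {name: state}."""
    echo_port, stop = start_echo_service()
    silent_port, silent_sock = start_silent_listener()
    closed_port = pick_closed_port()
    try:
        return {
            "echo": probe_udp_port("127.0.0.1", echo_port),
            "closed": probe_udp_port("127.0.0.1", closed_port),
            "silent": probe_udp_port("127.0.0.1", silent_port, timeout=0.3),
        }
    finally:
        stop.set()
        silent_sock.close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:>6}/udp  {state}")
```

The silent listener is the instructive case: it is genuinely open, yet it is indistinguishable from a firewalled port, which is exactly why Nmap reports open|filtered rather than guessing. Against a remote target the same code inherits the limitations of -sU: a closed port only shows as closed if the ICMP error actually reaches you, and the target's ICMP rate limiting (from which Linux exempts loopback, which is why the demo runs at full speed) slows closed-port detection down to roughly one port per second.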

There's more...

UDP scanning is slow because most operating systems rate-limit the ICMP error messages they send (Linux, for example, limits destination unreachable messages to about one per second), so Nmap has to slow down to learn which ports are closed. Firewalled hosts that block ICMP drop the port unreachable messages altogether, which leaves Nmap unable to tell closed ports from filtered ones and triggers retransmissions that make the scan slower still. Keep this in mind if you need an inventory of UDP services on a tight schedule: restrict the port range, and consider adding version detection (-sV), whose protocol-specific probes can turn open|filtered results into confirmed open ports.

Port selection

Because UDP scanning can be very slow, it is recommended that you use the -p flag to limit the ports scanned:

# nmap -p1-500 -sU <target>

The -F (fast) option scans only the 100 most common ports instead of the default 1,000:

# nmap -F -sU <target>

See also

  • The Fingerprinting services of a remote host recipe in Chapter 1, Nmap Fundamentals
  • The Getting information from WHOIS records recipe
  • The Fingerprinting the operating system of a host recipe
  • The Discovering hostnames pointing to the same IP address recipe
  • The Listing protocols supported by a remote host recipe
  • The Matching services with known security vulnerabilities recipe
  • The Spoofing the origin IP of a port scan recipe
  • The Brute forcing DNS records recipe