UDP services are often ignored during penetration tests, but good penetration testers know that they frequently reveal important host information and can even be vulnerable and used to compromise a host.
This recipe shows how to use Nmap to list all open UDP ports on a host.
Open your terminal and type:
# nmap -sU -p- <target>
The output follows Nmap's standard format:
# nmap -sU -F scanme.nmap.org
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.100s latency).
Not shown: 98 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
123/udp open          ntp
The argument -sU tells Nmap to launch a UDP scan against the target host. Nmap sends UDP probes to the selected ports and analyzes the response to determine the port's state. Nmap's UDP scanning technique works in the following way:
1. A UDP packet is sent to each selected port. When the nmap-payloads file defines a protocol-specific payload for that port, the probe carries it so that a listening service is more likely to answer; otherwise the packet is empty.
2. An ICMP port unreachable message in reply marks the port as closed.
3. A UDP reply from the service marks the port as open.
4. No reply at all leaves the port in the open|filtered state, because Nmap cannot tell a silent open service from a firewall that dropped the probe.
UDP scanning is slow because operating systems rate-limit ICMP error messages, capping the number of port unreachable responses they send per second. Also, firewalled hosts that block ICMP will drop port unreachable messages entirely. This makes it difficult for Nmap to differentiate between closed and filtered ports, and causes retransmissions that make this scan technique even slower. It is important that you consider this beforehand if you need to do an inventory of UDP services and are on a tight time schedule.
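When building a UDP service inventory from a run like the one above, the first thing to separate is confirmed-open ports (a service answered) from open|filtered ones (nothing came back), and to notice when a host that drops ICMP has made the whole scan inconclusive. The parser below is an added example written for this recipe, not part of Nmap or the original text; the sample output it works on is constructed to match the report format shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of Nmap's normal output for a UDP scan.
SAMPLE_OUTPUT = """\
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.100s latency).
Not shown: 98 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
123/udp open          ntp
"""

PORT_LINE = re.compile(r"^(\d+)/(udp|tcp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports?")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap_ports(text):
    """Return one PortEntry per 'PORT STATE SERVICE' row in the report."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def udp_inventory(text):
    """Split UDP ports into confirmed open (a UDP reply arrived) and
    open|filtered (no reply: silent service or a firewall dropping probes)."""
    confirmed, ambiguous = [], []
    for e in parse_nmap_ports(text):
        if e.proto == "udp" and e.state == "open":
            confirmed.append(e.port)
        elif e.proto == "udp" and e.state == "open|filtered":
            ambiguous.append(e.port)
    return {"open": confirmed, "open|filtered": ambiguous}


def not_shown(text):
    """Return (count, state) from the 'Not shown:' summary line, or None."""
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            return int(m.group(1)), m.group(2)
    return None


def scan_conclusive(text):
    """False when the unlisted ports are open|filtered rather than closed:
    no ICMP port unreachable messages arrived, so closed ports were never identified."""
    summary = not_shown(text)
    return summary is None or summary[1] == "closed"
```

A report whose summary line reads "Not shown: N open|filtered ports" is the signature of the ICMP-blocking case described above, and scan_conclusive() returns False for it.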