Nmap UDP Scan: Advanced Scanning Techniques

Nmap UDP Scan Featured Image

Are you looking to identify open UDP ports on a network? The Nmap UDP scan might be exactly what you need.

But what is UDP, and how do you use Nmap to scan for these ports? Understanding UDP's role in network communication is key to effective and targeted scanning.

Nmap’s UDP scan option allows you to probe these ports, revealing important information about a host on a network.

This concise guide will explain what UDP is, how to scan it, what types of ports and services you can discover, and any challenges this scan type can present.

If you are ready to learn how to use Nmap to scan UDP, let’s begin.

What Is UDP?

UDP stands for user datagram protocol and is part of the internet protocol suite that also includes TCP (transmission control protocol). It determines how, among other things, data should be transmitted and received. UDP operates at Layer 4 of the OSI model, which is the transport layer.

To understand UDP, let’s compare it with TCP.

TCP vs UDP Communication

Connectionless: Unlike TCP, which uses a three-way handshake to establish a connection, UDP is connectionless. This means that when data is sent via UDP, there's no handshake to establish a connection before data is sent. A UDP sender can send data to a receiver without waiting for a reply.

Speed and Efficiency: Because there's no connection and no requirement to maintain a connection, UDP is faster and more efficient for many uses, especially when speed is important, such as for applications like live video or audio streaming, where losing some data is a better option than waiting.

No Error Correction: UDP does not provide error checking, error correction, or retransmission if a packet is lost. It simply sends data to the recipient. Therefore, the application must handle any error detection and correction using UDP.

Usage in Applications: UDP is widely used in applications where occasional packet loss is acceptable, but speed and real-time access are crucial. Examples include online games, video and voice communications (like VoIP), and DNS lookups.

Nmap Command Generator

Say goodbye to the hassle of trying to remember the exact syntax for your Nmap commands! With our Nmap Command Generator, you can simply say what you need Nmap to do, and we will generate the command for you.

Nmap and UDP Scanning

Before we begin scanning UDP ports, let’s quickly discuss what Nmap does when it scans UDP.

  • Nmap sends a UDP packet to each port in the specified range. For many ports, Nmap sends a simple, empty packet.
  • For some well-known ports, it sends protocol-specific payloads to try and get a  response.
  • Remember, UDP is connectionless and often does not respond when the port is open; many packets Nmap sends won’t elicit a response. This is normal for UDP scanning.

To begin an Nmap UDP scan, the easiest way we can do this is with the -sU flag without any other options. This will scan the top 1000 UDP ports.

Nmap will need sudo privileges to run a UDP scan to send custom packets.

We can use the following command.

sudo nmap -sU <target>

The scan may take a while; in our case, it took over 46 minutes to complete the scan on our target. Due to how Nmap scans these ports, it can lead to timeouts and multiple retransmissions to accurately determine the status of each port.

Nmap UDP Scan

When Nmap returns its results, it will tell you what state it thinks the ports are in. This could be one of four states.

ClosedIf an ICMP port unreachable error is received, the port is marked as closed.
OpenThe port is assumed open if a UDP packet is received in the response.
FilteredOther ICMP unreachable errors suggest the port is filtered, likely by a firewall.
Open or FilteredIf there is no response at all, the port is classified as open|filtered, meaning it could be open or it could be filtered by a firewall.

Our results confirmed that one port running the NTP (network time protocol) service could be open. The other 999 ports are in the open|filtered state.

We can add some flags to our command to speed up an Nmap UDP scan. A good way to accomplish this is to scan the top 100 ports.

We can use the following command:

sudo nmap -sU -T4 -F <target>

-T4: This sets the timing template to "4", which is a more aggressive scan speed. Nmap offers timing templates from "0" (paranoid) to "5" (insane). "-T4" is a faster scan that balances speed and reliability, but it could potentially miss some information and might be detected by intrusion detection systems.

-F: This option tells Nmap to perform a "fast" scan. It limits the scan to fewer ports than the default scan, specifically the most common 100 ports. This significantly reduces scan time.

Nmap Fast UDP Scan

We found the same port as our last scan, but this time, it only took us 53 seconds instead of 46 minutes.

What Can You Discover Scanning UDP?

What types of UDP ports can you find when scanning? Below are some common examples.

Port 53 - Domain Name System (DNS): Used for domain name resolution. DNS servers listen on this port for requests from clients wanting to resolve a domain name to an IP address.

Port 67 and 68 - Dynamic Host Configuration Protocol (DHCP): Ports 67 and 68 are used for DHCP. Port 67 is used by DHCP servers to receive requests from clients (which use port 68). DHCP is used to assign IP addresses automatically.

Port 88 - Kerberos Authentication Protocol: Used in Windows environments for secure network authentication.

Port 123 - Network Time Protocol (NTP): Used for clock synchronization between

Systems.

Port 137 - NetBIOS Name Service: Used for NetBIOS name resolution in Windows networks, important for older versions of SMB protocol.

Port 161 - Simple Network Management Protocol (SNMP): Used for network management, such as monitoring and managing network devices.

Port 514 - Syslog: Used for system logging.

In addition to these ports, let's examine other popular services that employ UDP, which is integral to many applications we use every day.

Voice over Internet Protocol (VoIP)

UDP is mostly used in VoIP because it has low delay. In voice conversations, getting audio packets to the right place at the right time is crucial for keeping the conversation flowing naturally. Voice data can be sent faster over UDP than TCP because it has less protocol overhead. This improves call quality.

Online Gaming

In online games, UDP is preferred because it lets people talk to each other quickly and in real time. When playing games, the speed at which info is sent is important for how quickly players can react and how well the game runs. UDP makes it possible for packets to be sent quickly, which is important for keeping online games in real-time.

Live Streaming:

UDP is often used for live streaming to cut down on broadcasting latency. The technique works great when getting data quickly is more important than getting it completely intact. For live streaming, like Twitch or Zoom, UDP's ability to send video and audio streams with little delay is very important for keeping the "live" experience.

OpenVPN

UDP is often preferred for OpenVPN connections because it handles VPN data well. UDP can send data without acknowledgment packets. This speeds up VPN connections.

Challenges With UDP Scanning

There are many challenges with UDP scanning; let’s take a look at three of these below.

Speed

Most of the time, UDP scans take longer than TCP scans. This is because UDP doesn't recognize received packets. When Nmap sends a UDP packet to a port, it needs to wait for a response to find out what the state of the port is. If there is no response, the wait time can get longer.

When scanning for UDP ports, there might not be a response unless the service for that port sees the payload and reacts. Nmap waits a certain amount of time before choosing what to do next, making the scanning process take longer.

Ambiguities

While port states are more clearly defined in TCP scanning, the lack of reaction in UDP scanning can produce ambiguous results. Nmap can't say for sure if a port is open or blocked by a firewall if it doesn't get an answer to a probe.

False Positives/Negatives

False Positives: Intrusion detection systems (IDS) or firewalls may occasionally reply to UDP scans with misleading or no information, causing Nmap to report a port as open mistakenly.

False Negatives: A firewall may sometimes silently drop incoming packets, leading Nmap to incorrectly classify an open port as filtered or closed due to the lack of response.

Conclusion

As you can see, scanning UDP ports with Nmap can effectively identify potential services running on a host.

This scan can be slow and can have some challenges, but at the end of the day, these UDP ports should not be ignored as they can be points of vulnerabilities and are often used by important services.

Are you looking to take your career to the next level? Join our Accelerator program today and get access to courses, career roadmaps, focus and mastermind groups, and more.

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Richard Dezso

    Richard is a cyber security enthusiast, eJPT, and ICCA who loves discovering new topics and never stops learning. In his home lab, he's always working on sharpening his offensive cyber security skills. He shares helpful advice through easy-to-understand blog posts that offer practical support for everyone. Additionally, Richard is dedicated to raising awareness for mental health. You can find Richard on LinkedIn, or to see his other projects, visit his Linktree.

>