Nmap scan specific udp port

Chưa phân loại
This tutorial starts by showing how to carry out UDP scans and identify vulnerable candidates to execute RDDOS (Reflective Denial of Service) attacks.  This tutorial is optimized for readers looking for a fast implementation. For a little theoretical information on the UDP protocol check the end of the article, you can also read Nmap Flags And What They Do before continuing.

RDDOS attack takes advantage of the lack of reliability of the UDP protocol which does not establish a connection previously to the packet transference. Therefore forging a source IP address is pretty easy, this attack consists of forging the victim’s IP address when sending packets to vulnerable UDP services exploiting their bandwidth by prompting them to reply to the victim’s IP address, that’s RDDOS.

Some of the vulnerable services may include:

  • CLDAP (Connection-less Lightweight Directory Access Protocol)
  • NetBIOS
  • Character Generator Protocol (CharGEN)
  • SSDP(Simple Service Discovery Protocol)
  • TFTP (Trivial File Transfer Protocol)
  • DNS (Domain Name System)
  • NTP (Network Time Protocol)
  • SNMPv2 (Simple Network Management Protocol version 2)
  • RPC (Portmap/Remote Procedure Call )
  • QOTD (Quote of the Day)
  • mDNS (Multicast Domain Name System ),
  • Steam Protocol
  • Routing Information Protocol version 1 (RIPv1),
  • Lightweight Directory Access Protocol (LDAP)
  • Memcached,
  • Web Services Dynamic Discovery (WS-Discovery).

Nmap Scan Specific UDP port

By default Nmap omits UDP scan, it can be enabled by adding the Nmap flag -sU. As listed above by ignoring UDP ports known vulnerabilities may remain ignored to the user. Nmap outputs for UDP scan may be open, open|filtered, closed and filtered.

open: UDP response.
no response.
ICMP port unreachable error code 3.
Other ICMP unreachable errors (type 3, code 1, 2, 9, 10 or 13)

The following example shows a simple UDP scan without additional flag other than the UDP specification and verbosity to see the process:

# nmap -sU -v linuxhint.com

The UDP scan above resulted in open|filtered and open results. The meaning of open|filtered is Nmap can’t distinguish between open and filtered ports because like filtered ports, open ports are unlikely to send responses. Contrary to the open|filtered, the open result means the specified port sent a response.

To use Nmap to scan a specific port use the -p<port> flag to define the port followed by the -sU flag to enable UDP scan before specifying the target, to scan LinuxHint for the 123 UDP NTP port run:

# nmap -p 123 -sU  linuxhint.com

The following example is an aggressive scan against https://gigopen.com

# nmap -sU -T4 gigopen.com

Note: for additional information on the scan intensity with the flag -T4 check https://books.google.com.ar/books?id=iOAQBgAAQBAJ&pg=PA106&lpg=PA106&d.

UDP scans make the scanning task extremely slow, there are some flags which can help to improve the scan speed. The -F (Fast), –version-intensity flags are an example.

The following example shows a scan speed increase by adding these flags when scanning LinuxHint.

Speeding up a UDP scan with Nmap:

# nmap -sUV -T4 -F –version-intensity 0 linuxhint.com

As you see the scan was one in 96.19 seconds against 1091.37 in the first simple sample.

You can also speed up by limiting retries and skipping host discovery and host resolution as in the next example:

# nmap -sU -pU:123 -Pn -n –max-retries=0 mail.mercedes.gob.ar

Scanning for RDDOS or  Reflective Denial Of Service candidates:

The following command includes the NSE (Nmap Scripting Engine) scripts ntp-monlist, dns-recursion and snmp-sysdescr to check for targets vulnerable to Reflective Denial of Service Attacks candidates to exploit their bandwidth. In the following example the scan is launched against a single specific target (linuxhint.com):

# nmap -sU -A -PN -n -pU:19,53,123,161 -script=ntp-monlist,
dns-recursion,snmp-sysdescr linuxhint.com

The following example scans 50 hosts ranging from to, 50 hosts from the last octet, defining the range with an hyphen:

# nmap -sU -A -PN -n -pU:19,53,123,161 -script=ntp-monlist,dns-recursion,

And the output of a system we can use for a reflective attack seems like:

Brief Intro to the UDP Protocol

The UDP (User Datagram Protocol) protocol is part of the Internet Protocol Suite, it is faster but unreliable when compared against TCP (Transmission Control Protocol).

Why is the UDP Protocol faster than TCP?

The TCP protocol establishes a connection to send packets, the connection establishment process is called handshake. It was clearly explained at Nmap Stealth Scan:

“Usually when two devices connect, connections are established through a process called three way handshake which consists of 3 initial interactions:  first of a connection request by the client or device requesting the connection, second by a confirmation by the device to which the connection is requested and in third place a final confirmation from the device which requested the connection, something like:

-“hey, can you hear me?, can we meet?” (SYN packet requesting synchronization)

-”Hi!, I see you!, we can meet” (Where “I see you” is an ACK packet, “we can meet” a SYN packet)

-”Great!” (ACK packet)”

Source: https://linuxhint.com/nmap_stealth_scan/

Contrary to this the UDP protocol sends the packets without previous communication with the destination, making the packets transference faster since they don’t need to wait to be sent. It is a minimalist protocol without retransmission delays for resending missing data, the protocol by choice when high speed is needed, such as VoIP, streaming, gaming, etc. This protocol lacks reliability and it is only used when packet loss isn’t fatal.

The UDP header contains information on source port, destination port, checksum and size.

I hope you found this tutorial on Nmap to scan UDP ports useful. Keep following LinuxHint for more tips and updates on Linux and networking.

ONET IDC thành lập vào năm 2012, là công ty chuyên nghiệp tại Việt Nam trong lĩnh vực cung cấp dịch vụ Hosting, VPS, máy chủ vật lý, dịch vụ Firewall Anti DDoS, SSL… Với 10 năm xây dựng và phát triển, ứng dụng nhiều công nghệ hiện đại, ONET IDC đã giúp hàng ngàn khách hàng tin tưởng lựa chọn, mang lại sự ổn định tuyệt đối cho website của khách hàng để thúc đẩy việc kinh doanh đạt được hiệu quả và thành công.
Bài viết liên quan

Find Length of String in Bash

The total number of characters of any string data indicates the length of the string. When we work with string data then...

Docker Compose Tutorial

Docker’s popularity as a development tool is on the rise. Docker has breathed new life into the container movement. Developers...

Understanding Red Hat Linux Price and Pricing

Despite being around for two decades and being one of the most popular Linux server distributions, the pricing of Red Hat...
Bài Viết

Bài Viết Mới Cập Nhật

Lý do tại sao bạn nên sử dụng proxy khi truy cập web đen

Các lỗi thường gặp khi sử dụng proxy và cách khắc phục chúng.

Tác động của việc sử dụng proxy đến tốc độ kết nối internet của bạn.

Các tiện ích và công cụ để quản lý proxy.

Các cách để kiểm tra tốc độ và độ ổn định của proxy.