1
00:00:00,180 --> 00:00:09,180
UDP scan is activated with the -sU option. UDP scan works by sending a UDP packet to every

2
00:00:09,180 --> 00:00:18,630
targeted port. For some common ports, such as 53 and 161, a protocol-specific payload is sent to increase the response

3
00:00:18,630 --> 00:00:19,770
rate,

4
00:00:19,920 --> 00:00:27,460
but for most ports the packet is empty. Well, there are some options to force Nmap to send non-empty packets,

5
00:00:27,460 --> 00:00:35,090
such as the --data parameter. Because UDP scanning is generally slower and more difficult than TCP,

6
00:00:35,360 --> 00:00:37,850
some security auditors ignore these ports.

7
00:00:38,030 --> 00:00:44,960
I think this is a mistake, as exploitable UDP services are quite common and attackers certainly don't

8
00:00:44,960 --> 00:00:46,780
ignore the whole protocol.

9
00:00:47,900 --> 00:00:53,940
So, in general, destination systems do not respond when they receive a UDP packet.

10
00:00:54,020 --> 00:01:00,080
So, Nmap doesn't recognise whether the port is open or filtered when there is no response from the target system.

11
00:01:01,130 --> 00:01:09,170
In this case, the port is flagged as "open or filtered". To force the systems to respond to our packets,

12
00:01:09,310 --> 00:01:13,480
you had better use UDP scan with the version detection option.

13
00:01:13,720 --> 00:01:15,990
You'll have much more accurate results.

14
00:01:18,080 --> 00:01:25,690
Let's perform an Nmap UDP scan in our virtual network. Go to Kali and open a terminal screen.

15
00:01:25,730 --> 00:01:28,370
I want to scan my Metasploitable system.

16
00:01:28,570 --> 00:01:36,490
Let's create the UDP scan command: nmap is the command itself, -n is to avoid DNS resolution.

17
00:01:36,720 --> 00:01:42,190
I'd like to see the IP addresses. -Pn is to avoid the host discovery.

18
00:01:42,190 --> 00:01:47,710
We have seen these before. -sU is to do a UDP scan.

19
00:01:47,720 --> 00:01:53,790
Now here's the target IP address: 172.16.99.206.

20
00:01:54,020 --> 00:02:00,730
Let's keep it fast, scan for the top 10 ports only. I use the --top-ports parameter for this purpose.

21
00:02:00,820 --> 00:02:08,270
Now, as I said a minute ago, UDP scan should run with version detection. Use the -sV parameter

22
00:02:08,270 --> 00:02:10,780
to use version detection.

23
00:02:10,889 --> 00:02:19,230
I'd like to add one more parameter here, which is --reason. The --reason parameter is used to show the reason

24
00:02:19,230 --> 00:02:24,220
why the state of the port is set as open, closed, or filtered.

25
00:02:24,260 --> 00:02:27,160
Now hit Enter. See what I mean.

26
00:02:27,280 --> 00:02:34,720
UDP is much slower than SYN scan or TCP scan, because the destination system does not respond most

27
00:02:34,720 --> 00:02:35,260
of the time.

28
00:02:35,320 --> 00:02:39,620
Nmap has to wait more to decide the states.

29
00:02:39,810 --> 00:02:46,110
Moreover, we used version detection, which sends more packets to understand the service and the version.

30
00:02:47,260 --> 00:02:50,490
So, this scan takes much longer than the SYN or TCP scans.

31
00:03:00,890 --> 00:03:05,660
One IP address and 10 ports scanned in about 100 seconds!

32
00:03:05,660 --> 00:03:12,370
Wake up if you took a nap! Here are the states of the top 10 UDP ports of Metasploitable.

33
00:03:12,370 --> 00:03:19,130
Ports 53 and 137 are flagged as open because they returned UDP responses. And you see the version of the

34
00:03:19,150 --> 00:03:28,450
services listening on those ports. Port 138 is flagged as open|filtered, because there is no response.

35
00:03:28,450 --> 00:03:34,130
And the other ports are flagged as closed because they returned an ICMP port unreachable error.

36
00:03:34,570 --> 00:03:37,910
Let's see how Nmap interprets the results of a UDP scan.

37
00:03:39,420 --> 00:03:45,190
Occasionally, a service will respond with a UDP packet, proving that it is open.

38
00:03:45,310 --> 00:03:51,910
If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed.

39
00:03:52,740 --> 00:03:54,740
Other ICMP unreachable errors

40
00:03:54,840 --> 00:04:01,330
(type 3, codes 0, 1, 2, 9, 10, or 13) mark

41
00:04:01,350 --> 00:04:09,060
the port as filtered. If no response is received after retransmissions, the port is classified as open

42
00:04:09,330 --> 00:04:10,350
or filtered.