How can a UDP port scan be used?

A UDP port scan is a technique used to detect network hosts and services on those hosts, listening for datagrams from other hosts at specific ports. For example, if host A sent a datagram to host B destined for port 23 (the Telnet port) and there was no service listening on that port on host B, the receiving host would return an ICMP destination unreachable message. Thus, by varying the destination ports in successive packets sent to one host, it is possible to build up quite detailed information about what services are available or not available on individual hosts.
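Seen from the defender's side, the pattern described above leaves a clear trace: one source sends datagrams to many different UDP ports on one host, and that host answers the closed ports with ICMP port-unreachable messages. The sketch below is an added example, not part of the original article. It flags that pattern in flow records; the log format, the `detect_udp_scans` name, the thresholds and the sample records are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical flow-log format (documentation IPs).
SAMPLE_LOG = """\
2024-05-01T10:00:00 UDP 198.51.100.7:40001 > 192.0.2.10:23
2024-05-01T10:00:00 ICMP 192.0.2.10 > 198.51.100.7 type=3 code=3
2024-05-01T10:00:01 UDP 198.51.100.7:40001 > 192.0.2.10:53
2024-05-01T10:00:01 UDP 203.0.113.5:53122 > 192.0.2.10:53
2024-05-01T10:00:02 UDP 198.51.100.7:40001 > 192.0.2.10:69
2024-05-01T10:00:02 ICMP 192.0.2.10 > 198.51.100.7 type=3 code=3
2024-05-01T10:00:03 UDP 198.51.100.7:40001 > 192.0.2.10:123
2024-05-01T10:00:04 UDP 198.51.100.7:40001 > 192.0.2.10:161
2024-05-01T10:00:05 UDP 198.51.100.7:40001 > 192.0.2.10:2049
2024-05-01T10:00:05 ICMP 192.0.2.10 > 198.51.100.7 type=3 code=3
"""

UDP_RE = re.compile(r"^(\S+) UDP ([\d.]+):\d+ > ([\d.]+):(\d+)$")
# ICMP type 3 code 3 = destination unreachable / port unreachable (closed UDP port).
ICMP_RE = re.compile(r"^(\S+) ICMP ([\d.]+) > ([\d.]+) type=3 code=3$")


def detect_udp_scans(log, min_ports=5, window=timedelta(seconds=60)):
    """Return {(source, target): (distinct_ports, port_unreachable_replies)}."""
    probes = defaultdict(list)       # (source, target) -> [(time, dst_port)]
    unreachable = defaultdict(list)  # (source, target) -> [time of ICMP 3/3 reply]
    for line in log.splitlines():
        if m := UDP_RE.match(line):
            ts, src, dst, port = m.groups()
            probes[(src, dst)].append((datetime.fromisoformat(ts), int(port)))
        elif m := ICMP_RE.match(line):
            ts, replier, prober = m.groups()
            unreachable[(prober, replier)].append(datetime.fromisoformat(ts))
    findings = {}
    for pair, events in probes.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > findings.get(pair, (0, 0))[0]:
                lo, hi = events[start][0], events[end][0]
                replies = sum(lo <= t <= hi for t in unreachable.get(pair, []))
                findings[pair] = (len(ports), replies)
    return findings
```

On the sample records, only 198.51.100.7 is reported (six distinct ports, three port-unreachable replies); the client at 203.0.113.5 that talks only to port 53 is not.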


UDP port scan:

UDP is used rather than TCP in this process because UDP is connectionless, whereas TCP requires a three-way handshake with its attendant overhead of approximately 40 bytes per packet. Here are the different ways a UDP port scan can be used:

  1. Detecting open ports on target: The most common use for UDP port scans is to determine what services (application protocol names) are running on a server. Because UDP doesn’t make much effort to confirm whether the destination host is reachable, this technique can yield incorrect results if devices between you and the target do not correctly handle (or log) UDP traffic. Firewalls or NATs may also block UDP traffic for this reason when configured differently than your systems.
  2. Discovering firewall rules: If permitted by the target’s firewall configuration, a UDP scan may also be used to learn what types of packets are allowed through. This can be useful for learning whether the firewall would block certain activities, such as an attempted TCP connection.
  3. Discovering NAT type: If permitted by the target’s NAT rules (if any), a UDP port scan may be used to determine how the NAT maps ports and protocols, and thus may indicate whether attempting to connect might work. However, this is not necessarily accurate due to the wide variety of behavior observed in existing NATs.
  4. Enumerating hostnames via UDP reverse DNS lookup: By default, some scanning programs (such as Nmap) attempt to perform a DNS reverse lookup of the IP address being scanned and list any found hostnames in the target specification.
  5. Detecting firewall rules on target: A UDP scan will usually show no ports as open if a firewall blocks all traffic to those ports from the scanning machine, since the reply packets never reach that machine. This can provide a hint that some filtering may be interfering with communication. However, it cannot determine whether the port is really open or merely unattended by anyone who cares about incoming network traffic at this particular moment.
  6. Discovering NAT type on target: If allowed by the NAT configuration, a UDP port scan can infer which types of packets are allowed through the NAT device, since different NAT rules cause packets to be mapped in different ways.
  7. Discovering UDP servers behind a firewall: A UDP scan may also be useful for discovering if one or more servers are up, even when you can’t connect to them directly or through the firewall. Many protocols will respond with an ICMP error message (“destination port unreachable”) when connecting to closed UDP ports, while some will not, which allows for learning their presence. Common examples include SNMP (port 161), NFS (2049), and NetBIOS (137-139).
  8. Enumerating networks behind target via traceroute: If you can send ICMP “time exceeded” messages, typically allowed outbound by most firewalls, and there are no intervening NATs, UDP scans can be used to perform a traceroute-like function. This will determine the route to the target host and discover how many hops it takes along this path.
  9. Enumerating networks behind target via ICMP echo request packets: If allowed by the target’s firewall rules (which may require establishing some outbound connections first), an inbound probe can be sent using ICMP “echo” request packets. Doing so may yield important information about the network beyond just what hosts are active at this time, since firewalls could otherwise conceal such details from you.
  10. Tracing back routes of TCP connections: When packet filtering is not an issue and proxies don’t exist, UDP scans (and leaks) can be useful for mapping out the route packets take to their destination. While not all devices involved in transmitting traffic reveal this information, it is common for NATs and firewalls to do so. This could help you determine how best to attack this network by targeting other systems than those you initially discovered.


The UDP port scan is an effective way to find out if a device has any open ports. It involves sending UDP packets, which are unordered and unreliable, to potential targets on the network or internet. If it finds any available sockets, you will know that there may be some vulnerabilities in the target’s system. This technique can also help identify what type of operating system the target is running and its IP address.

