This is the eighth post detailing my notes on Nmap Network Scanning.
UDP scan is activated with -sU and works by sending empty UDP headers:
:~# nmap -sU scanme.nmap.org
Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-30 12:55 BST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.22s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
123/udp open ntp
1701/udp open|filtered L2TP
Nmap done: 1 IP address (1 host up) scanned in 1035.51 seconds
As you can see, this scan took a long time to complete, far longer than the TCP scan.
An interesting feature is that the “open|filtered” state is reported when there is no response to the probe, because a silent open service cannot be told apart from a firewall dropping the probe; in contrast, a TCP SYN scan reports “filtered” in the same circumstances.
To improve UDP scan results it is advisable to enable version detection with -sV (or -A), which sends protocol-specific payloads that a service is far more likely to answer than an empty datagram.
~# nmap -sUV scanme.nmap.org
Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-30 13:52 BST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
123/udp open ntp NTP v4
1701/udp open|filtered L2TP
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1209.27 seconds
In this instance the port states were exactly the same as in the non-version scan; the only addition is the NTP v4 version string on port 123.
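To show why the UDP scan above is slow and why silence becomes “open|filtered” while a protocol-aware payload (the kind -sV sends) can turn it into “open”, here is an added example that reproduces nmap's per-port state inference with a single UDP socket. It is my own illustration, not Nmap's code; the 127.0.0.1 listener and the ICMP-to-ConnectionRefusedError behaviour (Linux) are assumptions.

```python
import socket
import threading

# The UDP port states nmap -sU reports (see the scan output above).
OPEN, CLOSED, OPEN_FILTERED, FILTERED = "open", "closed", "open|filtered", "filtered"

def probe_udp(host, port, payload=b"", timeout=2.0):
    """One UDP datagram, classified the way nmap -sU does: reply -> open;
    ICMP port unreachable -> closed (Linux raises ConnectionRefusedError on a
    connected UDP socket); silence -> open|filtered, since a silent service and
    a firewall drop look identical, and each such port costs a full timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connect() so ICMP errors are reported to us
        try:
            s.send(payload)  # nmap's default probe is an empty datagram
            s.recv(1024)
            return OPEN
        except ConnectionRefusedError:
            return CLOSED
        except socket.timeout:
            return OPEN_FILTERED
        except OSError:  # other ICMP unreachable codes
            return FILTERED

def start_listener(reply_to_empty):
    """Constructed stand-in service on 127.0.0.1 so probe_udp can run offline.
    It answers one datagram but ignores an empty one unless reply_to_empty is
    set, like a service that only answers a well-formed request (which is why
    the payloads of -sV / -A can turn open|filtered into open)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def serve():
        try:
            data, peer = srv.recvfrom(1024)
            if data or reply_to_empty:
                srv.sendto(b"reply", peer)
        except socket.timeout:
            pass
        finally:
            srv.close()  # once closed, the same port probes as closed

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread
```

Run probe_udp against a real host only where you are authorised to scan; against the local listener it needs no network at all.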