Perform UDP Port Scanning with Nmap


Introduction

In this lab, you will learn how to use Nmap for UDP (User Datagram Protocol) port scanning, a vital skill for network security professionals. UDP, a connectionless protocol, doesn't establish a dedicated end-to-end connection before data transfer. This makes it faster but less reliable than TCP.

Network scanning is crucial in cybersecurity, enabling professionals to identify open ports, running services, and potential vulnerabilities. Nmap, a powerful open-source tool for network discovery and security auditing, is widely used by system administrators and cybersecurity experts. By the end of this lab, you'll master setting up a UDP server, performing basic UDP port scanning with Nmap, and interpreting scan results, which are essential for network exploration and security assessment.



Setting Up a UDP Server

In this step, you're going to set up a UDP server. This server will act as a target for your Nmap scans. By doing this, you'll gain a better understanding of how UDP services operate and how scanning tools can detect them.

Understanding UDP Protocol

Before we start setting up the server, let's take a moment to understand what UDP (User Datagram Protocol) is. UDP is an important part of the Internet Protocol (IP) suite.

  • UDP is a connectionless protocol. This means that, unlike TCP, it doesn't establish a connection before sending data. When using TCP, a connection is first set up between the sender and the receiver, but UDP skips this step.
  • UDP is faster than TCP. Since it doesn't have to go through the process of establishing a connection, data can be sent more quickly. However, this speed comes at a cost. UDP is less reliable than TCP because there's no guarantee that the data will be delivered, that it will arrive in the correct order, or that there won't be duplicate data.
  • UDP is commonly used in applications where speed is more important than reliability. For example, streaming media like videos and music, online games, and DNS lookups all rely on UDP. In these cases, a small delay in data delivery can be more noticeable and disruptive than a small amount of data loss.

Setting Up the UDP Server

To set up a UDP server, we'll use a tool called netcat, which is often abbreviated as nc. netcat is a very useful networking utility that allows you to read from and write to network connections using either TCP or UDP.

  1. First, open a terminal window. Once the terminal is open, you need to navigate to the project directory. This is where all the relevant files and configurations for this lab are located. You can do this by running the following command in the terminal:
cd /home/labex/project
  2. Now, it's time to start the UDP server. We want the server to listen on port 9999. You can start the server with the following command:
nc -u -l -p 9999 -k

Let's break down what each option in this command means:

  • -u: This option tells netcat to use UDP instead of the default TCP. Since we're setting up a UDP server, we need to specify this.
  • -l: This puts netcat in listen mode. In listen mode, netcat acts as a server, waiting for incoming connections.
  • -p 9999: This option specifies the port number that the server will listen on. In this case, we've chosen port 9999.
  • -k: This option tells the server to keep running even after a client disconnects. This is useful because it allows the server to accept new connections without having to restart it every time a client leaves.

After you run this command, your terminal might seem to freeze or hang. This is normal behavior. It means that netcat is now actively listening for incoming UDP connections on port 9999.

Keep this terminal window open because we'll need it for the next step. To continue with the lab, you'll need to open a new terminal window.

Performing a Basic Nmap UDP Scan

In this step, we're going to use Nmap to scan the UDP server you set up in the previous step. This process is crucial as it will help you understand how Nmap identifies open UDP ports and the services running on them. By the end of this step, you'll have a better grasp of how to use Nmap for UDP scanning, which is an essential skill in the field of cybersecurity.

Understanding Nmap UDP Scanning

Nmap, short for Network Mapper, is a well-known free and open-source tool used for network discovery and security auditing. When it comes to scanning UDP ports, Nmap operates differently compared to TCP port scanning.

UDP, or User Datagram Protocol, is a connectionless protocol. Unlike TCP, which establishes a connection before data transfer, UDP simply sends data without setting up a connection first. This means that traditional connection-based scanning methods used for TCP ports won't work for UDP.

When Nmap scans UDP ports, it sends empty UDP packets to the target port and then waits for a response. If the port is closed, the target system usually sends back an ICMP "port unreachable" message. However, if the port is open, things get a bit more complicated. There might be no response at all, which makes it hard to tell if the port is truly open. Or, if the UDP service running on the port recognizes the packet format, it might send a response.

It's important to note that UDP scanning is generally slower and less reliable than TCP scanning. This is because UDP doesn't have the built-in mechanisms for error checking and retransmission like TCP does.
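
The probe-and-classify logic described above, as an added Python example (not part of the original lab and not Nmap's own code). It assumes a Linux host and uses only loopback; the names probe_udp, start_listener and demo are made up for illustration.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"  # assumption: the probe is fixed to the local lab host

def probe_udp(port, timeout=1.0):
    """Send one empty datagram to LOOPBACK:port and classify the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on a UDP socket sends nothing; it only lets the kernel
        # report an ICMP "port unreachable" to us as ConnectionRefusedError.
        s.connect((LOOPBACK, port))
        try:
            s.send(b"")
            s.recv(1024)
            return "open"             # the service answered the probe
        except ConnectionRefusedError:
            return "closed"           # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"    # silence: open, or dropped by a filter

def start_listener(reply):
    """Constructed target: a UDP socket on a free port, silent or answering."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((LOOPBACK, 0))
    if reply:
        def serve():
            _, peer = srv.recvfrom(1024)
            srv.sendto(b"pong", peer)
        threading.Thread(target=serve, daemon=True).start()
    return srv

def demo():
    silent = start_listener(reply=False)   # accepts datagrams, never answers
    talker = start_listener(reply=True)    # answers the first datagram
    unused = start_listener(reply=False)
    closed_port = unused.getsockname()[1]
    unused.close()                         # nothing listens here any more
    results = {
        "silent": probe_udp(silent.getsockname()[1]),
        "replying": probe_udp(talker.getsockname()[1]),
        "closed": probe_udp(closed_port),
    }
    silent.close()
    talker.close()
    return results

if __name__ == "__main__":
    print(demo())
```

The silent listener corresponds to the netcat server in this lab: it accepts the datagram but never answers, so the probe cannot tell it apart from a port whose traffic is being dropped.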

Performing the UDP Scan

  1. First, open a new terminal window. Make sure to keep the previous terminal with the UDP server running. This is important because we'll be scanning the UDP server that's currently active in that terminal.

  2. Next, we need to navigate to the project directory. In the new terminal, run the following command:

cd /home/labex/project

This command changes the current working directory to the project directory where all our relevant files and configurations are located.

  3. Now, it's time to run the Nmap UDP scan. We'll be scanning the localhost (127.0.0.1) targeting port 9999. Run the following command:
sudo nmap -sU -p 9999 127.0.0.1 > /home/labex/project/udp_scan_results.txt

Let's break down this command to understand what each part does:

  • sudo: This is used to run the command with elevated privileges. UDP scanning requires these elevated privileges because it involves sending packets at a low-level network layer.
  • nmap: This is the scanning tool we're using. It's the core of our operation for network discovery and security auditing.
  • -sU: This option tells Nmap to perform a UDP scan.
  • -p 9999: This option specifies that we only want to scan port 9999.
  • 127.0.0.1: This is the target IP address. In this case, it's the localhost, which means we're scanning our own machine.
  • > /home/labex/project/udp_scan_results.txt: This part redirects the output of the Nmap scan to a file named udp_scan_results.txt in the project directory. This way, we can review the results later.
  4. After the scan is complete, we can view the results. Run the following command:
cat /home/labex/project/udp_scan_results.txt

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-15 12:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000054s latency).

PORT     STATE         SERVICE
9999/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

Understanding the Results

Let's take a closer look at the scan results and understand what they mean.

The open|filtered state indicates that Nmap did not receive an ICMP "port unreachable" message. There are a few possible explanations for this:

  • The port is open, and the UDP service is running as expected.
  • The port might be filtered by a firewall. A firewall could be blocking the ICMP "port unreachable" messages or the UDP traffic itself.
  • The target system might not be sending ICMP "port unreachable" messages for some reason.

In our case, since we set up the UDP server ourselves, we know that the port is open. The unknown service label means that Nmap couldn't determine what service is running on that port based on its service fingerprinting.

As mentioned earlier, UDP scanning is less conclusive than TCP scanning. That's why Nmap often shows the open|filtered state for UDP ports, making it a bit more challenging to accurately determine the status of UDP ports.

Summary

In this lab, you have learned how to use Nmap for UDP port scanning, a crucial skill for network security assessment. First, you set up a UDP server with netcat to create a practical target for scanning. Then, you conducted a basic Nmap UDP scan on the specific port where the server was listening.

You also gained hands-on experience in understanding the UDP protocol and its differences from TCP, setting up a basic UDP server using netcat, using Nmap to scan for open UDP ports, and interpreting UDP scan results. These skills are fundamental for more advanced network scanning and security assessment. UDP scanning is vital as many critical services like DNS, DHCP, and streaming protocols use UDP.

As you progress in your cybersecurity journey, remember that network scanning is just part of a comprehensive security assessment. Always scan systems you own or have explicit permission to scan.