Combine TCP and UDP Scanning in Nmap


Introduction

In this lab, you will learn how to combine TCP and UDP scanning in Nmap. The lab covers running a combined scan on a target IP, scanning specific ports, adding verbosity to the scan, saving the combined results, comparing TCP and UDP outputs, and analyzing the results in the Xfce terminal. You'll use commands like nmap -sS -sU with different options to perform various scanning tasks.

Note that in real-world scenarios, you should only scan networks and hosts with explicit permission. For this lab, you can use 192.168.1.1 or substitute it with the IP of your LabEx VM if needed.

Run combined scan with nmap -sS -sU 192.168.1.1

In this step, you will learn how to perform a combined TCP SYN (stealth) scan and UDP scan using Nmap. This type of scan is useful for identifying both TCP and UDP services running on a target host.

Before we begin, let's briefly explain the flags used in the command:

  • -sS: This flag tells Nmap to perform a TCP SYN scan, also known as a stealth scan. It's called "stealth" because it never completes the full TCP handshake, so the connection is never established and is less likely to be logged by the application listening on the target port (a packet-level IDS can still see the SYN probes).
  • -sU: This flag tells Nmap to perform a UDP scan. UDP scans are generally slower and less reliable than TCP scans because UDP is a connectionless protocol.
  • 192.168.1.1: This is the target IP address you will be scanning. Note: In a real-world scenario, you should only scan networks and hosts that you have explicit permission to scan. For this lab, we will assume 192.168.1.1 is a valid target within your testing environment. If you don't have a host at this address, you can substitute it with the IP address of your LabEx VM (usually 127.0.0.1 or localhost).

Now, let's execute the combined scan. Open your Xfce terminal and enter the following command:

sudo nmap -sS -sU 192.168.1.1

You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

The output will show the open, closed, or filtered ports for both TCP and UDP protocols on the target host. It might take a few minutes to complete, especially the UDP scan.

Example output (the actual output will vary depending on the target host):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http

Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 996 closed udp ports (port-unreach)
PORT      STATE         SERVICE
53/udp    open|filtered domain
67/udp    open|filtered dhcps
137/udp   open|filtered netbios-ns

Nmap done: 1 IP address (1 host up) scanned in 5.00 seconds

In this example, Nmap found TCP ports 22 and 80 open, and UDP ports 53, 67, and 137 open or filtered. The open|filtered state means that Nmap couldn't determine whether the port is open or filtered due to network conditions or firewall rules.

Scan specific ports with nmap -sS -sU -p 22,53 127.0.0.1

In the previous step, you performed a combined TCP and UDP scan on a target host. Now, you will learn how to scan specific ports using Nmap. This is useful when you want to focus your scan on particular services or vulnerabilities.

The -p option in Nmap allows you to specify the ports you want to scan. You can specify a single port, a range of ports, or a comma-separated list of ports.

In this step, you will scan ports 22 (SSH) and 53 (DNS) on the localhost (127.0.0.1).

Open your Xfce terminal and enter the following command:

sudo nmap -sS -sU -p 22,53 127.0.0.1

Again, you will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

This command tells Nmap to perform a TCP SYN scan and a UDP scan on ports 22 and 53 of the localhost.

Example output (the actual output may vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).

PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).

PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds

In this example, Nmap found TCP port 22 (SSH) open and UDP port 53 (DNS) open or filtered. The open|filtered state means that Nmap received no reply to its UDP probe, so it couldn't determine whether the port is open or filtered. Since we are scanning localhost, it is likely that the service is running but simply did not answer Nmap's empty probe, although a local firewall might also be interfering with the scan.

By specifying the ports to scan, you can significantly reduce the scan time and focus on the services you are interested in.

Add verbosity with nmap -v -sS -sU 192.168.1.1

In this step, you will learn how to increase the verbosity of Nmap scans. Verbosity provides more detailed information about the scan process, which can be helpful for troubleshooting or understanding Nmap's behavior.

The -v option in Nmap increases the verbosity level. You can use it multiple times (e.g., -vv) for even more detailed output.

Let's add verbosity to the combined TCP SYN and UDP scan you performed in the first step. Open your Xfce terminal and enter the following command:

sudo nmap -v -sS -sU 192.168.1.1

You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

This command will perform the same combined scan as before, but with increased verbosity.

Example output (the actual output will vary depending on the target host and the verbosity level):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
NSE: Loaded 0 scripts for scanning.
Initiating SYN Stealth Scan at 10:10
Scanning 192.168.1.1 [1000 ports]
Completed SYN Stealth Scan at 10:10, 0.00s elapsed (1000 total ports)
Initiating UDP Scan at 10:10
Scanning 192.168.1.1 [1000 ports]
Completed UDP Scan at 10:10, 5.00s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http

Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 996 closed udp ports (port-unreach)
PORT      STATE         SERVICE
53/udp    open|filtered domain
67/udp    open|filtered dhcps
137/udp   open|filtered netbios-ns

Nmap done: 1 IP address (1 host up) scanned in 5.00 seconds

Notice that the output now includes information about the scan initiation, the number of ports being scanned, and the time elapsed for each scan phase. This can be helpful for monitoring the progress of the scan and identifying any potential issues.

Save combined results with nmap -sS -sU -oN tcpudp.txt 127.0.0.1

In this step, you will learn how to save Nmap scan results to a file. This is useful for later analysis, reporting, or comparison with previous scans.

Nmap provides several options for saving scan results in different formats. The -oN option saves the results in a "normal" human-readable format.

In this step, you will save the results of a combined TCP SYN and UDP scan of localhost (127.0.0.1) to a file named tcpudp.txt in your ~/project directory.

Open your Xfce terminal and enter the following command:

sudo nmap -sS -sU -oN tcpudp.txt 127.0.0.1

You will be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

This command will perform the combined scan and save the results to the tcpudp.txt file.

After the scan is complete, you can view the contents of the file using the cat command:

cat tcpudp.txt

Example output (the actual output may vary):

# Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023 as: nmap -sS -sU -oN tcpudp.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).

PORT   STATE         SERVICE
53/udp open|filtered domain

# Nmap done at Fri Oct 27 10:15:01 2023 -- 1 IP address (1 host up) scanned in 1.50 seconds

The output shows the scan results in a human-readable format, including the open ports and their associated services. The file also includes information about the Nmap version, the scan initiation time, and the scan duration.

You can now use this file for further analysis or reporting.

Compare TCP and UDP outputs in Xfce terminal

In this step, you will compare the results of TCP and UDP scans to understand the differences in the services running on each protocol. You will use the grep command to filter the output from the tcpudp.txt file created in the previous step and observe the differences.

First, let's display the content of the tcpudp.txt file using the cat command:

cat tcpudp.txt

You should see the combined TCP and UDP scan results for localhost (127.0.0.1).

Now, let's filter the output to show only the TCP scan results. Use the grep command to search for lines containing "tcp":

grep "tcp" tcpudp.txt

Example output:

22/tcp open  ssh

This shows the open TCP ports on localhost. In this example, port 22 (SSH) is open. Note that the comment line at the top of the file, which records the command that was run, also matches because the file name tcpudp.txt contains "tcp" (the same applies to "udp" below); searching for "/tcp" or "/udp" instead restricts the match to the port lines.

Next, let's filter the output to show only the UDP scan results. Use the grep command to search for lines containing "udp":

grep "udp" tcpudp.txt

Example output:

53/udp open|filtered domain

This shows the open or filtered UDP ports on localhost. In this example, port 53 (domain) is open or filtered.

By comparing the TCP and UDP outputs, you can see which services are running on each protocol. TCP is typically used for reliable, connection-oriented services like SSH, while UDP is often used for connectionless services like DNS (domain). The open|filtered state for UDP indicates that Nmap could not determine whether the port is open or filtered due to the nature of the UDP protocol.

In summary, by using grep to filter the output of the combined TCP and UDP scan, you can easily identify the services running on each protocol and gain a better understanding of the network services available on the target host.
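As an added example that is not part of the original lab, the following POSIX shell script does the comparison and the analysis steps together: it splits a normal-format (-oN) Nmap file into TCP and UDP port lines and tallies how many ports per protocol are open versus open|filtered. The scan file content is a constructed sample, and the function names port_lines, count_state and summary are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original lab): split a normal-format (-oN)
# Nmap file into TCP and UDP port lines and summarise the port states.
# The file content below is a constructed sample shaped like the lab's
# tcpudp.txt; point SAMPLE_FILE at a real scan file to use it on your own output.
SAMPLE_FILE="${TMPDIR:-/tmp}/tcpudp_sample.txt"
cat > "$SAMPLE_FILE" <<'EOF'
# Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023 as: nmap -sS -sU -oN tcpudp.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000027s latency).
PORT    STATE         SERVICE
22/tcp  open          ssh
80/tcp  open          http
53/udp  open|filtered domain
137/udp closed        netbios-ns
# Nmap done at Fri Oct 27 10:15:01 2023 -- 1 IP address (1 host up) scanned in 1.50 seconds
EOF

# port_lines FILE PROTO: print "port state service" for one protocol only.
# Matching "^<number>/<proto>$" on the first field skips the header comment,
# which a plain grep "tcp" would match because the file name tcpudp.txt
# contains that string.
port_lines() {
    awk -v proto="$2" '$1 ~ ("^[0-9]+/" proto "$") { print $1, $2, $3 }' "$1"
}

# count_state FILE PROTO STATE: number of PROTO ports whose state is STATE
# (for example "open" or "open|filtered").
count_state() {
    port_lines "$1" "$2" | awk -v st="$3" '$2 == st { n++ } END { print n + 0 }'
}

# summary FILE: one line per protocol, e.g. "tcp: 2 open, 0 open|filtered".
summary() {
    for proto in tcp udp; do
        printf '%s: %s open, %s open|filtered\n' "$proto" \
            "$(count_state "$1" "$proto" open)" \
            "$(count_state "$1" "$proto" 'open|filtered')"
    done
}

port_lines "$SAMPLE_FILE" tcp
port_lines "$SAMPLE_FILE" udp
summary "$SAMPLE_FILE"
```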

Analyze results in Xfce terminal

In this step, you will analyze the Nmap scan results to identify potential vulnerabilities and understand the services running on the target system. You will use the information gathered in the previous steps to draw conclusions about the security posture of the target.

Let's start by reviewing the contents of the tcpudp.txt file, which contains the combined TCP and UDP scan results for localhost (127.0.0.1):

cat tcpudp.txt

Based on the output, you can identify the following:

  • Open Ports: The scan reveals which ports are open on the target system. Open ports indicate services that are actively listening for connections.
  • Services: Nmap attempts to identify the services running on each open port. This information can be used to understand the purpose of each port and potential vulnerabilities associated with those services.
  • TCP vs. UDP: The scan distinguishes between TCP and UDP services. TCP is connection-oriented and typically used for reliable data transfer, while UDP is connectionless and often used for faster, less reliable communication.
  • Filtered Ports: For UDP scans, Nmap may report ports as "open|filtered". This means that Nmap could not determine whether the port is open or filtered because UDP does not require a handshake to establish a connection.

Now, let's analyze the results in more detail.

In the previous steps, you scanned localhost (127.0.0.1) and found that port 22/tcp (SSH) was open and port 53/udp (domain) was open|filtered.

  • Port 22 (SSH): SSH is a secure shell protocol used for remote administration and file transfer. If SSH is running, it's important to ensure that it is configured securely with strong passwords or key-based authentication to prevent unauthorized access.
  • Port 53 (domain): Port 53 is typically used for DNS (Domain Name System) services. If this port is open, it indicates that the system may be running a DNS server. DNS servers can be vulnerable to various attacks, such as DNS spoofing and cache poisoning, so it's important to keep them up-to-date with the latest security patches.

To further analyze the results, you can use Nmap's scripting engine (NSE) to perform more in-depth vulnerability scans. However, this is beyond the scope of this lab.

In conclusion, by analyzing the Nmap scan results, you can gain valuable insights into the services running on the target system and identify potential vulnerabilities that need to be addressed. Remember to always obtain proper authorization before scanning any network or system.

Summary

In this lab, you learned to combine TCP and UDP scanning using Nmap. You executed a combined scan with the command nmap -sS -sU on a target IP, where -sS performs a TCP SYN scan and -sU a UDP scan. You also learned to scan specific ports, add verbosity to the scan, and save the combined results to a file.

Additionally, you were instructed to compare and analyze the TCP and UDP outputs in the Xfce terminal. Remember, in real-world scenarios, only scan networks and hosts with explicit permission.