Execute UDP Scanning with Nmap


Introduction

In this lab, you will learn how to execute UDP scanning with Nmap. You'll start by performing a basic UDP scan on a target IP address using the -sU option. Then, you'll scan specific UDP ports, combine UDP and TCP scans, and add version detection. Finally, you'll view the UDP scan results in the Xfce terminal and compare the outputs in the Xfce text editor.

Run UDP scan with nmap -sU 192.168.1.1

In this step, we will perform a basic UDP scan using Nmap. UDP (User Datagram Protocol) is a connectionless protocol, meaning that unlike TCP, there is no handshake to establish a connection before data is sent. This makes UDP scans different from TCP scans. Nmap's -sU option is used to initiate a UDP scan.

Before we begin, it's important to understand that UDP scans can be less reliable than TCP scans. Because UDP is connectionless, Nmap may not always receive a response from a port, even if it's open. Firewalls and network conditions can also affect the accuracy of UDP scans.

Let's start by scanning the target IP address 192.168.1.1 using the following command:

sudo nmap -sU 192.168.1.1

This command tells Nmap to perform a UDP scan (-sU) on the IP address 192.168.1.1. You will need sudo because UDP scans often require elevated privileges to send raw packets.

After running the command, you will see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 997 closed udp ports
PORT      STATE         SERVICE
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
5353/udp  open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

Explanation of the output:

  • Starting Nmap ...: Shows the Nmap version and the start time of the scan.
  • Nmap scan report for 192.168.1.1: Indicates the target IP address.
  • Host is up: Confirms that the target host is reachable.
  • Not shown: 997 closed udp ports: A default UDP scan covers the 1000 most common UDP ports. Rather than listing every port, Nmap collapses the most common state into this one line; here 997 ports answered with an ICMP port unreachable error (closed), and only the remaining three are listed individually.
  • PORT STATE SERVICE: Lists the port number, its state, and the service running on that port (if known).
    • open: Indicates that Nmap received a response from the port, suggesting that a service is listening on that port.
    • open|filtered: Indicates that Nmap received no response at all. Many UDP services simply ignore an empty probe, so a silent port may be open, or a firewall may be dropping the probes; Nmap cannot tell these two cases apart, which is why this state is so common in UDP scans.
    • filtered: Indicates that Nmap received an ICMP error other than "port unreachable" (for example, "administratively prohibited"), typically from a filtering device. Nmap knows a filter is in the way but cannot determine whether a service is behind it.
  • Nmap done: Shows the scan completion time and the number of IP addresses scanned.

Important Considerations:

  • Replace 192.168.1.1 with the actual IP address of the target you want to scan.
  • The results of a UDP scan can vary depending on network conditions and firewall configurations.
  • Scanning a network without permission is illegal and unethical. Only scan networks that you own or have explicit permission to scan.
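The three UDP states above come down to what, if anything, the probe gets back: a UDP reply, an ICMP port unreachable error, or silence. The following Python script is an added example, not part of the lab and not Nmap's own code. It reproduces that logic against three services on the loopback interface (one that replies, one that is bound but never answers, and one port with nothing listening) using ordinary UDP sockets, so no root privileges are needed. It assumes Linux behaviour, where an ICMP port unreachable for a connected UDP socket is reported as ECONNREFUSED on the next receive; the service ports and the 0.5 second timeout are constructed for the demonstration.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"


def classify_udp_port(port, timeout=0.5):
    """Send one empty UDP datagram to 127.0.0.1:port and classify the result
    the way Nmap's -sU does (simplified):
      - a UDP reply                -> "open"
      - ICMP port unreachable      -> "closed"   (assumption: Linux reports it as
                                                  ECONNREFUSED on a connected UDP socket)
      - silence until the timeout  -> "open|filtered"
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((LOOPBACK, port))  # connect() so ICMP errors are mapped back to this socket
        s.send(b"")                  # Nmap's default UDP probe is likewise an empty datagram
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def _start_echo_service():
    """Constructed UDP service that answers every datagram (a chatty service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((LOOPBACK, 0))
    srv.settimeout(5)

    def serve():
        try:
            _, peer = srv.recvfrom(1024)
            srv.sendto(b"reply", peer)
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _start_silent_service():
    """Constructed UDP socket that is bound but never answers, like DNS or NTP
    receiving a datagram it does not understand. Returned so the port stays bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((LOOPBACK, 0))
    return srv


def _find_closed_port():
    """Bind and immediately release an ephemeral port so nothing listens on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind((LOOPBACK, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe all three kinds of port and return the classification of each."""
    echo_port = _start_echo_service()
    silent = _start_silent_service()
    closed_port = _find_closed_port()
    results = {
        "echo": classify_udp_port(echo_port),
        "silent": classify_udp_port(silent.getsockname()[1]),
        "closed": classify_udp_port(closed_port),
    }
    silent.close()
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:>7}: {state}")
```

The "silent" service is the instructive case: it is genuinely open, yet the probe sees exactly what it would see if a firewall had dropped the packet, so the only honest answer is open|filtered. Nmap resolves that ambiguity only when a protocol-specific probe (for example from -sV) provokes a reply.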

Scan UDP ports with nmap -sU -p 53,123 127.0.0.1

In this step, we will focus our UDP scan on specific ports. This is useful when you want to check if particular services are running on a target machine without scanning all UDP ports, which can be time-consuming. We'll be scanning ports 53 (DNS) and 123 (NTP) on the localhost (127.0.0.1).

The -p option in Nmap allows you to specify the ports you want to scan. You can provide a single port, a range of ports (e.g., 1-100), or a comma-separated list of ports (e.g., 21,22,80).

To scan UDP ports 53 and 123 on 127.0.0.1, use the following command:

sudo nmap -sU -p 53,123 127.0.0.1

This command tells Nmap to perform a UDP scan (-sU) on ports 53 and 123 (-p 53,123) of the IP address 127.0.0.1 (localhost). Again, sudo is often required for UDP scans.

After running the command, you might see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000047s latency).

PORT    STATE         SERVICE
53/udp  open|filtered domain
123/udp closed        ntp

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

Explanation of the output:

  • Nmap scan report for localhost (127.0.0.1): Indicates that the target is the localhost.
  • PORT STATE SERVICE: Lists the port number, its state, and the service running on that port (if known).
    • 53/udp open|filtered domain: Port 53 (DNS) is either open or filtered. This means Nmap couldn't definitively determine if the port is open due to potential firewall rules or network conditions.
    • 123/udp closed ntp: Port 123 (NTP) is closed. Nmap received an ICMP port unreachable error from the target, so no service is listening on that port. Closed is the one UDP result that is unambiguous.

Key Takeaways:

  • The -p option allows you to target specific ports, making your scans more efficient.
  • The output provides information about the state of each scanned port (open, closed, filtered, etc.).
  • Understanding the services associated with common ports (like 53 for DNS and 123 for NTP) helps you interpret the scan results.

Combine UDP and TCP with nmap -sU -sT 192.168.1.1

In this step, we will combine UDP and TCP scans in a single Nmap command. This allows us to get a more comprehensive view of the services running on a target machine, as some services use UDP while others use TCP.

Nmap's -sT option performs a TCP connect scan. This is the most basic form of TCP scanning, where Nmap attempts to establish a full TCP connection with the target port. It's generally reliable but can be easily detected, since every connection attempt completes the handshake and is logged by the service. Note that when Nmap runs with sudo it defaults to a SYN scan (-sS) for TCP, so -sT has to be given explicitly here.

To perform both a UDP scan and a TCP connect scan on 192.168.1.1, use the following command:

sudo nmap -sU -sT 192.168.1.1

This command tells Nmap to perform a UDP scan (-sU) and a TCP connect scan (-sT) on the IP address 192.168.1.1. sudo is often needed, especially for the UDP portion of the scan.

After running the command, you will see output that includes results from both the UDP and TCP scans. The output might look something like this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 997 closed udp ports
PORT      STATE         SERVICE
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
5353/udp  open|filtered zeroconf
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http

Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds

Explanation of the output:

  • The output is similar to the previous scans, but now it includes results for both UDP and TCP ports.
  • The first section shows the UDP scan results, with ports and their states (open, closed, filtered, etc.).
  • The second section shows the TCP scan results, also with ports and their states.
  • Notice that the same IP address can have different services running on different protocols (UDP and TCP).

Benefits of Combining UDP and TCP Scans:

  • More comprehensive results: You get a more complete picture of the services running on the target.
  • Identification of different service types: You can identify services that use UDP (e.g., DNS, NTP) and services that use TCP (e.g., HTTP, SSH).

Important Note:

Combining scan types can increase the scan time. Consider targeting specific ports if you need faster results.

Add version detection with nmap -sUV 192.168.1.1

In this step, we will add version detection to our UDP scan. Version detection allows Nmap to attempt to determine the application name and version number running on open ports. This can provide valuable information about potential vulnerabilities.

The -sV option in Nmap enables version detection. Combined with -sU, the two options can be written together as -sUV. Nmap sends service-specific probes to the UDP ports that were not reported closed and tries to identify the service and its version from the replies.

To perform a UDP scan with version detection on 192.168.1.1, use the following command:

sudo nmap -sUV 192.168.1.1

This command tells Nmap to perform a UDP scan (-sU) and version detection (-sV) on the IP address 192.168.1.1. The combined option is -sUV. As before, sudo is often required for UDP scans.

After running the command, you might see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00088s latency).
Not shown: 997 closed udp ports
PORT      STATE         SERVICE VERSION
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
5353/udp  open|filtered zeroconf  Apple Bonjour
Service Info: OS: Apple embedded

Nmap done: 1 IP address (1 host up) scanned in 12.54 seconds

Explanation of the output:

  • The output now includes a VERSION column, which displays the detected service version (if available).
  • 5353/udp open|filtered zeroconf Apple Bonjour: Nmap identified the service running on port 5353 as Apple Bonjour.
  • Service Info: OS: Apple embedded: Nmap also attempts to determine the operating system based on the service information.

Key Takeaways:

  • The -sV option (or -sUV when combined with UDP scan) enables version detection.
  • Version detection can help identify the specific applications and versions running on open ports.
  • This information can be used to assess potential vulnerabilities and plan further actions.

Important Considerations:

  • Version detection can take longer than a simple port scan, as Nmap needs to send additional probes to each open port.
  • The accuracy of version detection depends on the service and the available Nmap signatures. Sometimes, Nmap may not be able to identify the service or its version accurately.

View UDP results in Xfce terminal

In this step, we will focus on viewing and analyzing the UDP scan results directly within the Xfce terminal. While Nmap provides output directly to the terminal, sometimes it's helpful to save the output to a file for easier review and analysis. We'll use terminal commands to filter and view the UDP-specific parts of the scan.

First, let's run a UDP scan and save the output to a file. This will allow us to work with the results more easily. We'll use the -oN option to save the output in a "normal" format.

sudo nmap -sUV 192.168.1.1 -oN udp_scan_results.txt

This command performs a UDP scan with version detection on 192.168.1.1 and saves the output to a file named udp_scan_results.txt in your current directory (~/project).

Now that we have the results saved in a file, we can use terminal commands to view and filter the UDP-specific information.

To view the entire contents of the file, you can use the cat command:

cat udp_scan_results.txt

This will display the entire Nmap scan report in the terminal. However, we're primarily interested in the UDP results. We can use the grep command to filter the output and show only the lines that contain "udp".

grep "udp" udp_scan_results.txt

This command will search the udp_scan_results.txt file for lines containing the string "udp" and display those lines in the terminal. The output will show you the open or filtered UDP ports, along with any version information that Nmap was able to detect.

Example output:

137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
5353/udp  open|filtered zeroconf  Apple Bonjour

You can also use the less command to view the file page by page:

less udp_scan_results.txt

Inside less, you can search for "udp" by typing /udp and pressing Enter. Press n to go to the next match. Press q to quit less.

By using these simple terminal commands, you can effectively view and analyze the UDP scan results generated by Nmap. This allows you to quickly identify open UDP ports and any associated service information.

Compare outputs in Xfce text editor

In this step, we will use the Xfce text editor to compare the outputs of different Nmap scans. This is useful for identifying changes in open ports, services, or versions over time, or for comparing the results of scans with different options.

First, let's assume you have already performed two Nmap scans and saved the outputs to separate files. For example, you might have run a basic UDP scan and a UDP scan with version detection, saving the results to udp_scan_basic.txt and udp_scan_version.txt respectively. If you don't have these files, create them using the following commands:

sudo nmap -sU 192.168.1.1 -oN udp_scan_basic.txt
sudo nmap -sUV 192.168.1.1 -oN udp_scan_version.txt

Now, from the Xfce terminal, we will open the Xfce text editor (mousepad) and load both files for comparison:

mousepad udp_scan_basic.txt udp_scan_version.txt

This command will open two instances of mousepad, each displaying one of the Nmap output files.

Comparing the Outputs:

  1. Examine the Basic Scan Output (udp_scan_basic.txt): This file will contain the results of the basic UDP scan, showing the open or filtered UDP ports.

  2. Examine the Version Detection Scan Output (udp_scan_version.txt): This file will contain the results of the UDP scan with version detection. In addition to the open or filtered UDP ports, it may also show the detected service versions.

  3. Compare Side-by-Side: By having both files open in separate windows, you can easily compare the results side-by-side. Look for differences in the open ports, the state of the ports (open, filtered, closed), and the service information.

Example Comparison:

  • udp_scan_basic.txt might show:

    137/udp   open|filtered netbios-ns
    138/udp   open|filtered netbios-dgm
    5353/udp  open|filtered zeroconf
  • udp_scan_version.txt might show:

    137/udp   open|filtered netbios-ns
    138/udp   open|filtered netbios-dgm
    5353/udp  open|filtered zeroconf  Apple Bonjour
    Service Info: OS: Apple embedded

In this example, the version detection scan was able to identify the service running on port 5353 as "Apple Bonjour" and provide OS information, which was not available in the basic scan.

By comparing the outputs in the Xfce text editor, you can gain a better understanding of the differences between the scans and the additional information provided by different Nmap options. This can be valuable for identifying potential vulnerabilities and planning further actions.
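Both the grep step and the side-by-side comparison above can be automated. The following Python script is an added example, not part of the lab and not Nmap's own code: it parses the port lines of Nmap's normal (-oN) output, filters them to UDP, and reports which ports changed between two saved scans. Unlike grep "udp", it ignores the "Not shown: 997 closed udp ports" line, which also contains the string "udp". The two reports embedded below are constructed to match the lab's sample output (the second one also carries TCP results so the protocol filter has something to remove); they are not real scan data.

```python
import re

# Constructed sample reports modelled on the lab's output; not real scan data.
BASIC_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 997 closed udp ports
PORT      STATE         SERVICE
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
5353/udp  open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds
"""

VERSION_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00088s latency).
Not shown: 997 closed udp ports, 998 closed tcp ports
PORT      STATE         SERVICE    VERSION
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
5353/udp  open|filtered zeroconf   Apple Bonjour
22/tcp    open          ssh        OpenSSH 8.2p1
80/tcp    open          http       nginx 1.18.0
Service Info: OS: Apple embedded

Nmap done: 1 IP address (1 host up) scanned in 12.54 seconds
"""

# A port line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text):
    """Return {"137/udp": {"state": ..., "service": ..., "version": ...}, ...}.
    Only port lines match; headers, 'Not shown' and 'Service Info' lines are skipped."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        ports[f"{port}/{proto}"] = {
            "state": state,
            "service": service,
            "version": (version or "").strip(),
        }
    return ports


def udp_only(ports):
    """Keep only UDP entries, the equivalent of grep 'udp' restricted to port lines."""
    return {key: val for key, val in ports.items() if key.endswith("/udp")}


def _sort_key(key):
    port, proto = key.split("/")
    return (proto, int(port))


def diff_scans(old, new):
    """Return {port: (old_entry, new_entry)} for every port whose state, service
    or version differs between the two scans; a missing side is None."""
    changes = {}
    for key in sorted(set(old) | set(new), key=_sort_key):
        before, after = old.get(key), new.get(key)
        if before != after:
            changes[key] = (before, after)
    return changes


if __name__ == "__main__":
    basic = udp_only(parse_nmap_normal(BASIC_SCAN))
    version = udp_only(parse_nmap_normal(VERSION_SCAN))
    for key, (before, after) in diff_scans(basic, version).items():
        print(f"{key}: {before} -> {after}")
```

To use it on the lab's own files, replace the embedded strings with the contents of udp_scan_basic.txt and udp_scan_version.txt (for example with open(...).read()). Restricting the comparison to udp_only() before calling diff_scans() is what makes a UDP-only baseline comparable to a combined UDP/TCP scan.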

Summary

In this lab, participants learned to execute UDP scanning with Nmap. They started with a basic UDP scan using the -sU option on the IP 192.168.1.1, understanding that UDP is connectionless and scans may be less reliable than TCP scans. They also scanned specific UDP ports, combined UDP and TCP scans, added version detection, and viewed and compared results in the Xfce terminal and text editor.