What is an NMAP Scan for UDP Ports?

Scanning your network for open ports and services is a critical part of assessing your attack surface and identifying vulnerabilities. An NMAP (Network Mapper) port scan finds hosts on your network and identifies open TCP and UDP ports, services running on those ports, and the operating system running on targeted hosts.

What is Port Scanning?

As a network grows and more devices connect to it, an administrator might want to gather a list of devices and services running on the network. NMAP is a Linux command that scans the network and finds open ports and services connected to the environment. The primary purpose for an NMAP port scan is to audit the network, but it’s also useful for finding vulnerabilities open to possible exploits.

After running the NMAP command and scanning a host, the output displays open ports on the targeted machine. The following image is an example of NMAP output showing open ports:

What is UDP vs TCP/IP?

Two protocols are common on a standard network: UDP and TCP. User Datagram Protocol (UDP) is a connectionless protocol, meaning that a computer sends a message to a recipient without knowing if the recipient is available or receives it. Basic online text messaging software uses UDP, because it’s unnecessary to know if the other party is online to receive the message.

Transmission Control Protocol (TCP) is a connection-based protocol where a handshake happens before transmission of data. UDP is more lightweight than TCP, but TCP ensures that the other party is online and available using a process called the handshake. The TCP handshake is common with web applications where the handshake happens before a user downloads content from a server.

The IP (Internet Protocol) component in TCP/IP is the address assigned to every connected machine – servers, mobile devices, desktop computers, IoT devices, and any other machine that needs to send and receive data. Most applications use TCP/IP for its connection-based data transfers, but UDP is also useful for lightweight notification and chat applications.

The NMAP tool scans for open TCP and UDP ports on connected devices. Look at the output after running an NMAP command, and the open ports listed also display the protocol. NMAP also tells you if the state is open or closed, and the service running on the port.

What is Network Mapper (NMAP)?

The NMAP tool is a scanning application with a graphical user interface (GUI) or a standard command-line interface. The tool finds computers on the network and scans them for open ports. NMAP scans more than just computers too. It scans any device connected to the network including desktops, mobile devices, routers, and IoT devices.

NMAP is an open-source tool available for free at the developer website. It runs on Linux, Mac, and Windows operating systems. The utility has been a part of most network administrator and ethical hacking tools for years, and it’s useful for finding devices on a network and determining if they have vulnerable services running on them.

How to Do an NMAP UDP Scan

Before performing an NMAP scan, open the NMAP GUI or open your command-line utility. Most administrators use NMAP in the command line, because it’s quick and easy to use with basic output for review. After typing the command, the NMAP tool searches for devices on a subnet. Every subnet has a definitive number of hosts, so NMAP scans every possibility for a host response. With a host response, the NMAP tool then identifies open UDP and TCP ports.

You can scan specific ports on NMAP too instead of scanning all IP addresses for all open ports. Ports are given a numerical value between 1 and 65,535, so you should perform a lookup of services running on a specific port before running a scan. Once you choose a port, you can execute the following command:

nmap -p 22 192.168.1.100

The above NMAP scan searches for the open port 22 (the SSH service) running on a device with the IP address 192.168.1.100. If the service is running on the target host, the NMAP output displays the state as open. If not, the NMAP output displays the state as closed.

UDP scans are slower than TCP scans, so you might experience extreme lag in responses or long delays before the tool displays output. Some hosts might take up to an hour to scan if you don’t optimise the NMAP process. You can speed up UDP scans depending on the use case. For example, use the following NMAP command to eliminate slow-responding hosts and gives up on scans when a host does not respond within 1 minute:

nmap 192.168.1.100 --host-timeout 1m

Without specifying TCP or UDP, NMAP will try all open ports. Another way to optimise scans is to limit them to UDP ports and set the version intensity. Setting the version intensity to 0 will only show common services running on the target host. Version intensity ranges from 0 to 9. The higher the intensity, the more probes sent to the targeted host. The NMAP default is 7. Running the following command finds only common ports on the host:

nmap 192.168.1.100 -sU -sV –version-intensity 0

Why Would You Do a UDP Scan with NMAP?

Administrators have several reasons for performing a UDP scan using NMAP. It could be to simply audit the network for open unnecessary ports. For cybersecurity reasons, unnecessary services should be disabled, and an NMAP scan tells administrators which machines are running services that can be shut down.

Another reason for a UDP scan is to find vulnerabilities on the network. If an attacker can install malware on the network, a compromised host could be running a malicious service on a UDP port. Using the NMAP scan, an administrator would find the open port and perform additional scans and analysis on the host. 

NMAP could also be used to discover hosts on the network. Shadow IT is the term given to unauthorized devices installed on the network. An administrator could find the unauthorized device and find out who owns it and how it was installed on the environment.

Conclusion

For any administrator responsible for network security, the NMAP tool is a great auditing and vulnerability scanner. NMAP can discover machines, operating systems, and services that should not run on the environment. Discovery of unauthorized devices and open ports is essential in securing hosts and protecting corporate data. Port scanning is just one facet of the type of monitoring that you will need to do to keep your data centre safe. Power your security analytics with performant, scalable, and simple data infrastructure solutions by Everpure.