4.3 UDP Port Scanning

Because UDP is a connectionless protocol, there are only two ways to effectively enumerate accessible UDP network services across an IP network:

  • Send UDP probe packets to all 65535 UDP ports, then wait for "ICMP destination port unreachable" messages to identify UDP ports that aren't accessible.

  • Use specific UDP service clients (such as snmpwalk, dig, or tftp) to send UDP datagrams to target UDP network services and await a positive response.

Many security-conscious organizations filter ICMP messages to and from their Internet-based hosts, so it is often difficult to assess which UDP services are accessible via simple port scanning. If "ICMP destination port unreachable" messages can escape the target network, a traditional UDP port scan can be undertaken to deductively identify open UDP ports on target hosts.

Figures Figure 4-12 and Figure 4-13 show the UDP packets and ICMP responses generated by hosts when ports are open and closed.

Figure 4-12. An inverse UDP scan result when a port is open
figs/NSA_0412.gif

UDP port scanning is an inverted scanning type in which open ports don't respond. What is looked for, in particular, are ICMP destination port unreachable (type 3 code 3) messages from the target host, as shown in Figure 4-13.

Figure 4-13. An inverse UDP scan result when a port is closed
figs/NSA_0413.gif

4.3.1 Tools That Perform UDP Port Scanning

nmap supports UDP port scanning with the -sU option. The latest version of Foundstone's SuperScan also supports UDP port scanning. However, both tools wait for negative "ICMP destination port unreachable" messages to identify open ports (i.e., those ports that don't respond). If these ICMP messages are filtered by a firewall as they try to travel out of the target network, inaccurate results are gleaned.

During a comprehensive audit of Internet-based network space, you should send crafted UDP client packets to popular services and await a positive response. The scanudp utility developed by Fryxar (http://www.geocities.com/fryxar/) does this very well.

Example 4-5 shows the scanudp utility being downloaded, compiled, and run from my Linux launch system against a Windows 2000 server at 192.168.0.50.

Example 4-5. Downloading, building, and running scanudp
# wget http://www.geocities.com/fryxar/scanudp_v2.tgz

# tar xvfz scanudp_v2.tgz

scanudp/

scanudp/scanudp.c

scanudp/enum.c

scanudp/enum.h

scanudp/makefile

scanudp/enum.o

scanudp/scanudp.o

scanudp/scanudp

# cd scanudp

# make

gcc enum.o scanudp.o -o scanudp

# ./scanudp

./scanudp v2.0 -   by: Fryxar

usage: ./scanudp [options] <host>



options:

 -t <timeout>     Set port scanning timeout

 -b <bps>         Set max bandwidth

 -v               Verbose



Supported protocol:

echo daytime chargen dns tftp ntp ns-netbios snmp(ILMI) snmp(public)



# ./scanudp 192.168.0.50

192.168.0.50    53

192.168.0.50    137

192.168.0.50    161


     
    ASPTreeView.com
     
    Evaluation has КГїexpired.
    Info...