4.3 UDP Port Scanning

Because UDP is a connectionless protocol, there are only two ways to effectively enumerate accessible UDP network services across an IP network:

  • Send UDP probe packets to all 65535 UDP ports, then wait for "ICMP destination port unreachable" messages to identify UDP ports that aren't accessible.

  • Use specific UDP service clients (such as snmpwalk, dig, or tftp) to send UDP datagrams to target UDP network services and await a positive response.

Many security-conscious organizations filter ICMP messages to and from their Internet-based hosts, so it is often difficult to assess which UDP services are accessible via simple port scanning. If "ICMP destination port unreachable" messages can escape the target network, a traditional UDP port scan can be undertaken to deductively identify open UDP ports on target hosts.

Figure 4-12 and Figure 4-13 show the UDP packets and ICMP responses generated by hosts when ports are open and closed.

Figure 4-12. An inverse UDP scan result when a port is open

UDP port scanning is an inverted scanning type in which open ports don't respond. What the scanner looks for, in particular, are ICMP destination port unreachable (type 3, code 3) messages from the target host, as shown in Figure 4-13.

Figure 4-13. An inverse UDP scan result when a port is closed

4.3.1 Tools That Perform UDP Port Scanning

nmap supports UDP port scanning with the -sU option. The latest version of Foundstone's SuperScan also supports UDP port scanning. However, both tools wait for negative "ICMP destination port unreachable" messages to identify open ports (i.e., those ports that don't respond). If these ICMP messages are filtered by a firewall as they try to travel out of the target network, the silent ports cannot be distinguished from open ones, and inaccurate results are gleaned.
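As an added illustration (not code from the book, nmap or scanudp), the following Python maps the three things a UDP probe can produce (a service reply, an ICMP error, or silence) to the port states described above, and shows why a network that filters outbound ICMP turns every silent port into a guess; the Observation record and the sample results are constructed for this example.

```python
# Added example (not from the book, nmap or scanudp): inverse UDP scan inference.
from dataclasses import dataclass
from typing import Optional

# Constructed record of what one UDP probe to a port produced, if anything.
@dataclass
class Observation:
    port: int
    icmp_type: Optional[int] = None   # 3 = destination unreachable
    icmp_code: Optional[int] = None   # 3 = port unreachable (host, not firewall)
    udp_reply: bool = False           # an application-layer datagram came back

# ICMP type 3 codes nmap reports as "filtered": a router or firewall answered,
# not the target host's UDP stack (1, 2, 9, 10 = unreachable/prohibited, 13 = admin).
ADMIN_PROHIBITED_CODES = {1, 2, 9, 10, 13}

def classify(obs: Observation) -> str:
    """Map one probe's result to an nmap-style port state."""
    if obs.udp_reply:
        return "open"                    # positive response from the service itself
    if obs.icmp_type == 3 and obs.icmp_code == 3:
        return "closed"                  # host says nothing is listening
    if obs.icmp_type == 3 and obs.icmp_code in ADMIN_PROHIBITED_CODES:
        return "filtered"                # a filtering device rejected the probe
    return "open|filtered"               # silence: open, or the ICMP never escaped

def summarize(observations, icmp_egress_filtered: bool) -> dict:
    """Tally per-port states. If the target network is known to drop outbound
    ICMP, silence carries no information, so 'open|filtered' becomes 'unknown':
    this is exactly the case in which a plain -sU scan over-reports open ports."""
    result = {}
    for o in observations:
        state = classify(o)
        if state == "open|filtered" and icmp_egress_filtered:
            state = "unknown"
        result[o.port] = state
    return result

# Constructed sample: DNS answered, 54 refused by the host, TFTP silent,
# SNMP rejected by a firewall with an administratively-prohibited message.
SAMPLE = [
    Observation(53, udp_reply=True),
    Observation(54, icmp_type=3, icmp_code=3),
    Observation(69),
    Observation(161, icmp_type=3, icmp_code=13),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, icmp_egress_filtered=False))
    print(summarize(SAMPLE, icmp_egress_filtered=True))
```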

During a comprehensive audit of Internet-based network space, you should send crafted UDP client packets to popular services and await a positive response. The scanudp utility developed by Fryxar (http://www.geocities.com/fryxar/) does this very well.

Example 4-5 shows the scanudp utility being downloaded, compiled, and run from my Linux launch system against a Windows 2000 server at

Example 4-5. Downloading, building, and running scanudp
# wget http://www.geocities.com/fryxar/scanudp_v2.tgz
# tar xvfz scanudp_v2.tgz
# cd scanudp
# make
gcc enum.o scanudp.o -o scanudp
# ./scanudp
./scanudp v2.0 -   by: Fryxar

usage: ./scanudp [options] <host>

 -t <timeout>     Set port scanning timeout
 -b <bps>         Set max bandwidth
 -v               Verbose

Supported protocol:
echo daytime chargen dns tftp ntp ns-netbios snmp(ILMI) snmp(public)

# ./scanudp    53    137    161