UDP Scan (-sU)
Although most popular services on the Internet run over TCP, UDP services are also widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are the three most common UDP services. UDP scanning is usually slower and more difficult than TCP scanning. It works by sending a UDP packet to each targeted port. For most ports this packet is empty (it carries no payload), but for a few common ports protocol-specific data is sent. Based on the response, or the lack of one, the port is classified into one of four states: open, open|filtered, closed, or filtered.
The most interesting of these may be the open|filtered state. It is a symptom of one of the biggest challenges in UDP scanning: open ports rarely respond to empty probes. Ports for which Nmap has a protocol-specific payload are more likely to return a response and be marked open, but for other ports the target simply passes the empty packet to the listening application, which usually discards it immediately as invalid. Unfortunately, firewalls and filtering devices are also known to drop packets without responding. So when Nmap receives no response after several attempts, it cannot determine whether the port is open or filtered.
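The ambiguity described above can be reproduced on the loopback interface. This is an added example, not Nmap's code: it uses ordinary connected UDP sockets instead of raw packets, and the function names, the "picky" listener and the `ping`/`pong` payloads are constructed for illustration.

```python
import socket
import threading

def classify_udp_port(host, port, payload=b"", retries=3, timeout=0.3):
    """Probe one UDP port and map the outcome to an Nmap-style state."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors raise exceptions
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(2048)
                return "open"        # any UDP reply proves a listener
            except ConnectionRefusedError:
                return "closed"      # ICMP port unreachable (type 3, code 3)
            except socket.timeout:
                continue             # silence: retransmit the probe
            except OSError:
                return "filtered"    # another ICMP error surfaced by the OS
    return "open|filtered"           # never answered: open or dropped, unknown

def start_picky_listener():
    """Constructed loopback service: discards empty datagrams, answers others."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        while True:
            data, addr = srv.recvfrom(2048)
            if data:                 # an empty datagram is rejected silently
                srv.sendto(b"pong", addr)
    threading.Thread(target=serve, daemon=True).start()
    return srv

def demo():
    srv = start_picky_listener()
    open_port = srv.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))     # reserve a port, then free it
    closed_port = spare.getsockname()[1]
    spare.close()
    return {
        "empty probe, listener": classify_udp_port("127.0.0.1", open_port),
        "payload probe, listener": classify_udp_port("127.0.0.1", open_port, b"ping"),
        "empty probe, no listener": classify_udp_port("127.0.0.1", closed_port),
    }

if __name__ == "__main__":
    for probe, state in demo().items():
        print(f"{probe}: {state}")
```

The same listening port is reported as open|filtered for the empty probe and open for the payload probe, which is why a service inventory built only from empty-probe results can miss UDP services that are actually exposed.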

