[Lesson 6]Network Vulnerability and Scanning: UDP Scan in Nmap

Photo by Markus Spiske on Unsplash

In this lesson, we are going to talk about the UDP Scan in Nmap👌

What is UDP Scan?

  • The UDP scan is activated with -sU option.
  • UDP scan works by sending a UDP packet to every targeted port.
  • For most ports, UDP packet will be empty (no payload), but for a few of the more common ports a protocol-specific payload will be sent.
  • For instance some common ports such as port 53 and port 161. A protocol specific payload is sent to this following protocol to increase response rate.
  • Well, there are definitely some options to force Nmap to send non-empty packets such as data parameter.
  • Due to the UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is definitely a mistake as exploitable UDP services are quite common and attackers certainly don’t ignore the whole protocol.
How Nmap interprets responses to a UDP probe
  • In general, the destination system do not respond when they receive a UDP packet. Thus, Nmap doesn’t recognize if the port is open or filtered when there are no response from the target system.
  • In order to force the systems to response to our packets, you should be better to use UDP scan with version detection option. Then a much more accurate results can be yield.

Hands on Practice ✋ Let’s perform an Nmap UDP scan on the metasploitable system in our virtual network:

UDP Scan command:

  • nmap is the command itself
  • -n to avoid the DNS resolution
  • -Pn to avoid host discovery
  • -sU for UDP scan
  • Target IP address of metasploitable machine
  • --top-ports 10 which enable the scan of 10 ports only for fast scan
  • -sV where the UDP scan should be run with version detection
  • -- reason used to show the reason why the state of port is set as open, close or filtered

Note 😤: the UDP is much slower than SYN Scan or TCP Scan as the destination system doesn’t respond in most of the time. Nmap has to wait longer to decide the states. Moreover, we use the version detection which sends more packets to understand the service and the version. Therefore,this scan takes much more longer than the SYN Scan or Tcp Scan.


  • Ports 53 and 137 are flagged/determined as open because they returned a UDP responses. In addition, the version of these services is listening to that port (UDP port scan).
  • Port 138 is flagged as open|filtered as there are no response.
  • Other ports are flagged as closed because they return an ICMP port unreachable error.

UDP Scan Results:

UDP Scan results can be interpreted depend on different responses which is shown in the table and figure above 😄

More information about UDP Scan: https://nmap.org/book/scan-methods-udp-scan.html

Thanks for reading… 🌟

A Bachelor CS student with major in Network Security (UniSZa). Every stories I shared is based on my personal opinion. Thanks you. Having my Internship now.