
Is there any alternative to nmap for UDP?

Information Security Asked on November 6, 2021

I know a UDP scan is very slow, and there are a lot of parameters for nmap like --max-retries etc.
But I want a fast UDP port scan. I tried a lot of programs, but none were fast. Is there any alternative to nmap for a fast UDP scan technique or program/script?

3 Answers

Nmap by default uses a slow algorithm for scanning UDP ports because it wants to be able to report all open or potentially open ports. A service listening on a UDP port is not obligated to respond to any arbitrary datagram. Instead, it usually only responds to correctly-formed application protocol datagrams. A probe sent to a closed port, however, will get an ICMP Port Unreachable reply from the OS. Many modern operating systems will rate-limit these responses, so a probe to a closed port may not get a response if the OS already sent a Port Unreachable message within the last second. Nmap slows down to the rate that will give it consistent closed-port responses to each probe, which often means 1 probe per second. For a default 1000-port scan, that's 1000 seconds or nearly 17 minutes.

Many stateless scanners will claim very high scan speeds for UDP ports, but they do not report open ports that do not respond with a UDP datagram. Newer versions of Nmap (7.40 and newer) have a scan mode that gives similar results in a very fast manner. It is not the default because the expectation is that an Nmap scan will list all open ports, and this method only lists ports which give a response. The command for this mode is nmap -sU --defeat-icmp-ratelimit.

Answered by bonsaiviking on November 6, 2021
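As an added illustration of the three outcomes described in this answer (not code from the answer or from Nmap), the snippet below probes UDP ports on loopback: a listener that stays silent, one that replies, and a port nothing is bound to. It assumes Linux, where the kernel surfaces an ICMP Port Unreachable for a connected UDP socket as ECONNREFUSED; the loopback path is exempt from the ICMP rate limit, which is why the closed-port case answers immediately here.

```python
import socket
import threading


def probe_udp_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one UDP port the way a scanner has to:
    'open' only if a UDP datagram comes back, 'closed' if the OS reports
    ICMP Port Unreachable, and 'open|filtered' when nothing comes back,
    because silence cannot distinguish a quiet service from a firewall."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # Connecting lets the kernel route the ICMP error back to this socket
        # (assumption: Linux semantics, delivered as ECONNREFUSED on recv).
        s.connect((host, port))
        try:
            s.send(b"\x00")  # generic probe; most services ignore it
            s.recv(1024)
            return "open"
        except socket.timeout:
            return "open|filtered"
        except ConnectionRefusedError:
            return "closed"


def _silent_listener() -> socket.socket:
    # Bound, but never answers: what most UDP services do to an arbitrary probe.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s


def _echo_listener() -> socket.socket:
    # Bound and replies to the first datagram: the only case a scanner can call 'open'.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))

    def serve() -> None:
        data, peer = s.recvfrom(1024)
        s.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return s


def demo() -> dict:
    """Probe the three constructed cases on loopback and return the verdicts."""
    silent, echo = _silent_listener(), _echo_listener()
    results = {
        "silent_service": probe_udp_port("127.0.0.1", silent.getsockname()[1]),
        "responding_service": probe_udp_port("127.0.0.1", echo.getsockname()[1]),
    }
    closed_port = silent.getsockname()[1]
    silent.close()
    echo.close()
    results["closed_port"] = probe_udp_port("127.0.0.1", closed_port)
    return results


if __name__ == "__main__":
    print(demo())
```

The silent case is where the 0.5 s timeout is spent, which is the per-port cost a full scan pays whenever the OS rate-limits ICMP and a closed port looks identical to a quiet one.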

First of all you can use the -T5 parameter on nmap, which is the fastest rate possible. By default, nmap uses -T4. Still you won't get as quick results as you would with masscan.

According to the creator's GitHub:

This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.

Its input/output is similar to nmap, the most famous port scanner. When in doubt, try one of those features.

Internally, it uses asynchronous transmissions, similar to port scanners like scanrand, unicornscan, and ZMap. It's more flexible, allowing arbitrary port and address ranges.

In practice many penetration testers, including myself, use it to quickly scan devices for open ports and then take the results to nmap for more information.

For example, the command below will scan a host on all TCP (-p1-65535) and UDP (-pU:1-65535). In just a few minutes you will have all open ports and you can use nmap to scan ONLY them for services etc.

masscan -p1-65535,U:1-65535 10.10.10.x --rate=1000

Answered by Chris Tsiakoulas on November 6, 2021

The main reason for being slow is the nature of UDP: the only way to know whether a UDP port is closed is by using timeouts or by receiving ICMP unreachable packets. I don't think you can speed up UDP scans; maybe there are timeout values and retries that you can play with, but basically it is a problem of how the UDP protocol works.

Answered by camp0 on November 6, 2021
