Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to retrieve both TCP and UDP ports with Nmap? [closed]

I need to retrieve both TCP and UDP ports in the same scan with Nmap in the fastest way possible. I'll try to explain it better. If I use the most common command:

nmap 192.168.1.1

It retrieves ONLY TCP ports and it is really fast.

If I use the following command:

nmap -sU 192.168.1.1

It retrieves ONLY UDP ports and it is quite fast (well not so fast but still).

My question: is there a combination of the two commands? I tryed:

nmap -sU -sS 192.168.1.1
nmap -sU -sT 192.168.1.1

But they are TERRIBLY slow.

I am using Nmap 5.51, any suggestion?

like image 701
raz3r Avatar asked May 10 '12 09:05

raz3r


People also ask

How Nmap tool scan both TCP and UDP ports?

Fortunately, Nmap can help inventory UDP ports. UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan ( -sS ) to check both protocols during the same run. UDP scan works by sending a UDP packet to every targeted port.

Does Nmap show closed ports?

A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection.

How does Nmap decide if a UDP port is closed?

When a packet is sent to a closed UDP port, the target responds with an ICMP (ping) packet containing a message that the port is unreachable. Using ICMP error codes, nmap identifies and confirms the closed ports.

How can I tell if my UDP port is closed?

"nc -uvz ip port" isn't somehow accurate, you probably should use "nmap -sU -p port ip" , if the result shows "open" then the udp port probably is open, if it shows "open|filtered" then probably it is closed or filtered.


2 Answers

As you've seen, UDP scanning is slow as open/filtered ports typically don't respond so nmap has to time out and then retransmit whilst closed ports will send a ICMP port unreachable error, which systems typically rate limit.

You can add the -T switch to increase the speed of the scan, though this may reduce accuracy and make it easier to detect.

-T<0-5>: Set timing template (higher is faster)

-PN will turn off the ping scan element

You could also scan more hosts in parallel,

or reduce the number of ports you're scanning with the -p switch or --top-ports , which will scan the highest-ratio ports found in the nmap-services file.

If you were scanning multiple hosts, you could use --host-timeout to skip slow hosts.

Regarding TCP, -sS should be quicker than -sT.

HTH!

like image 133
Mark Hillick Avatar answered Oct 18 '22 03:10

Mark Hillick


You didn't say how slow your scans get, but I think you would benefit from playing with the --min-parallelism option, which adjusts the minimum number of outstanding probes.

I'm seeing 70% reductions in scan time (compared with bare -sT -sU scans) like this. Note that it is possible to set --min-parallelism too high, such that the host (or network) cannot buffer this many queries simultaneously.

[mpenning@Hotcoffee]$ sudo nmap --min-parallelism 100 -sT -sU localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-10 01:07 CDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1978 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
25/tcp   open          smtp
49/tcp   open          tacacs
53/tcp   open          domain
80/tcp   open          http
111/tcp  open          rpcbind
631/tcp  open          ipp
2003/tcp open          finger
2004/tcp open          mailbox
3389/tcp open          ms-term-serv
5901/tcp open          vnc-1
5910/tcp open          unknown
6001/tcp open          X11:1
7002/tcp open          afs3-prserver
53/udp   open|filtered domain
69/udp   open|filtered tftp
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
161/udp  open|filtered snmp
631/udp  open|filtered ipp
1812/udp open|filtered radius
1813/udp open|filtered radacct

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
[mpenning@Hotcoffee]$
like image 8
Mike Pennington Avatar answered Oct 18 '22 04:10

Mike Pennington