UDP scan


In the realm of network security, understanding different scanning techniques is crucial. One such technique is UDP (User Datagram Protocol) scanning. While TCP (Transmission Control Protocol) scanning is more widely known, UDP scanning serves its unique purpose. In this blog post, we will delve into the fundamentals of UDP scanning, explore its significance, and understand how it differs from TCP scanning.

UDP scanning involves sending UDP packets to specific ports on a target system to identify open, closed, or filtered ports. Unlike TCP, UDP is a connectionless protocol, which makes scanning UDP ports trickier. UDP scans are typically used to discover services running on a target system, especially those that may not respond to traditional TCP scans.

 

Highlights: UDP Scan

The following post will address how to perform a UDP scan, for example, with an NMAP UDP scan. We will start by discussing UDP operation along with the UDP header and UDP handshake process. Finally, we will address some of the security implications of UDP scanning. Remember, when it comes to UDP scanning, UDP is a prime target for the DNS reflection attack.

  • Conducting a UDP Scan

When conducting a UDP scan, the scanner sends UDP packets to a range of ports on the target system. If a UDP port is open, the target system responds with an ICMP (Internet Control Message Protocol) port unreachable message.

If a UDP port is closed, the target system may respond with an ICMP message indicating it is closed or ignore the packet. In some cases, if a firewall filters a UDP port, the target system may not respond, making it harder to determine the port’s status.

  • Significance of UDP Scan

UDP scanning plays a crucial role in network security and vulnerability assessment. It helps identify potential vulnerabilities and misconfigurations in network devices and services. By discovering open UDP ports, network administrators can assess the potential risks associated with those services and take appropriate measures to secure them.

Additionally, UDP scanning enables the detection of UDP-based services that may not be visible through traditional TCP scans.

 


 



UDP Scanning

Key UDP Scan Discussion Points:

  • The basics of UDP and how this differs from TCP.

  • Connectionless vs connection-oriented protocols.

  • UDP operation: UDP Header.

  • UDP operation: UDP Handshake.

  • Performing a UDP scan. NMAP UDP scan.

  • Performing a TCP scan. SYN Scan.

 

  • A key point: Video on port scanning for UDP and TCP

In the following whiteboard session, we will address port scanning. Port scanning can be performed against TCP and UDP ports. Identifying open ports on a target system is the stage a bad actor carries out when understanding and defining the attack surface of a target.

We will address a tool called Scapy that you can use to scan your network, and we will look at the different types of scans. Remember that the transport layer is responsible for transparent data transfer between layers, from a source to a destination host, via one or more networks.

It can do this in a “reliable” fashion, which means the transport layer will retransmit on packet loss, or in an “unreliable / best-effort” fashion, meaning that higher-layer applications must retransmit data lost at lower layers. TCP is reliable, and UDP is unreliable.

 

Port Scanning: UDP and TCP

 

Back to Basics: UDP Scanning

Main Scanning Components

  • UDP scanning is network scanning to discover services running on a computer or network.

  • Network Scanning can be performed with NMAP.

  • UDP uses headers when packaging message data to transmit. UDP headers include a set of parameters.

  • A UDP handshake is a method computers use to connect over the User Datagram Protocol (UDP).

Network Scanning

UDP scanning is network scanning to discover services running on a computer or network. In addition, it is used to detect any open ports on a system that may be used for malicious activities.

System administrators and security professionals commonly use UDP scanning to identify potential weaknesses in their network security. UDP scanning involves sending a packet to a specific port on the target host.

The host will respond with an acknowledgment packet if the port is open. If the port is closed, the host will not respond. By sending multiple UDP packets to various ports, it is possible to determine which services are running on the target host.

Diagram: UDP Scanning. Source: GeeksforGeeks.

 

UDP scanning can be used to identify potential targets for malicious activities quickly. It can also be used to identify vulnerable services that attackers may exploit. UDP scanning is often used with other network scanning techniques, such as port and vulnerability scanning.

UDP scanning is an essential tool for network security professionals, as it provides valuable information about the open ports on a system. As a result, system administrators can better secure their networks and help prevent malicious activities by understanding which ports are open.

 

Lab Guide: Network Scanning with NMAP

Nmap (Network Mapper) is an open-source and versatile network scanning tool that enables users to discover hosts and services on a computer network. 

It operates by sending packets and analyzing the responses received from target devices. Nmap scanning provides valuable insights into network topology, open ports, operating systems, and potential vulnerabilities. The following lab covers the foundational NMAP knowledge needed to scan a network, find which hosts are online, and see which ports are open on each of those hosts.

Note:

  1. You will use NMAP to scan the 192.168.18.0/24 network. For this first test, we want to see which hosts respond and do not care what ports they have open. I have a small network that is isolated using VMware.
  2. Use the “Ping Scan” option, either -sn or -sP, in this example. In the example below, I am using the -sP option. I also used the -F option. The -F argument tells NMAP to only scan the host for the 100 most common ports.

 

Analysis:

    • You can see that there are three hosts online. Those three hosts are 192.168.18.2, 192.168.18.130, and 192.168.18.131.
    • You will also see how long it took for this NMAP scan to complete and how many IP addresses were scanned.
    • The screen output shows that 256 IP addresses were scanned, which took 2.64 seconds.
    • We can also see the open ports. We have port 22 open for SSH on 192.168.18.131. We also have port 53 open on 192.168.18.2.

Note: It is easy to be detected by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) when performing NMAP scans on a network. There are ways to get around this, such as completing a Stealth Scan and limiting the speed at which the scans are performed.  We will look at Stealth Scan in the following lab guide.

 

Port Scanning

Port scanning is a method used on computer networks to identify open ports on a system and check for vulnerabilities. It is commonly used to detect security weaknesses in networks and systems by probing for open ports and services that may be vulnerable to attack. Port scanning is done either by manually entering commands or by using specialized software.

Port scans are used as a reconnaissance step to identify open ports on a system and assess the target’s security posture. A port scan will typically look for open ports on a target system and then attempt to identify the service running on that port. This helps to identify possible vulnerabilities in the design and determine what kind of attack may be possible.

Port scanning is essential for network security, as it can help to identify any potential weaknesses in a system that an attacker could exploit. However, it is also necessary to ensure that all ports and services are adequately secured, as an open port can be an easy target for an attacker.

Diagram: Port scanning. Source: Varonis.

 

Port scanning with NMAP.

NMAP can be used to perform host discovery. Once you have identified confirmed hosts within your network, you can continue by performing port scanning, which will help you identify risk areas. You can perform both TCP and UDP port scans. This post focuses on the UDP scan and the process of UDP scanning. Remember that what information should be exposed to the outside world is a matter of security policy.

Any IP scan starts with ICMP. As a first step, you can block all incoming ICMP at the network perimeter; this makes ping ineffective, and filtering ICMP unreachable messages blocks traceroute. Consider this the first line of defense. But does it solve all of the problems? No: port scans work on TCP and UDP ports as well.

Connectionless protocols (UDP) spread the state required to carry the data across every possible device. In contrast, connection-oriented protocols (TCP) constrain the state to only those involved in the two-way communication. These differences affect network convergence and how applications react to network failure.

Connectionless protocols move the data onto another path, while connection-oriented protocols must build up the state again. You can see from the packet header below that UDP is a lightweight protocol with few options to set. On the other hand, TCP has many options and flags that can influence communication.

Diagram: NMAP UDP Scan. Source: GeeksforGeeks.

 

Best Practices for UDP Scanning:

1. Be mindful of the network bandwidth: UDP scans can generate significant traffic. It is essential to consider the network capacity and prioritize critical systems to avoid overwhelming the network.

2. Use appropriate scanning tools: Various network scanning tools, such as Nmap or Nessus, offer UDP scanning capabilities. Choose a tool that aligns with your specific requirements and provides accurate results.

3. Understand the limitations: Due to the connectionless nature of UDP, scanning accuracy might be compromised. Some ports may be filtered or unresponsive, leading to inconclusive results. It is crucial to analyze the results holistically and consider other factors.

 

UDP header

UDP (User Datagram Protocol) is a communications protocol for sending data over an IP network. It is an alternative to the more commonly used Transmission Control Protocol (TCP). Unlike TCP, UDP does not provide reliable delivery of data, meaning that there is a chance that packets of data sent over UDP may be dropped or lost. However, UDP is faster than TCP and is more suitable for applications that require speed.

The following diagram shows the UDP Header. UDP uses headers when packaging message data to transmit. UDP headers include a set of parameters. These parameters are called fields defined by the protocol’s technical specifications. The UDP header has four fields, each of which is 2 bytes. The UDP header’s four fields are listed as follows:

    • Source port number, which is the source port of the sender.
    • The destination port number is the port to which the datagram is addressed and destined.
    • Length, the length in bytes of the UDP header.
    • Checksum, which is used for error checking.

In summary, the UDP header is 8 bytes long and consists of four fields: source port, destination port, length, and checksum. The source port is a 16-bit field that identifies the source application used for the communication.

The destination port is a 16-bit field that identifies the application used for the transmission. The length field is a 16-bit field that specifies the length of the UDP header and data. The checksum is a 16-bit field used to verify the integrity of the header and data.
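As an added example that is not part of the original post, the following Python builds and parses the 8-byte header described above and computes the RFC 768 checksum over the IPv4 pseudo-header; the addresses (taken from the lab above), ports and payload are constructed sample values.

```python
import socket
import struct

UDP_HEADER_LEN = 8   # four 16-bit fields: source port, destination port, length, checksum
IPPROTO_UDP = 17     # protocol number carried in the IPv4 pseudo-header


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: source address, destination address, zero byte, protocol, UDP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, IPPROTO_UDP, udp_length))


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 768 checksum over pseudo-header + UDP header (checksum field zeroed) + data."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF  # a computed zero is sent as all ones; a zero field means "no checksum"


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Serialize a UDP segment; the length field covers header and data."""
    length = UDP_HEADER_LEN + len(payload)
    unchecked = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, unchecked)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(segment: bytes) -> dict:
    """Decode the four header fields and slice the payload using the length field."""
    if len(segment) < UDP_HEADER_LEN:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(segment):
        raise ValueError("UDP length field inconsistent with segment size")
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": csum, "payload": segment[UDP_HEADER_LEN:length]}


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True if the checksum matches (or was left as zero, which IPv4 permits)."""
    fields = parse_udp(segment)
    if fields["checksum"] == 0:
        return True
    body = segment[:fields["length"]]
    # Summing the transmitted checksum together with the covered data yields all ones when intact.
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(body)) + body) == 0xFFFF


# Constructed sample: a 4-byte payload from 192.168.18.131 to port 53 on 192.168.18.2.
SAMPLE_SEGMENT = build_udp("192.168.18.131", "192.168.18.2", 40000, 53, b"\x00\x01\x02\x03")

if __name__ == "__main__":
    print(parse_udp(SAMPLE_SEGMENT))
    print("checksum ok:", verify_udp("192.168.18.131", "192.168.18.2", SAMPLE_SEGMENT))
```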

Diagram: UDP scan and the UDP header.

 

UDP handshake

A UDP handshake is a method computers use to connect over the User Datagram Protocol (UDP). It is an essential part of the process of setting up a network connection, and it allows two devices to communicate with each other.

The UDP handshake starts with the sending device sending a request to the receiving device. This request is usually in the form of an IP address and a port number. The receiving device then sends a confirmation packet, indicating it is ready to receive data.

Once this packet is received, the sending device can send data to the receiving device. The UDP handshake is often used for streaming audio and video, as it is a fast way of establishing a connection between two devices. In addition, it does not require the same security level as a TCP connection, so it is often preferred for streaming applications.

Once the UDP handshake is complete, the two devices are connected and can begin exchanging data. The connection remains active until one of the devices closes it. This is done either by sending a particular packet or by the connection timing out. A UDP handshake is a fast and reliable way to connect two devices.

    • No three-way UDP handshake:

UDP has a source and destination port but does not require the source and destination to establish a three-way UDP handshake before transmission occurs. Further, there is no requirement for an end-to-end connection. This contrasts with TCP.

TCP establishes a connection between a sender and receiver before sending data. The UDP handshake does not establish a connection before sending data. So in a TCP-based connection, a three-way handshake is used to create the connection. TCP uses handshake messages (SYN, SYN-ACK, and ACK), whereas UDP has no handshake protocol at all.

    • Differences from TCP Scan:

Unlike TCP scanning, which establishes a connection with the target system, UDP scanning works without a handshake process. This makes UDP scanning faster but less reliable. Furthermore, UDP scans are more likely to trigger intrusion detection systems (IDS) or firewalls due to the nature of unsolicited packets being sent. It is important to configure these security systems accordingly to avoid false alarms.

Capabilities        TCP (Transmission Control Protocol)    UDP (User Datagram Protocol)
Connection Type     Connection-oriented                    Connectionless
Sequencing          Yes                                    No
Usage               Downloads, File Sharing                Video Streaming, VoIP


Getting Started with UDP Scanning

Consider how these protocols work and respond to scans when enabled at your perimeter. How these protocols interact with the network affects how they are viewed and scanned by the outside world. For example, UDP sends a packet to the receiver with no mechanism for ensuring packet delivery and does not require a response from the target machine.

This type of communication is often referenced as dropping a letter into a mailbox and not knowing if the receiver has opened it. So, how does the design of these protocols affect the type of scans and results they offer?


UDP Scanning Checklist

  • UDP is a prime target for DNS reflection attacks. UDP does not have any in-built security.

  • Examine port scanning with a layered approach. Start with ICMP and then move to port scanning with both a TCP and UDP scan.

  • TCP and UDP differ significantly with their handshake methods.

  • NMAP is a tool that can be used to perform port scans.

 

What Is a UDP Scan?

A classic problem with UDP fingerprinting is that you are unlikely to get a response from the receiver. If the service is available and accepting UDP packets, the expected behavior for this service is to accept the packet but not send back a response to the sender. Likewise, a common firewall strategy is to absorb the packet and not send a reply back to the sender – the “if you can’t see me, you can’t attack me” approach.

Diagram: UDP scanning and the UDP transfer.

 

This is common with UDP scans, which tend to result in false positives. As a result of this behavior, most UDP scans provide very little information and mark nearly every port as “open|filtered.” Generally, a port is considered “open” if the scanning host does not receive back an Internet Control Message Protocol ( ICMP ) port unreachable message.
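To make the port states used above concrete, here is an added Python example (not part of the original post) that classifies the replies to UDP probes the way Nmap's -sU scan documents them: an ICMP port unreachable marks the port closed, other ICMP unreachable codes mark it filtered, a UDP reply marks it open, and silence after the retransmitted probes is reported as open|filtered. The replies, ports and host address are constructed sample data, not a live capture.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

ICMP_DEST_UNREACH = 3   # ICMP type 3: destination unreachable
ICMP_PORT_UNREACH = 3   # code 3: nothing is listening on that UDP port
# Other type-3 codes (net/host/proto unreachable, admin prohibited) point at a filter, not the service.
ICMP_FILTER_CODES = {1, 2, 9, 10, 13}


@dataclass(frozen=True)
class Reply:
    """Constructed record of what came back for one probe (stand-in for a captured packet)."""
    proto: str            # "udp" or "icmp"
    icmp_type: int = 0
    icmp_code: int = 0
    payload: bytes = b""


def classify_udp_port(replies: Sequence[Optional[Reply]]) -> str:
    """Map the replies to the probes of one port onto Nmap's -sU states.

    replies holds one entry per probe sent, None meaning nothing arrived before
    the timeout. Because a lone UDP probe can simply be dropped, the scanner
    retransmits, and the state is taken from the first informative reply.
    """
    for reply in replies:
        if reply is None:
            continue
        if reply.proto == "udp":
            return "open"            # the service itself answered
        if reply.proto == "icmp" and reply.icmp_type == ICMP_DEST_UNREACH:
            if reply.icmp_code == ICMP_PORT_UNREACH:
                return "closed"      # the IP stack confirmed there is no listener
            if reply.icmp_code in ICMP_FILTER_CODES:
                return "filtered"    # a firewall rejected the probe
    # Silence is ambiguous: an open service ignoring junk, or a firewall dropping the probe.
    return "open|filtered"


def scan_report(results: Dict[int, Sequence[Optional[Reply]]]) -> Dict[int, str]:
    """Classify every probed port; results maps port -> replies per probe."""
    return {port: classify_udp_port(replies) for port, replies in sorted(results.items())}


def count_states(report: Dict[int, str]) -> Dict[str, int]:
    """Tally how many ports fell into each state (most usually land in open|filtered)."""
    tally: Dict[str, int] = {}
    for state in report.values():
        tally[state] = tally.get(state, 0) + 1
    return tally


# Constructed observations, up to three probes per port, against the lab host 192.168.18.2.
SAMPLE_RESULTS: Dict[int, Sequence[Optional[Reply]]] = {
    53:  [Reply("udp", payload=b"\x12\x34\x81\x80")],                   # DNS answered: open
    69:  [None, Reply("icmp", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)],   # closed
    161: [None, None, None],                                            # silent: open|filtered
    500: [Reply("icmp", ICMP_DEST_UNREACH, 13)],                        # admin prohibited: filtered
    123: [None, None, None],                                            # silent: open|filtered
}

if __name__ == "__main__":
    report = scan_report(SAMPLE_RESULTS)
    for port, state in report.items():
        print(f"{port}/udp  {state}")
    print(count_states(report))
```

The same classifier also shows why a -sV pass matters: a port that only went silent stays open|filtered until a protocol-specific probe draws a UDP reply.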

 

NMAP UDP Scan

To elicit more of a response, you can run NMAP ( Network Mapper ) with the “-sV” switch, which sends specially crafted packets to the ports listed as “open|filtered.” This can help narrow down the results and move ports from “open|filtered” to “open.”

The Nmap UDP scan can help inventory UDP ports, and it is activated with the -sU option. Consider combining the NMAP UDP scan with a TCP SYN scan, which is carried out with the -sS option; this lets you check both protocols during the same scan run.

Alternatively, you could go above Layer 4. For example, if you are doing SNMP scanning, you would send an “SNMP ping” instead of looking for open UDP ports. An SNMP ping is not like an ICMP ping. Instead, it operates above Layer 4 and requests an OID/object name that is universally present on all SNMP agents.

Diagram: NMAP UDP Scan example. Source: NMAP.

 

UDP scans are slow

Another problem with UDP scans is that they are slow. UDP does not provide any error checking; sometimes, the UDP CRC32 checksum is not supported by the IP stack being used. As a result, the scanning host usually sends three successive UDP packets and waits for at least one ICMP port unreachable message ( if the receiving host decides to generate a response ).

The only way to speed this up is to trade off stealth and run multiple UDP probes in parallel. In contrast, TCP is a connection-oriented protocol that uses a three-way handshake to create the communication session.

Diagram: TCP handshake.

 

Its design makes it subject to several different scans, which offer better results than a UDP scan. The most basic and stable type of scan is a TCP Connect scan. The scanning host attempts to complete the three-way handshake and tears down the session gracefully.

This type of scan is not a “Stealth” scan; most applications will log the completion of a three-way handshake. Instead, you could go for a TCP SYN scan if you want a faster or stealthier scan. SYN scans are faster because rather than completing the entire three-way handshake, they only complete the process’s first two steps.

If we compare the TCP three-way handshake to the analogy of someone making a phone call, a SYN scan would be similar to making a call and, once the receiver picks up, saying nothing and hanging up. A SYN scan is the default NMAP scan.

Diagram: Slow UDP scan. Source: NMAP.

 

NMAP and Stealth Scans


When performing a Stealth Scan, Nmap sends a SYN packet to the target host. The port is open and listening if the target host responds with a SYN/ACK packet. At this point, Nmap sends an RST packet to terminate the connection without completing the handshake. This approach allows Nmap to gather information about open ports without establishing a full connection, making detecting the scan difficult for intrusion detection systems.

Note:

  1. The -sS argument performs what is called a Stealth Scan. This is accomplished by not completing the TCP three-way handshake. The computer performing the NMAP scan sends the TCP SYN message, and when the host responds with the TCP SYN-ACK message, the computer doesn’t send the final TCP ACK message, completing the handshake.
  2. The -O argument tells NMAP to guess the host’s operating system. NMAP can detect the operating system by looking at the responses to various TCP/IP messages, such as the TTL value in those responses.
  3. The -Pn argument tells NMAP not to send an ICMP (or Ping) packet. The ICMP packet is used for host discovery.

 

Note: NMAP has numerous scripts that can be run. You tell NMAP to run a script by adding the --script argument, immediately followed by the name of the script you want to run. In this command, you run the vuln script to check the host for 105 vulnerabilities.

I am on a locked-down Ubuntu host that is pretty secure by default. Also, I ran a different Nmap scan, not a stealth scan. In production, this scan would be detected. However, at least now you can see that it has detected my Ubuntu OS as a version of Linux.

Benefits of a Stealth Scan:

1. Reduced network footprint: The Stealth Scan minimizes the network footprint by avoiding unnecessary connections and reducing the chances of detection by IDS and intrusion prevention systems (IPS).

2. Faster scanning: Since the Stealth Scan only partially completes the TCP three-way handshake, it can scan many ports, making it an efficient scanning technique.

3. Evasion of firewall rules: The Stealth Scan can bypass specific firewall rules that only filter incoming connections but do not inspect outgoing SYN packets.

Limitations and Considerations:

While the Stealth Scan is an effective scanning technique, it has its limitations and considerations:

1. Limited application with stateful firewalls: Stateful firewalls that track the status of network connections can detect and block Stealth Scans by recognizing the incomplete three-way handshake.

2. Inaccurate results with heavily filtered ports: Some hosts may be configured to drop incoming SYN packets instead of responding with a SYN/ACK packet. In such cases, the Stealth Scan may yield inaccurate results.

3. Detection by advanced IDS/IPS systems: Advanced intrusion detection and prevention systems may implement behavior analysis and anomaly detection techniques to identify and block Stealth Scans. Therefore, it’s important to remember the scan’s stealthiness when conducting security assessments.

  • A key point: Video on Stateful Inspection Firewalls

We know we have a set of well-defined protocols that are used to communicate over our networks. Let’s call these communication rules. You are probably familiar with the low-layer transport protocols, such as TCP and UDP, and higher application layer protocols, such as HTTP and FTP.

Generally, we interact directly with the application layer, while networking and security devices work at the lower layers. So when host A wants to talk to host B, the traffic passes through several communication layers, with devices working at each layer. One device that works at one of these layers is a stateful firewall.

Stateful Inspection Firewall

 

The Use of XMAS scans

An XMAS scan is another helpful scan that sets specific flags in the TCP header. XMAS scans get their name due to the analogy of being “lit up like a Christmas tree.” The “lighting up” refers to the fact that the FIN, PSH, and URG packet flags are all set to “on,” and the packet is “lit up like a Christmas tree.”

Diagram: TCP scans.

An XMAS-crafted packet is highly unusual because it does not have a SYN, ACK, or RST flag set, violating traditional TCP communications. Why would you not set these flags? To elicit a response, or no response, from the receiver.

The RFC states that if an open port receives a packet without a SYN, ACK, or RST flag set, the packet should be ignored. As a result, NMAP can determine the port state without initiating or completing a connection to the target system, but only if the target host’s operating system fully complies with the TCP RFC.

XMAS scan creates packets without the SYN flag set

Early packet filters block inbound SYN packets to stop a TCP three-way handshake. If no TCP three-way handshake can occur, then no TCP communication can be originated from outside the filter.

However, consider that the NMAP XMAS scan does not attempt to establish an entire TCP session to determine which ports are open. Such a filter will indeed prevent a TCP Connect scan, but because an XMAS scan creates packets without the SYN flag set, it will bypass the filter.
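Both the stealth (SYN) scan described in the NMAP and Stealth Scans section and the XMAS packets above leave a recognizable trace in traffic, which is what an IDS or stateful firewall keys on. As an added example that is not part of the original post, this Python detector flags both patterns over a constructed packet list; the addresses, ports and the port threshold are assumed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Pkt:
    """Constructed stand-in for one captured TCP packet in the client -> server direction."""
    src: str
    dst: str
    dport: int
    flags: int


def is_xmas(flags: int) -> bool:
    """FIN, PSH and URG all set with SYN, ACK and RST clear: no normal stack emits this."""
    return (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and not flags & (SYN | ACK | RST)


def is_bare_syn(flags: int) -> bool:
    """Handshake step 1: SYN without ACK."""
    return bool(flags & SYN) and not flags & ACK


def is_bare_ack(flags: int) -> bool:
    """Handshake step 3: an ACK without SYN/RST/FIN completes the connection from the client."""
    return bool(flags & ACK) and not flags & (SYN | RST | FIN)


def detect_scans(packets: List[Pkt], port_threshold: int = 15) -> List[Tuple]:
    """Return alerts for XMAS packets and for sources running a half-open (SYN) scan.

    A source is flagged as a SYN scanner when its bare SYNs hit at least
    port_threshold distinct ports on one host and none of those ports ever
    receives the completing ACK (a stealth scan answers SYN/ACK with RST instead).
    """
    syn_ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    completed: Set[Tuple[str, str, int]] = set()
    alerts: List[Tuple] = []
    for p in packets:
        if is_xmas(p.flags):
            alerts.append(("xmas", p.src, p.dst, p.dport))
        elif is_bare_syn(p.flags):
            syn_ports[(p.src, p.dst)].add(p.dport)
        elif is_bare_ack(p.flags):
            completed.add((p.src, p.dst, p.dport))
    for (src, dst), ports in syn_ports.items():
        half_open = {pt for pt in ports if (src, dst, pt) not in completed}
        if len(half_open) >= port_threshold:
            alerts.append(("syn_scan", src, dst, len(half_open)))
    return alerts


def sample_capture() -> List[Pkt]:
    """Constructed traffic: a scanner sweeping 20 ports plus one XMAS probe, and a normal SSH client."""
    target, scanner, client = "192.168.18.131", "10.0.0.99", "10.0.0.5"
    pkts = [Pkt(scanner, target, port, SYN) for port in range(1, 21)]
    pkts.append(Pkt(scanner, target, 80, FIN | PSH | URG))
    pkts += [Pkt(client, target, 22, SYN), Pkt(client, target, 22, ACK),
             Pkt(client, target, 22, PSH | ACK)]
    return pkts


if __name__ == "__main__":
    for alert in detect_scans(sample_capture()):
        print(alert)
```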

 

Summary: UDP Scanning

UDP scanning involves probing target systems for open UDP ports. Unlike TCP, UDP is connectionless, which makes verifying whether a port is open or closed challenging. UDP scanning attempts to determine the state of UDP ports by sending packets and analyzing the responses.

UDP scanning provides valuable insights into network security. By identifying open UDP ports, security professionals can assess potential vulnerabilities and take appropriate measures to protect against threats. Additionally, it allows for the discovery of services and applications running on these ports, aiding in network mapping and understanding the network infrastructure better.

Types of UDP Scanning Techniques:

1. UDP Connect Scanning: This technique emulates a connection-oriented approach, similar to TCP scanning. It sends a UDP packet to a specific port and waits for a response, indicating whether the port is open, closed, or filtered.

2. UDP Stealth Scanning: Also known as UDP Idle Scanning, this technique leverages the concept of zombie hosts. UDP stealth scanning can glean information about open ports without directly interacting with the target by exploiting the trust relationship between a zombie host and the target.

3. UDP Fragmentation Scanning: This technique involves splitting UDP packets into smaller fragments to bypass firewall filters and evade detection. The scanner can identify open UDP ports by reassembling the fragmented packets at the receiving end.

Vulnerabilities Revealed by UDP Scanning:

1. Open UDP Ports: UDP scanning exposes open UDP ports that can be potential entry points for attackers. Services running on these ports may have vulnerabilities that can be exploited.

2. Misconfigured Firewalls: UDP scanning can uncover misconfigured firewalls that allow unauthorized access through open UDP ports.

3. Amplification Attacks: Certain UDP-based services can be exploited to launch amplification attacks, where a small request generates a large response. UDP scanning helps identify such susceptible services and enables their mitigation.

Conclusion:

While TCP scanning is more widely recognized, UDP scanning plays a crucial role in network security assessments. Security professionals can identify open UDP ports and potential vulnerabilities by leveraging various scanning techniques. Understanding UDP scanning and its significance helps organizations strengthen their network defenses against threats. Regular UDP scanning and robust security measures ensure a more resilient and secure network infrastructure.

 
