1
00:00:00,120 --> 00:00:04,170
UDP scan is activated with the uppercase -sU option.

2
00:00:05,240 --> 00:00:13,460
UDP scan works by sending a UDP packet to every targeted port. For some common ports, such as 53

3
00:00:13,460 --> 00:00:18,890
and 161, a protocol-specific payload is sent to increase the response rate.

4
00:00:19,870 --> 00:00:21,670
But for most ports, the packet is empty.

5
00:00:22,920 --> 00:00:29,220
Well, there are some options to force Nmap to send non-empty packets, such as the --data parameter.

6
00:00:30,370 --> 00:00:34,780
Because UDP scanning is generally slower and more difficult than TCP,

7
00:00:35,320 --> 00:00:37,720
some security auditors ignore these ports.

8
00:00:37,990 --> 00:00:44,980
Now, I think this is a mistake, as exploitable UDP services are quite common and attackers certainly don't

9
00:00:44,980 --> 00:00:46,480
ignore the whole protocol.

10
00:00:47,860 --> 00:00:53,230
So in general, destination systems do not respond when they receive a UDP packet.

11
00:00:53,980 --> 00:00:59,650
So Nmap doesn't recognize whether the port is open or filtered when there is no response from the target

12
00:00:59,650 --> 00:01:00,130
system.

13
00:01:01,130 --> 00:01:08,240
In this case, the port is flagged as open|filtered. To force the systems to respond to our packets,

14
00:01:09,240 --> 00:01:12,960
you'd be better off using UDP scan with the version detection option.

15
00:01:13,650 --> 00:01:15,750
You'll have much more accurate results.

16
00:01:18,040 --> 00:01:21,280
Let's perform an Nmap UDP scan in our virtual network.

17
00:01:22,630 --> 00:01:24,690
Go to Kali and open a terminal screen.

18
00:01:25,660 --> 00:01:27,850
I want to scan my Metasploitable system.

19
00:01:28,620 --> 00:01:30,610
Let's create the UDP scan command.

20
00:01:31,530 --> 00:01:36,240
nmap is the command itself, and -n is to avoid the DNS resolution.
21
00:01:36,660 --> 00:01:42,120
I like to see the IP addresses. Uppercase -Pn is to avoid the host discovery.

22
00:01:42,150 --> 00:01:43,080
We've seen this before.

23
00:01:44,080 --> 00:01:47,530
-sU, with uppercase U, is to do the UDP scan.

24
00:01:47,650 --> 00:01:53,290
Now here's the target IP address: 172.16.99.206.

25
00:01:54,010 --> 00:01:56,800
So let's keep it a fast scan, for the top ten ports only.

26
00:01:57,520 --> 00:02:00,190
I use the --top-ports parameter for this purpose.

27
00:02:00,730 --> 00:02:08,140
Now, as I said a minute ago, UDP scan should run with version detection. Use the -sV parameter

28
00:02:08,140 --> 00:02:09,520
to use version detection.

29
00:02:10,850 --> 00:02:19,220
I'd like to add one more parameter here, which is --reason. The --reason parameter is used to show the reason

30
00:02:19,220 --> 00:02:23,270
why the state of the port is set as open, closed or filtered.

31
00:02:24,220 --> 00:02:25,120
Now hit Enter.

32
00:02:26,400 --> 00:02:26,880
See what I mean?

33
00:02:27,210 --> 00:02:34,230
UDP is much slower than SYN scan or TCP scan, because the destination system does not respond

34
00:02:34,380 --> 00:02:37,980
most of the time, and then Nmap has to wait more to decide the states.

35
00:02:39,600 --> 00:02:45,720
And moreover, we use version detection, which sends more packets to understand the service and the

36
00:02:45,720 --> 00:02:46,140
version.

37
00:02:47,230 --> 00:02:50,620
So this scan takes much longer than the SYN or TCP scan.

38
00:03:00,820 --> 00:03:05,630
One IP address and 10 ports scanned in about, what's that, 100 seconds.

39
00:03:05,650 --> 00:03:06,790
Wake up if you took a nap.

40
00:03:07,570 --> 00:03:10,900
Here are the states of the top 10 UDP ports of Metasploitable.
41
00:03:12,000 --> 00:03:18,210
Ports 53 and 137 are flagged as open because they returned UDP responses, and

42
00:03:18,210 --> 00:03:19,830
you see the version of the services

43
00:03:20,040 --> 00:03:21,330
listening on those ports.

44
00:03:22,920 --> 00:03:29,670
Port 138 is flagged as open|filtered because there is no response, and the other ports are flagged

45
00:03:29,670 --> 00:03:33,780
as closed because they returned ICMP port unreachable errors.

46
00:03:34,500 --> 00:03:37,620
Let's see how Nmap interprets the results of a UDP scan.

47
00:03:39,380 --> 00:03:42,200
Occasionally, a service will respond with a UDP packet,

48
00:03:43,300 --> 00:03:44,350
proving that it is open.

49
00:03:45,240 --> 00:03:49,650
If an ICMP port unreachable error (type 3, code 3) is returned,

50
00:03:50,680 --> 00:03:51,810
the port is closed.

51
00:03:52,700 --> 00:03:54,560
Other ICMP unreachable errors

52
00:03:54,770 --> 00:03:59,960
(type 3, code 0, 1, 2, 9, 10 or 13)

53
00:04:01,050 --> 00:04:02,400
mark the port as filtered.

54
00:04:03,290 --> 00:04:06,080
If no response is received after retransmissions,

55
00:04:07,340 --> 00:04:10,370
the port is classified as open|filtered.