Layer 4 discovery - TCP and UDP

Nmap has options to discover hosts with both TCP and UDP probes. Its UDP discovery already sends protocol-specific payloads (taken from Nmap's nmap-payloads data file) to ports whose services would not answer an empty datagram, so the probes are more likely to trigger replies from less-responsive services:

  1. To perform a discovery scan with UDP, use the -PU option followed by the port to probe. Combine it with -sn so that Nmap stops after host discovery instead of continuing into a port scan.
  2. Similarly, an Nmap UDP ping can be sent to a series of IP addresses defined by an input list (-iL). In the example provided, the iplist.txt file in the working directory lists the hosts to probe.
  3. Although the output of each of these examples reported that six hosts were discovered, this does not mean that all six were found by the UDP probe. Besides the probe to UDP port 53, Nmap uses whatever other discovery means it has available; in particular, on a directly connected Ethernet segment it sends ARP requests, which is the usual reason a host shows as up on a lab network. Add --disable-arp-ping (or --send-ip) to force the IP-layer probe. The -sn option prevents the TCP port scan that would otherwise follow, but it does not by itself isolate the UDP ping.
  4. To see which discovery method found each host, capture the traffic with Wireshark or tcpdump, or ask Nmap itself: --reason prints why each host was considered up (for example, "udp-response" or "port-unreach" versus "arp-response"), and --packet-trace shows every probe sent and every reply received. Alternatively, Nmap can perform a TCP ACK ping in the same fashion as was discussed with Scapy. To identify live hosts with ACK packets, use the -PA option followed by the port you would like to use.
  5. The TCP ACK ping discovery method can also be run against a range of hosts using dash notation, or against the addresses listed in an input file.
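The following script is an added example, not code from the book, of the tcpdump-side check described in step 4: it reads tcpdump's text output and attributes every reply to the probe it answers (UDP service reply or ICMP port unreachable, RST to the ACK probe, ICMP echo reply), so you can tell which hosts the UDP ping alone would have found. The capture lines, the scanner address 192.168.1.10, the probe ports 53 and 80, and the scan command `nmap -sn -PU53 -PA80 -PE --disable-arp-ping 192.168.1.0/24` it imitates are all constructed assumptions.

```python
"""Attribute each Nmap discovery reply in a tcpdump capture to the probe it answers.

Added example for this page, not the book's code. Intended workflow: run
`tcpdump -n -i eth0 host 192.168.1.10` in one terminal, then
`nmap -sn -PU53 -PA80 -PE --disable-arp-ping 192.168.1.0/24` in another, and
feed the tcpdump text to classify_replies(). Scanner address and probe ports
below are assumptions; SAMPLE_CAPTURE is constructed by hand, not a real capture.
"""
import re
from collections import defaultdict

SCANNER = "192.168.1.10"  # assumed address of the scanning host

# Constructed sample resembling `tcpdump -n` output (not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.168.1.10.40001 > 192.168.1.5.53: 0 TXT CHAOS? version.bind. (30)
12:00:01.000200 IP 192.168.1.5.53 > 192.168.1.10.40001: 0 TXT CHAOS 1/0/0 (60)
12:00:01.000300 IP 192.168.1.10.40002 > 192.168.1.6.53: 0 TXT CHAOS? version.bind. (30)
12:00:01.000400 IP 192.168.1.6 > 192.168.1.10: ICMP 192.168.1.6 udp port 53 unreachable, length 66
12:00:01.000500 IP 192.168.1.10.40003 > 192.168.1.6.80: Flags [.], ack 1, win 1024, length 0
12:00:01.000600 IP 192.168.1.6.80 > 192.168.1.10.40003: Flags [R], seq 1, win 0, length 0
12:00:01.000700 IP 192.168.1.10.40004 > 192.168.1.7.80: Flags [.], ack 1, win 1024, length 0
12:00:01.000800 IP 192.168.1.7.80 > 192.168.1.10.40004: Flags [R], seq 1, win 0, length 0
12:00:01.000900 IP 192.168.1.10 > 192.168.1.8: ICMP echo request, id 1, seq 1, length 8
12:00:01.001000 IP 192.168.1.8 > 192.168.1.10: ICMP echo reply, id 1, seq 1, length 8
12:00:01.001100 IP 192.168.1.10.40005 > 192.168.1.9.53: 0 TXT CHAOS? version.bind. (30)
12:00:01.001200 IP 192.168.1.10.40006 > 192.168.1.9.80: Flags [.], ack 1, win 1024, length 0
"""

# "<ts> IP <src>[.<sport>] > <dst>[.<dport>]: <rest>"; ports are optional (ICMP has none).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify_replies(capture, scanner=SCANNER, udp_port=53, ack_port=80):
    """Map each discovery method to the set of hosts that answered its probe."""
    found = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != scanner:
            continue  # not an IP line, or not a reply addressed to the scanner
        src, sport, rest = m["src"], m["sport"], m["rest"]
        if rest.startswith("ICMP") and f"udp port {udp_port} unreachable" in rest:
            # Port closed, but the host answered: still proof of life (port-unreach).
            found["udp"].add(src)
        elif sport == str(udp_port) and "Flags [" not in rest:
            found["udp"].add(src)  # the UDP service itself replied (udp-response)
        elif sport == str(ack_port) and "Flags [R" in rest:
            found["tcp-ack"].add(src)  # RST in answer to our unsolicited ACK (reset)
        elif rest.startswith("ICMP echo reply"):
            found["icmp-echo"].add(src)  # echo-reply to the -PE probe
    return dict(found)


def probed_hosts(capture, scanner=SCANNER):
    """Every destination the scanner sent a probe to, so silent hosts can be listed."""
    targets = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m["src"] == scanner:
            targets.add(m["dst"])
    return targets


def hosts_up(found):
    """Union of all responders, regardless of which probe they answered."""
    return set().union(*found.values()) if found else set()


def found_only_by(found, method):
    """Hosts that answered only one probe type; these are the ones a single -P option finds."""
    others = set().union(*(h for k, h in found.items() if k != method))
    return found.get(method, set()) - others


if __name__ == "__main__":
    result = classify_replies(SAMPLE_CAPTURE)
    for method, hosts in sorted(result.items()):
        print(f"{method:10s} {sorted(hosts)}")
    print("up:        ", sorted(hosts_up(result)))
    print("udp only:  ", sorted(found_only_by(result, "udp")))
    print("silent:    ", sorted(probed_hosts(SAMPLE_CAPTURE) - hosts_up(result)))
```

On the constructed capture, two hosts answer the UDP probe (one with a DNS reply, one with ICMP port unreachable), but only one of them is found by UDP alone; the other would also have shown up via the ACK ping. Because this reads tcpdump's text rather than raw packets, run tcpdump with -n so addresses are not resolved, and keep ARP ping disabled during the scan, otherwise the IP-layer probes are never sent on a local segment and there is nothing to classify.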