UDP scanning with Nmap

UDP scanning is often slow, time consuming, and tedious. Nmap decides that a UDP port is closed when the target answers with an ICMP port-unreachable message, and many systems (Linux by default) rate-limit those replies to roughly one per second, which drastically increases the time required to scan a large number of ports and/or systems. Fortunately, Nmap's UDP scan is considerably more effective than a naive probe: it sends protocol-specific payloads to well-known UDP services so that an open port is more likely to answer, and it reports ports that never reply as open|filtered rather than silently dropping them.

  1. To perform a UDP scan with Nmap, use the -sU option together with the IP address of the host to be scanned:
  2. Although Nmap solicits replies from UDP ports with custom payloads for many services, scanning even the default 1,000 ports still takes a long time when no other arguments narrow down the destination ports. As you can see from the scan metadata at the bottom of the output, the default scan required nearly 20 minutes to complete. The required scan time can be shortened by performing targeted scans, as shown in the following command:
  3. The amount of time required to perform UDP scans can be drastically reduced by specifying the particular ports that need to be scanned. This is done by performing a UDP scan and specifying the port with the -p option.
  4. In the preceding example, only port 53 is scanned, in an attempt to identify a DNS service. A scan can also be performed on multiple specified ports, as follows:
  5. In the example provided, a scan was performed on the first 100 ports. This was done using dash notation, specifying both the first and last port to be scanned. Nmap then probes all of the ports between and including these two values in parallel; the probes are sent from a single Nmap process and paced by its timing engine, not by separate processes per port.
  6. On some occasions, a UDP analysis will need to be performed on multiple systems. A range of hosts can be scanned with Nmap using dash notation and defining the range of values for the last octet, as follows:
  7. In the example provided, scans were performed on all live hosts within the 172.16.69.0/24 range (Nmap's host discovery runs first, so hosts that do not respond to it are skipped unless -Pn is supplied). Each host was scanned to identify whether a DNS service was running on port 53. Another option is to scan multiple hosts using an input list of IP addresses.
  8. To do this, use the -iL option, passing it either the name of a file in the current directory or the full path to a file elsewhere. An example of the former is as follows:
  9. In the example provided, a scan was performed to determine whether an NTP service was running on port 123 on any of the systems listed in the iplist.txt file in the execution directory.
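The procedure above, gathered into one script as an added example (this is not code from the original page or from the Nmap project): the scan variants as shell functions, a faster and more decisive variant that uses service probes and ICMP rate-limit defeat, and a small awk parser for Nmap's grepable (-oG) output that separates open, open|filtered and closed UDP ports, which is the part of UDP scanning people most often misread. The target host 172.16.69.10, the range 172.16.69.1-254 and the file name iplist.txt are assumptions for illustration; the sample grepable output is constructed, not captured from a real scan. All Nmap options used (-sU, -p, -iL, -Pn, -sV, --version-intensity, --max-retries, --defeat-icmp-ratelimit, -oG) are real options.

```shell
#!/bin/sh
# Added example, not from the original page: UDP scanning with Nmap as shell
# functions, plus a parser for Nmap's grepable (-oG) output.
# Assumptions (hypothetical, not stated on the page): target 172.16.69.10,
# range 172.16.69.1-254, list file iplist.txt.

# Default UDP scan of Nmap's top 1,000 UDP ports. Slow, because every closed
# port needs an ICMP port-unreachable reply and Linux rate-limits those to ~1/s.
udp_scan_default() {
    nmap -sU "$1"
}

# Targeted scan. $1 is a host, a dash range (172.16.69.1-254) or a CIDR block;
# $2 is a port spec: a single port (53), a list (53,123,161) or a range (1-100).
# Host discovery runs first; append -Pn to scan hosts that do not answer it.
udp_scan() {
    nmap -sU -p "$2" "$1"
}

# Same, but the hosts are read from a file (one target per line) with -iL.
udp_scan_list() {
    nmap -sU -p "$2" -iL "$1"
}

# Faster and more decisive scan of a few ports, written to grepable output on
# stdout: -sV at low intensity sends service probes that turn "open|filtered"
# into "open" when the service answers; --max-retries 1 caps retransmissions;
# --defeat-icmp-ratelimit stops waiting for rate-limited port-unreachable
# replies, at the cost of reporting silent ports as closed|filtered.
udp_scan_fast() {
    nmap -sU -sV --version-intensity 0 --max-retries 1 --defeat-icmp-ratelimit \
         -p "$2" -oG - "$1"
}

# Parse grepable output on stdin and print "host port proto service" for every
# port whose state equals $1 (open, open|filtered, closed, closed|filtered).
# Grepable port entries look like 53/open/udp//domain/// and are separated by
# ", "; the fields of a line are separated by tabs.
parse_udp_results() {
    awk -F'\t' -v want="$1" '
    /^Host:/ {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Ports: /) {
                p = $i; sub(/^Ports: /, "", p)
                n = split(p, ports, ", ")
                for (j = 1; j <= n; j++) {
                    split(ports[j], f, "/")
                    if (f[2] == want) print host, f[1], f[3], f[5]
                }
            }
        }
    }'
}

# Constructed sample of what "nmap -sU -p 53,123,161 -oG - ..." prints for two
# hosts; not real scan output.
sample_grepable() {
    printf '%s\n' '# Nmap scan initiated as: nmap -sU -p 53,123,161 -oG - 172.16.69.10 172.16.69.11 (constructed sample)'
    printf 'Host: 172.16.69.10 ()\tStatus: Up\n'
    printf 'Host: 172.16.69.10 ()\tPorts: 53/open/udp//domain///, 123/open|filtered/udp//ntp///, 161/closed/udp//snmp///\n'
    printf 'Host: 172.16.69.11 ()\tStatus: Up\n'
    printf 'Host: 172.16.69.11 ()\tPorts: 53/closed/udp//domain///, 123/open/udp//ntp///\tIgnored State: closed (1)\n'
    printf '%s\n' '# Nmap done -- 2 IP addresses (2 hosts up) scanned'
}

# With RUN_SCAN=1 a real scan of the hypothetical target is parsed; otherwise
# the constructed sample is parsed so the script runs offline.
if [ "${RUN_SCAN:-0}" = 1 ]; then
    udp_scan_fast 172.16.69.10 53,123,161 | parse_udp_results open
else
    echo "open ports in sample:";    sample_grepable | parse_udp_results open
    echo "open|filtered in sample:"; sample_grepable | parse_udp_results 'open|filtered'
fi
```

Treat open|filtered as "no evidence either way": a firewall dropping the probe and a service that does not answer an empty or unrecognised payload look identical from the scanner's side. Re-probing those ports with udp_scan_fast (service probes) or with a protocol-specific client is what turns them into a finding, and --defeat-icmp-ratelimit should only be used when speed matters more than the distinction between closed and filtered.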