﻿1
00:00:00,150 --> 00:00:04,170
UDP scan is activated with the -sU option.

2
00:00:05,240 --> 00:00:13,880
UDP scan works by sending a UDP packet to every targeted port. For some common ports, such as 53 and

3
00:00:13,880 --> 00:00:18,920
161, a protocol-specific payload is sent to increase response rate.

4
00:00:19,870 --> 00:00:21,630
But for most ports, the packet is empty.

5
00:00:22,920 --> 00:00:29,250
Well, there are some options to force Nmap to send non-empty packets, such as the data parameter.

6
00:00:30,370 --> 00:00:37,120
Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore

7
00:00:37,120 --> 00:00:38,240
these ports. Now,

8
00:00:38,560 --> 00:00:45,010
I think this is a mistake, as exploitable UDP services are quite common and attackers certainly don't

9
00:00:45,010 --> 00:00:46,510
ignore the whole protocol.

10
00:00:47,830 --> 00:00:55,210
So in general, destination systems do not respond when they receive a UDP packet, so Nmap doesn't

11
00:00:55,210 --> 00:01:00,130
recognize if the port is open or filtered when there is no response from the target system.

12
00:01:01,100 --> 00:01:08,290
In this case, the port is flagged as open|filtered. To force the systems to respond to our packets,

13
00:01:09,240 --> 00:01:15,780
you'd be better off using UDP scan with the version detection option. You'll have much more accurate results.

14
00:01:18,010 --> 00:01:21,310
Let's perform an Nmap UDP scan in our virtual network.

15
00:01:22,630 --> 00:01:29,470
Go to Kali and open a terminal screen. I want to scan my Metasploitable system. Let's create the

16
00:01:29,470 --> 00:01:30,640
UDP scan command.

17
00:01:31,500 --> 00:01:36,250
nmap is the command itself, and -n is to avoid the DNS resolution.

18
00:01:36,630 --> 00:01:42,150
I like to see the IP addresses. -Pn is to avoid the host discovery.

19
00:01:42,180 --> 00:01:43,080
We've seen this before.

20
00:01:44,020 --> 00:01:47,510
-sU is to do the UDP scan.

21
00:01:47,650 --> 00:01:53,310
Now here's the target IP address one seven two one six nine nine zero six.

22
00:01:53,980 --> 00:01:54,910
So let's keep it fast.

23
00:01:54,910 --> 00:01:56,800
Scan for the top 10 ports only.

24
00:01:57,490 --> 00:02:00,220
I use the --top-ports parameter for this purpose.

25
00:02:00,730 --> 00:02:08,140
Now, as I said a minute ago, UDP scan should run with version detection. Use the -sV parameter

26
00:02:08,140 --> 00:02:09,490
to use version detection.

27
00:02:10,790 --> 00:02:19,250
I'd like to add one more parameter here, which is --reason. The --reason parameter is used to show the reason

28
00:02:19,250 --> 00:02:23,270
why the state of the port is set as open, closed or filtered.

29
00:02:24,220 --> 00:02:25,120
Now hit enter.

30
00:02:26,370 --> 00:02:32,790
See what I mean? UDP is much slower than SYN scan or TCP scan because the destination system

31
00:02:32,790 --> 00:02:35,280
does not respond most of the time,

32
00:02:35,280 --> 00:02:38,040
and then Nmap has to wait more to decide the states.

33
00:02:39,690 --> 00:02:45,750
And moreover, we use version detection, which sends more packets to understand the service and the

34
00:02:45,750 --> 00:02:46,170
version.

35
00:02:47,200 --> 00:02:50,620
So this scan takes much longer than the SYN or TCP scan.

36
00:03:00,850 --> 00:03:06,830
One IP address and 10 ports scanned in about 100 seconds. Wake up if you took a nap.

37
00:03:07,540 --> 00:03:10,900
Here are the states of the top 10 UDP ports of Metasploitable.

38
00:03:11,850 --> 00:03:18,240
Ports 53 and 137 are flagged as open because they returned UDP responses, and

39
00:03:18,240 --> 00:03:21,360
you see the version of the services listening to those ports.

40
00:03:22,920 --> 00:03:29,220
Port 138 is flagged as open|filtered because there is no response, and the other ports

41
00:03:29,220 --> 00:03:33,390
are flagged as closed because they returned ICMP port unreachable.

42
00:03:34,500 --> 00:03:37,650
Let's see how Nmap interprets the results of a UDP scan.

43
00:03:39,380 --> 00:03:42,230
Occasionally, a service will respond with a UDP packet,

44
00:03:43,300 --> 00:03:44,380
proving that it is open.

45
00:03:45,240 --> 00:03:49,680
If an ICMP port unreachable error (type 3, code 3) is returned,

46
00:03:50,680 --> 00:03:51,840
the port is closed.

47
00:03:52,640 --> 00:03:59,990
Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10 or 13)

48
00:04:01,020 --> 00:04:02,400
mark the port as filtered.

49
00:04:03,260 --> 00:04:06,110
If no response is received after retransmissions,

50
00:04:07,340 --> 00:04:10,370
the port is classified as open|filtered.

