Also see: https://labs.portcullis.co.uk/tools/udp-proto-scanner/
udp-proto-scanner.pl scans by sending UDP probes (from udp-proto-scanner.conf) to a list of targets:
$ udp-proto-scanner.pl -f ips.txt $ udp-proto-scanner.pl -p ntp -f ips.txt
The probe names (for -p) are defined in udp-proto-scanner.conf. List probe names using the -l option: $ udp-proto-scanner.pl -l
It's used in the host-discovery and service-discovery phases of a pentest. It can be helpful if you need to discover hosts that only offer UDP services and are otherwise well firewalled - e.g. if you want to find all the DNS servers in a range of IP addresses. Alternatively on a LAN, you might want a quick way to find all the TFTP servers.
Not all UDP services can be discovered in this way (e.g. SNMPv1 won't respond unless you know a valid community string). However, many UDP services can be discovered, e.g.:
- DNS
- TFTP
- NTP
- NBT
- SunRPC
- MS SQL
- DB2
- SNMPv3
It won't give you a list of open and closed ports for each host. It's simply looking for specific UDP services.
It's most efficient to run udp-proto-scanner.pl against whole networks (e.g. 256 IPs or more). If you run it against small numbers of hosts it will seem quite slow because it waits for 1 second between each different type of probe.
The UDP probes are mainly taken from amap, nmap and ike-scan. Inspiration for the scanning code was drawn from ike-scan.