udp-proto-scanner is a perl script which discovers UDP services by sending triggers to a list of hosts
Usage
$ udp-proto-scanner.pl -f ips.txt $ udp-proto-scanner.pl 10.0.0.0/16 172.16.16.1 192.168.0.1 $ udp-proto-scanner.pl -p ntp -f ips.txt
The probe names (for -p) are defined in udp-proto-scanner.conf. List probe names using the -l option:
$ udp-proto-scanner.pl -l
What’s it used for?
It’s used in the host-discovery and service-discovery phases of a pentest.
It can be helpful if you need to discover hosts that only offer UDP services and are otherwise well firewalled – e.g. if you want to find all the DNS servers in a range of IP addresses. Alternatively on a LAN, you might want a quick way to find all the TFTP servers.
Not all UDP services can be discovered in this way (e.g. SNMPv1 won’t respond unless you know a valid community string). However, many UDP services can be discovered, e.g.:
- DNS
- TFTP
- NTP
- NBT
- SunRPC
- MS SQL
- DB2
- SNMPv3
It’s Not a Portscanner
It won’t give you a list of open and closed ports for each host. It’s simply looking for specific UDP services.
Efficiency
It’s most efficient to run udp-proto-scanner.pl against whole networks (e.g. 256 IPs or more). If you run it against small numbers of hosts it will seem
quite slow because it waits for 1 second between each different type of probe.
One cool feature of udp-proto-scanner is that it doesn’t load the whole host list into memory. Therefore if you want to scan 17 million IPs, you can. It’ll take a while, but you won’t run out of memory.
Credits
The UDP probes are mainly taken from amap, nmap and ike-scan. Inspiration for the scanning code was drawn from ike-scan. Net::Netmask by David Muir Sharnoff is included in this tool.
