UDP scan

Since most popular services run over the TCP protocol, UDP services are often ignored during penetration tests. There are, however, many protocols that use UDP for their communication, with DNS, SNMP, and DHCP being the most common. UDP is a connectionless protocol, which makes scanning UDP service more difficult and slower than traditional port scans.

To invoke UDP scanning, use the flag -sU. UDP scan works by sending an empty UDP header to every targeted port and analyzing the response. Here is an example:

root@kali:~# nmap -sU 192.168.5.102
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-05 20:53 CET
Nmap scan report for 192.168.5.102
Host is up (0.0025s latency).
Not shown: 997 open|filtered ports
PORT STATE SERVICE
123/udp open ntp
137/udp open netbios-ns
51690/udp open unknown
Nmap done: 1 IP address (1 host up) scanned in 4.30 seconds

As you can see from the picture above, there are three open UDP ports on the target host – 123, 137, and 51690.

Save Nmap's output
Port states

UDP scan

Nmap tutorial