26

I need to retrieve both TCP and UDP ports in the same scan with Nmap in the fastest way possible. I'll try to explain it better. If I use the most common command:

nmap 192.168.1.1

It retrieves ONLY TCP ports and it is really fast.

If I use the following command:

nmap -sU 192.168.1.1

It retrieves ONLY UDP ports and it is quite fast (well not so fast but still).

My question: is there a combination of the two commands? I tried:

nmap -sU -sS 192.168.1.1
nmap -sU -sT 192.168.1.1

But they are TERRIBLY slow.

I am using Nmap 5.51, any suggestion?

raz3r
  • 3,071
  • 8
  • 44
  • 66
  • 3
    This question is better-suited for [su] – Mike Pennington May 10 '12 at 10:57
  • You make a good point that TCP and UDP scans are fast when done separately, but they're slow when combined in the same command. – Lonnie Best Jul 01 '14 at 21:18
  • use the combo -sTU such as nmap -sTU 192.168.1.1 you can use the timing parameters to make scan faster -T5 for example. You can also use -PE for a lower number of probes. nmap -sTU -T5 -PE 192.168.1.1 – nassim Jan 15 '20 at 20:05

2 Answers

17

As you've seen, UDP scanning is slow: open/filtered ports typically don't respond, so nmap has to time out and then retransmit, whilst closed ports send an ICMP port unreachable error, which systems typically rate limit.

You can add the -T switch to increase the speed of the scan, though this may reduce accuracy and make it easier to detect.

-T<0-5>: Set timing template (higher is faster)

-PN will turn off the ping scan element

You could also scan more hosts in parallel, or reduce the number of ports you're scanning with the -p switch or --top-ports, which will scan the highest-ratio ports found in the nmap-services file.

If you were scanning multiple hosts, you could use --host-timeout to skip slow hosts.

Regarding TCP, -sS should be quicker than -sT.

HTH!

Mark Hillick
  • 6,853
  • 1
  • 19
  • 23
  • 1
    Yeah actually I am scanning the entire network, the 192.168.1.1 was just an example. Anyway your solution still has to combine -sS and -sU :( I mean it's strange because the two commands separately are quite fast. – raz3r May 10 '12 at 11:01
  • Yeah, you have to combine them to get both protocols. I usually run something like - "sudo nmap -sSU -P0 -vv -top-ports 500 192.168.1.1" - and tweak the ports accordingly with maybe -T4 also and modify the parallelism setting. – Mark Hillick May 10 '12 at 11:36
  • $ sudo time nmap -sSU -Pn 10.92.5.5
    Starting Nmap 5.61TEST5 …
    Nmap done: 1 IP address (1 host up) scanned in **404.18 seconds**
    404.19 real 0.21 user 0.56 sys
    $ sudo time nmap -sU -Pn 10.92.5.5
    Starting Nmap 5.61TEST5
    Nmap done: 1 IP... **202.19 seconds**
    202.20 real 0.17 user 0.27 sys
    $ sudo time nmap -sS -Pn 10.92.5.5
    All 1000 scanned ports on 10.92.5.5 are filtered
    Nmap done: 1 IP address (1 host up) scanned in **202.29 seconds**
    202.29 real 0.17 user 0.28 sys
    – Mark Hillick May 14 '12 at 13:44
  • 1
    Just a friendly reminder that in modern nmap versions `-PN` has changed to `-Pn` ;-) – Terry Wang Dec 21 '16 at 06:57
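The answer above lists the knobs, but it does not act on raz3r's own observation that the two halves are fast apart and slow together. The obvious structural fix is to run them apart, at the same time. The script below is an added example written for this thread, not code from the answer or from the Nmap project. It builds one TCP (-sS) and one UDP (-sU) command carrying the flags Mark lists (-Pn, -T, --top-ports, --host-timeout), launches them as two concurrent nmap processes and writes each result to XML. The defaults (500 ports, -T4, a 5-minute host timeout, the output directory and file names) are assumptions chosen for illustration, and the expectation that wall-clock time lands near the slower half rather than their sum is inferred from the 202 s / 202 s / 404 s timings in Mark's comment above, not measured here. Both scan types use raw sockets, so the script must run as root.

```python
"""Run the TCP and UDP halves of an Nmap scan as two concurrent processes.

Added example for this thread (not Nmap's code). Flag defaults are assumed
starting points; raw-socket scans (-sS, -sU) require root.
"""
import os
import shlex
import subprocess
import sys


def build_cmds(targets, top_ports=500, timing=4, host_timeout="5m",
               outdir="scan", nmap="nmap"):
    """Return (tcp_argv, udp_argv) sharing the tuning flags from the answer.

    -Pn skips host discovery, -T<n> picks the timing template, --top-ports
    limits each protocol to its highest-ratio ports, --host-timeout drops
    hosts that drag on. The numbers are assumptions, not measured optima.
    """
    common = [nmap, "-Pn", f"-T{timing}",
              "--top-ports", str(top_ports),
              "--host-timeout", host_timeout]
    tcp = common + ["-sS", "-oX", os.path.join(outdir, "tcp.xml")] + list(targets)
    udp = common + ["-sU", "-oX", os.path.join(outdir, "udp.xml")] + list(targets)
    return tcp, udp


def run_split_scan(targets, outdir="scan", dry_run=False, **kwargs):
    """Launch the TCP and UDP scans at the same time and wait for both.

    Returns {"tcp": exit_code, "udp": exit_code}; with dry_run=True it
    returns the two command lines as strings and executes nothing.
    Expectation (inferred from the 202 s + 202 s vs 404 s timings in the
    comments): wall-clock time is close to the slower half, not the sum.
    """
    tcp, udp = build_cmds(targets, outdir=outdir, **kwargs)
    if dry_run:
        return {"tcp": shlex.join(tcp), "udp": shlex.join(udp)}
    os.makedirs(outdir, exist_ok=True)
    # Popen returns immediately, so both scanners run concurrently.
    procs = {"tcp": subprocess.Popen(tcp), "udp": subprocess.Popen(udp)}
    return {name: proc.wait() for name, proc in procs.items()}


if __name__ == "__main__":
    args = sys.argv[1:]
    dry = "--dry-run" in args
    targets = [a for a in args if a != "--dry-run"]
    if not targets:
        sys.exit("usage: sudo python3 split_scan.py [--dry-run] TARGET...")
    print(run_split_scan(targets, dry_run=dry))
```

Run it as `sudo python3 split_scan.py 192.168.1.0/24`, or with `--dry-run` first to see the two command lines. Time it the way Mark did (`time`) and compare against the combined `-sSU` run on the same hosts; if the split run is not clearly faster, the bottleneck is the target's ICMP rate limiting alone and the TCP half was never the problem.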
8

You didn't say how slow your scans get, but I think you would benefit from playing with the --min-parallelism option, which adjusts the minimum number of outstanding probes.

I'm seeing 70% reductions in scan time (compared with bare -sT -sU scans) like this. Note that it is possible to set --min-parallelism too high, such that the host (or network) cannot buffer this many queries simultaneously.

[mpenning@Hotcoffee]$ sudo nmap --min-parallelism 100 -sT -sU localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-10 01:07 CDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1978 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
25/tcp   open          smtp
49/tcp   open          tacacs
53/tcp   open          domain
80/tcp   open          http
111/tcp  open          rpcbind
631/tcp  open          ipp
2003/tcp open          finger
2004/tcp open          mailbox
3389/tcp open          ms-term-serv
5901/tcp open          vnc-1
5910/tcp open          unknown
6001/tcp open          X11:1
7002/tcp open          afs3-prserver
53/udp   open|filtered domain
69/udp   open|filtered tftp
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
161/udp  open|filtered snmp
631/udp  open|filtered ipp
1812/udp open|filtered radius
1813/udp open|filtered radacct

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
[mpenning@Hotcoffee]$
Mike Pennington
  • 41,899
  • 19
  • 136
  • 174
  • 1
    I noticed a bad reliability with this parameter (I used 100 like you). For instance one of my hosts has SNMP port open|filtered but Nmap thinks it's closed. However if I run nmap -sU -p U:161 192.168.1.1 it correctly returns open|filtered. – raz3r May 10 '12 at 14:45
  • 1
    That's why I said, "Note that it is possible to set --min-parallelism too high, such that the host (or network) cannot buffer this many queries simultaneously.". Lower `--min-parallelism` until your reliability issues disappear, but you still get acceptable speeds – Mike Pennington May 10 '12 at 14:57
  • Is there a default value for that parameter? I mean, by default how many parallel probes does Nmap send to a single host? – raz3r May 11 '12 at 08:45
  • 3
    According to [the NMAP Performance Manual](http://nmap.org/book/man-performance.html): *By default, Nmap calculates an ever-changing ideal parallelism based on network performance. If packets are being dropped, Nmap slows down and allows fewer outstanding probes. The ideal probe number slowly rises as the network proves itself worthy. These options place minimum or maximum bounds on that variable. By default, the ideal parallelism can drop to one if the network proves unreliable and rise to several hundred in perfect conditions.* – Mike Pennington May 11 '12 at 11:10
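Mike's advice is to lower --min-parallelism until the reliability issues disappear, and raz3r's SNMP case shows what such an issue looks like: a port that a slow, targeted scan reports as open|filtered comes back closed in the fast run. The script below is an added example written for this thread, not code from the answer or from Nmap. It compares two Nmap XML outputs (-oX) port by port and lists every state that differs, treating a port missing from one run as that run's extraports default (the "Not shown: N closed ports" line). The two embedded XML documents are constructed samples standing in for a baseline and a tuned run against a hypothetical 192.168.1.1; the address, the port list and the states are assumptions.

```python
"""Diff two Nmap XML (-oX) results port by port.

Added example for this thread, not Nmap code. Use it to check that a tuned
run (e.g. a high --min-parallelism) agrees with a slower baseline before
trusting the faster settings.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a slow, targeted baseline against an assumed host.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p T:22,U:53,161 192.168.1.1">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
</ports></host>
</nmaprun>"""

# Constructed sample: the same host after a fast --min-parallelism 100 run;
# 161/udp is no longer listed, so it falls under the "Not shown: closed" default.
TUNED_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --min-parallelism 100 -sT -sU 192.168.1.1">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="1998"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/></port>
</ports></host>
</nmaprun>"""


def port_states(xml_text):
    """Map (addr, proto, port) -> state for each listed port, plus
    (addr, "*", "*") -> the extraports default when nmap collapsed the rest."""
    states = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        ports = host.find("ports")
        if ports is None:
            continue
        for extra in ports.findall("extraports"):
            states[(addr, "*", "*")] = extra.get("state")
        for port in ports.findall("port"):
            key = (addr, port.get("protocol"), int(port.get("portid")))
            states[key] = port.find("state").get("state")
    return states


def diff_states(baseline, tuned):
    """Return [(addr, proto, port, baseline_state, tuned_state)] for every port
    whose state differs. A port absent from one run takes that run's
    extraports default, or "unknown" if the run has none."""
    def lookup(states, key):
        return states.get(key) or states.get((key[0], "*", "*"), "unknown")

    keys = {k for k in list(baseline) + list(tuned) if k[1] != "*"}
    return [(*key, lookup(baseline, key), lookup(tuned, key))
            for key in sorted(keys)
            if lookup(baseline, key) != lookup(tuned, key)]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as b, open(sys.argv[2]) as t:
            base, tune = port_states(b.read()), port_states(t.read())
    else:  # no files given: run on the embedded samples
        base, tune = port_states(BASELINE_XML), port_states(TUNED_XML)
    for addr, proto, port, was, now in diff_states(base, tune):
        print(f"{addr} {port}/{proto}: baseline={was} tuned={now}")
```

Run `python3 nmap_diff.py baseline.xml tuned.xml` after scanning once with default parallelism (or with a narrow -p list, as raz3r did) and once with the candidate --min-parallelism; an empty diff means the faster setting lost nothing on that network, while any line of the form `161/udp: baseline=open|filtered tuned=closed` is the signal to back the value down.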