Sample Report

Target is the system that will be scanned (must be reachable over the Internet).

It can be specified as Hostname, IP or IP range.

Example Hostname:
Example IP:
Example IP range:

Maximum 255 hosts can be scanned at once.

Scan the most common 100 UDP ports

Scan the top 100 most common UDP ports (Nmap -F):

7 echo
9 discard
17 qotd
19 chargen
49 tacacs
53 domain
67 dhcps
68 dhcpc
69 tftp
80 http
88 kerberos-sec
111 rpcbind
120 cfdptkt
123 ntp
135 msrpc
136 profile
137 netbios-ns
138 netbios-dgm
139 netbios-ssn
158 pcmail-srv
161 snmp
162 snmptrap
177 xdmcp
427 svrloc
443 https
445 microsoft-ds
497 retrospect
500 isakmp
514 syslog
515 printer
518 ntalk
520 route
593 http-rpc-epmap
623 asf-rmcp
626 serialnumberd
631 ipp
996 vsinet
997 maitrd
998 puparp
999 applix
1022 exp2
1023 unknown
1025 blackjack
1026 win-rpc
1027 unknown
1028 ms-lsa
1029 solid-mux
1030 iad1
1433 ms-sql-s
1434 ms-sql-m
1645 radius
1646 radacct
1701 L2TP
1718 h225gatedisc
1719 h323gatestat
1812 radius
1813 radacct
1900 upnp
2000 cisco-sccp
2048 dls-monitor
2049 nfs
2222 msantipiracy
2223 rockwell-csp2
3283 netassistant
3456 IISrpc-or-vat
3703 adobeserver-3
4444 krb524
4500 nat-t-ike
5000 upnp
5060 sip
5353 zeroconf
5632 pcanywherestat
9200 wap-wsp
10000 ndmp
17185 wdbrpc
20031 bakbonenetvault
30718 unknown
31337 BackOrifice
32768 omad
32769 filenet-rpc
32771 sometimes-rpc6
32815 unknown
33281 unknown
49152 unknown
49153 unknown
49154 unknown
49156 unknown
49181 unknown
49182 unknown
49185 unknown
49186 unknown
49188 unknown
49190 unknown
49191 unknown
49192 unknown
49193 unknown
49194 unknown
49200 unknown
49201 unknown
65024 unknown

About this tool

UDP Port Scan with Nmap allows you to discover which UDP ports are open on your target host.

Even though UDP services are less popular than TCP services, having a vulnerable UDP service exposes the target to the same risk as having a vulnerable TCP service. Hence, discovering all open UDP ports is important in a penetration test for achieving complete coverage of the security evaluation.


  • Target: This is the target to scan for open UDP ports. Can be specified as hostname, IP address or IP range
  • Ports to scan - Common: This option tells Nmap to scan only the top 100 most common UDP ports (Nmap -F).
  • Ports to scan - Range: You can specify a range of ports to be scanned. Valid ports are between 1 and 65535. Because of the way UDP protocol works, scanning is pretty slow so if you specify a large range of ports, the scan can take up to several hours.
  • Ports to scan - List: You can specify a comma separated list of ports to be scanned.
  • Detect operating system: If enabled, Nmap will try to determine the type and version of the operating system that runs on the target host. The result is not always 100% accurate, depending on the way the target responds to probe requests.
  • Detect service version: In this case Nmap will try to detect the version of the service that is running on each open port. In case of UDP, this is possible only by sending UDP requests that can be understood by the tested service, otherwise the service will not answer at all.
  • Don't ping host: If enabled, Nmap will not try to see if the host is up before scanning it (which is the default behavior). This option is useful when the target host does not respond to ICMP requests but it is actually up and it has open ports.

How it works

The tool is a web interface for Nmap, which is called with the proper parameters in order to provide speed and accuracy.

Behind the curtains, Nmap sends UDP packets to each port specified in the parameters. If the target responds with 'ICMP port unreachable', Nmap can be sure that the port is closed. Otherwise (no response received), Nmap cannot know if the port is open, firewalled or if the packet was lost on the way. In this case, Nmap will show you the status 'open|filtered' for that port.

In order to make sure that a certain port marked as 'open|filtered' is really open, you should enable the detection of service version. Since this operation is really slow, you should do it in a second scan, only for the ports that were reported as 'open|filtered' in the initial simple scan.