QRadar Vulnerability Manager: Best Practices for Nmap UDP/TCP Port Scans

Question & Answer


Question

How can I run Nmap UDP and TCP port scans more efficiently when using QRadar Vulnerability Manager?

Cause

The purpose of this technote is to discuss TCP and UDP port scans and help administrators understand why Nmap full-range UDP scans can take a long time to complete. The Scan Policy used and the included results show how long it took the system to scan a single host in the network. This article shows alternate scan policies that administrators can use as a best practice scan and discusses the vulnerability that is generated when a scan is unable to complete because of the configured timeout value.

Answer

What tool does QRadar Vulnerability Manager use to complete port scans?

QRadar Vulnerability Manager uses Nmap in order to scan and discover hosts, ports, and operating systems. The Nmap tool is packaged with QRadar Vulnerability Manager by default and administrators can find the Nmap tool in the following directory: /opt/qvm/bin/initmap/nmap-full/bin/nmap-full.pl

Note: To check whether the Nmap tool is running while a QVM scan is in progress, administrators can type the following command:

ps -aef | grep -i nmap-full | grep init

What types of Nmap scans are available?

There are two main types of Nmap scans used for port scanning:

  • TCP port scans: The Nmap tool asks the operating system to establish a connection with each target host and port by issuing a connect system call (TCP connect scan). TCP scans are activated by using the -sT option in Nmap.
  • UDP port scans: The Nmap tool completes UDP scans by sending a UDP packet to every targeted port and waiting for a response or a timeout. UDP port scans are activated by using the -sU option in Nmap.
Depending on the port range assigned to the scan and how each port scan functions, UDP port scans are typically slower to complete compared to TCP port scans. The performance becomes especially clear when a UDP port scan is configured to scan the maximum port range of 1 - 65535. When the maximum port range for UDP is configured in your QVM Scan Policy, this scan range is then used in the Scan Profile, which significantly increases the duration of the scan.

How do Scan Policies affect the duration of my scan?

For PCI compliance, specific TCP and UDP ports must be scanned. All of these ports are configured on the Scan Policies screen in QVM. If a full-range UDP port scan is configured in a Scan Policy, the scan might take a long time to complete because of a limitation of the Nmap tool. This is especially true when the target host has a large number of closed UDP ports. Because UDP is connectionless, Nmap must retransmit each probe to verify that it was not lost, and wait for a response that rarely arrives, before it can decide whether a UDP port is open, closed, or potentially filtered. The following three scans illustrate how scan policies impact the duration of a scan.

Three Scan Policies were used to run the discovery scans, as well as three different Scan Profiles. In this section we will examine the configuration of each scan type, then in the next section review the scan duration and results.
  • Full Range UDP & TCP Port Scan
    This example is a Scan Policy that includes a full TCP and UDP port range scan.
  • Fast UDP & TCP Port Scan
    This example uses the Default Discovery Scan Policy.
    Scan Profile Configuration for a Default Discovery Scan:
  • Best Practice Scan (Fast UDP & TCP Port Scan & UDP PCI Compliance port)
    This example is a Best Practices Policy Discovery Scan. It is the Default Server Scan Policy, modified to include a recommended UDP port range so that the scan is PCI compliant.

Scan duration results for the three scan policies

This section shows the breakdown of the scan results sorted by their duration from the QVM database.

  • Scan duration results of the Full Range UDP & TCP Port Scan
    Result: Timeout received. Results might be inaccurate. When a scan reaches the timeout limit and is unable to complete, a 'Scan Interference' vulnerability is displayed:


    The reason for generating a Scan Interference vulnerability is displayed on the Vulnerability Details window. In this example, the scan hit the timeout limit; however, other network devices, such as IPS or IDS devices, might block Nmap scan requests and also cause the Scan Interference vulnerability to be displayed. The same example can be used for testing Full Scan Policy scans, which provide more details about the vulnerabilities currently found on the targeted host. The Full Range UDP & TCP Port Scan shows that a UDP scan with the maximum port range is inefficient at detecting vulnerabilities: for example, with a timeout value of 30 minutes configured, the Nmap tool scans less than 5% of the range before timing out. This behavior results in the pseudo-vulnerability "Scan Interference Detected - Scan Potentially Incomplete" being raised, as displayed in the Scan Interference Vulnerability Description:

    Full TCP and UDP Scan Policy Time:

  • Scan duration results of the Fast UDP & TCP Port Scan

    Result: No timeout received. Accurate results provided from scan.
    Default Discovery Scan Time:

  • Scan duration results of the Best Practice Scan (Fast UDP & TCP Port Scan & UDP PCI Compliance port)

    Result: No timeout received. Accurate results.
    Best Practice Server Discovery Scan Time:

How can I run the Nmap tool from the command line?

Using the time function
To check how long it takes for the Nmap tool to scan a host, you can use one of the following commands:

  • UDP port scanning:
    time /usr/bin/nmap -Pn -sU <host_IP>
  • TCP port scanning:
    time /usr/bin/nmap -Pn -sT <host_IP>
Note: The time function gives the run time in minutes. Nmap itself also reports an elapsed time, in seconds, at the end of its output.

The case of the Fast scan option
The Nmap tool runs faster if the Fast option is selected. In this case, the -F option is used. The ports that are scanned are the ports listed in the /etc/services file:
 
  • UDP port scanning:
    time /usr/bin/nmap -Pn -F -sU <host_IP>
    For the UDP port scan, it is suggested to set a timeout value or the scan might take a long time to complete, especially if the host has many closed UDP ports.
    The following command limits the tool to run a maximum of 30 minutes:
    time /usr/bin/nmap -Pn -sU --host-timeout=1800s <host_IP>
  • TCP port scanning:
    time /usr/bin/nmap -Pn -F -sT <host_IP>
    There is no significant difference in scan times for TCP port scans when the -F option is used.

Best practices scan policy


As discussed, the best practice scan policy for server discovery is to copy your default scan policy and include the following UDP ports on top of your Fast TCP and UDP scans configuration: 53,67,69,111,123,135,137,138,161,177,445,500,631,1434,1900,4500

In Nmap, to include UDP ports on top of your Fast UDP&TCP port scan, use the -p option and provide a list of comma-separated port values.
For example,
time /usr/bin/nmap -Pn -p '53,67,69,111,123,135,137,138,161,177,445,500,631,1434,1900,4500' -sU --host-timeout=1800s <host_IP>

These UDP ports relate to the following services:
  • Authentication services such as RADIUS and Kerberos
  • Backdoors and remote access applications
  • Backup applications
  • Database servers
  • DNS (Domain Name System)
  • NetBIOS and CIFS
  • NFS (Network File System)
  • NTP (Network Time Protocol)
  • P2P (peer-to-peer) and chat applications
  • Routing protocols, including RIP (Routing Information Protocol)
  • RPC (Remote Procedure Call) and RPC endpoint mapping
  • SNMP (Simple Network Management Protocol) and SNMP trap
  • Syslog
  • TFTP (Trivial File Transfer Protocol)
  • VPNs (Virtual Private Networks), including ISAKMP, L2TP, and NAT-T
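To tie the best-practice policy together, the following added example (not part of the IBM technote) builds the recommended UDP command line from the port list and host timeout above, and reads a saved Nmap output file to tell a completed scan apart from one that hit the host timeout, which is the condition QVM surfaces as Scan Interference. The output file name, the `udp_<host>.nmap` naming and the sample Nmap output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the IBM technote): build the best-practice UDP scan
# command and read the outcome from Nmap's normal (-oN) output.

# UDP ports the technote recommends adding to the Default Server Scan Policy.
PCI_UDP_PORTS='53,67,69,111,123,135,137,138,161,177,445,500,631,1434,1900,4500'

# build_udp_scan_cmd HOST [TIMEOUT_SECONDS]
# Prints the nmap command line: no ping (-Pn), UDP scan (-sU) of the PCI port
# list only, and --host-timeout so a host with many closed UDP ports cannot run
# indefinitely. The default of 1800s matches the technote's 30-minute example.
build_udp_scan_cmd() {
    host="${1:?host required}"
    timeout_s="${2:-1800}"
    printf '/usr/bin/nmap -Pn -sU -p %s --host-timeout=%ss -oN udp_%s.nmap %s\n' \
        "$PCI_UDP_PORTS" "$timeout_s" "$host" "$host"
}

# scan_outcome FILE
# Prints "timeout" (exit 1) when Nmap gave up on the host, otherwise
# "complete <seconds>" taken from the closing "Nmap done" line.
scan_outcome() {
    file="$1"
    if grep -q 'due to host timeout' "$file"; then
        echo timeout
        return 1
    fi
    secs=$(sed -n 's/.*scanned in \([0-9.]*\) seconds.*/\1/p' "$file")
    echo "complete ${secs:-unknown}"
}

# Constructed sample output (not a real scan) so the script runs offline.
SAMPLE_OK=$(mktemp); SAMPLE_TIMEOUT=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
Nmap scan report for 192.0.2.10
PORT    STATE         SERVICE
53/udp  open          domain
123/udp open|filtered ntp
Nmap done: 1 IP address (1 host up) scanned in 44.37 seconds
EOF
cat > "$SAMPLE_TIMEOUT" <<'EOF'
Skipping host 192.0.2.20 due to host timeout
Nmap done: 1 IP address (1 host up) scanned in 1800.09 seconds
EOF

build_udp_scan_cmd 192.0.2.10
scan_outcome "$SAMPLE_OK"
scan_outcome "$SAMPLE_TIMEOUT" || echo "host timed out: narrow the port range or raise --host-timeout"
rm -f "$SAMPLE_OK" "$SAMPLE_TIMEOUT"
```

Run the printed command under `time` as the technote shows, then pass the `-oN` file to `scan_outcome` to confirm the scan finished within the configured timeout.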


Document Information

Modified date:
12 August 2022

UID

swg21981708