udpz

UDPz

UDPz is a speedy, portable, cross-platform UDP port scanner written in Go.

Purpose

UDPz was created to address the need for a fast and efficient tool to scan UDP services across multiple hosts. Traditional network scanning tools like nmap often provide slower UDP scanning capabilities, which can be a bottleneck for network administrators and security professionals.

UDPz aims to fill this gap by providing a robust solution that can be easily integrated into existing workflows due to it's logging capabilities and flexible output options.

Features

• Root-less: In direct contrast to other UDP scanning solutions like nmap, UDPz does not require root or privileged access.
• Concurrent Scanning: Utilizes goroutines and channels to perform flexible concurrent scans, significantly speeding up the scanning process.
• Structured Logging: Uses zerolog for detailed and structured logging, making it easier to analyze scan results.
• Flexible Target Resolution: Supports loading IP addresses, CIDR ranges, and hostnames from arguments, or from a file.
• Proxy Support: Offers SOCKS5 proxy support for UDP tunneling.
• Error Handling: Gracefully handles errors during scanning, ensuring the process continues even if some targets fail.

[!WARNING] The SOCKS5 client will only work with SOCKS5 servers that implement UDP support.

Installation

[!TIP] Docker installation is recommended for higher performance.

Docker

1. Clone the repository:

git clone https://github.com/FalconOpsLLC/udpz.git
cd udpz

1. Build the Docker image:

docker build --tag="udpz" --network="host" .

1. Run the Docker container:

alias udpz='sudo docker run --rm --network="host" --name="udpz" --volume="$PWD:/output" -it udpz'
udpz [flags] [targets ...]

[!TIP] When using the docker image with file I/O, make sure to utilize Docker volumes to properly interact with files on the host filesystem.

Standard Installation

go install

go install -ldflags="-s -w" github.com/FalconOpsLLC/udpz@latest

Manual Installation

1. Clone the repository:

git clone https://github.com/FalconOpsLLC/udpz.git
cd udpz

1. Build the project:

go build

1. Run the binary:

./udpz [flags] [targets ...]

Usage

Usage:
  udpz [flags] [IP|hostname|CIDR|file ...]

Flags:
  -v, --version              version for udpz
  -o, --output string        Save output to file
  -O, --log string           Output log messages to file
      --append               Append results to output file (default true)
  -f, --format string        Output format [text, pretty, csv, tsv, json, yaml, auto] (default "auto")
  -F, --log-format string    Output log format [pretty, json, auto] (default "auto")
  -l, --list                 List available services / probes
  -p, --probes string        comma-delimited list of service probes
      --tags string          comma-delimited list of target service tags
  -c, --host-tasks uint      Maximum Number of hosts to scan concurrently (default 10)
  -P, --port-tasks uint      Number of Concurrent scan tasks per host (default 100)
  -r, --retries uint         Number of probe retransmissions per probe (default 2)
  -t, --timeout uint         UDP Probe timeout in milliseconds (default 3000)
  -A, --all                  Scan all resolved addresses instead of just the first (default true)
  -S, --socks string         SOCKS5 proxy address as HOST:PORT
      --socks-user string    SOCKS5 proxy username
      --socks-pass string    SOCKS5 proxy password
      --socks-timeout uint   SOCKS5 proxy timeout in milliseconds (default 3000)
  -D, --debug                Enable debug logging (Very noisy!)
  -T, --trace                Enable trace logging (Very noisy!)
  -q, --quiet                Disable info logging
  -s, --silent               Disable ALL logging
  -h, --help                 help for udpz

The target argument(s) can be an IP address, hostname, CIDR, or file(s) containing targets.

Examples

• Simple scan of a host and CIDR limited to one packet retransmission and without informational logging:

./udpz --retries 1 --quiet 10.10.197.101 10.10.197.102/31

╭───────────────┬───────────┬──────┬───────┬──────────┬──────────────────────╮
│ HOST          │ TRANSPORT │ PORT │ STATE │ SERVICE  │ PROBES               │
├───────────────┼───────────┼──────┼───────┼──────────┼──────────────────────┤
│ 10.10.197.101 │ UDP       │   53 │ OPEN  │ DNS      │ DNS A query          │
│ 10.10.197.101 │ UDP       │   88 │ OPEN  │ Kerberos │ Kerberos AS-REQ      │
│ 10.10.197.101 │ UDP       │  123 │ OPEN  │ NTP      │ NTPv4 request        │
│ 10.10.197.101 │ UDP       │  389 │ OPEN  │ CLDAP    │ CLDAP root DSE query │
│ 10.10.197.103 │ UDP       │   53 │ OPEN  │ DNS      │ DNS A query          │
│ 10.10.197.103 │ UDP       │   88 │ OPEN  │ Kerberos │ Kerberos AS-REQ      │
│ 10.10.197.103 │ UDP       │  123 │ OPEN  │ NTP      │ NTPv4 request        │
│ 10.10.197.103 │ UDP       │  389 │ OPEN  │ CLDAP    │ CLDAP root DSE query │
╰───────────────┴───────────┴──────┴───────┴──────────┴──────────────────────╯

• UDP scan with custom number of workers and timeout with debug logging:

./udpz -f pretty -p 100 -t 2000 localhost --debug

2:31PM INF cmd/root.go:187 > Starting scanner
2:31PM DBG pkg/scan/scan.go:297 > Calculating unique probe count service_count=49
2:31PM DBG pkg/scan/scan.go:304 > Calculated unique probe count probe_count=93
2:31PM DBG pkg/scan/scan.go:310 > Calculated total probe count total_probes=279
2:31PM DBG pkg/scan/scan.go:316 > Resolving targets target_count=1
2:31PM DBG pkg/scan/scan.go:139 > Resolved target hostname addresses=1 target=localhost
2:31PM DBG pkg/scan/scan.go:389 > Port closed host=127.0.0.1 port=427 target=localhost
2:31PM DBG pkg/scan/scan.go:377 > Skipping closed port host=127.0.0.1 port=427 target=localhost

...

• Scan multiple hosts using a CIDR range:

./udpz -f pretty 10.10.14.0/24

Supported Services

Inspiration / Credits

• Nmap
• UDPx