Enhanced Live Host Detection via UDP Ping on NetBIOS and IKE Ports

Background

When “Ping the remote host” is enabled in a scan policy and UDP Ping has been enabled, some UDP ports are probed to determine whether a live host exists at the IP. The existing probes cover DNS (53), portmapper (111), NTP (123), and RIP (520). Probes on these UDP ports are less effective at identifying Windows targets that have common TCP ports firewalled. 

Change

Additional UDP ping probes are being added for NetBIOS (137) and IKE (500) to better detect Windows targets that have common TCP ports firewalled but leave UDP ports open.

Impact

Customers should expect better detection of live targets, including Windows targets, that have common TCP ports firewalled but leave UDP ports open. This may result in an increased number of assets discovered and scanned.

Depending on the environment, there is potential for network devices to respond to TCP or UDP ping probes in such a way that scan targets appear to be live when they are not. The additional UDP ports being tested expand the scope of this potential.

Plugins

10180 - Ping the remote host

Target Release Date

22 March 2021

----------------------------------------------------------------------------------------------------

Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.