SSH

Use SSH credentials for host-based checks on Unix systems and supported network devices. Tenable Nessus uses these credentials to obtain local information from remote Unix systems for patch auditing or compliance checks. Tenable Nessus uses Secure Shell (SSH) protocol version 2 based programs (e.g., OpenSSH, Solaris SSH, etc.) for host-based checks.

Tenable Nessus encrypts the data to protect it from being viewed by sniffer programs.

Note: Non-privileged users with local access on Linux systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.

Note: You can add up to 1000 SSH credentials in a single scan. For best performance, Tenable recommends adding no more than 10 SSH credentials per scan.

See the following settings for the different SSH authentication methods:

There are four settings for SSH credentials that apply to all SSH Authentication methods.

Option Default Value Description

known_hosts file

none

If an SSH known_hosts file is available and provided as part of the Global Credential Settings of the scan policy in the known_hosts file field, Tenable Nessus attempts to log into hosts in this file. This can ensure that someone does not use the same username and password you are using to audit your known SSH servers to attempt a log into a system that may not be under your control.

Preferred port

22

You can set this option to direct Tenable Nessus to connect to SSH if it is running on a port other than 22.

Client version

OpenSSH_5.0

Specifies which type of SSH client Tenable Nessus impersonates while scanning.

Attempt least privilege

Cleared

Enables or disables dynamic privilege escalation. When enabled, Tenable Nessus attempts to run the scan with an account with lesser privileges, even if you enable the Elevate privileges with option. If a command fails, Tenable Nessus escalates privileges. Plugins 102095 and 102094 report which plugins ran with or without escalated privileges.

Note: Enabling this option may increase scan run time by up to 30%.
Option Description

Username

Username of the account which is being used for authentication on the host system.

User Certificate

RSA or DSA certificate file of the user.

Private Key

RSA, DSA, ECDSA, or ED25519 OpenSSH private key of the user.

Private key passphrase

Passphrase of the private key.

Elevate privileges with

Allows for increasing privileges once authenticated.
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

Tip: To view whether your Cyberark credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Tenable Nessus Manager can get credentials from CyberArk to use in a scan.

Option Description Required

CyberArk Host

The IP address or FQDN name for the CyberArk AIM Web Service.

yes

Port

The port on which the CyberArk API communicates. By default, Tenable uses 443.

yes

AppID

The Application ID associated with the CyberArk API connection.

yes
Client Certificate

The file that contains the PEM certificate used to communicate with the CyberArk host.

Note: Customers self-hosting CyberArk CCP on a Windows Server 2022 and above should follow the guidance found in Tenable’s Community post about CyberArk Client Certification Authentication Issue.

no
Client Certificate Private Key The file that contains the PEM private key for the client certificate.

yes, if private key is applied
Client Certificate Private Key Passphrase The passphrase for the private key, if required.

yes, if private key is applied

Kerberos Target Authentication

If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

no

Key Distribution Center (KDC)

(Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.

yes

KDC Port

The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

no

KDC Transport

The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

no

Realm

(Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com). By default, Tenable Nessus uses 443.

yes
Get credential by

The method with which your CyberArk API credentials are retrieved. Can be Address, Identifier, Parameters, or Username.

Note: For more information about the Parameters option, refer to the Parameters Options table.

Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier.

 yes
Username

(If Get credential by is set to Username) The username of the CyberArk user to request a password from.

 no
Safe

The CyberArk safe the credential should be retrieved from.

 no
Address The option should only be used if the Address value is unique to a single CyberArk account credential. no
Account Name (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. no

Use SSL

If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

no

Verify SSL Certificate

If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

no
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

 no

Tip: To view whether your Cyberark credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

You can now take advantage of a significant improvement to Tenable’s CyberArk Integration which gathers bulk account information for specific target groups without entering multiple targets.

Option Description Required

CyberArk Host

The IP address or FQDN name for the user’s CyberArk Instance.

Note: Customers hosting the PVWA and CCP on separate servers should only use this field for the PVWA host.

yes

Port

The port on which the CyberArk API communicates. By default, Tenable uses 443.

Note: Customers hosting the PVWA and CCP on separate servers should only use this field for the PVWA host.

yes

CCP Host

The IP address or FQDN name for the user’s CyberArk CCP component.

Note: Customers hosting the PVWA and CCP on separate servers should only use this field for the PVWA host.

no

CCP Port

The port on which the CyberArk CCP (AIM Web Service) API communicates. By default, Tenable uses 443.

Note: Customers hosting the PVWA and CCP on separate servers should only use this field for the PVWA host.

no

AppID

The Application ID associated with the CyberArk API connection.

yes
Safe

Users may optionally specify a Safe to gather account information and request passwords.

 no
AIM Web Service Authentication Type There are two authentication methods established in the feature. IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted.

yes
CyberArk PVWA Web UI Login Name Username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

yes
CyberArk PVWA Web UI Login Password Password for the username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

yes
CyberArk Platform Search String

String used in the PVWA REST API query parameters to gather bulk account information. For example, the user can enter UnixSSH Admin TestSafe, to gather all UnixSSH platform accounts containing a username Admin in a Safe called TestSafe.

Note: This is a non-exact keyword search. A best practice would be to create a custom platform name in CyberArk and enter that value in this field to improve accuracy.

 yes

Elevate Privileges with

Users can only select Nothing or sudo at this time.

no

Use SSL

If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

yes

Verify SSL Certificate

If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

no
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

 no

Tip: To view whether your Cyberark credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

The following is the legacy CyberArk authentication method.

Option Description

Username

The target system’s username.

CyberArk AIM Service URL

The URL of the AIM service. By default, this field uses /AIMWebservice/v1.1/AIM.asmx.

Central Credential Provider Host

The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider Port

The port on which the CyberArk Central Credential Provider is listening.

Central Credential Provider Username

If you configured the CyberArk Central Credential Provider to use basic authentication, you can fill in this field for authentication.

Central Credential Provider Password

If you configured the CyberArk Central Credential Provider to use basic authentication, you can fill in this field for authentication.

Safe

The safe on the CyberArk Central Credential Provider server that contained the authentication information you would like to retrieve.
CyberArk Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.
CyberArk Client Certificate Private Key The file that contains the PEM private key for the client certificate.
CyberArk Client Certificate Private Key Passphrase (Optional) The passphrase for the private key, if required.

AppId

The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.

Folder

The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

PolicyId

The PolicyID assigned to the credentials you would like to retrieve from the CyberArk Central Credential Provider.

Use SSL

If you configured the CyberArk Central Credential Provider to support SSL through IIS, select this for secure communication.

Verify SSL Certificate

Select this if you configured CyberArk Central Credential Provider to support SSL through IIS and you want to validate the certificate. Refer to the custom_CA.inc documentation for how to use self-signed certificates.

CyberArk Account Details Name

The unique name of the credential you want to retrieve from CyberArk.

CyberArk Address

The domain for the user account.

CyberArk Elevate Privileges With

The privilege escalation method you want to use to increase the user's privileges after initial authentication. Your selection determines the specific options you must configure.

Tip: To view whether your Delinea credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

Option Description Required
Delinea Authentication Method Indicates whether to use credentials or an API key for authentication. By default, Credentials is selected. yes

Delinea Login Name

The username to authenticate to the Delinea server.

yes

Delinea Password

The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided.

yes
Delinea API Key The API key generated in the Secret Server user interface. This setting is required if the API Key authentication method is selected. yes

Delinea Secret Name

The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server.

yes

Delinea Host

The Delinea Secret Server host to pull the secrets from.

yes

Delinea Port

The Delinea Secret Server Port for API requests. By default, Tenable uses 443.

yes

Use Private Key

If enabled, uses key-based authentication for SSH connections instead of password authentication.

no

Kerberos Target Authentication

If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

no

Key Distribution Center (KDC)

(Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.

yes

KDC Port

The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

no

KDC Transport

The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

no

Realm

(Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target.

yes

Use SSL

Enable if the Delinea Secret Server is configured to support SSL.

no

Verify SSL Certificate

If enabled, verifies the SSL Certificate on the Delinea server.

no

Elevate privileges with

 The privilege escalation method you want to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo. Your selection determines the specific options you must configure.

no
Custom password prompt Some devices are configured to prompt for a password with a non-standard string (for example, "secret-passcode"). This setting allows recognition of these prompts. Leave this blank for most standard password prompts.

no
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

 no

Tip: To view whether your Delinea credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

Option Description Required

Delinea Host

The Delinea Secret Server host to pull the secrets from.

Yes

Delinea Port

The Delinea Secret Server Port for API requests. By default, Tenable uses 443.

Yes

Delinea Authentication Method

Indicates whether to use credentials or an API key for authentication. By default, Credentials is selected.

Yes
Delinea Login Name

The username to authenticate to the Delinea server.

 Yes
Delinea Password The password to authenticate to the Delinea server. This is associated with the provided Delinea Login Name.

Yes
Delinea API Key The API key generated in the Secret Server user interface. This setting is required if the API Key authentication method is selected.

Yes
Query Mode Choose to query accounts using pre-set fields or by constructing a string of URL query parameters. By default, Simple is selected.

Yes
Folder ID

Query accounts with the given folder ID. This option is only available if query mode is set to Simple.

 No

Search Text

Query accounts matching the given search text. This option is only available if query mode is set to Simple.

No

Search Field

The field to search using the given search text. If not specified, the query will search the name field. This option is only available if query mode is set to Simple.

No
Exact Match Perform an exact match against the search text. By default, this is unselected. This option is only available if query mode is set to Simple.

No
Query String Provide a string of URL query parameters. This option is only available if query mode is set to Advanced, and in that case it is required.

Yes
Use Private Key Use key-based authentication for SSH connections instead of password authentication.

No
Use SSL Use SSL for secure communications.

Yes
Verify SSL Certificate Verify the Delinea Secret Server SSL certificate.

No
Delinea Elevate Privileges With

The privilege escalation method to use to increase users' privileges after initial authentication. Multiple options for privilege escalation are supported, including su, su+sudo and sudo.

Selecting a privilege escalation method provides options to configure an escalation query, similar to “query mode” and its related options. These fields must only be completed if using a separate account for escalation than initial login (for example, “su”).

Yes

Kerberos, developed by MIT’s Project Athena, is a client/server application that uses a symmetric key encryption protocol. In symmetric encryption, the key used to encrypt the data is the same as the key used to decrypt the data. Organizations deploy a KDC (Key Distribution Center) that contains all users and services that require Kerberos authentication. Users authenticate to Kerberos by requesting a TGT (Ticket Granting Ticket). Once you grant a user a TGT, the user can use it to request service tickets from the KDC to be able to utilize other Kerberos based services. Kerberos uses the CBC (Cipher Block Chain) DES encryption protocol to encrypt all communications.

Note: You must already have a Kerberos environment established to use this method of authentication.

The Tenable Nessus implementation of Linux-based Kerberos authentication for SSH supports the aes-cbc and aes-ctr encryption algorithms. An overview of how Tenable Nessus interacts with Kerberos is as follows:

  • End user gives the IP of the KDC
  • nessusd asks sshd if it supports Kerberos authentication
  • sshd says yes
  • nessusd requests a Kerberos TGT, along with login and password
  • Kerberos sends a ticket back to nessusd
  • nessusd gives the ticket to sshd
  • nessusd is logged in

In both Windows and SSH credentials settings, you can specify credentials using Kerberos keys from a remote system. There are differences in the configurations for Windows and SSH.

Option Description

Username

The target system’s username.

Password

Password of the username specified.

Key Distribution Center (KDC)

This host supplies the session tickets for the user.

KDC Port

You can set this option to direct Tenable Nessus to connect to the KDC if it is running on a port other than 88.

KDC Transport

The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

Realm

The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com).

Elevate privileges with

Allows for increasing privileges once authenticated.
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

If Kerberos is used, you must configure sshd with Kerberos support to verify the ticket with the KDC. You must configure reverse DNS lookups properly for this to work. The Kerberos interaction method must be gssapi-with-mic.

Option Description

Username

The target system’s username.

Password

Password of the username specified.

Elevate privileges with

Allows for increasing privileges once authenticated.
Custom password prompt The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Vulnerability Management receiving an unrecognized password prompt on the target host's interactive SSH shell.
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

Public Key Encryption, also referred to as asymmetric key encryption, provides a more secure authentication mechanism by the use of a public and private key pair. In asymmetric cryptography, Tenable Nessus uses the public key to encrypt data and Tenable Nessus uses the private key to decrypt it. The use of public and private keys is a more secure and flexible method for SSH authentication. Tenable Nessus supports both DSA and RSA key formats.

Like Public Key Encryption, Tenable Nessus supports RSA and DSA OpenSSH certificates. Tenable Nessus also requires the user certificate, which is signed by a Certificate Authority (CA), and the user’s private key.

Note: Tenable Nessus supports the openssh SSH public key format (pre-7.8 OpenSSH). Tenable Nessus does not support the new OPENSSH format (OpenSSH versions 7.8+). To check which version you have, check your private key contents. openssh shows -----BEGIN RSA PRIVATE KEY----- or -----BEGIN DSA PRIVATE KEY-----, and the new, incompatible OPENSSH shows -----BEGIN OPENSSH PRIVATE KEY-----. You must convert non-openssh formats, including PuTTY and SSH Communications Security, to the openssh public key format.

The most effective credentialed scans are when the supplied credentials have root privileges. Since many sites do not permit a remote login as root, Tenable Nessus can invoke su, sudo, su+sudo, dzdo, .k5login, or pbrun with a separate password for an account that you set up to have su or sudo privileges. In addition, Tenable Nessus can escalate privileges on Cisco devices by selecting Cisco ‘enable’ or .k5login for Kerberos logins.

Note: Tenable Nessus supports the blowfish-cbc, aes-cbc, and aes-ctr cipher algorithms. Some commercial variants of SSH do not have support for the blowfish algorithm, possibly for export reasons. It is also possible to configure an SSH server to accept certain types of encryption only. Check your SSH server to ensure that it supports the correct algorithm.

Tenable Nessus encrypts all passwords stored in policies. However, Tenable recommends using SSH keys for authentication rather than SSH passwords. This helps ensure that someone does not use the same username and password you are using to audit your known SSH servers to attempt a log into a system that may not be under your control.

Note: For supported network devices, Tenable Nessus only supports the network device’s username and password for SSH connections.

If you have to use an account other than root for privilege escalation, you can specify it under the Escalation account with the Escalation password.

Option Description

Username

Username of the account which is being used for authentication on the host system.

Private Key

RSA, DSA, ECDSA, or ED25519 OpenSSH private key of the user.

Private key passphrase

Passphrase of the private key.

Elevate privileges with

Allows for increasing privileges once authenticated.
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

Tip: To view whether your QiAnXin credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

Option Description Required

QiAnXin Host

The IP address or url for the QiAnXin host.

yes

QiAnXin Port

The port on which the QiAnXin API communicates. By default, Tenable uses 443.

yes

QiAnXin API Client ID

The Client ID for the embedded account application created in QiAnXin PAM.

yes

QiAnXin API Secret ID

 The Secret ID for the embedded account application created in QiAnXin PAM.

yes

Username

 The username to log in to the hosts you want to scan. yes

Host IP

 Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used. no

Platform

Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values:

  • ACTIVE_DIRECTORY — Windows Domain Account

  • WINDOWS — Windows Local Account

  • LINUX — Linux Account

  • SQL_SERVER — SQL Server Database

  • ORACLE — Oracle Database

  • MYSQL — MySQL Database

  • DB2 — DB2 Database

  • HP_UNIX — HP Unix

  • SOLARIS — Solaris

  • OPENLDAP — OpenLDAP

  • POSTGRESQL — PostgreSQL

 no

Region ID

 Specify the region ID of the asset containing the account to use. Only if using multiple regions
Escalate Privileges with

Use the drop-down menu to select the privilege elevation method, or select “Nothing” to skip privilege elevation.

Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through QiAnXin. The Escalation Account Name field is only required if the escalation password differs from the normal login password.

Note: For more information about supported privilege escalation types and their accompanying fields, see the Nessus User Guide or the Tenable Vulnerability Management User Guide.

Required if you wish to escalate privileges.
Escalation Account Username If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here. no

Kerberos Target Authentication

If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

no

Key Distribution Center (KDC)

(Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.

yes

KDC Port

The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

no

KDC Transport

The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

no

Realm

(Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target.

yes
Use SSL When enabled, Tenable uses SSL for secure communication. This is enabled by default.

no

Verify SSL Certificate

When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted CA.

no
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

 no

Tip: To view whether your Senhasegura credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

Option Description Required

Senhasegura Host

The IP address or url for the Senhasegura host.

yes

Senhasegura Port

The port on which the Senhasegura API communicates. By default, Tenable uses 443.

yes

Senhasegura API Client ID

The Client ID for the applicable Senhasegura A2A Application for Oauth 2.0 API authentication.

yes
Senhasegura API Secret ID The Secret ID for the applicable Senhasegura A2A Application for Oauth 2.0 API authentication.

yes
Senhasegura Credential ID or Identifier The credential ID or identifier for the credential the you are requesting to retrieve.

yes
Use SSH Key for Target Authentication The user can select this option to retrieve the SSH Key to authenticate to the target if the configuration is applicable in Senhasegura. Required if authenticating to target with SSH Key.

Private Key File

The private key used to decrypt encrypted sensitive data from A2A.

Note: You can enable encryption of sensitive data in the A2A Application Authorizations. If enabled, you must provide a private key file in the scan credentials. This can be downloaded from the applicable A2A application in Senhasegura.

Required if you have enabled encryption of sensitive data in A2A Application Authorizations.
Escalate Privileges with

Use the drop-down menu to select the privilege elevation method, or select Nothing to skip privilege elevation.

Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through Senhasegura. The Escalation Account Name field is then required to complete your privilege escalation.

Note: For more information about supported privilege escalation types and their accompanying fields, see the Nessus User Guide, the Tenable Vulnerability Management User Guide, or the Tenable Security Center User Guide.

 Required if you wish to escalate privileges.
Escalation account credential ID or identifier If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here. no
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

 no

HTTPS

This is enabled by default.

yes

Verify SSL Certificate

This is disabled by default.

no
Option Default Value

Username(required)

The username that is used to authenticate via ssh to the system.

Domain

Set the domain the username is part of if using Windows credentials.

Thycotic Secret Name (required)

This is the value to store the secret as on the Thycotic server. It is referred to as the “Secret Name” on the Thycotic server.

Thycotic Secret Server URL (required)

Use this option to set the transfer method, target, and target directory for the scanner. You can find this value in Admin > Configuration > Application Settings > Secret Server URL on the Thycotic server. For example consider the following address https://pw.mydomain.com/SecretServer/. We parse this to know that HTTPS defines it is a ssl connection, pw.mydomain.com is the target address, /SecretServer/ is the root directory.

Thycotic Login Name (required)

The username to authenticate to the Thycotic server.

Thycotic Password (required)

The password associated with the Thycotic Login Name.

Thycotic Organization (required)

Use this value in cloud instances of Thycotic to define which organization your query should hit.

Thycotic Domain (optional)

This is an optional value set if you set the domain value for the Thycotic server.

Private Key (optional)

Use key based authentication for SSH connections instead of password.

Verify SSL Certificate

Verify if the SSL Certificate on the server is signed by a trusted CA.
Thycotic elevate privileges with The privilege escalation method you want to use to increase the user's privileges after initial authentication. Tenable Nessus supports multiple options for privilege escalation, including su, su+sudo and sudo. Your selection determines the specific options you must configure.
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

Tip: To view whether your BeyondTrust credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

Option Default Value

Username

(Required) The username to log in to the hosts you want to scan.

BeyondTrust host

(Required) The BeyondTrust IP address or DNS address.

BeyondTrust port

(Required) The port BeyondTrust is listening on.

BeyondTrust API key

(Required) The API key provided by BeyondTrust.

Checkout duration

(Required) The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout duration to exceed the typical duration of your Tenable Nessus scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Note: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable Nessus scans. If BeyondTrust changes a password during a scan, the scan fails.

Use SSL

If enabled, Tenable Nessus uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.

Verify SSL certificate

If enabled, Tenable Nessus validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.

Use private key

If enabled, Tenable Nessus uses private key-based authentication for SSH connections instead of password authentication. If it fails, Tenable Nessus requests the password.

Use privilege escalation

If enabled, BeyondTrust uses the configured privilege escalation command. If it returns something, it uses it for the scan.
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.
Option Description Required
Username The target system’s username.

yes
Lieberman host

The Lieberman IP/DNS address.

Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.

yes
Lieberman port The port on which Lieberman listens.

yes
Lieberman API URL The URL Tenable Nessus uses to access Lieberman. no
Lieberman user The Lieberman explicit user for authenticating to the Lieberman RED API.

yes
Lieberman password The password for the Lieberman explicit user.

yes
Lieberman Authenticator

The alias used for the authenticator in Lieberman. The name should match the name used in Lieberman.

Note: If you use this option, append a domain to the Lieberman user option, i.e., domain\user.

 no
Lieberman Client Certificate

The file that contains the PEM certificate used to communicate with the Lieberman host.

Note: If you use this option, you do not have to enter information in the Lieberman user, Lieberman password, and Lieberman Authenticator fields.

 no
Lieberman Client Certificate Private Key The file that contains the PEM private key for the client certificate. no
Lieberman Client Certificate Private Key Passphrase The passphrase for the private key, if required. no
Use SSL

If Lieberman is configured to support SSL through IIS, check for secure communication.

no
Verify SSL Certificate

If Lieberman is configured to support SSL through IIS and you want to validate the certificate, check this option. Refer to Custom CA documentation for how to use self-signed certificates.

no
System Name In the rare case your organization uses one default Lieberman entry for all managed systems, enter the default entry name.

no
Custom password prompt The password prompt used by the target host. Only use this setting when an interactive SSH session fails due to Tenable Nessus receiving an unrecognized password prompt on the target host's interactive SSH shell.

no
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

 no

Tip: To view whether your Wallix Bastion credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

Option Description Required

WALLIX Host

The IP address for the WALLIX Bastion host.

yes

WALLIX Port

The port on which the WALLIX Bastion API communicates. By default, Tenable uses 443.

yes

Authentication Type

Basic authentication (with WALLIX Bastion user interface username and Password requirements) or API Key authentication (with username and WALLIX Bastion-generated API key requirements).

no
WALLIX User

Your WALLIX Bastion user interface login username.

 yes
WALLIX Password Your WALLIX Bastion user interface login password. Used for Basic authentication to the API. yes
WALLIX API Key The API key generated in the WALLIX Bastion user interface. Used for API Key authentication to the API. yes
Get Credential by Device Account Name

The account name associated with a Device you want to log in to the target systems with.

Note: If your device has more than one account you must enter the specific device name for the account you want to retrieve credentials for. Failure to do this may result in credentials for the wrong account returned by the system.

Required only if you have a target and/or device with multiple accounts.

HTTPS

This is enabled by default.

Caution: The integration fails if you disable HTTPS.

yes

Verify SSL Certificate

This is disabled by default and is not supported in WALLIX Bastion PAM integrations.

no

Elevate privileges with

This enables WALLIX Bastion Privileged Access Management (PAM). Use the drop-down menu to select the privilege elevation method. To bypass this function, leave this field set to Nothing.

Caution: In your WALLIX Bastion account, the WALLIX Bastion super admin must have enabled "credential recovery" on your account for PAM to be enabled. Otherwise, your scan may not return any results. For more information, see your WALLIX Bastion documentation.

Note: Multiple options for privilege escalation are supported, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation Account Name, and Location of su and sudo (directory) are provided and can be completed to support authentication and privilege escalation through WALLIX Bastion PAM. The Escalation Account Name field is then required to complete your privilege escalation.

Note: For more information about supported privilege escalation types and their accompanying fields, see the Tenable Nessus User Guide.

Required if you wish to escalate privileges.

Database

Port		 The TCP port that the Oracle database instance listens on for communications from. The default is port 1521.

no

Auth Type

The type of account you want Tenable to use to access the database instance: 

  • SYSDBA
  • SYSOPER
  • NORMAL

no
Service Type The Oracle parameter you want to use to specify the database instance: SID or SERVICE_NAME.

no
Service

The SID value or SERVICE_NAME value for your database instance.

The Service value you enter must match your parameter selection for the Service Type option.

yes
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

 no

Tip: To view whether your HashiCorp credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

Windows and SSH Credentials
Option Description

Required
Hashicorp Vault host

The Hashicorp Vault IP address or DNS address.

Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname / subdirectory path.

 yes
Hashicorp Vault port The port on which Hashicorp Vault listens. yes
Authentication Type

Specifies the authentication type for connecting to the instance: App Role or Certificates.

If you select Certificates, additional options for Hashicorp Client Certificate(Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.

 yes
Role ID The GUID provided by Hashicorp Vault when you configured your App Role. yes
Role Secret ID

The GUID generated by Hashicorp Vault when you configured your App Role.

 yes
Authentication URL

The path/subdirectory to the authentication endpoint. This is not the full URL. For example:

/v1/auth/approle/login

yes
Namespace The name of a specified team in a multi-team environment. no
Vault Type

The Tenable Nessus version: KV1, KV2, AD, or LDAP. For additional information about Tenable Nessus versions, see the Tenable Nessus documentation.

 yes
KV1 Engine URL

(KV1) The URL Tenable Nessus uses to access the KV1 engine.

Example: /v1/path_to_secret. No trailing /

 yes, if you select the KV1 Vault Type
KV2 Engine URL

(KV2) The URL Tenable Nessus uses to access the KV2 engine.

Example: /v1/path_to_secret. No trailing /

 yes, if you select the KV2 Vault Type
AD Engine URL

(AD) The URL Tenable Nessus uses to access the Active Directory engine.

Example: /v1/path_to_secret. No trailing /

 yes, if you select the AD Vault Type
LDAP Engine URL

(LDAP) The URL Tenable Nessus uses to access the LDAP engine.

Example: /v1/path_to_secret. No trailing /

 yes, if you select the LDAP Vault Type
Username Source (KV1 and KV2) A drop-down box to specify if the username is input manually or pulled from Hashicorp Vault. yes
Username Key (KV1 and KV2) The name in Hashicorp Vault that usernames are stored under. yes
Password Key (KV1 and KV2) The key in Hashicorp Vault that passwords are stored under. yes

Domain Key (Windows)

(Required if Kerberos Target Authentication is enabled.) The key name that the domain is stored under in the secret.

yes
Secret Name (KV1, KV2, and AD) The key secret you want to retrieve values for. yes

Kerberos Target Authentication

If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.

no

Key Distribution Center (KDC)

(Required if Kerberos Target Authentication is enabled.) This host supplies the session tickets for the user.

yes

KDC Port

The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.

no

KDC Transport

The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.

no

Domain (Windows)

(Required if Kerberos Target Authentication is enabled.) The domain to which Kerberos Target Authentication belongs, if applicable.

yes

Realm (SSH)

(Required if Kerberos Target Authentication is enabled.) The Realm is the authentication domain, usually noted as the domain name of the target (for example, example.com).

yes
Use SSL If enabled, Tenable Nessus Manager uses SSL for secure communications. Configure SSL in Hashicorp Vault before enabling this option. no
Verify SSL Certificate If enabled, Tenable Nessus Manager validates the SSL certificate. Configure SSL in Hashicorp Vault before enabling this option. no
Enable for Tenable Nessus Enables/disables IBM DataPower Gateway use with Tenable Nessus. yes
Elevate privileges with (SSH)

Use a privilege escalation method such as su or sudo to use extra privileges when scanning.

Note: Tenable supports multiple options for privilege escalation, including su, su+sudo and sudo. For example, if you select sudo, more fields for sudo user, Escalation account secret name, and Location of sudo (directory) are provided and can be completed to support authentication and privilege escalation through Tenable Nessus.

Note: For more information about supported privilege escalation types and their accompanying fields, see the Nessus User Guide and the Tenable Vulnerability Management User Guide.

 Required if you wish to escalate privileges.
Escalation account secret name (SSH) If the escalation account has a different username or password from the least privileged user, enter the credential ID or identifier for the escalation account credential here. no
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

 no
Option Default Value

Centrify Host

(Required) The Centrify IP address or DNS address.

Note: If your Centrify installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Centrify Port

 The port on which Centrify listens.
API User (Required) The API user provided by Centrify

API Key

 (Required) The API key provided by Centrify.
Tenant The name of a specified team in a multi-team environment.

Authentication URL

 The URL Tenable Nessus Manager uses to access Centrify.
Password Engine URL The name of a specified team in a multi-team environment.
Username (Required) The username to log in to the hosts you want to scan.
Checkout Duration

The length of time, in minutes, that you want to keep credentials checked out in Centrify.

Configure the Checkout Duration to exceed the typical duration of your Tenable Nessus Manager scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Note: Configure the password change interval in Centrify so that password changes do not disrupt your Tenable Nessus Manager scans. If Centrify changes a password during a scan, the scan fails.
Use SSL When enabled, Tenable Nessus Manager uses SSL through IIS for secure communications. You must configure SSL through IIS in Centrify before enabling this option.
Verify SSL When enabled, Tenable Nessus Manager validates the SSL certificate. You must configure SSL through IIS in Centrify before enabling this option.
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.

Tip: To view whether your Arcon credentials were successfully authenticated, view the plugin output of the integration_status.nasl plugin once the scan is complete. For more information, see Plugins.

Option Default Value

Arcon host

(Required) The Arcon IP address or DNS address.

Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Arcon port

The port on which Arcon listens.
API User

(Required) The API user provided by Arcon.
API Key

(Required) The API key provided by Arcon.
Authentication URL The URL Tenable Nessus Manager uses to access Arcon.

Password Engine URL

The URL Tenable Nessus Manager uses to access the passwords in Arcon.
Username (Required) The username to log in to the hosts you want to scan.
Arcon Target Type (Optional) The name of the target type. . Depending on the Arcon PAM version you are using and the system type the SSH credential has been created with, this is set to linux by default. Refer to the Arcon PAM Specifications document (provided by Arcon) for target type/system type mapping for the correct target type value.
Checkout Duration

(Required) The length of time, in hours, that you want to keep credentials checked out in Arcon.

Configure the Checkout Duration to exceed the typical duration of your Tenable Vulnerability Management scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Note: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Vulnerability Management scans. If Arcon changes a password during a scan, the scan fails.
Kerberos Target Authentication If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target.
Key Distribution Center (KDC) (Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user.
KDC Port The port on which the Kerberos authentication API communicates. By default, Tenable uses 88.
KDC Transport The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation.
Realm (Required if Kerberos Target Authentication is enabled) The Realm is the authentication domain, usually noted as the domain name of the target.
Use SSL When enabled, Tenable Nessus Manager uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option.
Verify SSL When enabled, Tenable Nessus Manager validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option.
Targets to Prioritize Credentials

Specify IPs or CIDR blocks on which this credential is attempted before any other credential. To specify multiple IPs or CIDR blocks, use a comma or space-separated list.

Using this setting can decrease scan times by prioritizing a credential that you know works against your selected targets. For example, if your scan specifies 100 credentials, and the successful credential is the 59th credential out of 100, the first 58 credentials have to fail before the 59th credential succeeds. If you use Targets To Prioritize Credentials, you configure the scan to use the successful credential first, which allows the scan to access the target faster.