Credentials

Credentials are reusable objects that facilitate scan target login. Credentials created by the admin user are available to all Organizations, while those created by Organizational users are only available to the applicable Organization. Various types of credentials can be configured for use in scan policies. Credentials can be shared between users for scanning purposes and allow the user to scan a remote host without actually knowing the login credentials of the host. Available credential types include:

To use the standard Windows password authentication method, enter the Username, Password, and Domain in the text boxes.

When using the Kerberos option to authenticate to a Windows host, enter the username, password, domain, KDC Host, KDC port, and KDC transport options.

The LM and NTLM hash methods require the username, hash, and domain to be entered for the account to be used for logins.

When using CyberArk Vault credentials for authentication to Windows hosts, several values must be entered, including the username to authenticate with, the domain, and information about the CyberArk Vault server, as described in the table at the end of this section.

Tip: Using a non-administrator account significantly reduces the quality of the scan results, since many local checks require administrative access to the host. It is often practical to create a dedicated Nessus user with administrative privileges that is used solely for scheduled scanning.

Using the password method for SSH authentication requires entering a username and password for the account. A privilege escalation method may also be selected if needed.

The stored credentials are protected (encrypted) using the AES-256-CBC algorithm.

To use the Kerberos option to authenticate using an SSH login, enter the username, password, domain, KDC Host, KDC port, KDC transport, and Realm options. A privilege escalation method may also be selected if needed.

The Public Key authentication option requires entering a username, uploading a private key, and entering the passphrase if needed. A privilege escalation method may also be selected if needed.

The Certificate authentication option requires entering a username, uploading a user certificate, uploading a private key, and entering the passphrase if needed. A privilege escalation method may also be selected if needed.

When using CyberArk Vault credentials for authentication to SSH hosts, several values must be entered, including the username to authenticate with and information about the CyberArk Vault server, as described in the table at the end of this section. A privilege escalation method may also be selected if needed.

The most effective credentialed scans are those with “root” privileges (“enable” privileges for Cisco IOS). Since many sites do not permit a remote login as “root” for security reasons, a Nessus user account can invoke a variety of privilege escalation options including: “su”, “sudo”, “su+sudo”, “DirectAuthorize (dzdo)”, “PowerBroker (pbrun)”, “k5login”, and “Cisco Enable”.

To direct the Nessus scanner to use privilege escalation, click the drop-down menu labeled “Privilege Escalation” and select the appropriate option for your target system. Enter the escalation information in the provided box.

Note: PowerBroker (pbrun), from BeyondTrust, and DirectAuthorize (dzdo), from Centrify, are proprietary root task delegation methods for Unix and Linux systems.

Tip: Scans run using “su+sudo” allow the user to scan with a non-privileged account and then switch to a user with “sudo” privileges on the remote host. This is important for locations where remote privileged login is prohibited.

Note: Scans run using “sudo” vs. the root user do not always return the same results because of the different environmental variables applied to the “sudo” user and other subtle differences. Please refer to the “sudo” man pages or the following web page for more information: https://www.sudo.ws/man/sudo.man.html.

An example Windows credential window with CyberArk Vault as the authentication method is displayed below:

Note: Aspects of credential options are based on Nessus plugin options. Therefore, specific credential options may differ from the descriptions documented here.

CyberArk Vault Options

The following table describes the options when using CyberArk Vault as the Authentication Method for Windows and SSH credentials.

Option and description:

Username
    The target system's username, i.e. the account whose password is retrieved from the vault.

Domain
    Optional; the domain the username above belongs to, if any.

Central Credential Provider Host
    The IP address or DNS name of the CyberArk Central Credential Provider.

Central Credential Provider Port
    The port the CyberArk Central Credential Provider is listening on.

Vault Username (optional)
    If the CyberArk Central Credential Provider is configured to use basic authentication, the username used to authenticate to it.

Vault Password (optional)
    If the CyberArk Central Credential Provider is configured to use basic authentication, the password for the Vault Username above.

Safe
    The safe on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

AppID
    The AppID that has been granted permission on the CyberArk Central Credential Provider to retrieve the target password.

Folder
    The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

PolicyID
    The PolicyID assigned to the credentials you would like to retrieve from the CyberArk Central Credential Provider.

Vault Use SSL
    Check this if the CyberArk Central Credential Provider is configured to support SSL through IIS, so that communication with it is encrypted.

Vault Verify SSL
    Check this if the CyberArk Central Credential Provider is configured to support SSL through IIS and you want its certificate validated. Left unchecked, the scanner accepts any certificate, so a host that can intercept the connection could pose as the Central Credential Provider. Refer to the custom_CA.inc documentation for how to use self-signed certificates.
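The following Python script is an added example, not Tenable's or CyberArk's code, showing how the options in the table above map onto a request to the CyberArk Central Credential Provider (CCP), how the password comes back, and what the two SSL checkboxes change. It assumes CCP's AIM web service at /AIMWebService/api/Accounts answering a GET with a JSON object whose "Content" member is the password; this page does not describe that interface. The host names, safe, AppID, PolicyID, the basic-auth pair and the reply are all constructed for illustration.

```python
"""Added example (not Tenable's or CyberArk's code): build a CyberArk CCP request
from the credential form fields, read the password from the reply, and flag
settings a reviewer would object to. The CCP endpoint and JSON shape are
assumptions; all values below are constructed."""
import base64
import io
import json
import ssl
import urllib.parse
import urllib.request

CCP_PATH = "/AIMWebService/api/Accounts"  # assumed CCP web service path

# Constructed values for the fields in the table above.
SAMPLE_OPTS = {
    "Username": "svc-nessus",
    "Domain": "CORP",
    "Central Credential Provider Host": "ccp.corp.example",
    "Central Credential Provider Port": 443,
    "Vault Username": "Aladdin",        # RFC 2617's basic-auth example pair
    "Vault Password": "open sesame",
    "Safe": "Scanning",
    "AppID": "NessusScanner",
    "Folder": "Root",
    "PolicyID": "WinDomainAdmin",
    "Vault Use SSL": True,
    "Vault Verify SSL": True,
}

# Constructed stand-in for the JSON a CCP returns for that account.
SAMPLE_RESPONSE = {
    "Content": "Tr0ub4dor&3",
    "UserName": "svc-nessus",
    "Address": "dc01.corp.example",
    "Safe": "Scanning",
    "Folder": "Root",
    "PolicyID": "WinDomainAdmin",
}


def build_ccp_request(opts):
    """Map the form fields onto (url, headers, ssl_context)."""
    scheme = "https" if opts.get("Vault Use SSL") else "http"
    query = {
        "AppID": opts["AppID"],
        "Safe": opts["Safe"],
        "Folder": opts.get("Folder") or "Root",
        "UserName": opts["Username"],  # the target account to look up
    }
    if opts.get("PolicyID"):
        query["PolicyID"] = opts["PolicyID"]
    url = "%s://%s:%d%s?%s" % (
        scheme, opts["Central Credential Provider Host"],
        int(opts["Central Credential Provider Port"]), CCP_PATH,
        urllib.parse.urlencode(query))

    headers = {"Accept": "application/json"}
    if opts.get("Vault Username"):
        # Optional IIS basic authentication in front of the CCP.
        pair = "%s:%s" % (opts["Vault Username"], opts.get("Vault Password", ""))
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()

    ctx = None
    if scheme == "https":
        ctx = ssl.create_default_context()
        if not opts.get("Vault Verify SSL"):
            # "Vault Verify SSL" unchecked: any certificate is accepted, so an
            # on-path host can pose as the CCP and return passwords of its choosing.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
    return url, headers, ctx


def audit_options(opts):
    """Return the weaknesses to flag before saving this credential."""
    findings = []
    if not opts.get("Vault Use SSL"):
        findings.append("Vault Use SSL is off: AppID, account name and the "
                        "returned password cross the network in clear text")
        if opts.get("Vault Username"):
            findings.append("Vault Username/Password would be sent as "
                            "plain-HTTP basic authentication")
    elif not opts.get("Vault Verify SSL"):
        findings.append("Vault Verify SSL is off: the CCP certificate is not "
                        "validated, so the CCP can be impersonated")
    return findings


def fetch_password(opts, urlopen=urllib.request.urlopen):
    """Retrieve the target account's password; returns (password, metadata)."""
    url, headers, ctx = build_ccp_request(opts)
    req = urllib.request.Request(url, headers=headers)
    with urlopen(req, context=ctx) as resp:
        body = json.load(resp)
    if "Content" not in body:
        raise RuntimeError("no Content member in CCP reply: %r" % sorted(body))
    return body["Content"], {k: v for k, v in body.items() if k != "Content"}


def sample_urlopen(req, context=None):
    """Offline stand-in for urllib.request.urlopen that answers like the CCP."""
    sample_urlopen.last_request = req
    return io.BytesIO(json.dumps(SAMPLE_RESPONSE).encode())


if __name__ == "__main__":
    for finding in audit_options({**SAMPLE_OPTS, "Vault Verify SSL": False}):
        print("warning:", finding)
    password, meta = fetch_password(SAMPLE_OPTS, urlopen=sample_urlopen)
    print("retrieved %d-char password for %s@%s"
          % (len(password), meta["UserName"], meta["Address"]))
```

To run it against a real Central Credential Provider, call fetch_password(opts) without the urlopen argument; the sample_urlopen stand-in exists only so the script works offline. The audit_options check is the part worth keeping: the scanner sends the AppID, the Vault Username/Password pair and the looked-up account name to whatever answers at the configured host, and receives the target's password back, so Vault Use SSL and Vault Verify SSL should both be checked unless the CCP is reachable only over a trusted network.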

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.