Credentials

Credentials are reusable objects that store the login information a scan uses to authenticate to its targets. Credentials created by the admin user are available to all Organizations, while those created by Organizational users are only available to the applicable Organization. Various types of credentials can be configured for use in scan policies. Credentials can be shared between users for scanning purposes, which allows a user to run a credentialed scan of a remote host without ever seeing the login credentials of that host. Available credential types include:

  • Windows – Nessus has vulnerability checks that can use a Microsoft Windows domain account to find local information from a remote Windows host. For example, using credentials enables Nessus to determine if important security patches have been applied. There are five options for authentication methods: Password, Kerberos, LM Hash, NTLM Hash, and CyberArk Vault.

To use the standard Windows password authentication method, enter the Username, Password, and Domain in the text boxes.

When using the Kerberos option to authenticate to a Windows host, enter the username, password, domain, KDC Host, KDC port, and KDC transport options.

The LM and NTLM hash methods require the username, hash, and domain to be entered for the account to be used for logins. The hash is used in place of the password, and is sufficient on its own to authenticate, so protect these credential objects with the same care as the password itself.

When using CyberArk Vault credentials for authentication to Windows hosts, a variety of information is required to be entered including the username to authenticate with, the domain, and information about the CyberArk Vault server as described in the table at the end of this section.

Tip: Using a non-administrator account will significantly reduce the quality of the scan results, since many local checks require administrative access. Often it makes sense to create a dedicated Nessus user with administrative privileges that is used solely for scheduled scanning.

  • SSH (password with optional privilege escalation and key-based) – SSH credentials are used to obtain local information from remote Linux, Unix, and Cisco IOS systems for patch auditing or compliance checks. There are five options for authentication methods: Password, Kerberos, Public Key, Certificate, and CyberArk Vault.

Using the password method for SSH authentication requires entering a username and password for the account. A privilege escalation method may also be selected if needed.

The credentials stored are protected (encrypted) using the AES-256-CBC algorithm.

To use the Kerberos option to authenticate using an SSH login, enter the username, password, domain, KDC Host, KDC port, KDC transport, and Realm options. A privilege escalation method may also be selected if needed.

The Public Key authentication option requires entering a username, uploading a private key, and entering the passphrase if the key has one. A privilege escalation method may also be selected if needed.

The Certificate authentication option requires entering a username, uploading a user certificate, uploading a private key, and entering the passphrase if the key has one. A privilege escalation method may also be selected if needed.

When using CyberArk Vault credentials for authentication to SSH hosts, a variety of information is required to be entered, including the username to authenticate with and information about the CyberArk Vault server, as described in the table at the end of this section. A privilege escalation method may also be selected if needed.

The most effective credentialed scans are those with “root” privileges (“enable” privileges for Cisco IOS). Since many sites do not permit a remote login as “root” for security reasons, a Nessus user account can invoke a variety of privilege escalation options including: “su”, “sudo”, “su+sudo”, “DirectAuthorize (dzdo)”, “PowerBroker (pbrun)”, “k5login”, and “Cisco Enable”.

To direct the Nessus scanner to use privilege escalation, click the drop-down menu labeled “Privilege Escalation” and select the appropriate option for your target system. Enter the escalation information in the provided box.

Note: PowerBroker (pbrun) from BeyondTrust and DirectAuthorize (dzdo) from Centrify are proprietary root task delegation methods for Unix and Linux systems.

Tip: Scans run using “su+sudo” allow the user to scan with a non-privileged account and then switch to a user with “sudo” privileges on the remote host. This is important for locations where remote privileged login is prohibited.

Note: Scans run using “sudo” vs. the root user do not always return the same results because of the different environmental variables applied to the “sudo” user and other subtle differences. Please refer to the “sudo” man pages or the following web page for more information: https://www.sudo.ws/man/sudo.man.html.

  • SNMP community string – Enter the SNMP community string used for authentication.
  • Database – The Database option allows for entering credentials and options for various types of database servers, including MSSQL, DB2, Informix/DRDA, MySQL, Oracle, and PostgreSQL.

An example Windows credential window with CyberArk Vault as the authentication method is displayed below:

Note: Aspects of credential options are based on Nessus plugin options. Therefore, specific credential options may differ from the descriptions documented here.

CyberArk Vault Options

The following table describes the options when using CyberArk Vault as the Authentication Method for Windows and SSH credentials.

  • Username – The username of the account on the target system that the scan logs in as. Its password is not entered here; it is retrieved from CyberArk at scan time.
  • CyberArk elevate privileges with – (SSH credentials only) Selects the privilege escalation method to apply after login; see "Privilege Escalation with CyberArk Credentials" below.
  • Domain – Optional. The domain the username above belongs to, if it is a domain account.
  • Central Credential Provider Host – The IP address or DNS name of the CyberArk Central Credential Provider.
  • Central Credential Provider Port – The port on which the CyberArk Central Credential Provider is listening.
  • Vault Username (optional) – If the CyberArk Central Credential Provider is configured to use basic authentication, the username to authenticate to it with.
  • Vault Password (optional) – If the CyberArk Central Credential Provider is configured to use basic authentication, the password to authenticate to it with.
  • Safe – The safe on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.
  • AppID – The AppID that has been granted permission on the CyberArk Central Credential Provider to retrieve the target password.
  • Folder – The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.
  • PolicyID – The PolicyID assigned to the credentials you would like to retrieve from the CyberArk Central Credential Provider.
  • Vault Use SSL – If the CyberArk Central Credential Provider is configured to support SSL through IIS, check this so that the request and the returned target password travel over an encrypted connection.
  • Vault Verify SSL – If the CyberArk Central Credential Provider is configured to support SSL through IIS and you want the scanner to validate its certificate, check this. Leaving it unchecked encrypts the connection but does not verify who is on the other end, so anything able to intercept traffic to the Central Credential Provider could present its own certificate and obtain both the AppID request and the target password. Refer to the custom_CA.inc documentation for how to trust self-signed certificates.

Privilege Escalation with CyberArk Credentials

Tenable supports the use of privilege escalation, such as “su” and “sudo”, when using SSH through the CyberArk authentication method. When adding a CyberArk Password Vault credential set, select “SSH” as the “Type” and “CyberArk Vault” as the “Authentication Method”:

As shown above, an option for “CyberArk elevate privileges with” appears under the “Username” option. Multiple options for privilege escalation are supported, including “su”, “su+sudo”, and “sudo”. For example, if “sudo” is selected, additional fields for “sudo login”, “CyberArk Account Details Name”, and “Location of sudo (directory)” are provided and can be completed to support authentication and privilege escalation through CyberArk Password Vault.

When asked for a “CyberArk Account Details Name”, perform the following steps to obtain the correct value:

1. Log in to CyberArk Password Vault.

2. Open the account (password entry) that the scan will use for privilege escalation.

3. On its Account Details page, read the Name parameter (such as in the image below); this is the value to supply in the “CyberArk Account Details Name” field.
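The following is an added example (not Tenable's or CyberArk's code) that ties the CyberArk Vault options in the table above to the "CyberArk Account Details Name" procedure: it builds the Central Credential Provider lookup from those fields, shows what "Vault Use SSL", "Vault Verify SSL" and the optional Vault Username/Password change about the connection, and parses the JSON the provider returns. It assumes the Central Credential Provider exposes its AIM web service at /AIMWebService/api/Accounts with AppID, Safe, Folder, Object and PolicyID query parameters, and that the Account Details Name maps to the Object parameter; confirm both against your CCP version. The sample response is constructed for the example.

```python
"""Added example (not Tenable's or CyberArk's code): assemble the Central
Credential Provider (CCP) request described by the CyberArk Vault options and
parse its reply.  Assumptions (not stated on the page): the CCP AIM web service
lives at /AIMWebService/api/Accounts and takes AppID, Safe, Folder, Object and
PolicyID as query parameters; the "CyberArk Account Details Name" is the Object.
"""
import base64
import json
import ssl
from urllib.parse import urlencode, urlunsplit


def build_ccp_url(host, port, use_ssl, app_id, safe, folder, object_name, policy_id=None):
    """Compose the CCP lookup URL from the SecurityCenter credential fields.
    use_ssl mirrors 'Vault Use SSL': False sends the AppID and receives the
    target password in clear text."""
    scheme = "https" if use_ssl else "http"
    params = {"AppID": app_id, "Safe": safe, "Folder": folder, "Object": object_name}
    if policy_id:                      # 'PolicyID' field, only if the credential sets one
        params["PolicyID"] = policy_id
    return urlunsplit((scheme, f"{host}:{port}", "/AIMWebService/api/Accounts",
                       urlencode(params), ""))


def basic_auth_header(vault_user, vault_password):
    """Optional 'Vault Username'/'Vault Password' fields become an HTTP Basic
    Authorization header; returns None when the CCP does not require them."""
    if not vault_user:
        return None
    token = base64.b64encode(f"{vault_user}:{vault_password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def tls_context(verify_ssl, ca_file=None):
    """Mirror 'Vault Verify SSL'.  verify_ssl=False disables certificate and
    hostname checks, so anyone who can intercept traffic to the CCP can present
    their own certificate and read the AppID request and the returned password.
    ca_file lets you trust a private CA instead (the page's custom_CA.inc case)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if not verify_ssl:
        ctx.check_hostname = False     # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx):
    """True when the context checks both the certificate chain and the hostname."""
    return ctx.verify_mode != ssl.CERT_NONE and bool(ctx.check_hostname)


def parse_ccp_response(body):
    """Extract the account the scanner will log in with.  The password is in
    'Content'; an error reply carries 'ErrorMsg' instead."""
    data = json.loads(body)
    if "Content" not in data:
        raise ValueError("CCP lookup failed: %s" % data.get("ErrorMsg", body))
    return {"username": data.get("UserName"), "password": data["Content"],
            "address": data.get("Address"), "policy_id": data.get("PolicyID"),
            "name": data.get("Name")}


# Constructed sample reply (shape follows the CCP API; every value is invented).
SAMPLE_RESPONSE = json.dumps({
    "Content": "S3cr3t!Pa55", "UserName": "svc_nessus", "Address": "10.0.0.25",
    "Safe": "ScanCreds", "Folder": "Root", "PolicyID": "UnixSSH",
    "Name": "Operating System-UnixSSH-10.0.0.25-svc_nessus",
})

if __name__ == "__main__":
    url = build_ccp_url("ccp.example.internal", 443, True, "Nessus", "ScanCreds",
                        "Root", "Operating System-UnixSSH-10.0.0.25-svc_nessus", "UnixSSH")
    print(url)
    print(basic_auth_header("vaultuser", "pw"))
    print("verifies peer:", context_verifies_peer(tls_context(True)))
    account = parse_ccp_response(SAMPLE_RESPONSE)
    print("login as", account["username"], "on", account["address"])
```

The scanner only ever sends the AppID, Safe, Folder and Object name; the target password comes back in the reply, which is why "Vault Use SSL" and "Vault Verify SSL" both matter and why the Object name must match the Account Details Name exactly.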


Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.