Credentials

Credentials are reusable objects that facilitate scan target login. Credentials created by the admin user are available to all Organizations, while those created by Organizational users are only available to the applicable Organization. Various types of credentials can be configured for use in scan policies. Credentials can be shared between users for scanning purposes and allow the user to scan a remote host without actually knowing the login credentials of the host.

Windows Credentials

Nessus has vulnerability checks that can use a Microsoft Windows domain account to find local information from a remote Windows host. For example, using credentials enables Nessus to determine if important security patches have been applied. There are five options for authentication methods: Password, Kerberos, LM Hash, NTLM Hash, CyberArk Vault, and Thycotic Secret Server.

Your Authentication Method selection determines the other options you must configure. For more information about CyberArk and Thycotic-specific options, see CyberArk Vault Options and Thycotic Secret Server Options.

Tip: Using a non-administrator account will greatly affect the quality of the scan results. Often it makes sense to create a special Nessus user with administrative privileges that is used solely for scheduled scanning.

SSH Credentials

SSH credentials are used to obtain local information from remote Linux, Unix, and Cisco IOS systems for patch auditing or compliance checks.

Your Authentication Method selection determines the other options you must configure. For more information about CyberArk and Thycotic-specific options, see CyberArk Vault Options and Thycotic Secret Server Options.

Using the password method for SSH authentication requires entering a username and password for the account. Additionally, a privilege escalation method can be selected if needed.

The credentials stored are protected (encrypted) using the AES-256-CBC algorithm.

To use the Kerberos option to authenticate with an SSH login, type the username, password, domain, KDC Host, KDC port, KDC transport, and Realm options. Additionally, a privilege escalation method can be selected if needed.

The Public Key authentication option requires entering a username, uploading a private key, and entering the passphrase if needed. Additionally, a privilege escalation method can be selected if needed.

The Certificate authentication option requires entering a username, uploading a user certificate, uploading a private key, and entering the passphrase if needed. Additionally, a privilege escalation method can be selected if needed.

The most effective credentialed scans are those with root privileges (enable privileges, for Cisco IOS). Since many sites do not permit a remote login as root for security reasons, a Nessus user account can invoke a variety of privilege escalation options including: su, sudo, su+sudo, DirectAuthorize (dzdo), PowerBroker (pbrun), k5login, and Cisco Enable.

To direct the Nessus scanner to use privilege escalation, click the drop-down box labeled Privilege Escalation and click the appropriate option for your target system. Type the escalation information in the provided box.

Note: PowerBroker (pbrun), from BeyondTrust, and DirectAuthorize (dzdo), from Centrify, are proprietary root task delegation methods for Unix and Linux systems.

Tip: Scans run using su+sudo allow the user to scan with a non-privileged account and then switch to a user with sudo privileges on the remote host. This is important for locations where remote privileged login is prohibited.

Note: Scans run using sudo vs. the root user do not always return the same results because of the different environment variables applied to the sudo user and other subtle differences. For more information, see: https://www.sudo.ws/man/sudo.man.html.

SNMP Credentials

Type the SNMP Community string used for authentication.

Database Credentials

Configure the credentials and options for the supported database servers, including MSSQL, DB2, Informix/DRDA, MySQL, Oracle, and PostgreSQL.

Note: Aspects of credential options are based on Nessus plugin options. Therefore, specific credential options may differ from the descriptions documented here.

CyberArk Vault Options

The following table describes the options when using CyberArk Vault as the Authentication Method for Windows and SSH credentials.

Option Description

Username

The target system’s username.

CyberArk elevate privileges with

This item allows users to select or update options for SSH privilege escalation.

Domain

The domain, if the Username is part of a domain.

Central Credential Provider URL Host

The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider URL Port

The port the CyberArk Central Credential Provider is listening on.

Vault Username (optional)

If the CyberArk Central Credential Provider is configured to use basic authentication you can fill in this option for authentication.

Vault Password (optional)

If the CyberArk Central Credential Provider is configured to use basic authentication you can fill in this option for authentication.

Safe

The safe on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

AppID

The AppID that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.

Folder

The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

PolicyID

The PolicyID assigned to the credentials you would like to retrieve from the CyberArk Central Credential Provider.

Vault Use SSL

If CyberArk Central Credential Provider is configured to support SSL through IIS, select this option to use secure communication.

Vault Verify SSL

If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, select this option. Refer to the custom_CA.inc documentation for how to use self-signed certificates.

CyberArk AIM Service URL

The URL for the CyberArk AIM web service. By default, the system uses /AIMWebservice/v1.1/AIM.asmx.

CyberArk Address

If CyberArk Central Credential Provider is configured to support SSL through IIS, the domain for the CyberArk account.

Privilege Escalation with CyberArk Credentials

Tenable supports the use of privilege escalation, such as su and sudo, when using SSH through the CyberArk authentication method. When adding a CyberArk Password Vault credential set, select SSH as the Type and CyberArk Vault as the Authentication Method:

As shown above, an option for CyberArk elevate privileges with appears under the Username option. Multiple options for privilege escalation are supported, including su, su+sudo, and sudo. For example, if sudo is selected, additional options for sudo login, CyberArk Account Details Name, and Location of sudo (directory) are provided and can be completed to support authentication and privilege escalation through CyberArk Password Vault.

When asked for a CyberArk Account Details Name, perform the following steps to obtain the correct value:

  1. Log in to CyberArk Password Vault.
  2. Type a password.
  3. Look at the name parameter (such as in the image below) in the Account Details page; this is the value to supply in the CyberArk Account Details Name option.

Thycotic Secret Server Options

Option Description

Username

(Required) The username you want to use to access the target system.

Domain

(Required for Windows) The domain of the Username.

Thycotic Secret Name

(Required) The value that the secret is stored as on the Thycotic server; the Secret Name on the Thycotic server.

Thycotic Secret Server URL

(Required) The value you want SecurityCenter to use when setting the transfer method, target, and target directory for the scanner. Find the value on the Thycotic server, in Admin > Configuration > Application Settings > Secret Server URL.

For example, if you type https://pw.mydomain.com/SecretServer, SecurityCenter determines it is an SSL connection, that pw.mydomain.com is the target address, and that /SecretServer is the root directory.

Thycotic Login Name

(Required) The username for authenticating to the Thycotic server.

Thycotic Password

(Required) The password for authenticating to the Thycotic server.

Thycotic Organization

(Optional) In cloud instances of Thycotic, the value that identifies which organization the SecurityCenter query should target.

Thycotic Domain

(Optional) The domain value, if set, for the Thycotic server.

Use Private Key

If enabled, SecurityCenter uses key-based authentication for SSH connections instead of password authentication.

Verify SSL Certificate

If enabled, SecurityCenter verifies the SSL Certificate for the Nessus-Thycotic Secret Server connection. For more information about using self-signed certificates, see the Nessus custom_CA.inc documentation.
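The Secret Server URL example above, worked through as an added illustration (this is not SecurityCenter's own parsing code): the function below derives the three settings the table describes (transfer method, target address, root directory) from a URL and rejects values a practitioner would not want stored, such as a login embedded in the URL. The port defaults, the root-directory normalisation and the rejection rules are assumptions made here, not documented product behaviour.

```python
from urllib.parse import urlsplit

# Default ports implied by the scheme when the URL does not name one (assumption).
_DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_secret_server_url(url: str) -> dict:
    """Derive the settings inferred from a Thycotic Secret Server URL.

    Returns a dict with:
      ssl  - True for https (SSL connection), False for http
      host - the target address (hostname only, lower-cased)
      port - the explicit port, or the scheme's default
      root - the root directory, with a leading slash and no trailing slash
    Raises ValueError for anything that cannot be a usable server URL.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use http or https")
    if not parts.hostname:
        raise ValueError("URL has no host")
    # A login embedded in the URL (user:pass@host) would end up in logs and in
    # the stored URL; the Thycotic Login Name and Password fields exist for that.
    if parts.username is not None or parts.password is not None:
        raise ValueError("do not embed a login in the URL")
    if parts.query or parts.fragment:
        raise ValueError("URL must not carry a query string or fragment")
    root = "/" + parts.path.strip("/")  # "" and "/" both normalise to "/"
    return {
        "ssl": scheme == "https",
        "host": parts.hostname,
        "port": parts.port if parts.port is not None else _DEFAULT_PORTS[scheme],
        "root": root,
    }
```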

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.