Credentials

Credentials are reusable objects that facilitate scan target login. Credentials created by the admin user are available to all Organizations, while those created by Organizational users are only available to the applicable Organization. Various types of credentials can be configured for use in scan policies. Credentials can be shared between users for scanning purposes and allow the user to scan a remote host without actually knowing the login credentials of the host.

An example Windows credential window with CyberArk Vault as the authentication method is displayed below:

Windows Credentials

Nessus has vulnerability checks that can use a Microsoft Windows domain account to find local information from a remote Windows host. For example, using credentials enables Nessus to determine whether important security patches have been applied. The available authentication methods are: Password, Kerberos, LM Hash, NTLM Hash, CyberArk Vault, and Thycotic Secret Server.

To use the standard Windows password authentication method, type the Username, Password, and Domain in the boxes.

When using the Kerberos option to authenticate to a Windows host, type the username, password, domain, KDC Host, KDC port, and KDC transport options.

The LM and NTLM hash methods require the username, hash, and domain to be entered for the account to be used for logins.

When using CyberArk Vault credentials for authentication to Windows hosts, type additional information as described in CyberArk Vault Options.

When using Thycotic Secret Server credentials for authentication to SSH or Windows hosts, type additional information as described in Thycotic Secret Server Options.

Tip: Using a non-administrator account will greatly affect the quality of the scan results. Often it makes sense to create a special Nessus user with administrative privileges that is used solely for scheduled scanning.

SSH Credentials

SSH credentials are used to obtain local information from remote Linux, Unix, and Cisco IOS systems for patch auditing or compliance checks. There are five options for authentication methods: Password, Kerberos, Public Key, Certificate, and CyberArk Vault.

Using the password method for SSH authentication requires entering a username and password for the account. Additionally, a privilege escalation method may be selected if needed.

The stored credentials are protected (encrypted) using the AES-256-CBC algorithm.

To use the Kerberos option to authenticate using an SSH login, type the username, password, domain, KDC Host, KDC port, KDC transport, and Realm options. Additionally, a privilege escalation method may be selected if needed.

The Public Key authentication option requires entering a username, uploading a private key, and entering the passphrase if needed. Additionally, a privilege escalation method may be selected if needed.

The Certificate authentication option requires entering a username, uploading a user certificate, uploading a private key, and entering the passphrase if needed. Additionally, a privilege escalation method may be selected if needed.

When using CyberArk Vault credentials for authentication to SSH hosts, type additional information as described in CyberArk Vault Options and/or Privilege Escalation with CyberArk Credentials.

When using Thycotic Secret Server credentials for authentication to SSH or Windows hosts, type additional information as described in Thycotic Secret Server Options.

The most effective credentialed scans are those with “root” privileges (“enable” privileges for Cisco IOS). Since many sites do not permit a remote login as “root” for security reasons, a Nessus user account can invoke a variety of privilege escalation options including: “su”, “sudo”, “su+sudo”, “DirectAuthorize (dzdo)”, “PowerBroker (pbrun)”, “k5login”, and “Cisco Enable”.

To direct the Nessus scanner to use privilege escalation, click the drop-down box labeled Privilege Escalation and click the appropriate option for your target system. Type the escalation information in the provided box.

Note: PowerBroker (pbrun) from BeyondTrust and DirectAuthorize (dzdo) from Centrify are proprietary root task delegation methods for Unix and Linux systems.

Tip: Scans run using “su+sudo” allow the user to scan with a non-privileged account and then switch to a user with “sudo” privileges on the remote host. This is important for locations where remote privileged login is prohibited.

Note: Scans run using “sudo” vs. the root user do not always return the same results because of the different environment variables applied to the “sudo” user and other subtle differences. Please refer to the “sudo” man pages or the following web page for more information: https://www.sudo.ws/man/sudo.man.html.

SNMP Credentials

Type the SNMP community string used for authentication.

Database Credentials

Type credentials and options for various types of database servers, including MSSQL, DB2, Informix/DRDA, MySQL, Oracle, and PostgreSQL.

Note: Aspects of credential options are based on Nessus plugin options. Therefore, specific credential options may differ from the descriptions documented here.

CyberArk Vault Options

The following table describes the options when using CyberArk Vault as the Authentication Method for Windows and SSH credentials.

Option Description

Username

The target system’s username.

CyberArk elevate privileges with

This item allows users to select/update options for SSH privilege escalation.

Domain

Optional; fill in if the username above is part of a domain.

Central Credential Provider Host

The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider Port

The port the CyberArk Central Credential Provider is listening on.

Vault Username (optional)

If the CyberArk Central Credential Provider is configured to use basic authentication you can fill in this option for authentication.

Vault Password (optional)

If the CyberArk Central Credential Provider is configured to use basic authentication you can fill in this option for authentication.

Safe

The safe on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

AppID

The AppID that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.

Folder

The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

PolicyID

The PolicyID assigned to the credentials you would like to retrieve from the CyberArk Central Credential Provider.

Vault Use SSL

If CyberArk Central Credential Provider is configured to support SSL through IIS, check for secure communication.

Vault Verify SSL

If CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, check this. Refer to custom_CA.inc documentation for how to use self-signed certificates.

Privilege Escalation with CyberArk Credentials

Tenable supports the use of privilege escalation, such as “su” and “sudo”, when using SSH through the CyberArk authentication method. When adding a CyberArk Password Vault credential set, select SSH as the Type and CyberArk Vault as the Authentication Method:

As shown above, an option for CyberArk elevate privileges with appears under the Username option. Multiple options for privilege escalation are supported, including “su”, “su+sudo”, and “sudo”. For example, if “sudo” is selected, additional options for sudo login, CyberArk Account Details Name, and Location of sudo (directory) are provided and can be completed to support authentication and privilege escalation through CyberArk Password Vault.

When asked for a CyberArk Account Details Name, perform the following steps to obtain the correct value:

  1. Log in to CyberArk Password Vault.
  2. Type a password.
  3. Look at the name parameter (such as in the image below) in the Account Details page; this is the value to supply in the CyberArk Account Details Name option.

Thycotic Secret Server Options

Option Description

Username

(Required) The username you want to use to access the target system.

Domain

(Required for Windows) The domain of the Username.

Thycotic Secret Name

(Required) The value that the secret is stored as on the Thycotic server; the Secret Name on the Thycotic server.

Thycotic Secret Server URL

(Required) The value you want SecurityCenter to use when setting the transfer method, target, and target directory for the scanner. Find the value on the Thycotic server, in Admin > Configuration > Application Settings > Secret Server URL.

For example, if you type https://pw.mydomain.com/SecretServer, SecurityCenter determines it is an SSL connection, that pw.mydomain.com is the target address, and that /SecretServer is the root directory.

Thycotic Login Name

(Required) The username for authenticating to the Thycotic server.

Thycotic Password

(Required) The password for authenticating to the Thycotic server.

Thycotic Organization

(Optional) In cloud instances of Thycotic, the value that identifies which organization the SecurityCenter query should target.

Thycotic Domain

(Optional) The domain value, if set, for the Thycotic server.

Use Private Key

If enabled, SecurityCenter uses key-based authentication for SSH connections instead of password authentication.

Verify SSL Certificate

If enabled, SecurityCenter verifies the SSL certificate for the Nessus-Thycotic Secret Server connection. For more information about using self-signed certificates, see the Nessus custom_CA.inc documentation.
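The decomposition of the Thycotic Secret Server URL described above (transfer method, target address, root directory), together with a check of the Verify SSL Certificate setting, as an added Python example that is not Tenable's own code. The default ports of 443/80, the rejection of non-HTTP schemes, and the warning texts are this example's assumptions, not documented SecurityCenter behaviour.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SecretServerTarget:
    """What the scanner derives from the Thycotic Secret Server URL."""
    use_ssl: bool   # transfer method: True for https, False for http
    host: str       # target address
    port: int       # assumption: 443/80 when the URL carries no explicit port
    root_dir: str   # root directory of the Secret Server installation


def parse_secret_server_url(url: str) -> SecretServerTarget:
    """Split the documented URL form into transfer method, target and root directory.

    Only http and https are accepted (an assumption of this example); anything else,
    or a missing host, is reported as a configuration error rather than guessed at.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use http or https")
    if not parts.hostname:
        raise ValueError("Secret Server URL has no host")
    use_ssl = parts.scheme == "https"
    port = parts.port or (443 if use_ssl else 80)
    # Normalise "/SecretServer/" and "/SecretServer" to the same value; a bare
    # host means the installation sits at the web root.
    root_dir = parts.path.rstrip("/") or "/"
    return SecretServerTarget(use_ssl, parts.hostname, port, root_dir)


def credential_warnings(url: str, verify_ssl_certificate: bool) -> list[str]:
    """Flag settings that expose the Thycotic login and retrieved secrets in transit."""
    target = parse_secret_server_url(url)
    warnings = []
    if not target.use_ssl:
        warnings.append("plain http: Thycotic Login Name, Thycotic Password and "
                        "retrieved secrets cross the network unencrypted")
    elif not verify_ssl_certificate:
        warnings.append("Verify SSL Certificate is off: the scanner cannot tell the "
                        "real Secret Server from a host impersonating it")
    return warnings
```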


Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.