Host supports the following forms of host authentication:


Use SNMPv3 credentials to scan remote systems that use an encrypted network management protocol (including network devices). uses these credentials to scan for patch auditing or compliance checks.

Note: SNMPv3 options are only available in the Advanced Network Scan template.

Click SNMPv3 in the Credentials list to configure the following settings:

Option Description



The username for the SNMPv3 based account that uses to perform the checks on the target system.



The port on which SNMP is running on the target system. By default, this value is 161.


Security level

The security level for SNMP:

  • No authentication and no privacy
  • Authentication without privacy
  • Authentication with privacy

Authentication algorithm

The algorithm the remove service supports (MD5 or SHA1).

yes (if you select authentication)

Authentication password

The password for the username specified.

yes (if you select authentication)

Privacy algorithm

The encryption algorithm to use for SNMP traffic.

yes (if you select authentication with privacy)

Privacy password

A password used to protect encrypted SNMP communication.

yes (if you select authentication with privacy)


Use SSH credentials for host-based checks on Unix systems and supported network devices. uses these credentials to obtain local information from remote Unix systems for patch auditing or compliance checks. uses Secure Shell (SSH) protocol version 2 based programs (e.g., OpenSSH, Solaris SSH, etc.) for host-based checks. encrypts the data to protect it from being viewed by sniffer programs.

Note: Non-privileged users with local access on Linux systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.

Note: You can add up to 1000 SSH credentials in a single scan. For best performance, Tenable recommends adding no more than 10 SSH credentials per scan.

Select SSH in the Credentials list to configure the settings for the following SSH authentication methods:

Note: Non-privileged users with local access on Unix systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.


Click Windows in the Credentials list to configure settings for the Windows-based authentication methods described below.

Windows Authentication Considerations

Regarding the authentication methods:

  • automatically uses SMB signing if it is required by the remote Windows server. SMB signing is a cryptographic checksum applied to all SMB traffic to and from a Windows server. Many system administrators enable this feature on their servers to ensure that remote users are 100% authenticated and part of a domain. In addition, make sure you enforce a policy that mandates the use of strong passwords that cannot be easily broken via dictionary attacks from tools like John the Ripper and L0phtCrack. Note that there have been many different types of attacks against Windows security to illicit hashes from computers for re-use in attacking servers. SMB Signing adds a layer of security to prevent these man-in-the-middle attacks.
  • The SPNEGO (Simple and Protected Negotiate) protocol provides Single Sign On (SSO) capability from a Windows client to a variety of protected resources via the users’ Windows login credentials. supports use of SPNEGO Scans and Policies: Scans 54 of 151 with either NTLMSSP with LMv2 authentication or Kerberos and RC4 encryption. SPNEGO authentication happens through NTLM or Kerberos authentication; nothing needs to be set in the scan configuration.
  • If an extended security scheme (such as Kerberos or SPNEGO) is not supported or fails, attempts to log in via NTLMSSP/LMv2 authentication. If that fails, then attempts to log in using NTLM authentication.
  • also supports the use of Kerberos authentication in a Windows domain. To configure this, the IP address of the Kerberos Domain Controller (actually, the IP address of the Windows Active Directory Server) must be provided.

Server Message Block (SMB) is a file-sharing protocol that allows computers to share information across the network. Providing this information to allows it to find local information from a remote Windows host. For example, using credentials enables to determine if important security patches have been applied. It is not necessary to modify other SMB parameters from default settings.

The SMB domain field is optional and is able to log on with domain credentials without this field. The username, password, and optional domain refer to an account that the target machine is aware of. For example, given a username of joesmith and a password of my4x4mpl3, a Windows server first looks for this username in the local system’s list of users, and then determines if it is part of a domain.

Regardless of credentials used, always attempts to log into a Windows server with the following combinations:

  • Administrator without a password
  • A random username and password to test Guest accounts
  • No username or password to test null sessions

The actual domain name is only required if an account name is different on the domain from that on the computer. It is entirely possible to have an Administrator account on a Windows server and within the domain. In this case, to log onto the local server, the username of Administrator is used with the password of that account. To log onto the domain, the Administrator username is also used, but with the domain password and the name of the domain.

When multiple SMB accounts are configured, attempts to log in with the supplied credentials sequentially. Once is able to authenticate with a set of credentials, it checks subsequent credentials supplied, but only uses them if administrative privileges are granted when previous accounts provided user access.

Some versions of Windows allow you to create a new account and designate it as an administrator. These accounts are not always suitable for performing credentialed scans. Tenable recommends that the original administrative account, named Administrator be used for credentialed scanning to ensure full access is permitted. On some versions of Windows, this account may be hidden. To unhide the real administrator account, open a DOS prompt with administrative privileges and run the following command:

C:\> net user administrator /active:yes

If an SMB account is created with limited administrator privileges, can easily and securely scan multiple domains. Tenable recommends that network administrators create specific domain accounts to facilitate testing. includes a variety of security checks for Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 that are more accurate if a domain account is provided. does attempt to try several checks in most cases if no account is provided.

Note: The Windows Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. If the service is not running, reading keys and values from the registry is not possible, even with full credentials. This service must be started for a credentialed scan to fully audit a system using credentials.

For more information, see the Tenable blog post Dynamic Remote Registry Auditing - Now you see it, now you don’t!

Credentialed scans on Windows systems require that a full administrator level account be used. Several bulletins and software updates by Microsoft have made reading the registry to determine software patch level unreliable without administrator privileges, but not all of them. plugins check that the provided credentials have full administrative access to ensure the plugins execute properly. For example, full administrative access is required to perform direct reading of the file system. This allows to attach to a computer and perform direct file analysis to determine the true patch level of the systems being evaluated.