Windows Credentials

Nessus has vulnerability checks that can use a Microsoft Windows domain account to find local information from a remote Windows host. For example, using credentials enables Nessus to determine if important security patches have been applied.

Tip: Using a non-administrator account will greatly affect the quality of the scan results. Often it makes sense to create a special Nessus user with administrative privileges that is used solely for scheduled scanning.

Configure the following options for Windows credentials, including options specific for your authentication method: Arcon Options, CyberArk Vault Options, Hashicorp Vault Options, Kerberos Options, LM Hash Options, NTLM Hash Options, Password Options, Thycotic Secret Server Options, BeyondTrust Options, and Lieberman Options.

General Options Description

Name

(Required) A name for the credential.
Description A description for the credential.

Tag

A tag for the credential. For more information, see Tags.

Arcon Options

The following table describes the additional options to configure when using Arcon as the authentication method for SSH credentials.

Option Description
Arcon Host

(Required) The Arcon IP address or DNS address.

Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Arcon Port (Required) The port on which Arcon listens. By default, Tenable.sc uses port 444.
API User (Required) The API user provided by Arcon.
API Key (Required) The API key provided by Arcon.
Authentication URL (Required) The URL Tenable.sc uses to access Arcon.
Password Engine URL

(Required) The URL Tenable.sc uses to access the passwords in Arcon.

Username (Required) The username to log in to the hosts you want to scan.
Checkout Duration

(Required) The length of time, in minutes, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable.sc scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable.sc scans. If Arcon changes a password during a scan, the scan fails.

Use SSL If enabled, Tenable.sc uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option.
Verify SSL Certificate If enabled, Tenable.sc validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option.

CyberArk Vault Options

The following table describes the options to configure when using CyberArk Vault as the authentication method for Windows credentials.

Note: You must be running Nessus 7.0.0 or later to configure CyberArk credentials.

Option Description

Username

The username for the target system.

Domain

The domain, if the username is part of a domain.

Central Credential Provider URL Host

The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider URL Port

The port the CyberArk Central Credential Provider is listening on.

Vault Username (optional)

The username for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Vault Password (optional)

The password for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Safe

The safe on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

CyberArk Client Certificate The file that contains the PEM certificate used to communicate with the CyberArk host.
CyberArk Client Certificate Private Key The file that contains the PEM private key for the client certificate.
CyberArk Client Certificate Private Key Passphrase The passphrase for the private key, if required.

AppID

The AppID with CyberArk Central Credential Provider permissions to retrieve the target password.

Folder

The folder on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

PolicyID

The PolicyID assigned to the credentials you want to retrieve.

Vault Use SSL

When enabled, Tenable.sc uses SSL through IIS for secure communications. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

Vault Verify SSL

When enabled, Tenable.sc validates the SSL certificate. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

For more information about using self-signed certificates, see Custom Plugin Packages for NASL and CA Certificate Upload.

CyberArk Escalation Account Details Name

The unique name of the credential you want to retrieve from CyberArk.

CyberArk AIM Service URL

The URL for the CyberArk AIM web service. By default, Tenable.sc uses /AIMWebservice/v1.1/AIM.asmx.

Hashicorp Vault Options

The following table describes the additional options to configure when using Hashicorp Vault as the authentication method for SSH credentials.

Option Default Value Required

Hashicorp Host

The Hashicorp Vault IP address or DNS address.

Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

yes

Hashicorp Port

The port on which Hashicorp Vault listens.

yes
Authenticaton Type

Specifies the authentication type for connecting to the instance: App Role or Certificates.

If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key.

yes
Role ID

The GUID provided by Hashicorp Vault when you configured your App Role.

yes
Role Secret ID The GUID generated by Hashicorp Vault when you configured your App Role. yes
Authentication URL The URL used to access Hashicorp Vault. yes

Namespace

The name of a specified team in a multi-team environment.

no

KV Engine URL

The URL Tenable.sc uses to access the Hashicorp Vault secrets engine.

yes
Username Source Specifies if the username is input manually or pulled from Hashicorp Vault. yes
Username key The name in Hashicorp Vault that usernames are stored under. yes
Password key The key in Hashicorp Vault that passwords are stored under. yes
Secret Name The key secret you want to retrieve values for. yes
Use SSL If enabled, Tenable.sc uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. no
Verify SSL If enabled, Tenable.sc validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. no

Kerberos Options

The following table describes the options to configure when using Kerberos as the authentication method for Windows credentials.

Option Description
Username The username for a user on the target system.
Password The password associated with the username you provided.
Domain The authentication domain, typically the domain name of the target (e.g., example.com).
KDC Host The host supplying the session tickets.
KDC Port The port you want to use for the KDC connection. By default, Tenable.sc uses port 88.
KDC Transport

The method you want to use to connect to the KDC server.

Note: If you select UDP, you may need to edit the KDC Port. The KDC UDP protocol uses either port 88 or port 750.

LM Hash Options

The following table describes the options to configure when using LM Hash as the authentication method for Windows credentials.

Option Description
Username The username for a user on the target system.
Hash The LM hash you want to use.
Domain The domain of the username, if required.

NTLM Hash Options

The following table describes the options to configure when using NTLM Hash as the authentication method for Windows credentials.

Option Description
Username The username for a user on the target system.
Hash The NTLM hash you want to use.
Domain The domain of the username, if required.

Password Options

The following table describes the options to configure when using Password as the authentication method for Windows credentials.

Option Description
Username The username for a user on the target system.
Password The password associated with the username you provided.
Domain The domain of the username, if required.

Thycotic Secret Server Options

The following table describes the options to configure when using Thycotic Secret Server as the authentication method for Windows credentials.

Option Description

Username

(Required) The username for a user on the target system.
Domain The domain of the username, if set on the Thycotic server.
Thycotic Secret Name The Secret Name value on the Thycotic server.
Thycotic Secret Server URL

(Required) The value you want Tenable.sc to use when setting the transfer method, target, and target directory for the scanner. Find the value on the Thycotic server, in Admin > Configuration > Application Settings > Secret Server URL.

For example, if you type https://pw.mydomain.com/SecretServer, Tenable.sc determines it is an SSL connection, that pw.mydomain.com is the target address, and that /SecretServer is the root directory.

Thycotic Login Name (Required) The username for a user on the Thycotic server.
Thycotic Password (Required) The password associated with the Thycotic Login Name you provided.
Thycotic Organization In cloud instances of Thycotic, the value that identifies which organization the Tenable.sc query should target.
Thycotic Domain The domain, if set for the Thycotic server.
Use Private Key If enabled, Tenable.sc uses key-based authentication for SSH connections instead of password authentication.
Verify SSL Certificate

If enabled, Tenable.sc verifies the SSL Certificate on the Thycotic server.

For more information about using self-signed certificates, see Custom Plugin Packages for NASL and CA Certificate Upload.

BeyondTrust Options

The following table describes the options to configure when using BeyondTrust as the authentication method for Windows credentials.

Note: You must be running Nessus 7.0.3 or later to configure BeyondTrust credentials.

Option Description
Username The username to log in to the hosts you want to scan.
Domain The domain of the username, if required by BeyondTrust.
BeyondTrust Host The BeyondTrust IP address or DNS address.
BeyondTrust Port The port BeyondTrust is listening on.
BeyondTrust API User The API user provided by BeyondTrust.
BeyondTrust API Key The API key provided by BeyondTrust.
Checkout Duration

The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout duration to exceed the typical duration of your Tenable.sc scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails.

Tip: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable.sc scans. If BeyondTrust changes a password during a scan, the scan fails.

Use SSL If enabled, Tenable.sc uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.
Verify SSL Certificate If enabled, Tenable.sc validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.

Lieberman Options

The following table describes the additional options to configure when using Lieberman as the authentication method for Windows credentials.

Note: You must be running Nessus 7.1.0 or later to configure Lieberman credentials.

Option Description
Username The username for a user on the database.
Domain The domain of the username, if required by Lieberman.
Lieberman Host

The Lieberman IP address or DNS address.

Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path.

Lieberman Port The port Lieberman is listening on.
Lieberman User

The username for the Lieberman explicit user you want Tenable.sc to use for authentication to the Lieberman Rapid Enterprise Defense (RED) API.

Lieberman Password

The password for the Lieberman explicit user.

Use SSL

When enabled, Tenable.sc uses SSL through IIS for secure communications. You must configure SSL through IIS in Lieberman before enabling this option.

Verify SSL Certificate

When enabled, Tenable.sc validates the SSL certificate. You must configure SSL through IIS in Lieberman before enabling this option.

For more information about using self-signed certificates, see Custom Plugin Packages for NASL and CA Certificate Upload.

System Name The name for the database credentials in Lieberman.