Performing Authenticated Vulnerability Scan

Overview

Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and perform deep inspection of installed software, patches, configurations, and security settings. Compared to unauthenticated scanning, credentialed scans detect 45-60% more vulnerabilities with significantly fewer false positives because they can directly query installed packages, registry keys, and file system contents.

Prerequisites

• Vulnerability scanner (Nessus, Qualys, OpenVAS, Rapid7 InsightVM)
• Service accounts with appropriate privileges on target systems
• Secure credential storage (vault integration preferred)
• Network access from scanner to target management ports
• Written authorization from system owners

Core Concepts

Why Authenticated Scanning

Unauthenticated scanning can only assess externally visible services and banners, often leading to:

• Missed vulnerabilities in locally installed software
• Inaccurate version detection from banner changes
• Inability to check patch levels, configurations, or local policies
• Higher false positive rates due to inference-based detection

Authenticated scanning resolves these by directly querying the target OS.

Credential Types by Platform

Linux/Unix Systems

• SSH Key Authentication: RSA/Ed25519 key pairs (recommended)
• SSH Username/Password: Fallback for systems without key-based auth
• Sudo/Su Elevation: Non-root user with sudo privileges
• Certificate-based SSH: X.509 certificates for enterprise environments

Windows Systems

• SMB (Windows): Domain or local admin credentials
• WMI: Windows Management Instrumentation queries
• WinRM: Windows Remote Management (HTTPS preferred)
• Kerberos: Domain authentication with service tickets

Network Devices

• SNMP v3: USM with authentication and privacy (AES-256)
• SSH: For Cisco IOS, Juniper JunOS, Palo Alto PAN-OS
• API Tokens: REST API for modern network platforms

Databases

• Oracle: SYS/SYSDBA credentials or TNS connection
• Microsoft SQL Server: Windows auth or SQL auth
• PostgreSQL: Role-based authentication
• MySQL: User/password with SELECT privileges

Implementation Steps

Step 1: Create Dedicated Service Accounts

# Linux: Create scan service account
sudo useradd -m -s /bin/bash -c "Vulnerability Scanner Service Account" nessus_svc
sudo usermod -aG sudo nessus_svc

# Configure sudo for passwordless specific commands
echo 'nessus_svc ALL=(ALL) NOPASSWD: /usr/bin/dpkg -l, /usr/bin/rpm -qa, \
/bin/cat /etc/shadow, /usr/sbin/dmidecode, /usr/bin/find' | sudo tee /etc/sudoers.d/nessus_svc

# Generate SSH key pair
sudo -u nessus_svc ssh-keygen -t ed25519 -f /home/nessus_svc/.ssh/id_ed25519 -N ""

# Distribute public key to targets
for host in $(cat target_hosts.txt); do
    ssh-copy-id -i /home/nessus_svc/.ssh/id_ed25519.pub nessus_svc@$host
done

# Windows: Create scan service account via PowerShell
New-ADUser -Name "SVC_VulnScan" `
    -SamAccountName "SVC_VulnScan" `
    -UserPrincipalName "SVC_VulnScan@domain.local" `
    -Description "Vulnerability Scanner Service Account" `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString "Enter Password")

# Add to local Administrators group on targets via GPO or:
Add-ADGroupMember -Identity "Domain Admins" -Members "SVC_VulnScan"
# For least privilege, use a dedicated GPO for local admin rights instead

# Enable WinRM on targets
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Service\AllowRemote -Value $true
winrm set winrm/config/service '@{AllowUnencrypted="false"}'

Step 2: Configure Scanner Credentials

Nessus Configuration

{
  "credentials": {
    "add": {
      "Host": {
        "SSH": [{
          "auth_method": "public key",
          "username": "nessus_svc",
          "private_key": "/path/to/id_ed25519",
          "elevate_privileges_with": "sudo",
          "escalation_account": "root"
        }],
        "Windows": [{
          "auth_method": "Password",
          "username": "DOMAIN\\SVC_VulnScan",
          "password": "stored_in_vault",
          "domain": "domain.local"
        }],
        "SNMPv3": [{
          "username": "nessus_snmpv3",
          "security_level": "authPriv",
          "auth_algorithm": "SHA-256",
          "auth_password": "stored_in_vault",
          "priv_algorithm": "AES-256",
          "priv_password": "stored_in_vault"
        }]
      }
    }
  }
}

Step 3: Validate Credential Access

# Test SSH connectivity
ssh -i /path/to/key -o ConnectTimeout=10 nessus_svc@target_host "uname -a && sudo dpkg -l | head -5"

# Test WinRM connectivity
python3 -c "
import winrm
s = winrm.Session('target_host', auth=('DOMAIN\\\\SVC_VulnScan', 'password'), transport='ntlm')
r = s.run_cmd('systeminfo')
print(r.std_out.decode())
"

# Test SNMP v3 connectivity
snmpwalk -v3 -u nessus_snmpv3 -l authPriv -a SHA-256 -A authpass -x AES-256 -X privpass target_host sysDescr.0

Step 4: Run Authenticated Scan

Configure and launch the scan using the Nessus API:

# Create scan with credentials
curl -k -X POST https://nessus:8834/scans \
  -H "X-Cookie: token=$TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "uuid": "'$TEMPLATE_UUID'",
    "settings": {
      "name": "Authenticated Scan - Production",
      "text_targets": "192.168.1.0/24",
      "launch": "ON_DEMAND"
    },
    "credentials": {
      "add": {
        "Host": {
          "SSH": [{"auth_method": "public key", "username": "nessus_svc", "private_key": "/keys/id_ed25519"}],
          "Windows": [{"auth_method": "Password", "username": "DOMAIN\\SVC_VulnScan", "password": "vault_ref"}]
        }
      }
    }
  }'

Step 5: Verify Credential Success

After scan completion, check credential verification results:

• Plugin 19506 (Nessus Scan Information): Shows credential status
• Plugin 21745 (OS Security Patch Assessment): Confirms local checks
• Plugin 117887 (Local Security Checks): Credential verification
• Plugin 110385 (Nessus Credentialed Check): Target-level auth status

Credential Security Best Practices

1. Use a secrets vault (HashiCorp Vault, CyberArk, AWS Secrets Manager) for credential storage
2. Rotate credentials every 90 days or after personnel changes
3. Principle of least privilege - only grant minimum required access
4. Audit credential usage - monitor service account login events
5. Encrypt in transit - use SSH keys over passwords, WinRM over HTTPS
6. Separate accounts per scanner - never share credentials across tools
7. Disable interactive login for scan service accounts where possible
8. Log all authentication events for scan accounts in SIEM

Common Pitfalls

• Using domain admin accounts instead of least-privilege service accounts
• Storing credentials in plaintext scan configurations
• Not testing credentials before scan launch (leads to wasted scan windows)
• Forgetting to configure sudo/elevation for Linux targets
• Windows UAC blocking remote credentialed checks
• Firewall rules blocking WMI/WinRM/SSH between scanner and targets
• Credential lockout from multiple failed authentication attempts

Related Skills

• scanning-infrastructure-with-nessus
• performing-network-vulnerability-assessment
• implementing-continuous-vulnerability-monitoring