Authenticated Scans
Last updated
While Nessus is often used to scan devices externally, it can also be used to perform authenticated, internal scans of a system. In this lab, you’ll explore how to add credentials to a Nessus scan using SSH and Windows authentication to scan a host from within.
Nessus can be configured to perform both internal and external scanning of a remote host. When an internal scan is launched, Nessus uses valid login credentials to authenticate to the target system before starting the scan. This allows Nessus to access areas of the target system that might not be exposed to unauthenticated users. As a result, it can provide a more complete view of the target's security posture.
This type of scan is useful for identifying vulnerabilities that wouldn't be detected by an unauthenticated scan, such as those specific to privileged users or hidden behind authentication mechanisms. It's important to note that Nessus authenticated scans typically take longer to run than unauthenticated scans and that Nessus must be provided with the appropriate login credentials for the target system before the scan can run.
When credentials are added to a scan, Nessus will only perform an internal scan, not an external scan of the host. For more information on external network scans, have a look at the lab below.
Configuring an internal scan with Nessus is much the same as configuring an external scan. From the My Scans page, click New Scan to open the Scan Templates page. Click Basic Network Scan to start configuring a new scan.
Configure the scan the same as you would any external scan by giving it a name and entering the IP address of your target into the Targets field. Now, open the Credentials tab.
Nessus displays all available types of credentials in the panel to the left of the Credentials tab. By default, Nessus will filter this list and display the two most common credential types you'll likely need when configuring an internal scan: SSH and Windows.
Click on the name of the credential type from the list to start configuring the credentials. For example, clicking SSH will add a new SSH credential to the panel.
Multiple credentials will be added to the scan if the credential type is clicked multiple times. You can remove any credentials you've added by clicking the Remove icon (X) on the right side of the row.
Nessus supports using SSH to connect to a target host, using a range of different authentication methods. By default, Nessus uses private key authentication to connect to a host but can also be configured to use password-based, certificate-based, or Kerberos authentication methods.
You can change the authentication method used for SSH connections by updating the Authentication method field to one of the other options available in the dropdown list. Nessus will automatically update the panel to only display fields required for that authentication method.
For example, when using password-based authentication, Nessus only requires a username and password of a valid user account on the target. Any options essential for the authentication to succeed are marked with a REQUIRED badge.
Credentialed scans can only perform tasks that the user account can perform. The level of scanning depends on the privileges granted to the user account you configure Nessus to use. For example, standard users on Linux systems can identify basic security issues, such as missing patches or accounts listed in the /etc/passwd file. However, for a more in-depth look at the system configuration, you need an administrator-level (root) account.
Nessus supports various privilege escalation methods, depending on the host in use. Like the authentication method field, selecting a different privilege escalation method will update the configuration panel, depending on what fields Nessus needs for that particular method.
For example, if the user account Nessus is using for SSH has sudo permissions on the Linux host, the sudo privilege escalation method might be suitable. Switching to this method will prompt Nessus to display three new fields: sudo user, sudo password, and location of sudo (directory).
Enter the sudo user (typically root) and the password of the user account that's attempting to use sudo. If you're using password-based authentication, this'll be the same password you entered above. Finally, enter the full path to the sudo binary's directory. In most cases, this is /usr/bin, but this may differ depending on the host.
Once these fields are configured, Nessus can use sudo to escalate to root and perform privileged checks. It's not essential for Nessus to perform privileged checks when scanning a host. If the Elevate privileges with field is set to Nothing, Nessus won't attempt to perform any privileged checks.
Nessus also supports authentication using built-in Windows accounts. As with SSH credentials, Nessus supports several authentication methods: password-based authentication, hash-based authentication (both LM and NTLM hashes are supported), and Kerberos-based authentication.
Add a new Windows credential to a scan and change the authentication method option to see which fields are required by Nessus. Like the SSH credential type, any options essential for successful authentication are marked with a REQUIRED badge.
For password and hash-based authentication, all Nessus requires is the username and password (or hash) of the account it'll use for scanning (Domain is an optional field for when a host is domain-joined). Kerberos authentication requires slightly more configuration, requiring additional details (such as the Key Distribution Center) before it can be used.
By default, Nessus lists the credentials used for Host-based authentication (SSH and Windows). However, Nessus also supports authentication to specific services, such as FTP or IMAP. Change the Category of credentials to All to see each credential type supported by Nessus.
Some credential types can be added multiple times to a scan. Nessus displays the number of times each type of credential can be added to the scan in the same row as the name of each credential type. For example, whereas an unlimited number of SSH or Database credentials can be added to a scan (as indicated by the infinity symbol), only one set of FTP credentials can be added.
Once credentials have been added, they're automatically saved along with the scan when the Save button is clicked. From the My Scans panel, click the Launch button to launch your scan. Once launched, select the corresponding row in the My Scans table to open the details page.
As the scan has been supplied credentials, Nessus will start an internal scan of the host. If Nessus fails to authenticate to the host using these credentials, it'll fall back to performing an external network scan of the host. In both cases, live results are added to the Vulnerabilities table as soon as Nessus discovers them.
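Because the fallback to an unauthenticated scan is silent, it is worth confirming from the exported results that credentialed checks actually ran. The following is an added example, not part of the lab or of Nessus itself: it reads plugin 19506 ("Nessus Scan Information") from a .nessus export and reports, per host, whether checks were credentialed and the highest severity found. The XML document is constructed for the example; plugin IDs 1 and 2 are placeholders, and the "Credentialed checks : yes/no" wording is assumed to match what plugin 19506 prints.

```python
"""Added example (not part of the lab): confirm that a Nessus scan really ran
credentialed checks by reading plugin 19506 ("Nessus Scan Information") out of a
.nessus export, and report the highest severity per host.

SAMPLE_NESSUS is a constructed, minimal NessusClientData_v2 document; its
plugin_output wording mirrors the "Credentialed checks : yes/no" line that
plugin 19506 prints (an assumption of this example)."""
import re
import xml.etree.ElementTree as ET

SEVERITY = {0: "INFO", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}

SAMPLE_NESSUS = """<NessusClientData_v2><Report name="lab">
 <ReportHost name="192.0.2.10">
  <ReportItem pluginID="19506" pluginName="Nessus Scan Information" severity="0">
   <plugin_output>Credentialed checks : yes (1 valid credential)
Scan policy used : Basic Network Scan</plugin_output>
  </ReportItem>
  <ReportItem pluginID="1" pluginName="Constructed local finding" severity="3"/>
 </ReportHost>
 <ReportHost name="192.0.2.20">
  <ReportItem pluginID="19506" pluginName="Nessus Scan Information" severity="0">
   <plugin_output>Credentialed checks : no</plugin_output>
  </ReportItem>
  <ReportItem pluginID="2" pluginName="Constructed remote finding" severity="0"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

def audit_credentialed(nessus_xml: str) -> dict:
    """Map host name -> {"credentialed": True/False/None, "highest": severity label}."""
    result = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        credentialed, worst = None, 0
        for item in host.iter("ReportItem"):
            worst = max(worst, int(item.get("severity", "0")))
            if item.get("pluginID") == "19506":
                m = re.search(r"Credentialed checks\s*:\s*(yes|no)",
                              item.findtext("plugin_output") or "")
                if m:
                    credentialed = m.group(1) == "yes"
        result[host.get("name")] = {"credentialed": credentialed,
                                    "highest": SEVERITY[worst]}
    return result

def fell_back(nessus_xml: str) -> list:
    """Hosts whose scan ran unauthenticated (or where plugin 19506 is absent):
    the silent fallback to an external scan described above."""
    return sorted(h for h, r in audit_credentialed(nessus_xml).items()
                  if not r["credentialed"])
```

A host listed by fell_back() after a credentialed scan means the supplied credentials were not usable and its findings reflect only the external view.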
The results of running the Linux host vulnerability scan without credentials: the highest level of vulnerability found was INFO.
The results of running the scan on the Linux host with credentials: the highest level of vulnerability found was HIGH.
Results of the Windows scan with credentials: