Performing Authenticated Vulnerability Scan

Overview

Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and perform deep inspection of installed software, patches, configurations, and security settings. Compared to unauthenticated scanning, credentialed scans detect 45-60% more vulnerabilities with significantly fewer false positives because they can directly query installed packages, registry keys, and file system contents.

When to Use

When conducting security assessments that involve performing authenticated vulnerability scan
When following incident response procedures for related security events
When performing scheduled security testing or auditing activities
When validating security controls through hands-on testing

Prerequisites

Vulnerability scanner (Nessus, Qualys, OpenVAS, Rapid7 InsightVM)
Service accounts with appropriate privileges on target systems
Secure credential storage (vault integration preferred)
Network access from scanner to target management ports
Written authorization from system owners

Core Concepts

Why Authenticated Scanning

Unauthenticated scanning can only assess externally visible services and banners, often leading to:

Missed vulnerabilities in locally installed software
Inaccurate version detection from banner changes
Inability to check patch levels, configurations, or local policies
Higher false positive rates due to inference-based detection

Authenticated scanning resolves these by directly querying the target OS.

Credential Types by Platform

Linux/Unix Systems

SSH Key Authentication: RSA/Ed25519 key pairs (recommended)
SSH Username/Password: Fallback for systems without key-based auth
Sudo/Su Elevation: Non-root user with sudo privileges
Certificate-based SSH: X.509 certificates for enterprise environments

Windows Systems

SMB (Windows): Domain or local admin credentials
WMI: Windows Management Instrumentation queries
WinRM: Windows Remote Management (HTTPS preferred)
Kerberos: Domain authentication with service tickets

Network Devices

SNMP v3: USM with authentication and privacy (AES-256)
SSH: For Cisco IOS, Juniper JunOS, Palo Alto PAN-OS
API Tokens: REST API for modern network platforms

Databases

Oracle: SYS/SYSDBA credentials or TNS connection
Microsoft SQL Server: Windows auth or SQL auth
PostgreSQL: Role-based authentication
MySQL: User/password with SELECT privileges

Workflow

Step 1: Create Dedicated Service Accounts

bash

# Linux: Create scan service account
sudo useradd -m -s /bin/bash -c "Vulnerability Scanner Service Account" nessus_svc
sudo usermod -aG sudo nessus_svc

# Configure sudo for passwordless specific commands
echo 'nessus_svc ALL=(ALL) NOPASSWD: /usr/bin/dpkg -l, /usr/bin/rpm -qa, \
/bin/cat /etc/shadow, /usr/sbin/dmidecode, /usr/bin/find' | sudo tee /etc/sudoers.d/nessus_svc

# Generate SSH key pair
sudo -u nessus_svc ssh-keygen -t ed25519 -f /home/nessus_svc/.ssh/id_ed25519 -N ""

# Distribute public key to targets
for host in $(cat target_hosts.txt); do
    ssh-copy-id -i /home/nessus_svc/.ssh/id_ed25519.pub nessus_svc@$host
done

powershell

# Windows: Create scan service account via PowerShell
New-ADUser -Name "SVC_VulnScan" `
    -SamAccountName "SVC_VulnScan" `
    -UserPrincipalName "SVC_VulnScan@domain.local" `
    -Description "Vulnerability Scanner Service Account" `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString "Enter Password")

# Add to local Administrators group on targets via GPO or:
Add-ADGroupMember -Identity "Domain Admins" -Members "SVC_VulnScan"
# For least privilege, use a dedicated GPO for local admin rights instead

# Enable WinRM on targets
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Service\AllowRemote -Value $true
winrm set winrm/config/service '@{AllowUnencrypted="false"}'

Step 2: Configure Scanner Credentials

Nessus Configuration

json

{
  "credentials": {
    "add": {
      "Host": {
        "SSH": [{
          "auth_method": "public key",
          "username": "nessus_svc",
          "private_key": "/path/to/id_ed25519",
          "elevate_privileges_with": "sudo",
          "escalation_account": "root"
        }],
        "Windows": [{
          "auth_method": "Password",
          "username": "DOMAIN\\SVC_VulnScan",
          "password": "stored_in_vault",
          "domain": "domain.local"
        }],
        "SNMPv3": [{
          "username": "nessus_snmpv3",
          "security_level": "authPriv",
          "auth_algorithm": "SHA-256",
          "auth_password": "stored_in_vault",
          "priv_algorithm": "AES-256",
          "priv_password": "stored_in_vault"
        }]
      }
    }
  }
}

Step 3: Validate Credential Access

bash

# Test SSH connectivity
ssh -i /path/to/key -o ConnectTimeout=10 nessus_svc@target_host "uname -a && sudo dpkg -l | head -5"

# Test WinRM connectivity
python3 -c "
import winrm
s = winrm.Session('target_host', auth=('DOMAIN\\\\SVC_VulnScan', 'password'), transport='ntlm')
r = s.run_cmd('systeminfo')
print(r.std_out.decode())
"

# Test SNMP v3 connectivity
snmpwalk -v3 -u nessus_snmpv3 -l authPriv -a SHA-256 -A authpass -x AES-256 -X privpass target_host sysDescr.0

Step 4: Run Authenticated Scan

Configure and launch the scan using the Nessus API:

bash

# Create scan with credentials
curl -k -X POST https://nessus:8834/scans \
  -H "X-Cookie: token=$TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "uuid": "'$TEMPLATE_UUID'",
    "settings": {
      "name": "Authenticated Scan - Production",
      "text_targets": "192.168.1.0/24",
      "launch": "ON_DEMAND"
    },
    "credentials": {
      "add": {
        "Host": {
          "SSH": [{"auth_method": "public key", "username": "nessus_svc", "private_key": "/keys/id_ed25519"}],
          "Windows": [{"auth_method": "Password", "username": "DOMAIN\\SVC_VulnScan", "password": "vault_ref"}]
        }
      }
    }
  }'

Step 5: Verify Credential Success

After scan completion, check credential verification results:

Plugin 19506 (Nessus Scan Information): Shows credential status
Plugin 21745 (OS Security Patch Assessment): Confirms local checks
Plugin 117887 (Local Security Checks): Credential verification
Plugin 110385 (Nessus Credentialed Check): Target-level auth status

Credential Security Best Practices

Use a secrets vault (HashiCorp Vault, CyberArk, AWS Secrets Manager) for credential storage
Rotate credentials every 90 days or after personnel changes
Principle of least privilege - only grant minimum required access
Audit credential usage - monitor service account login events
Encrypt in transit - use SSH keys over passwords, WinRM over HTTPS
Separate accounts per scanner - never share credentials across tools
Disable interactive login for scan service accounts where possible
Log all authentication events for scan accounts in SIEM

Common Pitfalls

Using domain admin accounts instead of least-privilege service accounts
Storing credentials in plaintext scan configurations
Not testing credentials before scan launch (leads to wasted scan windows)
Forgetting to configure sudo/elevation for Linux targets
Windows UAC blocking remote credentialed checks
Firewall rules blocking WMI/WinRM/SSH between scanner and targets
Credential lockout from multiple failed authentication attempts

Related Skills

scanning-infrastructure-with-nessus
performing-network-vulnerability-assessment
implementing-continuous-vulnerability-monitoring

performing-authenticated-vulnerability-scan

NPX Install

Tags

SKILL.md Content

Performing Authenticated Vulnerability Scan

Overview

When to Use

Prerequisites

Core Concepts

Why Authenticated Scanning

Credential Types by Platform

Linux/Unix Systems

Windows Systems

Network Devices

Databases

Workflow

Step 1: Create Dedicated Service Accounts

Step 2: Configure Scanner Credentials

Nessus Configuration

Step 3: Validate Credential Access

Step 4: Run Authenticated Scan

Step 5: Verify Credential Success

Credential Security Best Practices

Common Pitfalls

Related Skills