Back to Details

performing-authenticated-vulnerability-scan

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Performing Authenticated Vulnerability Scan

执行认证型漏洞扫描

Overview

概述

Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and perform deep inspection of installed software, patches, configurations, and security settings. Compared to unauthenticated scanning, credentialed scans detect 45-60% more vulnerabilities with significantly fewer false positives because they can directly query installed packages, registry keys, and file system contents.
认证型(凭据式)漏洞扫描使用有效的系统凭据登录目标主机,对已安装软件、补丁、配置和安全设置进行深度检查。与非认证扫描相比,凭据式扫描能多检测出45-60%的漏洞,且误报率显著降低,因为它可以直接查询已安装的软件包、注册表项和文件系统内容。

When to Use

使用场景

  • When conducting security assessments that involve performing authenticated vulnerability scan
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing
  • 开展涉及认证型漏洞扫描的安全评估时
  • 针对相关安全事件执行应急响应流程时
  • 进行定期安全测试或审计活动时
  • 通过实操测试验证安全控制措施时

Prerequisites

前提条件

  • Vulnerability scanner (Nessus, Qualys, OpenVAS, Rapid7 InsightVM)
  • Service accounts with appropriate privileges on target systems
  • Secure credential storage (vault integration preferred)
  • Network access from scanner to target management ports
  • Written authorization from system owners
  • 漏洞扫描器(Nessus、Qualys、OpenVAS、Rapid7 InsightVM)
  • 在目标系统上拥有适当权限的服务账户
  • 安全的凭据存储(优先集成密钥管理库)
  • 扫描器到目标管理端口的网络访问权限
  • 系统所有者的书面授权

Core Concepts

核心概念

Why Authenticated Scanning

为什么选择认证型扫描

Unauthenticated scanning can only assess externally visible services and banners, often leading to:
  • Missed vulnerabilities in locally installed software
  • Inaccurate version detection from banner changes
  • Inability to check patch levels, configurations, or local policies
  • Higher false positive rates due to inference-based detection
Authenticated scanning resolves these by directly querying the target OS.
非认证扫描只能评估外部可见的服务和标识信息,通常会导致:
  • 遗漏本地安装软件中的漏洞
  • 因标识信息变更导致版本检测不准确
  • 无法检查补丁级别、配置或本地策略
  • 基于推断的检测方式导致较高的误报率
认证型扫描通过直接查询目标操作系统解决了这些问题。

Credential Types by Platform

按平台划分的凭据类型

Linux/Unix Systems

Linux/Unix系统

  • SSH Key Authentication: RSA/Ed25519 key pairs (recommended)
  • SSH Username/Password: Fallback for systems without key-based auth
  • Sudo/Su Elevation: Non-root user with sudo privileges
  • Certificate-based SSH: X.509 certificates for enterprise environments
  • SSH密钥认证:RSA/Ed25519密钥对(推荐)
  • SSH用户名/密码:无密钥认证系统的 fallback 方案
  • Sudo/Su提权:拥有sudo权限的非root用户
  • 基于证书的SSH:企业环境中的X.509证书

Windows Systems

Windows系统

  • SMB (Windows): Domain or local admin credentials
  • WMI: Windows Management Instrumentation queries
  • WinRM: Windows Remote Management (HTTPS preferred)
  • Kerberos: Domain authentication with service tickets
  • SMB (Windows):域或本地管理员凭据
  • WMI:Windows管理规范查询
  • WinRM:Windows远程管理(优先使用HTTPS)
  • Kerberos:使用服务票据的域认证

Network Devices

网络设备

  • SNMP v3: USM with authentication and privacy (AES-256)
  • SSH: For Cisco IOS, Juniper JunOS, Palo Alto PAN-OS
  • API Tokens: REST API for modern network platforms
  • SNMP v3:带认证和隐私(AES-256)的USM
  • SSH:适用于Cisco IOS、Juniper JunOS、Palo Alto PAN-OS
  • API令牌:现代网络平台的REST API

Databases

数据库

  • Oracle: SYS/SYSDBA credentials or TNS connection
  • Microsoft SQL Server: Windows auth or SQL auth
  • PostgreSQL: Role-based authentication
  • MySQL: User/password with SELECT privileges
  • Oracle:SYS/SYSDBA凭据或TNS连接
  • Microsoft SQL Server:Windows认证或SQL认证
  • PostgreSQL:基于角色的认证
  • MySQL:拥有SELECT权限的用户名/密码

Workflow

工作流程

Step 1: Create Dedicated Service Accounts

Step 1: 创建专用服务账户

bash
undefined
bash
undefined

Linux: Create scan service account

Linux: Create scan service account

sudo useradd -m -s /bin/bash -c "Vulnerability Scanner Service Account" nessus_svc sudo usermod -aG sudo nessus_svc
sudo useradd -m -s /bin/bash -c "Vulnerability Scanner Service Account" nessus_svc sudo usermod -aG sudo nessus_svc

Configure sudo for passwordless specific commands

Configure sudo for passwordless specific commands

echo 'nessus_svc ALL=(ALL) NOPASSWD: /usr/bin/dpkg -l, /usr/bin/rpm -qa,
/bin/cat /etc/shadow, /usr/sbin/dmidecode, /usr/bin/find' | sudo tee /etc/sudoers.d/nessus_svc
echo 'nessus_svc ALL=(ALL) NOPASSWD: /usr/bin/dpkg -l, /usr/bin/rpm -qa,
/bin/cat /etc/shadow, /usr/sbin/dmidecode, /usr/bin/find' | sudo tee /etc/sudoers.d/nessus_svc

Generate SSH key pair

Generate SSH key pair

sudo -u nessus_svc ssh-keygen -t ed25519 -f /home/nessus_svc/.ssh/id_ed25519 -N ""
sudo -u nessus_svc ssh-keygen -t ed25519 -f /home/nessus_svc/.ssh/id_ed25519 -N ""

Distribute public key to targets

Distribute public key to targets

for host in $(cat target_hosts.txt); do ssh-copy-id -i /home/nessus_svc/.ssh/id_ed25519.pub nessus_svc@$host done

```powershell
for host in $(cat target_hosts.txt); do ssh-copy-id -i /home/nessus_svc/.ssh/id_ed25519.pub nessus_svc@$host done

```powershell

Windows: Create scan service account via PowerShell

Windows: Create scan service account via PowerShell

New-ADUser -Name "SVC_VulnScan" 
    -SamAccountName "SVC_VulnScan"
-UserPrincipalName "SVC_VulnScan@domain.local" 
    -Description "Vulnerability Scanner Service Account"
-PasswordNeverExpires $true 
    -CannotChangePassword $true
-Enabled $true ` -AccountPassword (Read-Host -AsSecureString "Enter Password")
New-ADUser -Name "SVC_VulnScan" 
    -SamAccountName "SVC_VulnScan"
-UserPrincipalName "SVC_VulnScan@domain.local" 
    -Description "Vulnerability Scanner Service Account"
-PasswordNeverExpires $true 
    -CannotChangePassword $true
-Enabled $true ` -AccountPassword (Read-Host -AsSecureString "Enter Password")

Add to local Administrators group on targets via GPO or:

Add to local Administrators group on targets via GPO or:

Add-ADGroupMember -Identity "Domain Admins" -Members "SVC_VulnScan"
Add-ADGroupMember -Identity "Domain Admins" -Members "SVC_VulnScan"

For least privilege, use a dedicated GPO for local admin rights instead

For least privilege, use a dedicated GPO for local admin rights instead

Enable WinRM on targets

Enable WinRM on targets

Enable-PSRemoting -Force Set-Item WSMan:\localhost\Service\AllowRemote -Value $true winrm set winrm/config/service '@{AllowUnencrypted="false"}'
undefined
Enable-PSRemoting -Force Set-Item WSMan:\localhost\Service\AllowRemote -Value $true winrm set winrm/config/service '@{AllowUnencrypted="false"}'
undefined

Step 2: Configure Scanner Credentials

Step 2: 配置扫描器凭据

Nessus Configuration

Nessus配置

json
{
  "credentials": {
    "add": {
      "Host": {
        "SSH": [{
          "auth_method": "public key",
          "username": "nessus_svc",
          "private_key": "/path/to/id_ed25519",
          "elevate_privileges_with": "sudo",
          "escalation_account": "root"
        }],
        "Windows": [{
          "auth_method": "Password",
          "username": "DOMAIN\\SVC_VulnScan",
          "password": "stored_in_vault",
          "domain": "domain.local"
        }],
        "SNMPv3": [{
          "username": "nessus_snmpv3",
          "security_level": "authPriv",
          "auth_algorithm": "SHA-256",
          "auth_password": "stored_in_vault",
          "priv_algorithm": "AES-256",
          "priv_password": "stored_in_vault"
        }]
      }
    }
  }
}
json
{
  "credentials": {
    "add": {
      "Host": {
        "SSH": [{
          "auth_method": "public key",
          "username": "nessus_svc",
          "private_key": "/path/to/id_ed25519",
          "elevate_privileges_with": "sudo",
          "escalation_account": "root"
        }],
        "Windows": [{
          "auth_method": "Password",
          "username": "DOMAIN\\SVC_VulnScan",
          "password": "stored_in_vault",
          "domain": "domain.local"
        }],
        "SNMPv3": [{
          "username": "nessus_snmpv3",
          "security_level": "authPriv",
          "auth_algorithm": "SHA-256",
          "auth_password": "stored_in_vault",
          "priv_algorithm": "AES-256",
          "priv_password": "stored_in_vault"
        }]
      }
    }
  }
}

Step 3: Validate Credential Access

Step 3: 验证凭据访问权限

bash
undefined
bash
undefined

Test SSH connectivity

Test SSH connectivity

ssh -i /path/to/key -o ConnectTimeout=10 nessus_svc@target_host "uname -a && sudo dpkg -l | head -5"
ssh -i /path/to/key -o ConnectTimeout=10 nessus_svc@target_host "uname -a && sudo dpkg -l | head -5"

Test WinRM connectivity

Test WinRM connectivity

python3 -c " import winrm s = winrm.Session('target_host', auth=('DOMAIN\\SVC_VulnScan', 'password'), transport='ntlm') r = s.run_cmd('systeminfo') print(r.std_out.decode()) "
python3 -c " import winrm s = winrm.Session('target_host', auth=('DOMAIN\\SVC_VulnScan', 'password'), transport='ntlm') r = s.run_cmd('systeminfo') print(r.std_out.decode()) "

Test SNMP v3 connectivity

Test SNMP v3 connectivity

snmpwalk -v3 -u nessus_snmpv3 -l authPriv -a SHA-256 -A authpass -x AES-256 -X privpass target_host sysDescr.0
undefined
snmpwalk -v3 -u nessus_snmpv3 -l authPriv -a SHA-256 -A authpass -x AES-256 -X privpass target_host sysDescr.0
undefined

Step 4: Run Authenticated Scan

Step 4: 运行认证型扫描

Configure and launch the scan using the Nessus API:
bash
undefined
使用Nessus API配置并启动扫描:
bash
undefined

Create scan with credentials

Create scan with credentials

curl -k -X POST https://nessus:8834/scans
-H "X-Cookie: token=$TOKEN"
-H "Content-Type: application/json"
-d '{ "uuid": "'$TEMPLATE_UUID'", "settings": { "name": "Authenticated Scan - Production", "text_targets": "192.168.1.0/24", "launch": "ON_DEMAND" }, "credentials": { "add": { "Host": { "SSH": [{"auth_method": "public key", "username": "nessus_svc", "private_key": "/keys/id_ed25519"}], "Windows": [{"auth_method": "Password", "username": "DOMAIN\SVC_VulnScan", "password": "vault_ref"}] } } } }'
undefined
curl -k -X POST https://nessus:8834/scans
-H "X-Cookie: token=$TOKEN"
-H "Content-Type: application/json"
-d '{ "uuid": "'$TEMPLATE_UUID'", "settings": { "name": "Authenticated Scan - Production", "text_targets": "192.168.1.0/24", "launch": "ON_DEMAND" }, "credentials": { "add": { "Host": { "SSH": [{"auth_method": "public key", "username": "nessus_svc", "private_key": "/keys/id_ed25519"}], "Windows": [{"auth_method": "Password", "username": "DOMAIN\SVC_VulnScan", "password": "vault_ref"}] } } } }'
undefined

Step 5: Verify Credential Success

Step 5: 验证凭据成功使用

After scan completion, check credential verification results:
  • Plugin 19506 (Nessus Scan Information): Shows credential status
  • Plugin 21745 (OS Security Patch Assessment): Confirms local checks
  • Plugin 117887 (Local Security Checks): Credential verification
  • Plugin 110385 (Nessus Credentialed Check): Target-level auth status
扫描完成后,检查凭据验证结果:
  • 插件19506(Nessus扫描信息):显示凭据状态
  • 插件21745(操作系统安全补丁评估):确认本地检查已执行
  • 插件117887(本地安全检查):凭据验证情况
  • 插件110385(Nessus凭据式检查):目标级认证状态

Credential Security Best Practices

凭据安全最佳实践

  1. Use a secrets vault (HashiCorp Vault, CyberArk, AWS Secrets Manager) for credential storage
  2. Rotate credentials every 90 days or after personnel changes
  3. Principle of least privilege - only grant minimum required access
  4. Audit credential usage - monitor service account login events
  5. Encrypt in transit - use SSH keys over passwords, WinRM over HTTPS
  6. Separate accounts per scanner - never share credentials across tools
  7. Disable interactive login for scan service accounts where possible
  8. Log all authentication events for scan accounts in SIEM
  1. 使用密钥管理库(HashiCorp Vault、CyberArk、AWS Secrets Manager)存储凭据
  2. 定期轮换凭据:每90天或人员变动后轮换
  3. 最小权限原则:仅授予所需的最低权限
  4. 审计凭据使用:监控服务账户登录事件
  5. 传输加密:优先使用SSH密钥而非密码,WinRM通过HTTPS传输
  6. 工具专用账户:为每个扫描器单独创建账户,切勿跨工具共享凭据
  7. 禁用交互式登录:尽可能禁用扫描服务账户的交互式登录权限
  8. 日志记录:在SIEM中记录扫描账户的所有认证事件

Common Pitfalls

常见陷阱

  • Using domain admin accounts instead of least-privilege service accounts
  • Storing credentials in plaintext scan configurations
  • Not testing credentials before scan launch (leads to wasted scan windows)
  • Forgetting to configure sudo/elevation for Linux targets
  • Windows UAC blocking remote credentialed checks
  • Firewall rules blocking WMI/WinRM/SSH between scanner and targets
  • Credential lockout from multiple failed authentication attempts
  • 使用域管理员账户而非最小权限服务账户
  • 在扫描配置中明文存储凭据
  • 扫描前未测试凭据(导致扫描窗口浪费)
  • 未为Linux目标配置sudo/提权权限
  • Windows UAC阻止远程凭据式检查
  • 防火墙规则阻止扫描器与目标之间的WMI/WinRM/SSH通信
  • 多次认证失败导致凭据锁定

Related Skills

相关技能

  • scanning-infrastructure-with-nessus
  • performing-network-vulnerability-assessment
  • implementing-continuous-vulnerability-monitoring
  • scanning-infrastructure-with-nessus
  • performing-network-vulnerability-assessment
  • implementing-continuous-vulnerability-monitoring