| name | performing-authenticated-vulnerability-scan |
| description | Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and perform deep inspection of installed software, patches, configurations, and security sett |
| domain | cybersecurity |
| subdomain | vulnerability-management |
| tags | - vulnerability-management - cve - authenticated-scanning - credentials - nessus - qualys - risk |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - ID.RA-01 - ID.RA-02 - ID.IM-02 - ID.RA-06 |
Performing Authenticated Vulnerability Scan
Overview
Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and perform deep inspection of installed software, patches, configurations, and security settings. Compared to unauthenticated scanning, credentialed scans detect 45-60% more vulnerabilities with significantly fewer false positives because they can directly query installed packages, registry keys, and file system contents.
When to Use
- When conducting security assessments that involve performing authenticated vulnerability scan
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Vulnerability scanner (Nessus, Qualys, OpenVAS, Rapid7 InsightVM)
- Service accounts with appropriate privileges on target systems
- Secure credential storage (vault integration preferred)
- Network access from scanner to target management ports
- Written authorization from system owners
Core Concepts
Why Authenticated Scanning
Unauthenticated scanning can only assess externally visible services and banners, often leading to:
- Missed vulnerabilities in locally installed software
- Inaccurate version detection from banner changes
- Inability to check patch levels, configurations, or local policies
- Higher false positive rates due to inference-based detection
Authenticated scanning resolves these by directly querying the target OS.
Credential Types by Platform
Linux/Unix Systems
- SSH Key Authentication: RSA/Ed25519 key pairs (recommended)
- SSH Username/Password: Fallback for systems without key-based auth
- Sudo/Su Elevation: Non-root user with sudo privileges
- Certificate-based SSH: X.509 certificates for enterprise environments
Windows Systems
- SMB (Windows): Domain or local admin credentials
- WMI: Windows Management Instrumentation queries
- WinRM: Windows Remote Management (HTTPS preferred)
- Kerberos: Domain authentication with service tickets
Network Devices
- SNMP v3: USM with authentication and privacy (AES-256)
- SSH: For Cisco IOS, Juniper JunOS, Palo Alto PAN-OS
- API Tokens: REST API for modern network platforms
Databases
- Oracle: SYS/SYSDBA credentials or TNS connection
- Microsoft SQL Server: Windows auth or SQL auth
- PostgreSQL: Role-based authentication
- MySQL: User/password with SELECT privileges
Workflow
Step 1: Create Dedicated Service Accounts
sudo useradd -m -s /bin/bash -c "Vulnerability Scanner Service Account" nessus_svc
sudo usermod -aG sudo nessus_svc
echo 'nessus_svc ALL=(ALL) NOPASSWD: /usr/bin/dpkg -l, /usr/bin/rpm -qa, \
/bin/cat /etc/shadow, /usr/sbin/dmidecode, /usr/bin/find' | sudo tee /etc/sudoers.d/nessus_svc
sudo -u nessus_svc ssh-keygen -t ed25519 -f /home/nessus_svc/.ssh/id_ed25519 -N ""
for host in $(cat target_hosts.txt); do
ssh-copy-id -i /home/nessus_svc/.ssh/id_ed25519.pub nessus_svc@$host
done
# Windows: Create scan service account via PowerShell
New-ADUser -Name "SVC_VulnScan" `
-SamAccountName "SVC_VulnScan" `
-UserPrincipalName "[email protected]" `
-Description "Vulnerability Scanner Service Account" `
-PasswordNeverExpires $true `
-CannotChangePassword $true `
-Enabled $true `
-AccountPassword (Read-Host -AsSecureString "Enter Password")
# Add to local Administrators group on targets via GPO or:
Add-ADGroupMember -Identity "Domain Admins" -Members "SVC_VulnScan"
# For least privilege, use a dedicated GPO for local admin rights instead
# Enable WinRM on targets
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Service\AllowRemote -Value $true
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
Step 2: Configure Scanner Credentials
Nessus Configuration
{
"credentials": {
"add": {
"Host": {
"SSH": [{
"auth_method": "public key",
"username": "nessus_svc",
"private_key": "/path/to/id_ed25519",
"elevate_privileges_with": "sudo",
"escalation_account": "root"
}],
"Windows": [{
"auth_method": "Password",
"username": "DOMAIN\\SVC_VulnScan",
"password": "stored_in_vault",
"domain": "domain.local"
}],
"SNMPv3": [{
"username": "nessus_snmpv3",
"security_level": "authPriv",
"auth_algorithm": "SHA-256",
"auth_password": "stored_in_vault",
"priv_algorithm": "AES-256",
"priv_password": "stored_in_vault"
}]
}
}
}
}
Step 3: Validate Credential Access
ssh -i /path/to/key -o ConnectTimeout=10 nessus_svc@target_host "uname -a && sudo dpkg -l | head -5"
python3 -c "
import winrm
s = winrm.Session('target_host', auth=('DOMAIN\\\\SVC_VulnScan', 'password'), transport='ntlm')
r = s.run_cmd('systeminfo')
print(r.std_out.decode())
"
snmpwalk -v3 -u nessus_snmpv3 -l authPriv -a SHA-256 -A authpass -x AES-256 -X privpass target_host sysDescr.0
Step 4: Run Authenticated Scan
Configure and launch the scan using the Nessus API:
curl -k -X POST https://nessus:8834/scans \
-H "X-Cookie: token=$TOKEN" \
-H "Content-Type: application/json" \
-d '{
"uuid": "'$TEMPLATE_UUID'",
"settings": {
"name": "Authenticated Scan - Production",
"text_targets": "192.168.1.0/24",
"launch": "ON_DEMAND"
},
"credentials": {
"add": {
"Host": {
"SSH": [{"auth_method": "public key", "username": "nessus_svc", "private_key": "/keys/id_ed25519"}],
"Windows": [{"auth_method": "Password", "username": "DOMAIN\\SVC_VulnScan", "password": "vault_ref"}]
}
}
}
}'
Step 5: Verify Credential Success
After scan completion, check credential verification results:
- Plugin 19506 (Nessus Scan Information): Shows credential status
- Plugin 21745 (OS Security Patch Assessment): Confirms local checks
- Plugin 117887 (Local Security Checks): Credential verification
- Plugin 110385 (Nessus Credentialed Check): Target-level auth status
Credential Security Best Practices
- Use a secrets vault (HashiCorp Vault, CyberArk, AWS Secrets Manager) for credential storage
- Rotate credentials every 90 days or after personnel changes
- Principle of least privilege - only grant minimum required access
- Audit credential usage - monitor service account login events
- Encrypt in transit - use SSH keys over passwords, WinRM over HTTPS
- Separate accounts per scanner - never share credentials across tools
- Disable interactive login for scan service accounts where possible
- Log all authentication events for scan accounts in SIEM
Common Pitfalls
- Using domain admin accounts instead of least-privilege service accounts
- Storing credentials in plaintext scan configurations
- Not testing credentials before scan launch (leads to wasted scan windows)
- Forgetting to configure sudo/elevation for Linux targets
- Windows UAC blocking remote credentialed checks
- Firewall rules blocking WMI/WinRM/SSH between scanner and targets
- Credential lockout from multiple failed authentication attempts
Related Skills
- scanning-infrastructure-with-nessus
- performing-network-vulnerability-assessment
- implementing-continuous-vulnerability-monitoring
