Credentialed Scan Failures

by Henry Kuhfeldt
February 23, 2016

Credentialed scans provide more detailed results that help detect outdated software, vulnerabilities, and compliance issues. Without working credentials, analysts cannot obtain the accurate information needed to assess an organization's risk posture. The Credentialed Scan Failures report delivers an organized list of failed credentialed scans that analysts can use to quickly remediate scanning issues on a network. The report covers a 25-day scanning history and provides a breakdown of various Windows scan issues and SSH failures, as well as general credential failures. The chapters in this report provide an overview of the monitored failures, while the remainder of the report is dedicated to detailed accounts of those failures. A series of plugins is used to leverage the Nessus plugin output data and provide granular results. Using a combination of plugins and results from Nessus, Tenable.sc can identify credential failures while scanning. Organizations will find this report useful when reviewed on a daily or weekly basis. The report is organized so that analysts receive timely information they can use to correct credentialed scan failures. This report uses the following plugins:

  • 10428: Microsoft Windows SMB Registry Not Fully Accessible Detection
  • 19506: Nessus Scan Information
  • 21745: Authentication Failure - Local Checks Not Run
  • 24786: Nessus Windows Scan Not Performed with Admin Privileges
  • 26917: Microsoft Windows SMB Registry: Nessus Cannot Access the Windows Registry

This report uses output from plugin 21745 to determine the service Nessus tried to use for login (SMB or SSH), as well as the nature of the failure. The failure could result from a variety of issues, such as bad credentials or a general socket failure while accessing the service. Using the output from plugin 19506, the report separates the successful credentialed checks from the non-credentialed checks. The remaining three plugins, 10428, 24786, and 26917, are specific to Windows environments and are useful in troubleshooting access to patch and registry information, which in turn allows patching and security issues to be identified correctly. Scanning without credentials is a valid method for identifying what is visible to the scanner and for an initial assessment of the exterior attack surface of a system; properly configured credentialed scans look beyond the surface and identify potential issues that are not otherwise apparent. Scans without credentials should go into their own repository so that they do not interfere with the vulnerabilities identified by credentialed scanning.

The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed by selecting category Monitoring. The report requirements are:

  • Tenable.sc 5.2
  • Nessus 8.4.0
  • This report requires “Full Text Search” to be enabled for each analyzed repository.

Tenable.sc Continuous View (CV) is a scalable continuous network monitoring solution that identifies the biggest risks across the entire enterprise. Tenable's products allow for the most comprehensive and integrated view of network health. Nessus and Tenable.sc are continuously updated with information about advanced threats and zero-day vulnerabilities, as well as new types of regulatory compliance configuration audits, allowing organizations to respond to new threats as they emerge.

Chapters

Executive Summary: This chapter provides a high level view of the credentialed scan failures from Tenable.sc on SMB Credential issues, SSH Credential Issues, Scans without Credentials and Windows-specific credential issues.

Credentialed Scan Failures by Protocol: This chapter provides a summary of failures associated with credentials, broken down by SMB and SSH protocol and their associated issues. The first three data sets leverage Nessus plugin 21745: 'Authentication Failure - Local Checks Not Run' and its output to provide a granular view into SMB credentialed scan failures. The filtered data provides a more specific view, allowing deeper insight into an SMB credential failure. The final data group uses output from Nessus plugin 21745: 'Authentication Failure - Local Checks Not Run' to deliver SSH credential failures. The results are specific to login failures with supplied credentials only.

Hosts Scanned Without Credentials: This chapter provides a list of hosts scanned without credentials. The scans may have been run without credentials intentionally, or the credentials may have failed. This section uses Nessus plugin 19506, filtered to return only results indicating that no credentialed checks were performed as part of a successful scan.

Windows Specific Credential Issues: This chapter details the events related to specific issues with Windows credentials. Many of the solutions to the issues presented in this section are covered in the Tenable.sc 5.2 documentation on the Tenable Support Portal. This section uses the following plugins, presented in the same order as they are used. Nessus plugin 10428 'Microsoft Windows SMB Registry Not Fully Accessible Detection' collects a list of hosts on which Nessus was able to log in and access the registry, but could not check some keys due to a lack of full administrative rights. Nessus plugin 26917 'Microsoft Windows SMB Registry: Nessus Cannot Access the Windows Registry' collects hosts where the registry was completely inaccessible, for example because the Windows Remote Registry (winreg) service is turned off. Nessus plugin 24786 'Nessus Windows Scan Not Performed with Admin Privileges' provides the count of hosts that allowed login with the supplied SMB credentials, but where the account was not an administrator.
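The plugin logic described above (19506 to separate credentialed from non-credentialed scans, 21745 for the SMB/SSH failure and its reason, and the three Windows-specific plugins) can be reproduced outside Tenable.sc for triage. The following is an added example, not Tenable's own code or report template: it classifies a constructed list of plugin results into the report's chapters. The plugin IDs are the ones the report uses; the hosts and the plugin output strings are constructed for this example and are assumed to merely resemble, not reproduce, real plugin output.

```python
import re

# Constructed sample of Nessus plugin results, one dict per (host, plugin).
# The "output" strings are made up for this example to imitate the kind of
# text the report filters on; they are not copied from real plugin output.
SAMPLE_RESULTS = [
    {"host": "10.0.0.11", "plugin": 19506, "output": "Credentialed checks : yes"},
    {"host": "10.0.0.12", "plugin": 19506, "output": "Credentialed checks : no"},
    {"host": "10.0.0.12", "plugin": 21745,
     "output": "It was not possible to log into the remote host via smb (invalid credentials)."},
    {"host": "10.0.0.13", "plugin": 19506, "output": "Credentialed checks : no"},
    {"host": "10.0.0.13", "plugin": 21745,
     "output": "It was not possible to log into the remote host via ssh (socket error)."},
    {"host": "10.0.0.14", "plugin": 19506, "output": "Credentialed checks : yes"},
    {"host": "10.0.0.14", "plugin": 10428, "output": "Some registry keys could not be checked."},
    {"host": "10.0.0.15", "plugin": 19506, "output": "Credentialed checks : yes"},
    {"host": "10.0.0.15", "plugin": 24786, "output": "The account used is not an administrator."},
    {"host": "10.0.0.16", "plugin": 19506, "output": "Credentialed checks : no"},
]

# Windows-specific plugins and the condition each one signals (from the report description).
WINDOWS_PLUGINS = {
    10428: "registry_partial",       # logged in, but some registry keys unreadable
    26917: "registry_inaccessible",  # registry completely inaccessible (e.g. winreg off)
    24786: "not_admin",              # SMB login worked, but the account is not an administrator
}

def classify(results):
    """Group plugin results into the report's chapters."""
    report = {"smb_failures": [], "ssh_failures": [], "no_credentials": set(), "windows": []}
    for r in results:
        pid, host, out = r["plugin"], r["host"], r["output"]
        if pid == 19506:
            # 19506 states whether credentialed checks ran at all.
            if re.search(r"Credentialed checks\s*:\s*no", out, re.I):
                report["no_credentials"].add(host)
        elif pid == 21745:
            # 21745: pull the service (smb/ssh) and the failure reason out of the text.
            m = re.search(r"via (smb|ssh)\s*\((.*?)\)", out, re.I)
            if m:
                report[m.group(1).lower() + "_failures"].append((host, m.group(2)))
        elif pid in WINDOWS_PLUGINS:
            report["windows"].append((host, WINDOWS_PLUGINS[pid]))
    return report

def unexplained_no_credentials(report):
    """Hosts with no credentialed checks and no 21745 failure: likely scanned without credentials on purpose."""
    failed = {h for h, _ in report["smb_failures"]} | {h for h, _ in report["ssh_failures"]}
    return sorted(report["no_credentials"] - failed)
```

Hosts returned by `unexplained_no_credentials` are the ones to check against the scan policy: they either belong in a separate non-credentialed repository, as the text recommends, or the credentials were never supplied.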