2

I'm testing out both Tenable's Nessus scanner as well as eEye's Retina for scanning network devices. I am trying to supply credentials to get deeper, more accurate results, however there seems to be no difference in the results whether I supply the credentials or not. I've read the documentation and it seems like I've tried all the logical settings in the Credential options. I've submit along with usernames and passwords for many different accounts and types of accounts (both SSH Credentials and Web Application Credentials) on the devices as well as their respective domain names (when applicable).

Is there possibly a good test for either (or both) scanners to tell where these credentials are being provided (if at all) and if any of them are successfully getting authentication?

Scott Pack
  • 14,717
  • 10
  • 51
  • 83
grossmae
  • 121
  • 1
  • 2
  • What OS is the client? – Scott Pack Sep 21 '10 at 23:26
  • The OS is Linux. – grossmae Sep 21 '10 at 23:34
  • unless you have a single pw for all the linux devices the authentication willl not perform well, the tennable version of nessus works fine against a windows based domain when you provide an account with admin privs on the devices your scanning – tony roth Sep 22 '10 at 00:35
  • I am only scanning one device at the moment, so the credentials are essentially all identical. – grossmae Sep 22 '10 at 01:24
  • so do you run the test with an account that has root? When we run nessus against our windows server it has admin privs on the device that we are scanning. Its unfair but does expose everything! Windows 08+ when scanned with admin privs show's no vuln's worth mentioning.. – tony roth Sep 23 '10 at 03:06
  • I'm sorry, I'm a little confused. Do you mean with credentials it finds everything, but without it can't find anything? Whether I supply credentials or not, I get the same vulnerabilities. Also, I am supply the credentials for both SSH and web applications on the device – grossmae Sep 23 '10 at 18:24
  • on w2k8+ scanned with priv's it finds everything, but under the nessus report it show as no remediation possible for the given vuln's. – tony roth Sep 23 '10 at 18:43

2 Answers2

2

If you are scanning some windows systems you can check the security event log to see if the authentication attempts from the scanner were valid or not. If the connection attempts from the scanners were authenticated then the scanners had access provided by the credentials, now whether the scanners were configured properly to "scan deeper" is another issue.

David Yu
  • 1,032
  • 7
  • 14
  • I'm not scanning any windows systems. Network logs from the device are not easily reachable and probably won't provide very much information. I have been using wireshark to sniff for credentials being passed, but I cannot find any. Are there perhaps some techniques to find packets with credentials other than searching for string values? – grossmae Sep 22 '10 at 00:20
2

Attempting to debug authentication problems in automated systems can certainly be tricky. While authentication isn't the first thing the scanner tries, it is fairly early in the scan process. What the system does is kick off a port scan looking at a handful of the most common ports, and if the remote authentication ports are open it will attempt to authenticate and run the credentialed checks. On Windows this would be TCP port 445, and on Linux/Unix TCP port 22.

There are a lot of things that can go wrong with this kind of authentication, so these are the steps I would try:

  1. Are you authenticating but unable to run the remote checks? Use the fancy filtering system and look for PluginID 21745. This is kind of a meta-plugin that tests to see if the scanner failed to authenticate. If this plugin is in your report, then authentication failed. This is a nice, fast, way to prove our initial assumption that we failed to authenticate.
  2. Does your scan policy include any local checks? From the web interface open the policy you're using, select the 'Plugins' tab, and add the filter 'Plugin Type -> is equal to -> local'.
  3. Check your scan report to make sure that port 22 is listed as open. If not, then you'll need to check the host's firewall settings, and possibly /etc/ssh/sshd_config.
  4. Check to see if the user itself can login to the remote host. From the Nessus scanner try ssh nessususer@remotehost.tld and see if you can actually authenticate. If your username and password still don't work, then the sysadmin needs to get involved to fix the user on the remote host.
  5. Is the remote host expecting key based auth instead of password? If so, then make sure the public key has been placed correctly into the authorized_key file on the remote host. Remember, the public key must be a single line per entry (be wary of introducing new lines from copy/pasting) and that the permissions are appropriately strict on the .ssh folder.
  6. Look at your scan profile. If you had copied this profile from another scanner, or had created it as a copy of an existing profile, then the saved passwords probably didn't come with it. Import them again.
  7. If all of this fails, I would try contacting support. Since you're paying for the ProfessionalFeed (and based on the assumptions in the FAQ you're violating your license otherwise) you can file a ticket in same place you get your activation key.

All that being said, I can't say that I've ever tried to use password authentication for the credentialed Linux/Unix checks. The system may very easily be assuming public/private key pairs.

Scott Pack
  • 14,717
  • 10
  • 51
  • 83