Performing Authenticated Vulnerability Scan

Overview

Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and perform deep inspection of installed software, patches, configurations, and security settings. Compared to unauthenticated scanning, credentialed scans detect 45-60% more vulnerabilities with significantly fewer false positives because they can directly query installed packages, registry keys, and file system contents.

Prerequisites

• Vulnerability scanner (Nessus, Qualys, OpenVAS, Rapid7 InsightVM)
• Service accounts with appropriate privileges on target systems
• Secure credential storage (vault integration preferred)
• Network access from scanner to target management ports
• Written authorization from system owners

Core Concepts

Why Authenticated Scanning

Unauthenticated scanning can only assess externally visible services and banners, often leading to:

• Missed vulnerabilities in locally installed software
• Inaccurate version detection from banner changes
• Inability to check patch levels, configurations, or local policies
• Higher false positive rates due to inference-based detection

Authenticated scanning resolves these by directly querying the target OS.

Credential Types by Platform

Linux/Unix Systems

• SSH Key Authentication: RSA/Ed25519 key pairs (recommended)
• SSH Username/Password: Fallback for systems without key-based auth
• Sudo/Su Elevation: Non-root user with sudo privileges
• Certificate-based SSH: X.509 certificates for enterprise environments

Windows Systems

• SMB (Windows): Domain or local admin credentials
• WMI: Windows Management Instrumentation queries
• WinRM: Windows Remote Management (HTTPS preferred)
• Kerberos: Domain authentication with service tickets

Network Devices

• SNMP v3: USM with authentication and privacy (AES-256)
• SSH: For Cisco IOS, Juniper JunOS, Palo Alto PAN-OS
• API Tokens: REST API for modern network platforms

Databases

• Oracle: SYS/SYSDBA credentials or TNS connection
• Microsoft SQL Server: Windows auth or SQL auth
• PostgreSQL: Role-based authentication
• MySQL: User/password with SELECT privileges

Implementation Steps

Step 1: Create Dedicated Service Accounts

# Linux: Create scan service account
sudo useradd -m -s /bin/bash -c "Vulnerability Scanner Service Account" nessus_svc
sudo usermod -aG sudo nessus_svc

# Configure sudo for passwordless specific commands
echo 'nessus_svc ALL=(ALL) NOPASSWD: /usr/bin/dpkg -l, /usr/bin/rpm -qa, \
/bin/cat /etc/shadow, /usr/sbin/dmidecode, /usr/bin/find' | sudo tee /etc/sudoers.d/nessus_svc

# Generate SSH key pair
sudo -u nessus_svc ssh-keygen -t ed25519 -f /home/nessus_svc/.ssh/id_ed25519 -N ""

# Distribute public key to targets
for host in $(cat target_hosts.txt); do
    ssh-copy-id -i /home/nessus_svc/.ssh/id_ed25519.pub nessus_svc@$host
done

# Windows: Create scan service account via PowerShell
New-ADUser -Name "SVC_VulnScan" `
    -SamAccountName "SVC_VulnScan" `
    -UserPrincipalName "SVC_VulnScan@domain.local" `
    -Description "Vulnerability Scanner Service Account" `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString "Enter Password")

# Add to local Administrators group on targets via GPO or:
Add-ADGroupMember -Identity "Domain Admins" -Members "SVC_VulnScan"
# For least privilege, use a dedicated GPO for local admin rights instead

# Enable WinRM on targets
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Service\AllowRemote -Value $true
winrm set winrm/config/service '@{AllowUnencrypted="false"}'

Step 2: Configure Scanner Credentials

Nessus Configuration

{
  "credentials": {
    "add": {
      "Host": {
        "SSH": [{
          "auth_method": "public key",
          "username": "nessus_svc",
          "private_key": "/path/to/id_ed25519",
          "elevate_privileges_with": "sudo",
          "escalation_account": "root"
        }],
        "Windows": [{
          "auth_method": "Password",
          "username": "DOMAIN\\SVC_VulnScan",
          "password": "stored_in_vault",
          "domain": "domain.local"
        }],
        "SNMPv3": [{
          "username": "nessus_snmpv3",
          "security_level": "authPriv",
          "auth_algorithm": "SHA-256",
          "auth_password": "stored_in_vault",
          "priv_algorithm": "AES-256",
          "priv_password": "stored_in_vault"
        }]
      }
    }
  }
}

Step 3: Validate Credential Access

# Test SSH connectivity
ssh -i /path/to/key -o ConnectTimeout=10 nessus_svc@target_host "uname -a && sudo dpkg -l | head -5"

# Test WinRM connectivity
python3 -c "
import winrm
s = winrm.Session('target_host', auth=('DOMAIN\\\\SVC_VulnScan', 'password'), transport='ntlm')
r = s.run_cmd('systeminfo')
print(r.std_out.decode())
"

# Test SNMP v3 connectivity
snmpwalk -v3 -u nessus_snmpv3 -l authPriv -a SHA-256 -A authpass -x AES-256 -X privpass target_host sysDescr.0

Step 4: Run Authenticated Scan

Configure and launch the scan using the Nessus API:

# Create scan with credentials
curl -k -X POST https://nessus:8834/scans \
  -H "X-Cookie: token=$TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "uuid": "'$TEMPLATE_UUID'",
    "settings": {
      "name": "Authenticated Scan - Production",
      "text_targets": "192.168.1.0/24",
      "launch": "ON_DEMAND"
    },
    "credentials": {
      "add": {
        "Host": {
          "SSH": [{"auth_method": "public key", "username": "nessus_svc", "private_key": "/keys/id_ed25519"}],
          "Windows": [{"auth_method": "Password", "username": "DOMAIN\\SVC_VulnScan", "password": "vault_ref"}]
        }
      }
    }
  }'

Step 5: Verify Credential Success

After scan completion, check credential verification results:

• Plugin 19506 (Nessus Scan Information): Shows credential status
• Plugin 21745 (OS Security Patch Assessment): Confirms local checks
• Plugin 117887 (Local Security Checks): Credential verification
• Plugin 110385 (Nessus Credentialed Check): Target-level auth status

Credential Security Best Practices

1. Use a secrets vault (HashiCorp Vault, CyberArk, AWS Secrets Manager) for credential storage
2. Rotate credentials every 90 days or after personnel changes
3. Principle of least privilege - only grant minimum required access
4. Audit credential usage - monitor service account login events
5. Encrypt in transit - use SSH keys over passwords, WinRM over HTTPS
6. Separate accounts per scanner - never share credentials across tools
7. Disable interactive login for scan service accounts where possible
8. Log all authentication events for scan accounts in SIEM

Common Pitfalls

• Using domain admin accounts instead of least-privilege service accounts
• Storing credentials in plaintext scan configurations
• Not testing credentials before scan launch (leads to wasted scan windows)
• Forgetting to configure sudo/elevation for Linux targets
• Windows UAC blocking remote credentialed checks
• Firewall rules blocking WMI/WinRM/SSH between scanner and targets
• Credential lockout from multiple failed authentication attempts

Related Skills

• scanning-infrastructure-with-nessus
• performing-network-vulnerability-assessment
• implementing-continuous-vulnerability-monitoring

Verification Criteria

Confirm successful execution by validating:

• [ ] All prerequisite tools and access requirements are satisfied
• [ ] Each workflow step completed without errors
• [ ] Output matches expected format and contains expected data
• [ ] No security warnings or misconfigurations detected
• [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

• SOC 2: CC7.1 (Monitoring), CC8.1 (Change Management)
• ISO 27001: A.12.6 (Technical Vulnerability Management)
• NIST 800-53: RA-5 (Vulnerability Scanning), SI-2 (Flaw Remediation), CM-6 (Configuration Settings)
• NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add performing-authenticated-vulnerability-scan

# Or load dynamically via MCP
grc.load_skill("performing-authenticated-vulnerability-scan")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

• SHA-256 chain hashing ensures no step can be modified after execution
• Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
• Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.