Troubleshooting failed Nessus credentialed scans on Windows
If you don’t know how to create a Nessus scan profile for a host, follow the steps below.
After you log in to Nessus, click New Scan.
Select the scan template for the scan.
Provide the host name and set the target host IP. On the Discovery tab, disable the “ping the remote host” option. Then, on the Credentials tab, set credentials for the Windows or Linux machine as required.
The problem looks like this:
Click on the Nessus Scan Information and see the Output.
As we can see, the credential checks failed.
Let’s start troubleshooting:
If ping is turned off in your network, configure the Nessus scan profile so that it does not ping the host.
To do that, click on the host. Under the Settings tab, go to Discovery.
Disable the “ping the remote host” option. Otherwise Nessus pings the host, finds it unreachable because ping is off, and declares the host dead, so the credential check fails.
Now let’s check what else can be done to get the credentials to work:
1. Check that the username and password you provided are typed correctly, along with the other settings.
2. If the credential checks failed, check that you can connect to the host manually using an RDP client or SSH. If you can connect successfully but the Nessus credential check still fails, a different issue may exist.
3. Check that the appropriate firewall rules or time-based ACLs are in place to allow connections between source and destination. The TCP ports are 135, 139, 3389 and 445. Check the host firewall settings as well.
Use telnet to check connectivity after allowing the rules on the firewall:
telnet <destination host ip> <destination host port>
telnet 192.168.195.70 3389
4. The Windows Management Instrumentation (WMI) service must be enabled on the target. Log in to the target machine, open services.msc and check whether the service is running. If it is not, start it.
5. The Remote Registry service must be enabled on the target. Check it the same way.
6. File & Printer Sharing must be enabled in the target’s network configuration. From the Control Panel, click Network and Sharing Center > Change advanced sharing settings.
7. An SMB account must be used that has local administrator rights on the target. Note: A domain account can be used as long as that account is a local administrator on the devices being scanned. The account that we used also has the local admin rights on the target. SMB port 445 is also allowed.
8. Ensure that no security policies are in place that block access to these services. This can include:
   - Windows Security Policies
   - Antivirus or Endpoint Security rules. We find that in one of our cases, Symantec was blocking the connection coming from Nessus.
   - IPS/IDS
9. The default administrative shares must be enabled.
   - These shares include:
     - IPC$
     - ADMIN$
     - C$
   - The setting that controls this is AutoShareServer (Windows Server) or AutoShareWks (Windows Workstation), which must be set to 1.
   - Windows 10 has ADMIN$ disabled by default.
   - For all other operating systems, these shares are enabled by default and can cause other issues if disabled. For more information, see http://support.microsoft.com/kb/842715/en-us
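The target-side items in the checklist above (listening ports, services, File & Printer Sharing, administrative shares) can be audited in one pass. The PowerShell below is an added example, not part of the original post or of Tenable's documentation. It assumes an elevated session on an English-language Windows target, and it uses the "File and Printer Sharing" firewall rule group as a stand-in for the sharing setting in step 6.

```powershell
# Added example. Run in an elevated PowerShell session ON THE TARGET. Read-only.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# Step 3: the ports named in the checklist should have a listener on the target.
$listening = (Get-NetTCPConnection -State Listen).LocalPort | Sort-Object -Unique
foreach ($port in 135, 139, 445, 3389) {
    Add-Check "TCP $port listening" ($listening -contains $port) ''
}

# Steps 4 and 5: WMI (service name Winmgmt) and Remote Registry must be running.
foreach ($svc in 'Winmgmt', 'RemoteRegistry') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Check "Service $svc" ($null -ne $s -and $s.Status -eq 'Running') `
        "Status=$($s.Status); StartType=$($s.StartType)"
}

# Step 6 (assumption: English display name of the firewall rule group).
$fps = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
Add-Check 'File and Printer Sharing rules' ($fps.Count -gt 0) "$($fps.Count) inbound allow rule(s) enabled"

# Step 9: AutoShareServer / AutoShareWks. An explicit 0 disables the admin shares;
# an absent value means Windows applies its own default.
$p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($v in 'AutoShareServer', 'AutoShareWks') {
    $val = $p.$v
    Add-Check "Registry $v" ($val -ne 0) $(if ($null -eq $val) { 'not set (OS default)' } else { "value=$val" })
}

# Step 9: the shares themselves.
$shares = (Get-SmbShare).Name
foreach ($name in 'IPC$', 'ADMIN$', 'C$') {
    Add-Check "Share $name" ($shares -contains $name) ''
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.OK })
"{0} of {1} checks need attention" -f $failed.Count, $results.Count
```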
Some other troubleshooting commands:
These steps will test connections to a target host using methods similar to what Nessus uses to perform credentialed checks. If these tests fail, it establishes that the issue is likely not with Nessus or the scan configuration, but with the target’s security settings. Run all commands from an elevated Command prompt or PowerShell on a host in the same network as the target. Make sure this is not done on the target itself. If possible, use the scanner.
Anonymous IPC$ login test
Test the IPC$ share without a username by using the following command. This command is similar to how Nessus checks the share.
Note: Change <Target_IP> to the target’s IP address.
net use \\<Target_IP>\ipc$ "" /user:""
If this returns “Failed to connect to the IPC$ share anonymously.” then the following should be verified:
- Ensure SMB is set up correctly
- Double-check firewall settings
SMB Log on Test
This is how Nessus tests the credentials to make sure it has access to the system.
Run the following commands from an elevated command prompt.
Note: Replace <username> and <password> with the credentials the scan is using. Also, change <Target_IP> to the target’s IP address.
net use \\<Target_IP>\ipc$ /user:<username> <password>
net use \\<Target_IP>\admin$ /user:<username> <password>
These commands should return “The command completed successfully.” If they do not, then:
- Check the credentials.
- Check the account has sufficient privileges.
Remote Registry Test
Run the following command to check if the remote registry is running.
Note: Change <Target_IP> to the target’s IP address.
reg query \\<Target_IP>\hklm
If this returns registry keys, the service is running and accessible. If this returns “ERROR: The network path was not found.” then the service is not running and must be enabled.
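The connectivity, SMB log on and Remote Registry tests can be run in sequence so that the first failing layer stands out. This PowerShell is an added example, not from the original post: 192.0.2.10 is a placeholder target, the function names are illustrative, and the hints in the IfFailed column only restate the checks listed in this post.

```powershell
# Added example. Run from the scanner or a host on the same network, not on the target.
$Target = '192.0.2.10'   # placeholder (documentation range); use the target's IP
$cred   = Get-Credential -Message 'Account configured in the Nessus scan'
$user   = $cred.UserName
$pass   = $cred.GetNetworkCredential().Password

# TCP connect with a timeout: the same reachability question the telnet test answers.
function Test-Port([string]$Address, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Run one native command quietly and record whether it exited with code 0.
function Invoke-Step([string]$Name, [scriptblock]$Action, [string]$Hint) {
    & $Action *> $null
    $ok = ($LASTEXITCODE -eq 0)
    [pscustomobject]@{ Step = $Name; OK = $ok; IfFailed = $(if ($ok) { '' } else { $Hint }) }
}

$report = @(foreach ($port in 135, 139, 445, 3389) {
    $open = Test-Port $Target $port
    [pscustomobject]@{ Step = "TCP $port"; OK = $open
        IfFailed = $(if ($open) { '' } else { 'firewall rule or ACL between scanner and target' }) }
})
$report += Invoke-Step 'SMB logon to IPC$' { net use "\\$Target\ipc$" "/user:$user" $pass } `
    'check the credentials'
$report += Invoke-Step 'SMB logon to ADMIN$' { net use "\\$Target\admin$" "/user:$user" $pass } `
    'check account privileges and the administrative shares'
$report += Invoke-Step 'Remote Registry query' { reg query "\\$Target\hklm" } `
    'Remote Registry service not running or not reachable'

# Remove the test connections so no session stays mapped after the test.
foreach ($share in 'ipc$', 'admin$') { net use "\\$Target\$share" /delete *> $null }
$report | Format-Table -AutoSize
```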
Testing from a Linux Host
The program smbclient can be used as an alternative method of testing if the Nessus scanner is running on a Linux system that is scanning the Windows-based host. To install smbclient, run the following command as root:
yum install samba-client
Test the IPC$ share with the scan credentials by using the following command. This command is similar to how Nessus checks the share.
Note: Change <Target_IP> to the target’s IP address. Change <username> and <password> to the credentials that Nessus uses.
smbclient //<Target_IP>/IPC$ -U <username> <password>
- If this returns “smb: \>”, then the credentials and permissions work.
- If this returns “session setup failed: NT_STATUS_LOGON_FAILURE”, then:
  - Check the credentials.
  - Check that the account has sufficient privileges.
Resources:
Credentialed Checks on Windows (Tenable Nessus 10.8)
Thanks. I hope this blog will help you to troubleshoot why Nessus is saying credential checks failed and fix the issue. If you find this blog useful, then please consider subscribing below.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/