以下为本文档的中文说明performing-authenticated-vulnerability-scan执行认证漏洞扫描是关于使用有效系统凭证登录目标主机进行深度安全评估的技能。相比未认证扫描认证扫描能多检测45-60%的漏洞且误报率显著更低因为它可以直接查询已安装的软件包、注册表项和文件系统内容。该技能涵盖了跨平台凭证管理包括Linux/Unix系统推荐SSH密钥认证、sudo提权、Windows系统SMB域凭证、WMI、WinRM、Kerberos、网络设备SNMP v3、SSH、API令牌和数据库Oracle、SQL Server、PostgreSQL、MySQL。完整的扫描工作流程包括五个步骤创建专用服务账户——在Linux中创建nessus_svc用户并配置sudo权限在Windows中创建AD服务账户并加入本地管理员组配置扫描器凭证——在Nessus、Qualys或OpenVAS中配置SSH密钥、Windows密码和SNMP v3凭证验证凭证访问——通过SSH连接、WinRM会话和SNMP walk命令测试连通性运行认证扫描——通过Nessus API创建带凭证的扫描任务验证凭证成功——检查特定插件如19506、21745的输出确认凭证状态。该技能还强调了凭证安全最佳实践使用密钥管理服务HashiCorp Vault、CyberArk、AWS Secrets Manager存储凭证、每90天轮换凭证、最小权限原则、审计凭证使用、传输加密、不同扫描器使用独立账户、禁用服务账户的交互式登录、将所有认证事件记录到SIEM。常见陷阱包括使用域管理员账户而非最小权限服务账户、明文存储凭证、未预先测试凭证等。Performing Authenticated Vulnerability ScanOverviewAuthenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and perform deep inspection of installed software, patches, configurations, and security settings. Compared to unauthenticated scanning, credentialed scans detect 45-60% more vulnerabilities with significantly fewer false positives because they can directly query installed packages, registry keys, and file system contents.When to UseWhen conducting security assessments that involve performing authenticated vulnerability scanWhen following incident response procedures for related security eventsWhen performing scheduled security testing or auditing activitiesWhen validating security controls through hands-on testingPrerequisitesVulnerability scanner (Nessus, Qualys, OpenVAS, Rapid7 InsightVM)Service accounts with appropriate privileges on target systemsSecure credential storage (vault integration preferred)Network access from scanner to target management portsWritten authorization from system ownersCore ConceptsWhy Authenticated ScanningUnauthenticated scanning can only assess externally visible services and banners, often leading to:Missed vulnerabilities in locally installed softwareInaccurate version detection from banner changesInability to check patch levels, configurations, or local policiesHigher false positive rates due to inference-based detectionAuthenticated scanning resolves these by directly querying the target OS.Credential Types by PlatformLinux/Unix SystemsSSH Key Authentication: RSA/Ed25519 key pairs (recommended)SSH Username/Password: Fallback for systems without key-based authSudo/Su Elevation: Non-root user with sudo privilegesCertificate-based SSH: X.509 certificates for enterprise environmentsWindows SystemsSMB (Windows): Domain or local admin credentialsWMI: Windows Management Instrumentation queriesWinRM: Windows Remote Management (HTTPS preferred)Kerberos: Domain authentication with service ticketsNetwork DevicesSNMP v3: USM with authentication and privacy (AES-256)SSH: For Cisco IOS, Juniper JunOS, Palo Alto PAN-OSAPI Tokens: REST API for modern network platformsDatabasesOracle: SYS/SYSDBA credentials or TNS connectionMicrosoft SQL Server: Windows auth or SQL authPostgreSQL: Role-based authenticationMySQL: User/password with SELECT privilegesWorkflowStep 1: Create Dedicated Service Accounts# Linux: Create scan service accountsudouseradd-m-s/bin/bash-cVulnerability Scanner Service Accountnessus_svcsudousermod-aGsudonessus_svc# Configure sudo for passwordless specific commandsechonessus_svc ALL(ALL) NOPASSWD: /usr/bin/dpkg -l, /usr/bin/rpm -qa, \\ /bin/cat /etc/shadow, /usr/sbin/dmidecode, /usr/bin/find|sudotee/etc/sudoers.d/nessus_svc# Generate SSH key pairsudo-unessus_svc ssh-keygen-ted25519-f/home/nessus_svc/.ssh/id_ed25519-N# Distribute public key to targetsforhostin$(cattarget_hosts.txt);dossh-copy-id-i/home/nessus_svc/.ssh/id_ed25519.pub nessus_svc$hostdone# Windows: Create scan service account via PowerShellNew-ADUser-NameSVC_VulnScan-SamAccountNameSVC_VulnScan-UserPrincipalNameSVC_VulnScandomain.local-DescriptionVulnerability Scanner Service Account-PasswordNeverExpires$true-CannotChangePassword$true-Enabled$true-AccountPassword(Read-Host-AsSecureStringEnter Password)# Add to local Administrators group on targets via GPO or:Add-ADGroupMember-IdentityDomain Admins-MembersSVC_VulnScan# For least privilege, use a dedicated GPO for local admin rights instead# Enable WinRM on targetsEnable-PSRemoting-ForceSet-ItemWSMan:\\localhost\\Service\\AllowRemote-Value$truewinrmsetwinrm/config/service{AllowUnencryptedfalse}Step 2: Configure Scanner CredentialsNessus Configuration{credentials:{add:{Host:{SSH:[{auth_method:public key,username:nessus_svc,private_key:/path/to/id_ed25519,elevate_privileges_with:sudo,escalation_account:root}],Windows:[{auth_method:Password,username:DOMAIN\\\\SVC_VulnScan,password:stored_in_vault,domain:domain.local}],SNMPv3:[{username:nessus_snmpv3,security_level:authPriv,auth_algorithm:SHA-256,auth_password:stored_in_vault,priv_algorithm:AES-256,priv_password:stored_in_vault}]}}}}Step 3: Validate Credential Access# Test SSH connectivityssh-i/path/to/key-oConnectTimeout10nessus_svctarget_hostuname -a sudo dpkg -l | head -5# Test WinRM connectivitypython3-c import winrm s winrm.Session(target_host, auth(DOMAIN\\\\\\\\SVC_VulnScan, password), transportntlm) r s.run_cmd(systeminfo) print(r.std_out.decode()) # Test SNMP v3 connectivitysnmpwalk-v3-unessus_snmpv3-lauthPriv-aSHA-256-Aauthpass-xAES-256-Xprivpass target_host sysDescr.0Step 4: Run Authenticated ScanConfigure and launch the scan using the Nessus API:# Create scan with credentialscurl-k-XPOST https://nessus:8834/scans\\-HX-Cookie: token$TOKEN\\-HContent-Type: application/json\\-d{ uuid: $TEMPLATE_UUID, settings: { name: Authenticated Scan - Production, text_targets: 192.168.1.0/24, launch: ON_DEMAND }, credentials: { add: { Host: { SSH: [{auth_method: public key, username: nessus_svc, private_key: /keys/id_ed25519}], Windows: [{auth_method: Password, username: DOMAIN\\\\SVC_VulnScan, password: vault_ref}] } } } }Step 5: Verify Credential SuccessAfter scan completion, check credential verification results:Plugin 19506(Nessus Scan Information): Shows credential statusPlugin 21745(OS Security Patch Assessment): Confirms local checksPlugin 117887(Local Security Checks): Credential verificationPlugin 110385(Nessus Credentialed Check): Target-level auth statusCredential Security Best PracticesUse a secrets vault(HashiCorp Vault, CyberArk, AWS Secrets Manager) for credential storageRotate credentialsevery 90 days or after personnel changesPrinciple of least privilege- only grant minimum required accessAudit credential usage- monitor service account login eventsEncrypt in transit- use SSH keys over passwords, WinRM over HTTPSSeparate accountsper scanner - never share credentials across toolsDisable interactive loginfor scan service accounts where possibleLog all authenticationevents for scan accounts in SIEMCommon PitfallsUsing domain admin accounts instead of least-privilege service accountsStoring credentials in plaintext scan configurationsNot testing credentials before scan launch (leads to wasted scan windows)Forgetting to configure sudo/elevation for Linux targetsWindows UAC blocking remote credentialed checksFirewall rules blocking WMI/WinRM/SSH between scanner and targetsCredential lockout from multiple failed authentication attemptsRelated Skillsscanning-infrastructure-with-nessusperforming-network-vulnerability-assessmentimplementing-continuous-vulnerability-monitoring