Feature: Authenticated Scans
Authenticated scans use Credentials to access various services on the target system. These services are used in turn to collect information with relevance to determine vulnerabilities.
Minimal invasive: The Greenbone solution has been created solely for the purpose of judging the exposure to vulnerabilities - without doing any changes to the remote system.
Credentials are used to access various services. The most relevant are:
SMB: To check the patch level of Windows systems and similar checks on the remote machine, for example collecting version information for installed Java Runtime or Adobe Acrobat Reader.
SSH: To check the patch level and installed software versions on various Linux distributions and Unix derivates as well as additional local checks.
The volume and success of the testing routines for authenticated scans heavily depends on the access rights of the account used for the scan.
The function "Autogenerate Credential" in the Greenbone Security Manager creates an installation packet for the target system. This installation packet creates an account with the access rights that are necessary for the scan. Uninstalling the packet will undo all changes.
The following section describes relevant settings for particular target systems.
For Windows systems that are not part of a domain the "Remote Registry Service" has to be started and the following registry key has to be set:
DWORD: LocalAccountTokenFilterPolicy = 1
For systems that are part of a domain the account that should be used should be a member of the "Domain Administrators" group. Local Administrators as well as domain-assigned Local Administrators will not have sufficient privileges to scan for all vulnerabilities.
Autogenerated Credentials: The installer enables automatic startup of the "Remote Registry" service. If the installer is run on a domain controller the account is added to the Domain Administrators group (SID S-1-5-32-544).
An exemption for the IP address of the GSM has to be added to the Windows Firewall. For Windows XP systems the "File and Printer Sharing" has to be enabled.
Autogenerated Credentials: The installer allows entering the IP address of the GSM during installation. If an address is entered a firewall rule to allow access is added. For Windows XP the "File and Printer Sharing" service is set to automatically start.
Normally a regular user account is sufficient for an authenticated scan on Linux or Unix systems. SSH is used for remote access in this case. The authentication is performed via password or SSH keys.
Autogenerated Credentials: The installer is downloadable as Debian .deb or RedHat/SuSe .rpm package. This installer creates a new user and stores a generated SSH key in the user's home directory. In order to scan other Linux distributions or Unix derivates the administrator can download the SSH key only. The user account has to be created manually in this case. Care must be taken to assure correct access rights for the files as e.g. OpenSSH will often refuse keys with wrong permissions.
In all cases is is important to check that Public Key Authentication is enabled for the SSH demon. In case of OpenSSH, the line PubkeyAuthentication no must not exist in the configuration file.
It is also possible to use an existing SSH key, which may optionally be protected by a passphrase. It is recommended to use keys in the RSA or DSA format as generated by the ssh-keygen command.
For scans that contain policy checks a root user or a user with membership in privileged groups (often "wheel") can be needed. Many configuration files are only readable by by privileged users for security reasons.