Identify failed credentialed scans in Nessus / Security Center

Objective

  • Identify and remediate failed scans in Nessus / Security Center.

Requirements

For Windows credentialed scans, make sure your scan account has local admin privileges on the target.

On your Windows scan targets make sure that:

  • WMI is enabled
  • Ports 139 and 445 are both open between scanner and target
  • File & print sharing is enabled
  • Remote Registry service is enabled
  • Default admin shares are enabled (ADMIN$, IPC$…)

On Linux hosts and Network devices make sure that:

  • Port 22 is open
  • You can ssh into the scan target
  • The account has enough privileges to perform all checks
  • The account can do privilege escalation via su, sudo su, Cisco enable, etc.

Plugins to check

Plugin ID – Plugin Name, followed by the action to take:

11219 – Nessus SYN scanner
  • Verify if tcp port 22 is open for Linux and Network devices.
  • Verify if tcp port 139/445 is open for Windows systems.
  • Verify if tcp port 443 is open for VMware ESXi hosts.
  • Verify if tcp port 443 is open for hosts running vCenter.

10335 – Nessus TCP scanner
  • Verify if tcp port 22 is open for Linux and Network devices.
  • Verify if tcp port 139/445 is open for Windows systems.
  • Verify if tcp port 443 is open for VMware ESXi hosts.

14274 – Nessus SNMP Scanner
  • Verify if tcp port 22 is open for Linux and Network devices.
  • Verify if tcp port 139/445 is open for Windows systems.
  • Verify if tcp port 443 is open for VMware ESXi hosts.

19506 – Nessus Scan Information
  • Verify if the string “Credentialed checks : yes” exists to identify successful scans.
  • Verify if the string “Credentialed checks : no” exists to identify failed scans.

10394 – Microsoft Windows SMB Log In Possible
  Review the account that is used to perform the scan. Output shows:
  – The SMB tests will be done as <account name>
  The credentialed scan failed when only this line is logged.
  NULL sessions are enabled on the remote host.

10395 – Microsoft Windows SMB Shares Enumeration
  ADMIN$, C$ and IPC$ must be present.

21745 – Authentication Failure – Local Checks Not Run
  The plugin output will give you a good indicator:
  – Failed to authenticate to the VMware ESX server listening on port 443.
  – It was not possible to log into the remote host via smb (invalid credentials).
  – It was not possible to log into the remote host via smb (protocol failed).
  – It was not possible to log into the remote host via smb (unable to create a socket).
  – SSH was unable to login with any supplied credentials.
  – The account used does not have sufficient privileges to read all the required registry entries.

24786 – Nessus Windows Scan Not Performed with Admin Privileges
  Plugin output will note the following:
  – It was not possible to connect to ‘\\HOSTNAME\ADMIN$’ with the supplied credentials.

10428 – Microsoft Windows SMB Registry Not Fully Accessible Detection
  Nessus had insufficient access to the remote registry. Nessus did not access the remote registry completely, because full administrative rights are required.
  Solution: use an administrator level account for scanning.

26917 – Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
  Plugin output will note something like:
  – Could not connect to the registry because: Could not connect to IPC$
  – Could not connect to the registry because: Could not connect to \winreg

35705 – Microsoft Windows SMB Registry : Starting the Registry Service during the scan failed
  Plugin output will note something like:
  – The following error occurred : NetUseAdd failed
  – The following error occurred : OpenSCManager() failed

12634 – Authenticated Check : OS Name and Installed Package Enumeration
  Review plugin output: search for the string “failed”.

10919 – Open Port Re-check
  Plugin description:
  Previously open ports are now closed. One of several ports that were previously open are now closed or unresponsive. There are several possible reasons for this:
  – The scan may have caused a service to freeze or stop running.
  – An administrator may have stopped a particular service during the scanning process.
  This might be an availability problem related to the following:
  – A network outage has been experienced during the scan, and the remote network cannot be reached anymore by the scanner.
  – This scanner may have been blacklisted by the system administrator or by an automatic intrusion detection / prevention system that detected the scan.
  – The remote host is now down, either because a user turned it off during the scan or because a select denial of service was effective.
  In any case, the audit of the remote host might be incomplete and may need to be done again.
  Plugin output will record the port that became unresponsive:
  – Port 22 was detected as being open but is now unresponsive

24269 – Windows Management Instrumentation (WMI) Available
  Review all plugins. Search the plugin output for known error conditions like:
  – failed due to networking problems
  – WMI_ERROR_CONNECT
  – POLICY_SUBCATEGORY_ERROR
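As an added example (not part of the original runbook, and not Tenable's own tooling), this Python script applies the checks from the table above to an exported .nessus file: plugin 19506 gives the credentialed yes/no verdict, plugin 10395 is checked for the three required shares, and the indicator strings listed for the other plugins are flagged per host. The .nessus fragment is constructed and abbreviated (real exports carry more attributes per ReportItem), and the host names are placeholders.

```python
import xml.etree.ElementTree as ET

# Plugin output strings the runbook lists as failure indicators, keyed by plugin ID.
FAILURE_INDICATORS = {
    "21745": ["Failed to authenticate", "invalid credentials", "protocol failed",
              "unable to create a socket", "SSH was unable to login", "does not have sufficient privileges"],
    "24786": ["It was not possible to connect to"],
    "10428": ["insufficient access to the remote registry"],
    "26917": ["Could not connect to IPC$", "Could not connect to \\winreg"],
    "35705": ["NetUseAdd failed", "OpenSCManager() failed"],
    "10919": ["is now unresponsive"],
    "24269": ["failed due to networking problems", "WMI_ERROR_CONNECT", "POLICY_SUBCATEGORY_ERROR"],
}
REQUIRED_SHARES = ("ADMIN$", "C$", "IPC$")  # plugin 10395 must list all three

def triage(nessus_xml):
    """Map each ReportHost name to its credentialed status and failure findings."""
    results = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        entry = {"credentialed": None, "findings": []}
        for item in host.findall("ReportItem"):
            pid, out = item.get("pluginID"), item.findtext("plugin_output") or ""
            if pid == "19506":  # Nessus Scan Information: the authoritative yes/no
                if "Credentialed checks : yes" in out:
                    entry["credentialed"] = True
                elif "Credentialed checks : no" in out:
                    entry["credentialed"] = False
            elif pid == "10395":  # SMB Shares Enumeration: tokenise, since "C$" is a substring of "IPC$"
                shares = set(out.split())
                entry["findings"] += [(pid, f"missing {s}") for s in REQUIRED_SHARES if s not in shares]
            entry["findings"] += [(pid, n) for n in FAILURE_INDICATORS.get(pid, []) if n in out]
        results[host.get("name")] = entry
    return results

# Constructed .nessus fragment (not real scan data): a successful Windows host and a failed Linux host.
SAMPLE = """<NessusClientData_v2><Report name="example">
 <ReportHost name="win01.example.test">
  <ReportItem port="0" pluginID="19506"><plugin_output>Credentialed checks : yes</plugin_output></ReportItem>
  <ReportItem port="445" pluginID="10395"><plugin_output>Shares available on the remote host:
  - ADMIN$
  - C$
  - IPC$</plugin_output></ReportItem>
 </ReportHost>
 <ReportHost name="lnx01.example.test">
  <ReportItem port="0" pluginID="19506"><plugin_output>Credentialed checks : no</plugin_output></ReportItem>
  <ReportItem port="0" pluginID="21745"><plugin_output>SSH was unable to login with any supplied credentials.</plugin_output></ReportItem>
  <ReportItem port="22" pluginID="10919"><plugin_output>Port 22 was detected as being open but is now unresponsive</plugin_output></ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""
```

Running `triage(SAMPLE)` reports win01 as credentialed with no findings and lnx01 as not credentialed with the 21745 and 10919 indicators; a host whose 19506 output has neither string is left as `None` so it is not silently counted as a success.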

Other plugins of interest:

1007758 – Compliance Check Test Error
  Review plugin output.

References