Configuring site-specific scan credentials

In this topic, you will learn how to set up and test credentials for a site, how to restrict them to a specific asset or port, and how to edit and enable the use of previously created credentials.

When configuring scan credentials in a site, you have two options: create a new set of site-specific credentials for the site, or enable a previously created set of credentials (site-specific or shared) for use in the site.

Note:  To learn about credential types, see Shared credentials vs. site-specific credentials.

Starting configuration for a new set of site-specific credentials

The first action in creating new site-specific scan credentials is naming and describing them. Think of a name and description that will help you recognize at a glance which assets the credentials will be used for. This will be helpful, especially if you have to manage many sets of credentials.

If you want to add credentials while configuring a new site, click the Create site button on the Home page.
OR
Click the Create tab at the top of the page and then select Site from the drop-down list.

If you want to add credentials for an existing site, click that site's Edit icon in the Sites table on the Home page.

Note:  If you created the site through the integration with VMware NSX, you cannot edit scan credentials, which are unnecessary because the integration provides Nexpose with the depth of access to target assets that credentials would otherwise provide. See Integrating NSX network virtualization with scans.

  1. Click the Authentication tab in the site configuration.
  2. Click Add Credentials.
  3. In the Add Credentials form, enter a name and description for the new set of credentials.
  4. Continue with configuring the account, as described in the next section.

Configuring the account for authentication

If you do not know what authentication service to select or what credentials to use for that service, consult your network administrator.

Note:  All credentials are protected with RSA encryption and triple DES encryption before they are stored in the database.

  1. Click Account under the Add Credentials tab.
  2. Select an authentication service or method from the drop-down list.
  3. Enter all requested information in the appropriate text fields.

Configuring an account for site credentials

  4. If you want to test the credentials or restrict them, see the following two sections. Otherwise, click Create.

The newly created credentials appear in the Scan Credentials table, which you can view by clicking Manage Authentication.

Testing the credentials

You can verify that a target asset in your site will authenticate the Scan Engine with the credentials you’ve entered. It is a quick method to ensure that the credentials are correct before you run the scan.

  1. In the Add Credentials form, expand the Test Credentials section by clicking the arrow.
  2. Enter the name or IP address of the authenticating asset.
  3. To test authentication on a single port, enter a port number.

Note:  If you do not enter a port number, the Security Console will use the default port for the service. For example, the default port for CIFS is 445.

  4. Click Test credentials.

Note:  If you are testing Secure Shell (SSH) or Secure Shell (SSH) Public Key credentials and you have assigned elevated permissions, both credentials will be tested. Credentials for authentication on the target are tested first, and a message appears if the credentials failed. Permission elevation failures are reported in a separate message. See Using SSH public key authentication.

  5. Note the result of the test. If it was not successful, review and change your entries as necessary, and test them again. The Security Console and scan logs contain information about authentication failure when testing or scanning with these credentials. See Working with log files.

A successful test of site credentials

  6. If you want to restrict the credentials to a specific asset or port, see the following section. Otherwise, click Create.

Limiting the credentials to a single asset and port

If a particular set of credentials is only intended for a specific asset and/or port, you can restrict the use of the credentials accordingly. Doing so prevents scans from running longer than necessary because of authentication attempts against assets that do not recognize the credentials.

If you restrict credentials to a specific asset and/or port, they will not be used on any other asset or port.

Specifying a port also lets you narrow the range of ports on which authentication is attempted in certain situations. For example, you may want to scan Web applications using HTTP credentials. To avoid attempting those credentials against every Web service in the site, restrict them to the relevant assets and the specific port the application listens on.

  1. Click Account under the Add Credentials tab.
  2. Enter only the host name or IP address of the asset that you want to restrict the credentials to.

OR
Enter the host name or IP address of the asset and the number of the port that you want to restrict the credentials to.

Note:  If you do not enter a port number, the Security Console will use the default port for the service. For example, the default port for CIFS is 445.

  3. When you have finished configuring the set of credentials, click Create.

Tip:  To verify successful scan authentication on a specific asset, search the scan log for that asset. If the message “A set of [service_type] administrative credentials have been verified.” appears with the asset, authentication was successful.
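Searching the scan log by hand works for one asset; for a whole site it is easier to parse the log once and list every target that never produced the "verified" message, since those assets were scanned unauthenticated. The script below is an added example and is not part of the Nexpose documentation or product. Only the "A set of [service_type] administrative credentials have been verified." message is quoted from the tip above; the line layout (`<timestamp> <level> [<asset>] <message>`), the failure and elevation wording, and the sample log lines are assumptions constructed for this example and should be adjusted to what your own scan log actually contains.

```python
"""
Check a Nexpose scan log for per-asset credential verification results.

Added example, not code from the Nexpose documentation or product. Only the
"A set of [service_type] administrative credentials have been verified."
message is quoted from the documentation; the line layout, the failure
wording and the sample log are assumptions constructed for this example.
"""
import re
from collections import defaultdict

# Quoted from the documentation; the console fills in the service type (CIFS, SSH, SSH Public Key, ...).
VERIFIED_RE = re.compile(
    r"^A set of (?P<service>[A-Za-z0-9 /\-]+?) administrative credentials have been verified\."
)
# Assumed wording for a failed credential test (not quoted from the product).
FAILED_RE = re.compile(r"^(?P<service>[A-Za-z0-9 /\-]+?) credentials failed")
# Assumed wording for the separate permission-elevation message (not quoted from the product).
ELEVATION_RE = re.compile(r"permission elevation failed", re.IGNORECASE)
# Assumed line layout: "<timestamp> <level> [<asset>] <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\[(?P<asset>[^\]]+)\]\s+(?P<msg>.*)$"
)

# Constructed sample log; only the "verified" messages follow the product's wording.
SAMPLE_LOG = """\
2024-03-01T10:00:01 INFO [10.0.0.5] A set of CIFS administrative credentials have been verified.
2024-03-01T10:00:02 WARN [10.0.0.6] SSH credentials failed: permission denied
2024-03-01T10:00:03 INFO [10.0.0.7] A set of SSH administrative credentials have been verified.
2024-03-01T10:00:04 WARN [10.0.0.7] Permission elevation failed: sudo requires a password
2024-03-01T10:00:05 INFO [10.0.0.8] Discovered web server on port 80
2024-03-01T10:00:06 INFO [10.0.0.9] A set of SSH Public Key administrative credentials have been verified.
"""


def parse_scan_log(log_text):
    """Return {asset: {service: status}} for every credential event found in the log."""
    results = defaultdict(dict)
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # not a log line in the assumed layout
        asset, msg = line["asset"], line["msg"]
        if (m := VERIFIED_RE.match(msg)):
            results[asset][m["service"]] = "verified"
        elif (m := FAILED_RE.match(msg)):
            results[asset][m["service"]] = "failed"
        elif ELEVATION_RE.search(msg):
            # Elevation is tested after the login itself and reported separately,
            # so the login can be "verified" while elevation still fails.
            results[asset]["elevation"] = "failed"
    return dict(results)


def credential_status(results, asset, service):
    """Status of one service's credentials on one asset: verified, failed or not attempted."""
    return results.get(asset, {}).get(service, "not attempted")


def unverified_assets(results, expected_assets):
    """Assets from the site's target list with no verified credentials of any service.

    These assets were scanned unauthenticated; review their credentials (or the
    asset/port restrictions on them) before trusting their scan results.
    """
    missing = []
    for asset in expected_assets:
        statuses = {svc: st for svc, st in results.get(asset, {}).items() if svc != "elevation"}
        if "verified" not in statuses.values():
            missing.append(asset)
    return missing


if __name__ == "__main__":
    parsed = parse_scan_log(SAMPLE_LOG)
    for asset, services in sorted(parsed.items()):
        print(asset, services)
    targets = ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9"]
    print("unverified:", unverified_assets(parsed, targets))
```

Feed the script the real scan log and the site's target list instead of the constructed sample; an asset that appears in `unverified_assets` but for which you did configure credentials is the one to re-test with Test credentials, paying attention to whether a restriction to another asset or port is what kept the credentials from being tried.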

Enabling a previously created set of credentials for use in a site

If a set of credentials is not enabled for a site, the scan will not attempt authentication on target assets with those credentials. Make sure to enable credentials if you want to use them.

  1. To enable credentials for an existing site, click that site's Edit icon in the Sites table on the Home page.
  2. Click the Authentication link in the Site configuration.

The Scan Credentials table lists any site-specific credentials that were created for the site or any shared credentials that were assigned to the site. For more information, see Shared credentials vs. site-specific credentials.

  3. Select the Enable check box for any set of credentials that you want to scan with.
  4. Click the Save button for the site configuration.

Enabling a set of credentials for a site

Editing a previously created set of site credentials

Note:  You cannot edit shared scan credentials in the Site Configuration panel. To edit shared credentials, go to the Administration page and select the manage link for Shared scan credentials. See Editing shared credentials that were previously created. You must be a Global Administrator or have the Manage Site permission to edit shared scan credentials.

The ability to edit credentials can be very useful, especially if passwords change frequently. You can only edit site-specific credentials in a Site Configuration panel.

  1. To edit credentials for an existing site, click that site's Edit icon in the Sites table on the Home page.
  2. Click the Authentication tab in the Site configuration.
  3. Click the hyperlink name of any set of credentials that you want to edit.
  4. Change the configuration as desired. For details, see the preceding sections on configuring the account, testing the credentials, and limiting them to a single asset and port.
  5. When you have finished editing the credentials, click Save.

Verifying scan credential authentication

  1. Upon completion of a scan, on the Scan Overview page, view the Completed Assets table.
  2. Locate the asset you have added credentials to.
  3. Look at the Authentication column for the located asset.
  4. For more information on the possible values, see Understanding credential authentication status in the next section.
  5. For more details, click on the status.

The Security Console will bring you to the Node Page.

  6. In the asset details, locate Credentials and click on the detail listed.
  7. The Security Console will bring you to the Services table.
  8. Under the Authentication column, the Security Console displays which credential succeeded or failed for each service.

Understanding credential authentication status

In the Authentication column, the Security Console displays one of the following statuses, which indicate the result of credential authentication on the asset: