Tenable Research Release Highlights

ibelyna
3 years ago

Nessus can now use Kerberos for DCOM Authentication

Summary

Nessus scans that are provided with Windows Kerberos credentials will now use the Kerberos protocol for authentication in plugins that use DCOM or WMI. Kerberos authentication has been available for a long time in Nessus for plugins that only use SMB. Prior to this change, the DCOM/WMI plugins would authenticate using NTLM even if only a Kerberos credential was provided. Microsoft Windows is abandoning NTLM due to security concerns and has recommended host and domain configuration that excludes the use of NTLM.

Change

This implementation of Kerberos for DCOM/WMI only supports the packet integrity authentication level (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY), which is the minimum required since Microsoft hardened DCOM to address CVE-2021-26414. If a server or service requires packet privacy (RPC_C_AUTHN_LEVEL_PKT_PRIVACY), Nessus will not be able to scan it.

Following the deprecation of SHA1 hashes, Kerberos will slowly be updated to use SHA2 hashes on Windows and other platforms. At this time, the Nessus implementation does not support SHA2-based checksums or encryption.

Future Tenable plans include upgrading the Nessus DCOM implementation to use packet privacy and upgrading the Nessus Kerberos implementation to use SHA2-based cryptography.

Target Release Date

Immediate

1 Reply

  • esearle
    Connect Contributor

    Will this also support Kerberos armoring, AKA FAST?

    We use the GPO setting "KDC support for claims, compound authentication for Dynamic Access Control and Kerberos armoring: Fail unarmored authentication requests"

    It appears that Nessus Professional is incapable of using compound authentication for Kerberos. This is also known as Flexible Authentication Secure Tunneling (FAST) for Kerberos.

    See MS Documentation at https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831747(v=ws.11) 

    And also https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/additional-mitigations#kerberos-armoring

    Can you confirm? If it does not support it, then how do we request this to be supported? This was available from MS back in 2012, over 10 years ago. 

    Thanks,

    Eli