Knowledge Base Article
Troubleshooting credentialed scanning on Windows
ISSUE
When running a credentialed scan on Windows, the Nessus Scanner cannot authenticate to the target.
CAUSE
Generally, this issue is due to one of the following conditions not having been met:
- The Windows Management Instrumentation (WMI) service must be enabled on the target. For more information, please see: Introduction to WBEMTEST. Additionally, ensure that TCP port 135 (the RPC endpoint mapper) and the dynamic RPC range 49152 through 65535 are open between the scanner and the target: the WMI/DCOM connection is set up through port 135 and then continues on a port the target picks from that range.
- The Remote Registry service must be enabled on the target.
- File & Printer Sharing must be enabled in the target's network configuration.
- An SMB account must be used that has local administrator rights on the target.
Note: A domain account can be used as long as that account is a local administrator on the devices being scanned.
- TCP ports 139 and 445 must be open between the Nessus Scanner and the target.
- Ensure that no security policies are in place that block access to these services. This can include:
- Windows Security Policies
- Antivirus or Endpoint Security rules
- IPS/IDS
- The default administrative shares must be enabled.
- These shares include:
- IPC$
- ADMIN$
- C$
- The setting that controls this is the AutoShareServer (Windows Server) or AutoShareWks (Windows Workstation) value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. The shares are created when the value is absent or set to 1; a value of 0 disables them.
- Windows 10 has the ADMIN$ disabled by default.
- For all other operating systems, these shares are enabled by default and can cause other issues if disabled. For more information, see http://support.microsoft.com/kb/842715/en-us
RESOLUTION
Testing from a Windows Host
These steps test connections to a target host using methods similar to those Nessus uses to perform credentialed checks. If these tests fail, the issue is most likely not with Nessus or the scan configuration but with the target's security settings. Run all commands from an elevated Command Prompt or PowerShell on a host in the same network as the target, never on the target itself. If possible, run them from the Nessus scanner host, since that exercises the same network path the scan uses.
Anonymous IPC$ login test
Test the IPC$ share without a username by using the following command. This command is similar to how Nessus checks the share.
Note: Change <Target_IP> to the target's IP address.
net use \\<Target_IP>\ipc$ "" /user:""
For example, for a target at 10.10.0.63:
net use \\10.10.0.63\ipc$ "" /user:""
If this fails (net use prints a "System error" line instead of "The command completed successfully.", and the scan reports "Failed to connect to the IPC$ share anonymously."), verify the following:
- Ensure SMB is set up correctly ("System error 53 has occurred. The network path was not found." means SMB on the target could not be reached at all)
- Double-check firewall settings
Note that current Windows versions reject anonymous (null) sessions by default, so "System error 5 has occurred. Access is denied." on this test does not by itself prevent credentialed scanning; the authenticated SMB logon test below is the decisive check.
SMB Log on Test
This is how Nessus tests the credentials to make sure it has access to the system.
Run the following commands from an elevated command prompt.
Note: Replace <username> and <password> with the credentials the scan is using. Also, change <Target_IP> to the target's IP address.
net use \\<Target_IP>\ipc$ /user:<username> <password>
net use \\<Target_IP>\admin$ /user:<username> <password>
These commands should return "The command completed successfully." If they do not:
- Check the credentials ("System error 1326 has occurred. The user name or password is incorrect." points here).
- Check that the account has sufficient privileges ("System error 5 has occurred. Access is denied." points here, in particular on admin$, which only local administrators can open).
Afterwards, disconnect the test sessions again using the /delete option of net use; a session that is still open under a different account causes "System error 1219" on the next attempt.
Remote Registry Test
Run the following command to check if the remote registry is running.
Note: Change <Target_IP> to the target's IP address.
reg query \\<Target_IP>\hklm
If this returns registry keys, the service is running and accessible. If it returns "ERROR: The network path was not found." the Remote Registry service is not running (or port 445 is blocked) and must be enabled. Note that reg query authenticates as the user running it unless an SMB session to the target is already open with the scanning account (for example from the net use test above), so run it in the same session as that test, before disconnecting, to exercise the scanning account.
WMI Troubleshooting and Test
From another Windows host that can reach the scan target over the network:
- Run wbemtest from the Start Menu.
- Click 'Connect' in the upper-right corner.
- In the Namespace field, enter the target namespace as '\\target_host_ip\root\cimv2'. Thus, if the scan target is located at 10.10.0.63, enter '\\10.10.0.63\root\cimv2'.
- In the Credentials section, enter the credentials of the scanning account. Use 'domain\username' syntax in the User field.
- Click Connect in the upper-right corner.
- If successful, the wbemtest window should list the namespace as \\target_host_ip\root\cimv2. In the IWbemServices section below, a number of buttons should appear.
- Click Query... and enter the following query exactly in the popup, then click Apply: 'select DomainRole from Win32_ComputerSystem'
- A Query Result window with a single entry reading 'Win32_ComputerSystem=<no key>' should appear. Double-click that entry.
- In the Instance of Win32_ComputerSystem window, scroll down in the Properties list. A DomainRole entry should appear with a value between 0 and 5 (0 standalone workstation, 1 member workstation, 2 standalone server, 3 member server, 4 backup domain controller, 5 primary domain controller).
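The four tests above (ports, anonymous and authenticated IPC$/ADMIN$ binds, Remote Registry, and the WMI DomainRole query over DCOM) can be run in one pass from the scanning side. The script below is an added example written for this article; it is not Tenable's code and not part of the original page. It assumes Windows PowerShell 5.1 on a host other than the target, is assumed to be saved as Test-ScanTarget.ps1, and takes the scanning account as a PSCredential.

```powershell
# Added example, not part of the original article or Tenable's tooling. Run from an
# elevated Windows PowerShell 5.1 prompt on a host other than the target (ideally the
# Nessus scanner). Assumed file name: Test-ScanTarget.ps1.
param(
    [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9.-]+$')] [string] $TargetIP,
    # Scanning account, e.g. (Get-Credential 'DOMAIN\scanuser')
    [Parameter(Mandatory)] [pscredential] $Credential
)

$results = [ordered]@{}
$user    = $Credential.UserName
$pass    = $Credential.GetNetworkCredential().Password   # note: embedded '"' in the password breaks net.exe quoting

# 1. Ports the credentialed checks need: 135 (RPC endpoint mapper, used by WMI/DCOM),
#    139 and 445 (SMB). The dynamic range 49152-65535 is exercised by the WMI step below.
foreach ($port in 135, 139, 445) {
    $tnc = Test-NetConnection -ComputerName $TargetIP -Port $port -WarningAction SilentlyContinue
    $results["tcp/$port open"] = $tnc.TcpTestSucceeded
}

# 2. Anonymous IPC$ bind. '--%' passes the empty password and empty /user: verbatim,
#    exactly as typed at a Command Prompt. Current Windows rejects null sessions by
#    default, so a failure here is informational only.
& { net use "\\$TargetIP\ipc`$" --% "" /user:"" } *> $null
$results['IPC$ anonymous'] = ($LASTEXITCODE -eq 0)
net use "\\$TargetIP\ipc`$" /delete /y *> $null

# 3. Authenticated IPC$ bind with the scanning account. The session is kept open while
#    reg.exe runs so that the Remote Registry query reuses these credentials rather than
#    those of the interactive user.
net use "\\$TargetIP\ipc`$" $pass "/user:$user" *> $null
$results["IPC$ as $user"] = ($LASTEXITCODE -eq 0)

# 4. Remote Registry: the same query the article uses; exit code 0 means keys came back.
reg query "\\$TargetIP\HKLM" *> $null
$results['Remote Registry reachable'] = ($LASTEXITCODE -eq 0)

# 5. ADMIN$ bind with the scanning account (only local administrators can open it).
net use "\\$TargetIP\admin`$" $pass "/user:$user" *> $null
$results["ADMIN$ as $user"] = ($LASTEXITCODE -eq 0)

# Always drop both sessions; a lingering session under another account produces
# "System error 1219" on the next test run.
foreach ($share in 'ipc$', 'admin$') { net use "\\$TargetIP\$share" /delete /y *> $null }

# 6. WMI over DCOM (what wbemtest does; not WinRM) with the scanning credentials.
$roleNames = @{ 0 = 'Standalone Workstation'; 1 = 'Member Workstation'; 2 = 'Standalone Server';
                3 = 'Member Server'; 4 = 'Backup Domain Controller'; 5 = 'Primary Domain Controller' }
$session = $null
try {
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $TargetIP -Credential $Credential -SessionOption $opt -ErrorAction Stop
    $cs      = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem -ErrorAction Stop
    $results['WMI DomainRole'] = "$($cs.DomainRole) ($($roleNames[[int]$cs.DomainRole]))"
} catch {
    $results['WMI DomainRole'] = "FAILED: $($_.Exception.Message)"
} finally {
    if ($session) { Remove-CimSession $session }
}

[pscustomobject]$results | Format-List
```

Invoke it as `.\Test-ScanTarget.ps1 -TargetIP 10.10.0.63 -Credential (Get-Credential 'DOMAIN\scanuser')`. A closed port in step 1 points at the network or a host firewall; step 3 or 5 failing with the ports open points at the account or UAC remote restrictions; step 6 failing on its own points at WMI, DCOM permissions, or the dynamic RPC range.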
If the test above failed, do the following on the scan target:
WMI Troubleshooting steps
- Ensure that the WMI service is enabled and running.
- Ensure the scan user has access to the root/CIMV2 namespace:
- Open wmimgmt.msc.
- In the left-hand panel, right-click WMI Control (Local) and choose Properties.
- Click the Security tab, expand the Root folder, and select the CIMV2 folder. Click the Security button.
- In the 'Security for ROOT/CIMV2' window, click the Advanced button.
- Confirm that the scanning account, or a group which it belongs to, is listed in this window. Click on the relevant entry and click the View button.
- Confirm that the permissions entry covering the scanning account has both the Enable Account and Remote Enable permissions set.
- Add the scanning account to the Distributed COM Users group on the scan target. (Members of the local Administrators group already hold the required DCOM permissions; this step matters when the account is not a local administrator.)
- Alternatively, open Component Services (dcomcnfg) from the Start Menu.
- In the left panel, expand Component Services, then Computers, and right-click on My Computer. Select Properties.
- In the COM Security tab of the My Computer Properties window, click the Edit Limits button in the Access Permissions section. Ensure that the scanning account has all permissions.
- Repeat the previous step with the Edit Limits option under the Launch and Activation Permissions section.
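The prerequisites from the CAUSE section and the WMI troubleshooting steps above can be verified on the target itself without clicking through the MMC snap-ins. The script below is an added example written for this article, not Tenable's code. It assumes Windows PowerShell 5.1 in an elevated prompt on the scan target, the English names of the built-in firewall rule groups and local groups, a scanning account given as DOMAIN\user or HOST\user, and is assumed to be saved as Test-ScanTargetPrereqs.ps1.

```powershell
# Added example, not part of the original article or Tenable's tooling. Run from an
# elevated Windows PowerShell 5.1 prompt ON THE SCAN TARGET (not on a domain controller,
# which has no local groups). Assumed file name: Test-ScanTargetPrereqs.ps1.
param([Parameter(Mandatory)] [string] $ScanAccount)   # e.g. 'DOMAIN\scanuser'

$findings = [System.Collections.Generic.List[string]]::new()

# Services: WMI, Remote Registry, and Server (LanmanServer, which publishes the admin shares).
foreach ($svc in 'Winmgmt', 'RemoteRegistry', 'LanmanServer') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { $findings.Add("service $svc not found"); continue }
    if ($s.Status -ne 'Running') { $findings.Add("service $svc is $($s.Status) (start type $($s.StartType))") }
}

# Administrative shares. AutoShareServer/AutoShareWks disable them when present and 0;
# an absent value means the shares are created.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    $v = (Get-ItemProperty -Path $lanman -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v -and $v -eq 0) { $findings.Add("$name is 0: administrative shares are disabled") }
}
$present = @(Get-SmbShare -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
foreach ($share in 'IPC$', 'ADMIN$', 'C$') {
    if ($present -notcontains $share) { $findings.Add("administrative share $share is not present") }
}

# Host firewall: at least one enabled inbound rule in each group the scan relies on.
# (Group display names assumed for an English Windows installation.)
foreach ($group in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
    $enabled = @(Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
    if ($enabled.Count -eq 0) { $findings.Add("no enabled inbound firewall rule in group '$group'") }
}

# Local group membership. Only direct members are listed; nested groups are not resolved.
function Test-LocalGroupMember([string] $Group, [string] $Account) {
    $members = @(Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue | ForEach-Object Name)
    return ($members -contains $Account)
}
$isAdmin = Test-LocalGroupMember 'Administrators' $ScanAccount
if (-not $isAdmin) {
    $findings.Add("$ScanAccount is not a direct member of Administrators (nested membership not resolved)")
    # Administrators already hold DCOM rights; otherwise Distributed COM Users is required.
    if (-not (Test-LocalGroupMember 'Distributed COM Users' $ScanAccount)) {
        $findings.Add("$ScanAccount is not a member of Distributed COM Users")
    }
}

# root/cimv2 namespace DACL: the account needs Enable Account (0x1) and Remote Enable (0x20),
# directly or through a group. Only direct allow ACEs are inspected here.
$WBEM_ENABLE = 0x1; $WBEM_REMOTE_ACCESS = 0x20
$sd = Invoke-WmiMethod -Namespace 'root/cimv2' -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($sd.ReturnValue -ne 0) {
    $findings.Add("GetSecurityDescriptor on root/cimv2 failed with return value $($sd.ReturnValue)")
} else {
    $mask = 0
    foreach ($ace in @($sd.Descriptor.DACL)) {
        if ($ace.AceType -eq 0 -and "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" -eq $ScanAccount) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    $needed = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    if ($mask -eq 0) {
        $findings.Add("no direct ACE for $ScanAccount on root/cimv2 (rights may still come from Administrators or another group)")
    } elseif (($mask -band $needed) -ne $needed) {
        $findings.Add("ACE for $ScanAccount on root/cimv2 lacks Enable Account and/or Remote Enable (mask 0x$('{0:X}' -f $mask))")
    }
}

if ($findings.Count -eq 0) { 'All checked prerequisites are met.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it as `.\Test-ScanTargetPrereqs.ps1 -ScanAccount 'DOMAIN\scanuser'`. The group and namespace checks report only direct entries, so a "not a direct member" or "no direct ACE" finding for an account that is nested through a domain group is expected and should be confirmed through the wmimgmt.msc dialog described above rather than treated as a failure.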
Testing from a Linux Host
The program smbclient can be used as an alternative test when the Nessus scanner runs on a Linux system and scans a Windows-based host. To install smbclient on a Red Hat-based system, run the following command as root (on Debian-based systems the package is called smbclient):
yum install samba-client
To test the IPC$ share, use the following command. This command is similar to how Nessus checks the share.
Note: Change <Target_IP> to the target's IP address. Change <username> and <password> to the credentials that Nessus uses. For a domain account, pass the domain with -W <Domain> or write the user as <Domain>/<username>.
smbclient //<Target_IP>/IPC$ -U <username>%'<password>'
- If this returns "smb: \>", then the credentials and permissions work.
- If this returns "session setup failed: NT_STATUS_LOGON_FAILURE", then:
- Check the credentials.
- Check that the account has sufficient privileges.
- If this returns "session setup failed: NT_STATUS_ACCESS_DENIED", the credentials were accepted but the account is not permitted to log on over the network; check the account's privileges and the security policies listed under CAUSE.
- If this returns "Connection to <Target_IP> failed" (for example with NT_STATUS_CONNECTION_REFUSED or NT_STATUS_IO_TIMEOUT), smbclient could not reach SMB at all; check that port 445 is open between the scanner and the target.
Still Having Issues
If you continue to have authentication issues after completing this process, open a case with Technical Support providing the following information:
- A detailed description of what troubleshooting steps have already been tried
- A Nessus DB. For more information, see Collecting nessus.db Scan Results from Tenable Products
ADDITIONAL RESOURCES
Microsoft - Net use
ServerFault - Windows shares via command line with user/pass, without mapping the drive?
TechRepublic - Use the PushD & PopD commands for quick network drive mapping in Windows 7
Nessus - Credentialed Checks on Windows
smbclient man page