Successful Login: Windows

• 24269 - WMI Available
• 10394 - Microsoft Windows SMB Log In Possible
• 10400 - Microsoft Windows SMB Registry Remotely Accessible
• 10428 - Microsoft Windows SMB Registry Not Fully Accessible Detection
• 57033 - Microsoft Patch Bulletin Feasibility Check
• ​20811 - Microsoft Windows Installed Software Enumeration (credentialed check)
• 26921 - Windows Service Pack Out-of-Date
• 34252 - Microsoft Windows Remote Listeners Enumeration (WMI)
• 35703 - SMB Registry : Start the Registry Service during the scan
• 35704 - SMB Registry : Stop the Registry Service after the scan
• 24272 - Network Interfaces Enumeration (WMI)
• 19506 - Nessus Scan Information (Settings)*

*Note: For 19506, "Credentialed Checks: yes" in the output indicates a successful scan

Successful Login: Linux

• 22869 - Software Enumeration (SSH) (General)
• 12634 - Authenticated Check: OS Name and Installed Package Enumeration (Settings)
• 25221 - Remote listener enumeration (Linux / AIX)
• 33851 - Network daemons not managed by the package system
• 19506 - Nessus Scan Information (Settings)*

*Note: For 19506, "Credentialed Checks: yes" in the output indicates a successful scan

Oracle Database

• 22073 - Oracle Database Detection
• 10658 - Oracle Database tnslsnr Service Remote Version Disclosure
• 11219 - Nessus SYN scanner* OR 14272 - Netstat Portscanner (SSH)*

*Note: These port scanners are used to determine which port the Oracle Database service was found on

​Login Failure/Permission Failure

• 11149 - HTTP login page: Provides a means for HTTP login info, but it also returns login failures when an error occurs.
• 21745 - OS Security Patch Assessment Failed: See More Information below.
• 24786 - Nessus Windows Scan Not Performed with Admin Privileges: This means the account provided for Windows did not have administrator privileges on the scanned host.
• 26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry: This means the target's registry was not available. This is most likely caused by the Remote Registry setting not being configured correctly either in the scan policy or on the target.
• 35705 - SMB Registry : Starting the Registry Service during the scan failed: Indicates failure to start the Remote Registry service on the target.
• 35706 - SMB Registry : Stopping the Registry Service after the scan failed: Indicates failure to stop the Remote Registry service on a target after a scan.

More information for plugin 21745 - OS Security Patch Assessment Failed

The plugin 21745 error "unable to create a socket" indicates that Nessus was unable to connect to the system. In this case, it means Nessus was unable to successfully complete the TCP handshake on port 445. This could be for a number of reasons:

• Nessus is unable to connect due to network issues
• A network or host- based firewall is blocking the connection attempts
• Due to network latency, a timeout is reached before the connection occurs
• The user that started the scan does not have permission to scan the given host and/or port

If the user sees this error in plugin 21745 every time authentication fails for a given host, that likely means Nessus is having connection issues due to one of the conditions listed above. Nessus users have no host or port restrictions by default, so this can only occur if an admin explicitly put such a restriction in place. To determine if this is the case, view the rules file.

To find the rules file:

• Log into Nessus as an administrator.
• Select Configuration > Advanced Settings.
• Scroll down to the rules setting.

Note: If Nessus has too many open sockets during a scan, an error message may indicate this problem in nessusd.dump or nessusd.messages.

Local Authentication

These plugins authenticate to the remote host, gather the information necessary for local checks, and enable local checks. Their output and audit trails provide details of any problems that were encountered.

• 97993 - OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library): Enables local checks over SSH.
• 12634 - Authenticated Check : OS Name and Installed Package Enumeration: Enables local checks over SSH.
• 10394 - Microsoft Windows SMB Log In Possible: Enables local checks over SMB.
• 19762 - SNMP settings: Enables local checks over SNMP.
• 73204 - Citrix NetScaler Version Detection: Enables local checks over SSH, SNMP, or NTP.
• 72816 - Palo Alto Networks PAN-OS Version Detection: Enables local checks over HTTP if not already enabled over SSH.
• 57399 - VMware vSphere Installed Patches: This gathers info via the HTTPS SOAP API which triggers other plugins to enable local checks.
• 57400 - VMware vSphere Installed VIBs: This gathers info via the HTTPS SOAP API which triggers other plugins to enable local checks.

Third-party Local Checks

These plugins gather information about the host from a third party and enable local checks.

• 80860 - Patch Management: Get Packages from Symantec Altiris: Enables "local" checks via Symantec Altiris.
• 65703 - Patch Management: HCL BigFix Get Installed Packages: Enables "local" checks via IBM BigFix (previously known as Tivoli Endpoint Manager).
• 84231 - Patch Management: Red Hat Satellite Get Installed Packages: Enables "local" checks via Red Hat Satellite 6.
• 84238 - Patch Management: Red Hat Satellite Server Settings: Enables "local" checks via Red Hat Satellite 5.
• 63062 - VMware vCenter Data Collection: Enables "local" checks via VMware vCenter.

Windows Access Checks

These plugins check for the required privileges/access for Windows local checks and set required KB entries in order for Windows local checks to be performed.

• 10400 - Microsoft Windows SMB Registry Remotely Accessible: Logs registry access issues that prevent local checks from being enabled.
• 10428 - Microsoft Windows SMB Registry Not Fully Accessible Detection: Tests registry access and sets "SMB/registry_full_access" if successful.
• 13855 - Microsoft Windows Installed Hotfixes: Logs registry and share access issues that prevent local checks from being enabled.
• 57033 - Microsoft Patch Bulletin Feasibility Check: Sets the flag "SMB/MS_Bulletin_Checks/Possible" based on the results on plugin 13855.

Summarize Specific Auth / Local Checks Issues

These plugins provide summaries of particular types of auth / local checks issues that have been reported by other plugins and report the plugins that encountered these issues.

• 102094 - SSH Commands Require Privilege Escalation: Reports commands that failed due to lack of privilege escalation or due to failed privilege escalation. Commands reported here may not have prevented local checks from running but may have caused the plugin associated with each command to fail to produce the expected output. This causes authentication to report as successful, but with insufficient access.
• 110695 - OS Security Patch Assessment Checks Not Supported: Reports that local checks were unavailable for the identified device or operating system and includes the report of the plugin that logged the unavailability of local checks. In this case, the credentials may be correct and login may have been successful, but checks cannot be run against the host for another reason, such as if the target is an OS type for which there is no plugin support.
• 150799 - Target Access Problems by Authentication Protocol - Maximum Privilege Account Used in Scan: Reports that log in was successful and that the credentials can escalate to the highest level of privilege possible on the host, but that the scanner still encountered permissions issues while scanning. For more information on this plugin, please see the related Research Highlight.

Summarize Authentication Status

These plugins provide summaries of the overall authentication status for the target. A given target should trigger at least one of these plugins.

• 141118 - Target Credential Status by Authentication Protocol - Valid Credentials Provided: Reports protocols with successful authentication. This identifies that the protocols specified were able to authenticate to the target successfully at least once. This may be paired with other plugins.
• 110095 - Target Credential Issues by Authentication Protocol - No Issues Found: Reports protocols with successful authentication and no reported privilege/access issues.
• 110385 - Target Credential Issues by Authentication Protocol - Insufficient Privilege: Reports protocols with successful authentication that also had privilege/access issues logged for the successful credentials.
• 104410 - Target Credential Status by Authentication Protocol - Failure for Provided Credentials: Reports protocols with only authentication failures.
• 110723 - Target Credential Status by Authentication Protocol - No Credentials Provided: Reports protocols that were detected in the scan as available for authentication but that did not have credentials provided to attempt authentication with.
• 117885 - Target Credential Issues by Authentication Protocol - Intermittent Authentication Failure: Reports protocols with successful authentication that also had subsequent authentication failures logged for the successful credentials.

Notes:

• A given target usually triggers at least one of these unless no services are detected supporting protocols that Nessus uses for authentication. Audit trails should indicate this.
• Authentication status is reported per protocol. This means if there are multiple authentication protocols available on the target with different authentication statuses, it is possible to see both Authentication Success and Authentication Failure.
• For a given protocol, if both access/privilege problems were encountered and service/authentication problems were encountered, it is possible to see both plugins 110385 and 117885.

Summarize Local Checks Status

These plugins provide summaries of overall local checks status for the target. In the case of issues or errors logged by previous plugins, these plugins provide a list of the issues/errors logged along with the reporting plugin and protocol if available.

• 21745 - OS Security Patch Assessment Failed: Reports that local checks were not enabled due to an error/failure and lists the details of the errors/failures. Focus on "Local Checks Not Run" rather than the "Authentication Failure" section. While authentication failure is one failure that can cause local checks be disabled, there are many other types of errors and failures that prevent enabling local checks.
• 117886 - OS Security Patch Assessment Not Available: Reports that local checks were not enabled for an informational reason and lists details.
• 117887 - OS Security Patch Assessment Available: Reports that local checks were enabled. If available, this includes the account and protocol used for local checks.

ADDITIONAL RESOURCES

An additional list of plugins useful for troubleshooting Nessus scans can be found here.