# Nessus

## Authenticated/Credentialed Scan

### Enable Administrative Shares

When credentials are supplied as a username and password, Nessus first attempts an anonymous SMB login to the IPC$ share to check that SMB is running on the target. It then uses the supplied credentials against the IPC$ and ADMIN$ shares to verify them, and scans the file system for vulnerabilities.

```
Anonymous IPC$ login to test SMB service:
net use \\<Target_IP>\ipc$ "" /user:""

Credential check using SMB:
net use \\<Target_IP>\admin$ /user:<username> <password>

You can also browse to \admin$ in Windows Explorer on the target machine to check
whether the account is a local administrator.
```

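Note: The account provided to Nessus must be a local administrator on the target machine. For local (non-domain) accounts, UAC remote restrictions strip the administrator token from network logons, so access to ADMIN$ fails even with valid credentials; setting LocalAccountTokenFilterPolicy to 1 disables that filtering.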

```
// Open cmd.exe as administrator.

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
```

### Enable RemoteRegistry Service

Nessus reads the registry remotely to find deprecated software information. Enable the RemoteRegistry service (Manual start is sufficient) so that Nessus can start it for the scan and stop it afterwards.

```
// Enable the service and set it to Manual start

sc config RemoteRegistry start= demand
```

### Enable "File & Printer Sharing"

```
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
```

Restrict the firewall rules so that only the Nessus scanner's IP address can connect to the target machine.
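
The prerequisites above can be verified on the target before a scan. The following read-only PowerShell check is an added example, not part of the original playbook or of Tenable's tooling. The function name `Test-NessusScanPrereqs` is hypothetical, `192.0.2.10` is a placeholder scanner address, and the firewall group name assumes an English-language Windows install.

```powershell
# Added example: read-only audit, run in an elevated PowerShell session on the target.
# Test-NessusScanPrereqs is a hypothetical name; 192.0.2.10 is a placeholder scanner IP.
function Test-NessusScanPrereqs {
    param([string]$ScannerIp = '192.0.2.10')

    # 1. UAC remote restrictions lifted for local accounts (value must be 1).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $latfp = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    [pscustomobject]@{ Check = 'LocalAccountTokenFilterPolicy'
                       Pass = ($latfp -eq 1); Detail = "value=$latfp" }

    # 2. RemoteRegistry must not be Disabled (Manual is enough for Nessus to start it).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    [pscustomobject]@{ Check = 'RemoteRegistry start mode'
                       Pass = [bool]($svc -and $svc.StartMode -ne 'Disabled')
                       Detail = "StartMode=$($svc.StartMode)" }

    # 3. At least one enabled inbound rule in the File and Printer Sharing group.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    [pscustomobject]@{ Check = 'File and Printer Sharing enabled'
                       Pass = ($rules.Count -gt 0); Detail = "$($rules.Count) inbound rule(s) enabled" }

    # 4. Every enabled inbound rule should accept traffic from the scanner IP only.
    #    The three spellings below are the single-host forms the firewall may store.
    $allowed = @($ScannerIp, "$ScannerIp/32", "$ScannerIp/255.255.255.255")
    $tooBroad = @(foreach ($rule in $rules) {
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        if (@($remote | Where-Object { $_ -notin $allowed }).Count -gt 0) {
            "$($rule.DisplayName) [$($remote -join ',')]"
        }
    })
    [pscustomobject]@{ Check = 'Rules scoped to scanner IP'
                       Pass = ($rules.Count -gt 0 -and $tooBroad.Count -eq 0)
                       Detail = ($tooBroad -join '; ') }
}

Test-NessusScanPrereqs | Format-Table -AutoSize -Wrap
```

A failing fourth check lists each rule whose remote address is wider than the scanner, such as `Any` or `LocalSubnet`.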



