Manage Network Scanner credentials - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-11
Category: Administrator Guide

An authenticated scan provides a more comprehensive view of system vulnerabilities by examining the target both externally, via the network, and internally, using valid user credentials. For an authenticated scan, the scanner logs into the target system using pre-configured user credentials, which are used to authenticate to various services on the target.

The scanner tries credentials on all targets that run a corresponding service. For example, SSH credentials are tried if the scanner detects an SSH server. You can add multiple credentials of the same type to a scan, and the scanner will try to authenticate with them one at a time until authentication is successful.

Scan results might be limited by the permissions associated with these user accounts.

Add credentials for authenticated scans

Complete this task to add and save credentials to be used for authenticated network scans.

Prerequisites

Before initiating an authenticated scan, complete the following prerequisites on your target hosts:

  1. Create dedicated service accounts.

    We highly recommend creating dedicated service accounts on your target devices specifically for the network scanner. Avoid using existing administrative accounts or personal user accounts. This practice enhances security by limiting the potential impact if the credentials are ever compromised and allows for granular control and auditing of scanner activities.

  2. Ensure that required access rights are configured and remote access is enabled.

    The service accounts must have the necessary permissions to collect system information and perform vulnerability checks remotely. Additionally, the respective remote access protocols must be enabled on the target devices.

    For Windows Targets (SMB/WinRM): Follow the guidelines in the Get started with Cortex Network Scanner section.

    For Linux Targets: The service account must have permissions to execute commands via SSH.

    • Ensure the SSH daemon (sshd) is running on the target device.

    • Verify that password authentication (or public key authentication, if configured) is enabled for the service account in the sshd_config file (typically located at /etc/ssh/sshd_config).

  3. Verify firewall and network security device configuration.

    Remote access traffic must not be blocked by any firewalls (host-based or network-based) or other network security devices (e.g., intrusion prevention systems, network access control).

    For Windows Targets:

    • Windows Defender Firewall: Ensure inbound rules are configured to allow traffic for "File and Printer Sharing" (TCP ports 139, 445) and/or "Windows Remote Management" (TCP port 5985 for HTTP, 5986 for HTTPS).

    • Network Firewalls: If there's a network firewall between the scanner and the target, ensure that TCP ports 139, 445, 5985, and 5986 are open for communication from the scanner's IP address to the target's IP address.

    For Linux Targets:

    • Host-based Firewall (e.g., ufw, firewalld): Ensure that SSH traffic (TCP port 22) is allowed. For example, using ufw: sudo ufw allow ssh.

    • Network Firewalls: Ensure that TCP port 22 is open for communication from the scanner's IP address to the target's IP address.
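The Linux target prerequisites above can be checked on the host before a credential is saved. The following is an added example, not part of the Cortex XDR documentation or product: it reads the effective settings that `sshd -T` prints and reports whether the chosen authentication method is enabled and whether the account is excluded by AllowUsers or DenyUsers. The account name `svc_scanner`, the scanner host and address, and the function name are assumptions; only exact user names are matched, so wildcard patterns and group-based rules need a manual look.

```shell
#!/bin/sh
# Added example. Reads the effective sshd settings printed by `sshd -T` on stdin.
# On the target (account name, scanner host and address are placeholders):
#   sudo sshd -T -C user=svc_scanner,host=scanner.example,addr=192.0.2.10 |
#       check_sshd_auth svc_scanner password
check_sshd_auth() {
    account=$1   # dedicated scanner service account (hypothetical name)
    method=$2    # "password" or "publickey", matching the saved credential type
    awk -v acct="$account" -v method="$method" '
        # Drop an optional @host suffix from an AllowUsers/DenyUsers entry.
        function user_of(p) { sub(/@.*/, "", p); return p }
        # sshd -T prints one lowercase keyword per line, then its value(s).
        $1 == "port"                   { ports = ports (ports ? "," : "") $2 }
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "pubkeyauthentication"   { pk = $2 }
        $1 == "allowusers" { has_allow = 1
                             for (i = 2; i <= NF; i++) if (user_of($i) == acct) allowed = 1 }
        $1 == "denyusers"  { for (i = 2; i <= NF; i++) if (user_of($i) == acct) denied = 1 }
        END {
            ok = 1
            if (method == "password" && pw != "yes") {
                print "FAIL passwordauthentication is " (pw ? pw : "unset"); ok = 0 }
            if (method == "publickey" && pk != "yes") {
                print "FAIL pubkeyauthentication is " (pk ? pk : "unset"); ok = 0 }
            if (method != "password" && method != "publickey") {
                print "FAIL unknown method " method; ok = 0 }
            if (denied) { print "FAIL " acct " is listed in DenyUsers"; ok = 0 }
            if (has_allow && !allowed) {
                print "FAIL AllowUsers is set and does not name " acct; ok = 0 }
            # The port reported here is the one to enter in the credential form.
            print "INFO sshd port(s): " (ports ? ports : "unset")
            verdict = ok ? "PASS " : "BLOCKED "
            print verdict acct " via " method
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample of `sshd -T` output, so the check can be tried offline.
SAMPLE_OK='port 22
passwordauthentication yes
pubkeyauthentication yes
allowusers admin
allowusers svc_scanner@192.0.2.10'
printf '%s\n' "$SAMPLE_OK" | check_sshd_auth svc_scanner password
```

A non-zero exit status means the saved credential would be rejected by sshd regardless of whether the password or key is correct.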

How to add credentials for authenticated scans

Add and save the credentials to be used for authenticated scans on the Credential Management page.

  1. Navigate to Settings → Configurations → Network Scanners → Credential Management.

    The Credential Management page lists all of your saved credentials.

  2. Click + Add Credentials in the upper right.

  3. Provide information in the following fields:

    • Name: Provide a descriptive name for this set of credentials.

    • Description: Optionally, provide a description.

    • Service: Select one of the service and credential types from the dropdown menu and add the credentials:

      • SSH (Username/Password): Requires username, password, port.

      • SSH (Username/SSH Key): Requires username, passphrase (optional), port. You will also upload your private SSH key in PEM or OpenSSH format.

      • SMB: Requires username and password.

      • ESXI: Requires a VMware vSphere UI username and password.

  4. Click Save Credential. Your new credentials will appear in the list on the Credential Management page.

Note

For security reasons, you cannot edit saved credentials, but you can delete them and create new ones as needed.

Test saved credentials

Cortex Network Scanner provides a convenient method for validating stored authentication credentials against target hosts. This functionality ensures that the credentials are valid and can be successfully used for authenticated scans.

When testing credentials, you'll specify one or more scanners and target hosts. Cortex Network Scanner will attempt to log in to the hosts with the credentials and report back the results, without scanning for vulnerabilities. You can view credential test history and test results for each set of credentials.

The solution supports authentication testing via SSH and SMB protocols.

How to test saved credentials

  1. Navigate to Settings → Configurations → Network Scanning → Credential Management.

  2. Right-click on a credential in the table, and select Test Credential.

  3. Provide the following information on the Test Credentials dialog box:

    1. Network: Select a network to be scanned.

    2. Network Scanner(s): Select one or more Cortex Network Scanners.

    3. Configure the targets by selecting previously defined target groups or manually adding and excluding targets.

      • Select Target Groups: Select one or more previously saved Target Groups from the drop-down menu.

        Or

      • Manually Add Targets: List the targets to be scanned. Targets can be IP addresses, IP ranges, CIDR ranges, or hostnames.

        Manually Exclude Targets: (Optional) List the targets to be excluded from the scan.

View credential test history and results

You can view the test history for each credential. For each entry in the history table, you can also view the credential test results, which include the list of target IP addresses and whether the credential succeeded or failed for each target. Perform the following steps to view the credential test history and credential test results.

  1. Navigate to Settings → Configurations → Network Scanning → Credential Management.

  2. In the Credential Management table, click on the credentials you want to test.

    The Credential Test History page will open.

  3. To view the test results for one of the credential test history entries, click on that row in the table.

    The Credential Test Results page will open, which displays the list of targets that the credentials were tested on and whether each test was successful or not.