The Nessus vulnerability scanner from Tenable is a widely known tool for vulnerability assessment of networks and devices such as workstations, network gear, and servers. Tenable sells a separate Active Directory security product, Tenable.ad, but one capability of Nessus itself (and of Tenable.io, the enterprise offering) that is rarely discussed is scanning the Active Directory configuration for vulnerabilities.
Vulnerability Coverage
Included in Nessus is a scan template called “Active Directory Starter Scan”. Detailed information on this template is surprisingly hard to find; according to a Tenable blog post, however, the scan runs the following ten checks against your Active Directory configuration:
- Kerberoasting: A Domain Admins or Enterprise Admins member has a service principal name (SPN) set, so a service ticket for it can be requested by any domain user and cracked offline
- Weak Kerberos encryption: Kerberos encryption is too weak on a user account, leading to potential credential theft
- Kerberos pre-authentication validation: Kerberos pre-authentication is disabled on a user account (AS-REP roasting), leading to potential credential theft
- Non-expiring account password: A user account is configured so that its password never expires
- Unconstrained delegation: Unconstrained delegation is allowed on a computer account, allowing potential credential theft
- Null sessions: Anonymous Logon or Everyone is a member of “Pre-Windows 2000 Compatible Access”, allowing null session attacks
- Kerberos KRBTGT: The KRBTGT account password (the Kerberos master key) is too old and could be used as a backdoor through forged tickets
- Dangerous trust relationship: No security mechanism (SID filtering or selective authentication) is enabled on a trust relationship, allowing lateral movement across AD domains
- Primary Group ID integrity: A potential backdoor using a non-standard primaryGroupID has been found on a user account
- Blank passwords: A user account may authenticate to the domain with a blank password
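The list above is useful only if you can verify what the scanner reports. The following PowerShell is an added example, not Tenable's code and not part of the original post: it approximates each of the ten checks with direct Active Directory queries so a finding can be confirmed (or a false positive ruled out) by hand. It assumes the RSAT ActiveDirectory module and read access to the domain; the KRBTGT age threshold (180 days) and the interpretation of "weak" as DES-enabled are my assumptions, since Tenable's exact logic is not published on this page.

```powershell
# Added example: manual equivalents of the Active Directory Starter Scan checks.
# Not Tenable's implementation; thresholds and bit interpretations are assumptions.
Import-Module ActiveDirectory

$MATCH_BITS = '1.2.840.113556.1.4.803'    # LDAP bitwise-AND matching rule
$IN_CHAIN   = '1.2.840.113556.1.4.1941'   # transitive (nested) group membership

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Subject, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Subject = $Subject; Detail = $Detail })
}

# 1. Kerberoasting: privileged (nested) group members that carry an SPN
foreach ($grp in 'Domain Admins', 'Enterprise Admins') {
    $dn = (Get-ADGroup -Identity $grp -ErrorAction SilentlyContinue).DistinguishedName
    if (-not $dn) { continue }   # Enterprise Admins only exists in the forest root domain
    Get-ADUser -LDAPFilter "(&(servicePrincipalName=*)(memberOf:$IN_CHAIN:=$dn))" -Properties servicePrincipalName |
        ForEach-Object { Add-Finding 'Kerberoasting' $_.SamAccountName "$grp member with SPN $($_.servicePrincipalName -join ',')" }
}

# 2. Weak Kerberos encryption (assumed: DES), via UAC USE_DES_KEY_ONLY (0x200000)
#    or msDS-SupportedEncryptionTypes bits 0x1/0x2 (DES-CBC-CRC, DES-CBC-MD5)
Get-ADUser -LDAPFilter "(|(userAccountControl:$MATCH_BITS:=2097152)(msDS-SupportedEncryptionTypes:$MATCH_BITS:=3))" |
    ForEach-Object { Add-Finding 'Weak Kerberos encryption' $_.SamAccountName 'DES enabled' }

# 3. Pre-authentication disabled: UAC DONT_REQ_PREAUTH (0x400000)
Get-ADUser -LDAPFilter "(userAccountControl:$MATCH_BITS:=4194304)" |
    ForEach-Object { Add-Finding 'Pre-authentication disabled' $_.SamAccountName 'DONT_REQ_PREAUTH set' }

# 4. Non-expiring password: UAC DONT_EXPIRE_PASSWORD (0x10000) on accounts that are not disabled (0x2)
Get-ADUser -LDAPFilter "(&(userAccountControl:$MATCH_BITS:=65536)(!(userAccountControl:$MATCH_BITS:=2)))" |
    ForEach-Object { Add-Finding 'Non-expiring password' $_.SamAccountName 'DONT_EXPIRE_PASSWORD set' }

# 5. Unconstrained delegation: UAC TRUSTED_FOR_DELEGATION (0x80000) on computers that are not DCs (0x2000)
Get-ADComputer -LDAPFilter "(&(userAccountControl:$MATCH_BITS:=524288)(!(userAccountControl:$MATCH_BITS:=8192)))" |
    ForEach-Object { Add-Finding 'Unconstrained delegation' $_.Name 'TRUSTED_FOR_DELEGATION set on non-DC' }

# 6. Null sessions: Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) in Pre-Windows 2000 Compatible Access.
#    Well-known SIDs appear as foreign security principals whose CN is the SID itself.
(Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member).member |
    Where-Object { $_ -match '^CN=S-1-(1-0|5-7),' } |
    ForEach-Object { Add-Finding 'Null sessions' $_ 'member of Pre-Windows 2000 Compatible Access' }

# 7. KRBTGT password age (assumed threshold: 180 days)
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$age = (Get-Date) - $krbtgt.PasswordLastSet
if ($age.TotalDays -gt 180) { Add-Finding 'Kerberos KRBTGT' 'krbtgt' "password last set $([int]$age.TotalDays) days ago" }

# 8. Trusts with neither SID filtering (quarantine for external trusts, forest-aware for forest trusts)
#    nor selective authentication
Get-ADTrust -Filter * |
    Where-Object { -not ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware -or $_.SelectiveAuthentication) } |
    ForEach-Object { Add-Finding 'Dangerous trust' $_.Name "$($_.Direction) trust without SID filtering or selective auth" }

# 9. Primary Group ID: users whose primaryGroupID is neither Domain Users (513) nor Domain Guests (514)
Get-ADUser -LDAPFilter "(&(!(primaryGroupID=513))(!(primaryGroupID=514)))" -Properties primaryGroupID |
    ForEach-Object { Add-Finding 'Primary Group ID' $_.SamAccountName "primaryGroupID=$($_.primaryGroupID)" }

# 10. Blank passwords: UAC PASSWD_NOTREQD (0x20) permits an empty password, on accounts that are not disabled
Get-ADUser -LDAPFilter "(&(userAccountControl:$MATCH_BITS:=32)(!(userAccountControl:$MATCH_BITS:=2)))" |
    ForEach-Object { Add-Finding 'Blank password allowed' $_.SamAccountName 'PASSWD_NOTREQD set' }

$findings | Sort-Object Check, Subject | Format-Table -AutoSize
```

Every query here is a plain LDAP read, so any domain user can run it; that is also why the scanner needs no exotic privilege for these particular checks, and why the same findings are available to an attacker who has only a foothold account. Expect a few default objects in the output (for example the krbtgt account itself under check 9 if your domain deviates from the defaults) and judge each line rather than treating the count as a score.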
Creating Credentials
Before setting up an Active Directory Starter Scan in Nessus, you need to give Nessus credentials of the ADSI type for an account with Domain Admin rights. I recommend creating a dedicated service account for Nessus rather than reusing a personal admin account; since the account will be a Domain Admin, give it a long random password and treat it like any other privileged credential.
- Create a new user in Active Directory (I called mine “NessusScan”)
- Add the user account to the “Domain Admins” group
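The two steps above, scripted in PowerShell with the ActiveDirectory module, as an added example that is not part of the original post. The account name “NessusScan” is the one used above; the target OU, the description text, and the password length are assumptions to adjust for your domain. The password is generated from the system cryptographic RNG and printed once so it can be entered into Nessus, and the account is additionally marked as not delegatable, which does not affect an LDAP bind but stops other services from impersonating a Domain Admin with it.

```powershell
# Added example (not from the original post): create the NessusScan service account
# and add it to Domain Admins as the steps above describe. OU and description are assumptions.
Import-Module ActiveDirectory

$SamAccountName = 'NessusScan'                                  # name used in the post
$TargetOu       = 'OU=Service Accounts,DC=corp,DC=example'      # assumption: adjust to your domain

# Random password from the cryptographic RNG. The alphabet has exactly 64 symbols
# (26 upper, 26 lower, 10 digits, '-' and '_'), so "byte % 64" introduces no modulo bias.
function New-RandomPassword([int]$Length = 24) {
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$plain  = New-RandomPassword
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Step 1: create the user. The password is set at creation so the account never
# exists in an enabled state with a blank or well-known password.
New-ADUser -Name $SamAccountName `
    -SamAccountName $SamAccountName `
    -UserPrincipalName "$SamAccountName@$((Get-ADDomain).DNSRoot)" `
    -Path $TargetOu `
    -Description 'Nessus Active Directory Starter Scan service account (assumed text)' `
    -AccountPassword $secure `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $false `
    -Enabled $true

# Hardening for a privileged service account: "Account is sensitive and cannot be delegated".
Set-ADAccountControl -Identity $SamAccountName -AccountNotDelegated $true

# Step 2: grant Domain Admins, as the post requires for the ADSI credentials.
Add-ADGroupMember -Identity 'Domain Admins' -Members $SamAccountName

# Verify before handing the credentials to Nessus.
$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, AccountNotDelegated
$isDa = $user.MemberOf -contains (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
Write-Host "Created $SamAccountName; Domain Admin: $isDa; NotDelegated: $($user.AccountNotDelegated)"
Write-Host "Password (enter once in the Nessus ADSI credential, then discard): $plain"
```

Run this once from an existing Domain Admin session; it has to be, because adding a member to Domain Admins requires that level of rights. Note that the password is intentionally not set to never expire: the account will show up under the scan's own "Non-expiring account password" check otherwise, so rotate it on your normal schedule and update the Nessus credential at the same time.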
Configure Scan