Credentials used SQL query

Hi all,

Is there a way to get the information about which credentials were used in a successful login to an asset?

We have a few thousand assets scanned and a few dozen credentials saved. We need to separate these in some logical way into sub-sites and rescan them.

Is there a custom SQL query that would do this? I was reading the documentation and there seems to be nothing that would help with this.

Thank you all in advance.

Hi Vojtech,

I have asked this question to Rapid7 support in the past, and so far, I have not found a way to list the specific credential that was successful or unsuccessful on an asset. We have multiple credentials configured as well based on OS and environment (e.g. production, non-prod, DMZ, etc) and typically run ad-hoc scans on a group of assets that we think should authenticate with a single credential while we’re getting that credential configured on that group of assets. That way, we know only one credential is being attempted, and if it fails, we know which one needs to be corrected.

I also use the “test credential” feature in the Shared Credential configuration page to spot check assets in question. That allows you to test the credential without running a full scan.

Best regards,
Scott


Hi Scott,

Thank you for the great info.

One additional question:

Is there a way to access the Nexpose DB and look for this value? It seems like an obvious thing to be there, so it might be worth trying to pull it out through a SQL query.

Thank you a lot in advance.

Hi Vojtech,

As far as I can tell, the info around which specific credential was used is not stored anywhere. I use SQL queries to determine auth status on different asset groups, but I haven’t found a way to pull the exact credentials that were used on a particular asset.

The dim_aggregated_credential_status table and associated values will tell you whether you were able to authenticate or not, and the dim_credential_status table will tell you a little more about the level of authentication achieved. The fact_asset_scan_service table will tell you the auth status per service (e.g. SSH, CIFS, etc.).

Scott
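A query along the lines Scott describes, as an added example that is not from the thread or from Rapid7: it reports the aggregated authentication status per asset and the status per service from the asset's last scan, grouped by site, and it does not identify which credential was used. The three credential-status tables are the ones named above; the other tables, the column names and the join keys are assumptions based on the reporting data model and should be checked against your console version.

```sql
-- Added example: authentication status per asset and per service (last scan only).
-- Assumed columns: fact_asset.last_scan_id, fact_asset.aggregated_credential_status_id,
-- fact_asset_scan_service.credential_status_id, dim_service.name, dim_site.name.
SELECT
    ds.name                                        AS site,
    da.ip_address,
    da.host_name,
    dacs.aggregated_credential_status_description  AS asset_auth_status,
    dsvc.name                                      AS service,
    fass.port,
    dcs.credential_status_description              AS service_auth_status
FROM fact_asset fa
JOIN dim_asset da
     ON da.asset_id = fa.asset_id
JOIN dim_aggregated_credential_status dacs
     ON dacs.aggregated_credential_status_id = fa.aggregated_credential_status_id
JOIN dim_site_asset dsa
     ON dsa.asset_id = fa.asset_id
JOIN dim_site ds
     ON ds.site_id = dsa.site_id
-- LEFT JOINs keep assets that exposed no services in their last scan.
LEFT JOIN fact_asset_scan_service fass
     ON fass.asset_id = fa.asset_id
    AND fass.scan_id  = fa.last_scan_id
LEFT JOIN dim_service dsvc
     ON dsvc.service_id = fass.service_id
LEFT JOIN dim_credential_status dcs
     ON dcs.credential_status_id = fass.credential_status_id
ORDER BY ds.name, da.ip_address, fass.port;
```

Sorting the output by `service_auth_status` within a site shows which assets failed on SSH or CIFS, which is the grouping needed before splitting them into sub-sites with a single credential each.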

This is something we’ve struggled with too. Rapid7 is aware and there is a feature enhancement request for it in their queue. There is currently no way to get the data you are looking for.