nessus scan intepretation based upon on credentials?

Question

Can someone clearly state the difference between running a nessus scan with/out credentials? What would happen if i scan a unix based system with no credentials and about the same time using ssh account?

How would the results differ> And in what occasions one is preferred over other

Answer 1

Credentialed scanning is preferred to non-credentialed scanning as it is able to run scripts that are executed on the host machine in order to directly identify versions or software that might be vulnerable as well as to check for vulnerabilities that might me present. A non credentialed scan basically makes educated guesses based on network banner grabs and TCP/IP stack information that it observes, in order to find out what vulnerabilities are present.

An uncredentialed scan is equivalent to running around a house and checking the locks on the doors/windows by attempting to open it. On the other hand, a credentialed scan is like having the key to the house, so that you can examine the locks from the inside of the house and see what type of lock it is, whether it is susceptible to vulnerabilities or not, and who has a copy of the keys.

Credentialed scans provide much more information on the systems but require much more coordination and effort then a simple non credentialed scan. It also requires a level of trust between the scanning host and the target host.

Answer 2

You might want to go ahead with Unauthenticated scans in case of Black-box testing, where you have no information about the target in your scope. This may lead to a lot of False Positives.

However, in case of White-box/Grey-box testing, you should go ahead with Credentialed scans. This will also rule out the possibilities of getting false positives and will give a comprehensive report of findings