NeXpose is Rapid7’s vulnerability scanner that scans networks to identify the devices running on them and performs checks to identify security weaknesses in operating systems and applications. It then analyzes the scan data and processes it for inclusion in various reports.
Rapid7 offers multiple versions of NeXpose, but we’ll use the Community edition because it’s free. If you plan to use NeXpose commercially, see the Rapid7 site (http://www.rapid7.com/vulnerability-scanner.jsp) for information on the various versions and their capabilities and pricing.
Our target for scanning will be a default installation of Windows XP SP2 as configured in Appendix A. We will first perform a basic overt scan of our target and import the vulnerability scan results into Metasploit. We will close out this section by showing you how to run a NeXpose vulnerability scan directly from msfconsole rather than using the web-based GUI, eliminating the need to import a scan report.
After installing NeXpose Community, open a web browser and navigate to https://<youripaddress>:3780. Accept the NeXpose self-signed certificate, and log in using the credentials you created during setup. You should next be presented with an interface similar to the one shown in Figure 4-2. (You’ll find complete installation instructions for NeXpose at the Rapid7 website.)
On the NeXpose main page, you will notice a number of tabs at the top of the interface:
The Assets tab
displays details of computers and other devices on your network after they have been scanned.The Reports tab
lists vulnerability scan reports after they have been generated.The Vulnerabilities tab
gives you details on any vulnerabilities discovered during your scans.The Administration tab
allows you to configure various options.
Buttons in the main body of the page let you perform common tasks such as creating a new site or setting up a new vulnerability scan.
Prior to running a vulnerability scan with NeXpose, you need to configure a site—a logical collection of devices such as a specific subnet, a collection of servers, or even a single workstation. These sites will then be scanned by NeXpose, and different scan types can be defined for a particular site.
To create a site, click the New Site button on the NeXpose home page, enter a name for your site and a brief description, and then click Next.
In the devices step, shown in Figure 4-3, you have quite a bit of granularity in defining your targets. You can add a single IP address, address ranges, hostnames, and more. You can also declare devices, such as printers, to exclude from scans. (Printers frequently don’t take kindly to being scanned. We have seen instances in which a simple vulnerability scan caused more than one million pages of pure black to be placed in the queue to print!) Click Next when you have finished adding and excluding devices.
At the scan setup step, you can choose from several different scan templates, such as Discovery Scan and Penetration test; select the scanning engine you want to use; or set up an automated scanning schedule. For purposes of this initial walk-through, keep the default selections and click Next to continue.
Add credentials for the site you want to scan, if you have them. Credentials can help create more accurate and complete results by performing in-depth enumeration of installed software and system policies on the target.
On the Credentials tab, click the New Login button, type a username and password for the IP address you want to scan, and then click Test Login to verify your credentials then save them.
Last, click Save to complete the New Site wizard and return to the Home tab, which should list your newly added site, as shown in Figure 4-4.
With your new site configured, you are now set to configure your first scan:
Click the New Manual Scan button shown in Figure 4-4. You should see the Start New Scan dialog shown in Figure 4-5, which prompts you for the assets you want to scan or exclude. In this example, we are scanning our default Windows XP system.
Double-check your target IP address to be sure that you’re not about to scan the wrong device or network inadvertently, and click the Start Now button to begin.
NeXpose should dynamically refresh the page as the scan progresses. Wait until the status for both Scan Progress and Discovered Assets shows Completed, as shown in Figure 4-6. Under the Scan Progress section, you can see that our single scanned device has 268 vulnerabilities detected, and under Discovered Assets, you are provided with more information about the target such as the device name and its operating system. Now click the Reports tab.
If this is your first time running NeXpose and you have completed only one scan, the Reports tab should show that you have generated no reports.
Click New Report, as shown in Figure 4-7, to start the New Report wizard.
Enter a friendly name, and then in the Report format field, select NeXpose Simple XML Export, as shown in Figure 4-8, so that you will be able to import the scan results into Metasploit. You can select from different report templates and configure the time zone if you happen to be conducting your pen test on the road. Click Next when you are ready to proceed.
In the subsequent window, add the devices you want to be included in the report by clicking Select Sites to add your scanned target range, as shown in Figure 4-9. Then click Save.
In the Select Devices dialog, select the targets to include in your report and then click Save.
Back in the Report Configuration wizard, click Save to accept the remaining defaults for the report. The Reports tab should now list the newly created report, as shown in Figure 4-10. (Be sure to save the report file so that you can use it with the Framework.)
Having completed a full vulnerability scan with NeXpose, you need to import the results into Metasploit. But before you do, you must create a new database from msfconsole by issuing db_connect. After creating that database you’ll import the NeXpose XML using the db_import command. Metasploit will automatically detect that the file is from NeXpose and import the scanned host. You can then verify that the import was successful by running the db_hosts command. (These steps are shown in the following listing.) As you can see at , Metasploit knows about the 268 vulnerabilities that your scan picked up.
msf >db_connect postgres:[email protected]/msf3msf >db_import /tmp/host_195.xml[*] Importing 'NeXpose Simple XML' data [*] Importing host 192.168.1.195 [*] Successfully imported /tmp/host_195.xml msf >db_hosts -c address,svcs,vulnsHosts ===== address Svcs Vulns Workspace ------- ---- ----- --------- 192.168.1.195 8 268
To display the full details of the vulnerabilities imported into Metasploit, including Common Vulnerabilities and Exposures (CVE) numbers and other references, run the following:
msf > db_vulnsAs you can see, running an overt vulnerability scan with full credentials can provide an amazing amount of information—268 vulnerabilities found in this case. But, of course, this has been a very noisy scan, likely to attract lots of attention. These types of vulnerability scans are best used in a pen test where being stealthy is not required.
Running NeXpose from the web GUI is great for fine-tuning vulnerability scans and generating reports, but if you prefer to remain in msfconsole, you can still run full vulnerability scans with the NeXpose plug-in included in Metasploit.
To demonstrate the difference in results between a credentialed and noncredentialed scan, we will run a scan from with Metasploit without specifying a username and password for the target system. Before you begin, delete any existing database with db_destroy, create a new database in Metasploit with db_connect, and then load the NeXpose plug-in with load nexpose as shown next:
msf >db_destroy postgres:[email protected]/msf3[*] Warning: You will need to enter the password at the prompts below Password: msf >db_connect postgres:[email protected]/msf3msf >load nexpose[*] NeXpose integration has been activated [*] Successfully loaded plugin: nexpose
With the NeXpose plug-in loaded, have a look at the commands loaded specifically for the vulnerability scanner by entering the help command. You should see a series of new commands at the top of the listing specific to running NeXpose.
msf > helpBefore running your first scan from msfconsole, you will need to connect to your NeXpose installation. Enter nexpose_connect -h to display the usage required to connect; add your username, password, and host address; and accept the SSL certificate warning by adding ok to the end of the connect string:
msf >nexpose_connect -h[*] Usage: [*] nexpose_connect username:password@host[:port] <ssl-confirm> [*] -OR- [*] nexpose_connect username password host port <ssl-confirm> msf >nexpose_connect dookie:[email protected] ok[*] Connecting to NeXpose instance at 192.168.1.206:3780 with username dookie...
Now enter nexpose_scan followed by the target IP address to initiate a scan, as shown next. In this example, we are scanning a single IP address, but you could also pass a range of hosts to the scanner (192.168.1.1-254) or a subnet in Classless Inter-Domain Routing (CIDR) notation (192.168.1.0/24).
msf > nexpose_scan 192.168.1.195
[*] Scanning 1 addresses with template pentest-audit in sets of 32
[*] Completed the scan of 1 addresses
msf >After the NeXpose scan completes, the database you created earlier should contain the results of the vulnerability scan. To view the results, enter db_hosts, as shown next. (In this example, the output has been trimmed by filtering on the address column.)
msf > db_hosts -c address
Hosts
=====
address Svcs Vulns Workspace
------- ---- ----- ---------
192.168.1.195 8 7 default
msf >As you can see, NeXpose has discovered seven vulnerabilities. Run db_vulns to display the vulnerabilities found:
msf > db_vulnsAlthough this scan has found significantly fewer than the 268 vulnerabilities discovered with our prior use of NeXpose through the GUI with credentials, you should have enough vulnerabilities here to get a great head start on exploiting the system.