Rapid7 chose to publish a free version of their NeXpose scanner. The software has been available for less than a month, and still has to prove itself to the general community. We are publishing the experiences of our first look at this product. NeXpose Community integrates with Metasploit, and the integration will be covered in the next article.
Installation

The installation is simple enough - just run the installer. It asks for a username/password for the web interface, and then installs itself. There are no errors when installing on Windows 7, XP SP3 and Win2003 Server.
Startup on Windows 7 was not successful. NeXpose Community just threw a lot of access denied error messages. As far as I could understand, the access denied messages are because of an attempt to modify the registry which is protected under Windows 7. Even when using Run As Administrator I got the same results.
The run was successful from the Windows 2003 Server installation. The first startup was extremely slow; it ran for more than 15 minutes configuring and updating itself. After that, the web interface is available for login at https://serverip:3780
In order to scan you need to configure a Site, with target IPs within it. You can add several target IPs within the same site. The scanning options include the following scanning templates:
- Full audit: Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.
- Exhaustive: Performs an exhaustive network audit of all systems and services using only safe checks, including patch/hotfix checking, policy compliance checking, and application-layer auditing. Performing an exhaustive audit could take several hours or even days to complete, depending on the number of hosts selected.
- Penetration test: Performs an in-depth penetration test of all systems using only safe checks. Host-discovery and network penetration options will be enabled, allowing NeXpose to dynamically discover additional systems in your network to target. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.
You can run the scan at scheduled intervals as well as manually. Once you initiate the scan, the scanning engine is very fast, and usually completes a Penetration Test scan within 5-7 minutes on a fast link.
The scan results are presented in a very clear manner, for each site separately. A Penetration Test scan of a Damn Vulnerable Linux 1.5 host with an active HTTP target completed in less than 3 minutes, and identified the following vulnerabilities:
- PHP Multiple Vulnerabilities Fixed in version 4.4.9
- PHP Unspecified 'glob' Vulnerability
- PHP Crafted UTF-8 Inputs Buffer Overflow
- Apache Signals Sent to Arbitrary Processes Denial of Service
- PHP session.save_path/error_log Values Not Checked Against open_basedir and safe_mode
- Apache mod_imap/mod_imagemap Cross-Site Scripting Vulnerability in imagemap File Menus
- HTTP TRACE Method Enabled
- ICMP timestamp response
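Findings like "HTTP TRACE Method Enabled" are cheap to confirm by hand before you accept the report or close the ticket after remediation. The script below is an added example, not part of the original post and not NeXpose code; it assumes a host and port of your own given on the command line, and the three sample responses embedded at the bottom are constructed, not captured from a real server. The verdict requires both a 200 status and the probe header echoed back in the body, so a server that answers 200 to anything is not misreported as having TRACE enabled.

```python
"""Confirm a scanner's 'HTTP TRACE Method Enabled' finding.

Added example; not NeXpose code. Assumes a host/port of your own passed on
the command line. The sample responses at the bottom are constructed.
"""
import http.client
import ssl
import sys

# Marker header sent with the probe. A server with TRACE enabled echoes the
# whole request back in the body, so seeing this marker there proves the
# method is live rather than the server merely answering 200 to anything.
PROBE_HEADER = "X-Trace-Probe"
PROBE_VALUE = "nexpose-finding-check"


def trace_enabled(status, body):
    """Classify a TRACE response: enabled only if 200 AND the request echoed."""
    marker = f"{PROBE_HEADER}: {PROBE_VALUE}".encode()
    return status == 200 and marker in body


def check_trace(host, port=80, use_tls=False, timeout=5.0):
    """Send one TRACE request and report status plus the enabled verdict."""
    if use_tls:
        # Default context verifies the certificate chain.
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"Host": host, PROBE_HEADER: PROBE_VALUE})
        resp = conn.getresponse()
        body = resp.read()
        return {"status": resp.status, "reason": resp.reason,
                "content_type": resp.getheader("Content-Type", ""),
                "enabled": trace_enabled(resp.status, body)}
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server):
SAMPLE_ENABLED = (200, b"TRACE / HTTP/1.1\r\nHost: dvl.example\r\n"
                       b"X-Trace-Probe: nexpose-finding-check\r\n\r\n")
SAMPLE_DISABLED = (405, b"<html><body>405 Method Not Allowed</body></html>")
SAMPLE_FALSE_200 = (200, b"<html><body>Welcome</body></html>")  # 200, no echo


def classify_samples():
    """Run the verdict logic over the constructed samples."""
    samples = {"enabled": SAMPLE_ENABLED, "disabled": SAMPLE_DISABLED,
               "false_200": SAMPLE_FALSE_200}
    return {name: trace_enabled(s, b) for name, (s, b) in samples.items()}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: trace_check.py HOST [PORT] [tls]")
        sys.exit(2)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    tls = len(sys.argv) > 3 and sys.argv[3] == "tls"
    result = check_trace(host, port, use_tls=tls)
    print(result)
    print("TRACE enabled" if result["enabled"] else "TRACE disabled or blocked")
```

On Apache the fix is `TraceEnable off` in the server configuration; re-running the check afterwards should give a 405. One caveat when confirming against a scanner result: a reverse proxy or load balancer in front of the host may reject TRACE itself while the backend still accepts it, so run the check from the same network position the scanner used.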
NeXpose Community is a valuable addition to the free tools that each security professional can use in his or her work. It is very useful in terms of automated audits, and it is very interesting that it integrates with the Metasploit Exploit Framework. It still has glitches and issues on some platforms, but all tools are works in progress, so for the time being just add it to your toolset; don't replace any tools with it.
Talkback and comments are most welcome