NeXpose Community Edition - Our First Look

Rapid7 chose to publish a free version of their NeXpose scanner. The software has been available for less than a month, and still has to prove itself to the general community. We are publishing the experiences of our first look at this product. NeXpose Community integrates with Metasploit, and the integration will be covered in the next article.


Installation
The installation is simple enough - just run the installer. It asks for a username/password for the web interface, and then installs itself. There are no errors when installing on Windows 7, XP SP3 and Win2003 Server.

First run
Start up on Windows 7 was not successful. NeXpose Community just threw a lot of access denied error messages. As far as I could understand, the access denied messages are because of an attempt to modify the registry, which is protected under Windows 7. Even when using Run As Administrator I got the same results.
The run was successful from the Windows 2003 Server installation. The first start up was extremely slow; it ran for more than 15 minutes configuring and updating itself. After that, the web interface is available for login at https://serverip:3780

First Scan
In order to scan, you need to configure a Site with target IPs within it. You can add several target IPs within the same site. The scanning options include the following scanning templates:

  • Full audit : Performs a full network audit of all systems using only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. Only default ports are scanned, and policy checking is disabled, making this faster than the Exhaustive scan.
  • Exhaustive : Performs an exhaustive network audit of all systems and services using only safe checks, including patch/hotfix checking, policy compliance checking, and application-layer auditing. Performing an exhaustive audit could take several hours or even days to complete, depending on the number of hosts selected.
  • Penetration test : Performs an in-depth penetration test of all systems using only safe checks. Host-discovery and network penetration options will be enabled, allowing NeXpose to dynamically discover additional systems in your network to target. In-depth patch/hotfix checking, policy compliance checking, and application-layer auditing will not be performed.
These templates and their behaviour cannot be modified in the NeXpose Community.

You can run the scan at scheduled intervals as well as manually. Once you initiate the scan, the scanning engine is very fast, and usually completes a Penetration Test scan within 5-7 minutes on a fast link.

Scan Results
The scan results are presented in a very clear manner, for each site separately. A Damn Vulnerable Linux 1.5 target with active HTTP was scanned with the Penetration Test template in less than 3 minutes, and the scan identified the following vulnerabilities:
  • PHP Multiple Vulnerabilities Fixed in version 4.4.9
  • PHP Unspecified 'glob' Vulnerability
  • PHP Crafted UTF-8 Inputs Buffer Overflow
  • Apache Signals Sent to Arbitrary Processes Denial of Service
  • PHP session.save_path/error_log Values Not Checked Against open_basedir and safe_mode
  • Apache mod_imap/mod_imagemap Cross-Site Scripting Vulnerability in imagemap File Menus
  • HTTP TRACE Method Enabled
  • ICMP timestamp response
The reporting, although crippled compared to the commercial versions of NeXpose, is still very good. You can schedule report generation and sending, and you can configure a baseline for each report - you get comparative results of the changes between the scans. This is very useful for automated scanning and information required by IT Auditors and Information Security Officers.
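
What a baseline comparison computes, as an added example (not NeXpose's report logic or export format, and not code from the original post): the row layout, the `Finding` key and the sample addresses are assumptions, while the finding titles come from the list above. Keying on asset and port as well as title matters, because a finding resolved on one host and appearing on another would cancel out in a title-only diff.

```python
from collections import namedtuple

# A finding is identified by where it was seen as well as what it is.
Finding = namedtuple("Finding", "asset port title")

def normalize(rows):
    """Turn (asset, port, title) rows into a set of comparable Finding keys."""
    return {Finding(a.strip(), int(p), " ".join(t.split()).lower())
            for a, p, t in rows}

def compare_to_baseline(baseline_rows, current_rows):
    """Classify findings as new, resolved or unchanged relative to the baseline."""
    base, cur = normalize(baseline_rows), normalize(current_rows)
    return {"new": sorted(cur - base),
            "resolved": sorted(base - cur),
            "unchanged": sorted(base & cur)}

def changed_assets(delta):
    """Assets whose findings differ from the baseline (reviewed first)."""
    return sorted({f.asset for f in delta["new"] + delta["resolved"]})

# Constructed sample data: titles are taken from the scan results listed above,
# addresses are documentation-range placeholders, port 0 marks a host-level check.
BASELINE = [
    ("192.0.2.10", 80, "HTTP TRACE Method Enabled"),
    ("192.0.2.10", 80, "PHP Unspecified 'glob' Vulnerability"),
    ("192.0.2.10", 0,  "ICMP timestamp response"),
]
CURRENT = [
    ("192.0.2.10", 80, "PHP Unspecified 'glob' Vulnerability"),
    ("192.0.2.10", 0,  "ICMP  timestamp response"),   # spacing differs between exports
    ("192.0.2.11", 80, "HTTP TRACE Method Enabled"),  # same title, different asset
]

if __name__ == "__main__":
    delta = compare_to_baseline(BASELINE, CURRENT)
    for state in ("new", "resolved", "unchanged"):
        for f in delta[state]:
            print(f"{state:9} {f.asset}:{f.port} {f.title}")
    print("review first:", ", ".join(changed_assets(delta)))
```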

Conclusions
NeXpose Community is a valuable addition to the free tools that each security professional can use in his/her work. It is very useful in terms of automated audits, and it is very interesting that it integrates with the Metasploit Exploit Framework. It still has glitches and issues on some platforms, but all tools are a work in progress, so for the time being just add it to your toolset; don't replace any tools with it.

Talkback and comments are most welcome


6 comments:

MariJewel said...

Glad to know that I am one of the lucky peeps to have the first look on the NeXpose Community edition :D

Bozidar Spirovski said...

Quite correct. I modified the text to be more clear - it is OUR first look at the product. I'm sure there have been many more first looks :)

Anonymous said...

Just as an FYI, Win7 and XP are both not currently supported OSes, so it could explain the errors ;-)

Bozidar Spirovski said...

Indeed, XP and Win7 are unsupported, but a simple test to see what manifestations occur was still in order. There may be situations where, although not officially supported, a software will still run. No harm in trying.

Sean Reynolds said...

Useful software, thanks a lot.

Anonymous said...

I managed to get it working in Windows 7 by disabling UAC (which is probably a bit over the top in retrospect) and setting it to run in Windows Server 2003 SP1 compatibility mode.
