How to Scanning with NeXpose

NeXpose is Rapid7’s vulnerability scanner that scans networks to identify the devices running on them and performs checks to identify security weaknesses in operating systems and applications. It then analyzes the scan data and processes it for inclusion in various reports.

Rapid7 offers multiple versions of NeXpose, but we’ll use the Community edition because it’s free. If you plan to use NeXpose commercially, see the Rapid7 site (http://www.rapid7.com/vulnerability-scanner.jsp) for information on the various versions and their capabilities and pricing.

Our target for scanning will be a default installation of Windows XP SP2 as configured in Appendix A. We will first perform a basic overt scan of our target and import the vulnerability scan results into Metasploit. We will close out this section by showing you how to run a NeXpose vulnerability scan directly from msfconsole rather than using the web-based GUI, eliminating the need to import a scan report.

Configuration

After installing NeXpose Community, open a web browser and navigate to https://<youripaddress>:3780. Accept the NeXpose self-signed certificate, and log in using the credentials you created during setup. You should next be presented with an interface similar to the one shown in Figure 4-2. (You’ll find complete installation instructions for NeXpose at the Rapid7 website.)

On the NeXpose main page, you will notice a number of tabs at the top of the interface:

- The Assets tab displays details of computers and other devices on your network after they have been scanned.

- The Reports tab lists vulnerability scan reports after they have been generated.

- The Vulnerabilities tab gives you details on any vulnerabilities discovered during your scans.

- The Administration tab allows you to configure various options.

Buttons in the main body of the page let you perform common tasks such as creating a new site or setting up a new vulnerability scan.

The New Site Wizard Prior to running a vulnerability scan with NeXpose, you need to configure a site—a logical collection of devices such as a specific subnet, a collection of servers, or even a single workstation. These sites will then be scanned by NeXpose, and different scan types can be defined for a particular site.

1. To create a site, click the New Site button on the NeXpose home page, enter a name for your site and a brief description, and then click Next.

2. In the devices step, shown in Figure 4-3, you have quite a bit of granularity in defining your targets. You can add a single IP address, address ranges, hostnames, and more. You can also declare devices, such as printers, to exclude from scans. (Printers frequently don’t take kindly to being scanned. We have seen instances in which a simple vulnerability scan caused more than one million pages of pure black to be placed in the queue to print!) Click Next when you have finished adding and excluding devices.

3. At the scan setup step, you can choose from several different scan templates, such as Discovery Scan and Penetration test; select the scanning engine you want to use; or set up an automated scanning schedule. For purposes of this initial walk-through, keep the default selections and click Next to continue.

4. Add credentials for the site you want to scan, if you have them. Credentials can help create more accurate and complete results by performing indepth enumeration of installed software and system policies on the target.

5. On the Credentials tab, click the New Login button, type a username and password for the IP address you want to scan, and then click Test Login to verify your credentials then save them.

6. Last, click Save to complete the New Site wizard and return to the Home tab, which should list your newly added site, as shown in Figure 4-4.