
Metasploit & Nexpose tutorial Part I

NEXPOSE EXPOSED

You will learn about the features of NeXpose and Metasploit, how they are used, and how best to combine these tools to perform a penetration test or a security assessment of your organization. Specifically, this module introduces NeXpose, a leading vulnerability assessment and management product. In security testing or penetration testing, the vulnerability assessment plays an important role in successfully penetrating any network or system. To achieve this you need a cutting-edge vulnerability assessment tool with which to assess the security of the target network, in other words, to perform a vulnerability assessment.

NeXpose isn’t the only tool on the market for performing vulnerability assessments; however, it is one of the industry-leading tools in this area.

The vulnerability assessment leads into the exploitation phase of the ethical hacking or penetration testing lifecycle, and NeXpose gives you an edge here by showing how a discovered vulnerability can be exploited.

Industry Comments:

http://www.scmagazine.com/rapid7-nexpose-v55/review/3796/

Like any other security product, NeXpose has certain installation requirements, and you should know them in detail in order to get the most out of the tool.

NeXpose Installation Requirements 

Minimum Hardware 

• 2 GHz+ processor 

• 8 GB RAM (64 bit) 

• 80 GB+ available disk space (10 GB for Community Edition) 

• 10 GB+ available disk space for scan engines 

• English operating system with English/United States regional settings 

• 100 Mbps+ network interface card

Operating Systems 

64-bit versions of the following platforms are supported: 

• Microsoft Windows 7, Windows 8, Server 2008 (R2), Server 2012, Server 2012 (R2) 

• Red Hat Enterprise Linux 5.x, 6.x 

• Ubuntu Linux 10.04 LTS, 12.04 LTS

• Kali Linux 1.0.x 

• Virtualized Machines on VMware ESXi 5.x, VMware vCenter Server 4.x, VMware vCenter Server 5.

NeXpose Editions 

NeXpose comes in several editions, with flexibility and capabilities ranging from the individual user up to the enterprise level, as shown in the figure below.


Details on all of these editions are available on the official Rapid7 page at this link:

http://www.rapid7.com/products/nexpose/editions.jsp

Our workshops will use the Consultant edition in the lab.

Why Use NeXpose? 

In the overall penetration testing or ethical hacking lifecycle, “Vulnerability Assessment & Management” is the phase in which you discover potential vulnerabilities in the targeted network or system. Many tools are available to automate this process, enabling security professionals and administrators to determine the security posture of their network effectively.

NeXpose helps achieve this goal in several ways and supports an in-depth vulnerability assessment. This tool is better than the other vulnerability assessment tools on the market. The best part is that, for each discovered vulnerability, it provides details of the available exploits on exploit-db and in the Metasploit Framework, and it creates files in the same format as Metasploit modules, which you can use to configure Metasploit for exploitation. This close compatibility with the Metasploit Framework gives NeXpose another edge in the industry and an advantage for security testers.

NeXpose is also available as a standalone virtual machine image that you can deploy alongside your virtual servers as a separate installation. The split between the NeXpose scan engine and its security console gives it another edge in performance and reliability. You will explore the tool’s features further in the workshop, with a complete walkthrough of its usage.

NeXpose Components

The NeXpose architecture is divided into two main components: a central server and one or more scan engines. The central server is called the NeXpose Security Console (NSC) and the scan engine is called the NeXpose Scan Engine (NSE). The central server runs a web server process that gives users access to the console, connects to a backend database for information storage, and controls a scan engine that scans assets.

Additional scan engines can be placed at other points in the network to run scans under the control of the NSC. This is a distributed architecture in which the scan engines and the console communicate over a secure connection.

The NeXpose Security Console (NSC) performs the following operations:

• It communicates with Scan Engines to start scans, retrieve scan information, and store scan data.

• It provides a Web interface for managing all NeXpose operations.

• It downloads product and content updates from the Rapid7 update server.

• The Security Console Appliance also includes a local Scan Engine.

The NeXpose Scan Engine (NSE) performs asset discovery, vulnerability detection, and policy compliance testing. It is controlled by a Security Console.

Vulnerability Assessment & NeXpose 

With the many vulnerability assessment tools available in the industry today, one of the biggest challenges for any vulnerability management program is the analysis of scan results. To remediate effectively you need good, verifiable and actionable results for the discovered vulnerabilities; otherwise you can be overwhelmed by false positives that undermine the whole vulnerability assessment process or program.

The NeXpose architecture described above is designed to solve this problem and gives you the flexibility to build a simpler vulnerability check model with a higher degree of accuracy. Vulnerability scans with NeXpose produce real risk analysis, credible remediation plans and easy-to-use data management functions. This is achieved by extensive vulnerability detection based on proactive scanning of systems and services, which also covers websites and databases.

To provide more focused, dedicated scans, NeXpose ships with templates for a number of predefined scan types, and you also have the flexibility to create your own. The existing templates cover a wide range of scenarios, including full/normal audit, denial of service, penetration testing and database testing.

Moreover, NeXpose can help you identify known vulnerabilities along with configuration compliance issues for:

• Web sites/services 

• Databases 

• Network equipment 

• Operating systems 

• Applications 

All of this detection happens during the same scan and from the same scan engine, which makes it simpler to configure and lets you gather all the information you need in one pass.

Vulnerability Reporting and NeXpose 

For an ethical hacker or professional penetration tester, the main challenge is to report what he or she has done in the vulnerability assessment and exploitation phases, or across the complete ethical hacking lifecycle. This requires a good presentation of the technical details, as well as a business-oriented management summary, so that the ethical hacker can explain what was performed while ethically hacking the targeted network. Once your vulnerability scans or compliance scans are finished, you can assess the risk and determine what is most important for the targeted network environment. NeXpose includes several reports that help with this, including:

• Prioritized Remediation Report 

• Top 10 Vulnerability Report 

• Audit Report

These reports cover all available patches and all known vulnerabilities in the targeted network environment, and provide a prioritized list of which remediations will have the most impact on risk in the environment.

NeXpose also offers the flexibility to report on the assets and vulnerabilities that matter in the targeted network environment, by means of rich asset and vulnerability filtering. Such reports can be automated from the UI or the API, so that as soon as a scan completes, remediation owners get the accurate, detailed information they need to do their jobs, and stakeholders get accurate information on how risk is changing over time. Report generation is another factor that sets this tool apart, because it will not disappoint you when accuracy in the report matters more than simply dumping the report content.
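As an added illustration of what a prioritized remediation report does (the report list above and the "risk changing over time" point), here is a small Python script that is not code from NeXpose, Rapid7 or this tutorial. It takes a constructed set of scan findings, collapses them into remediation actions, ranks the actions by the total risk they remove across all affected assets, and shows how the environment's residual risk drops once an action is applied. The scoring rule (CVSS base score, weighted up when a public exploit module is known) and all sample findings are assumptions of this example, not NeXpose's risk model or real scan output.

```python
"""Prioritized remediation from vulnerability scan findings.

Added example, not NeXpose's own scoring or report code. It models the idea
behind a prioritized remediation report: many findings collapse into a few
remediation actions (a patch, a config change), and those actions are ranked
by how much risk they remove across the whole environment.

Scoring rule (an assumption of this example, not NeXpose's): each finding
contributes its CVSS base score, multiplied by EXPLOIT_WEIGHT when a public
exploit module is known; a remediation's impact is the sum over every asset
it fixes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str          # host the vulnerability was found on
    vuln_id: str        # scanner's vulnerability identifier
    cvss: float         # CVSS base score, 0.0 to 10.0
    exploitable: bool   # a public exploit module is known for it
    remediation: str    # the action that fixes this finding


EXPLOIT_WEIGHT = 1.5  # assumed weighting, not a NeXpose constant


def finding_risk(f: Finding) -> float:
    """Risk contributed by one finding under the constructed scoring rule."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {f.cvss}")
    return f.cvss * (EXPLOIT_WEIGHT if f.exploitable else 1.0)


def prioritize(findings):
    """Group findings by remediation and rank by total risk removed.

    Returns a list of (remediation, total_risk, affected_assets, finding_count),
    highest impact first; ties are broken by remediation name for stable output.
    """
    risk = defaultdict(float)
    assets = defaultdict(set)
    count = defaultdict(int)
    for f in findings:
        risk[f.remediation] += finding_risk(f)
        assets[f.remediation].add(f.asset)
        count[f.remediation] += 1
    rows = [(r, round(risk[r], 2), sorted(assets[r]), count[r]) for r in risk]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def total_risk(findings) -> float:
    """Environment-wide risk before any remediation is applied."""
    return round(sum(finding_risk(f) for f in findings), 2)


def risk_after(findings, applied) -> float:
    """Residual risk once the given set of remediations has been applied."""
    return round(sum(finding_risk(f) for f in findings
                     if f.remediation not in applied), 2)


# Constructed sample findings: hosts, ids and scores are made up for the example.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "smb-remote-code-exec", 9.3, True, "Apply SMB security update"),
    Finding("10.0.0.6", "smb-remote-code-exec", 9.3, True, "Apply SMB security update"),
    Finding("10.0.0.7", "smb-remote-code-exec", 9.3, True, "Apply SMB security update"),
    Finding("10.0.0.5", "ssl-weak-cipher", 4.3, False, "Disable weak TLS cipher suites"),
    Finding("10.0.0.8", "ssl-weak-cipher", 4.3, False, "Disable weak TLS cipher suites"),
    Finding("10.0.0.9", "db-default-credentials", 10.0, True, "Change default database credentials"),
    Finding("10.0.0.9", "http-server-version-disclosure", 2.6, False, "Hide web server version banner"),
]


if __name__ == "__main__":
    print(f"Total risk before remediation: {total_risk(SAMPLE_FINDINGS)}")
    for name, risk, hosts, n in prioritize(SAMPLE_FINDINGS):
        print(f"{risk:7.2f}  {name}  ({n} findings on {', '.join(hosts)})")
    done = {"Apply SMB security update"}
    print(f"Residual risk after {sorted(done)}: {risk_after(SAMPLE_FINDINGS, done)}")
```

The point of grouping by remediation rather than by vulnerability is that a single patch that closes an exploitable hole on three hosts outranks a more severe finding on one host; that is the ordering a remediation owner needs, and `risk_after` gives stakeholders the trend figure as actions are completed.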

In summary, NeXpose provides detailed, in-depth vulnerability assessment and management, along with a head start on the exploitation phase of penetration testing or ethical hacking. Detailed hands-on skills with it are recommended if you want to stand out in the penetration testing field.

We hope this has been informative, and thank you for completing the module. The next module covers Metasploit in depth, and later we will explore how to use NeXpose and Metasploit together to perform an extensive security assessment.
