Advanced Ethical Hacking - Nexpose Vulnerability Scanner Tutorial

5.1 Acquiring Nexpose

At this point we've been working with Nessus as our vulnerability scanner, and I want to move over to looking at a different vulnerability scanner, and this one's called Nexpose. So we're going to go get Nexpose at this point, and we're going to go to the Rapid7 website. Now, it's a vulnerability scanner, and one of the advantages to having a couple of vulnerability scanners is you may pick up some different things, because the plug-ins may be different; they may work in a slightly different way. And so we've got this vulnerability scanner called Nexpose, and one of the other advantages to using Nexpose is that it actually integrates with Metasploit, because it's the same company that's actually responsible for both of them. So acquiring Nexpose is a pretty simple process. We just go to the Rapid7 website and then we go take a look at Nexpose. Now, there are a couple of different versions of Nexpose. One of them is the enterprise license, and that's one that you pay money for; you get full functionality, you get a number of IP addresses that you can work with in a given situation. The downside to the community version, although it's free, is that you can only scan up to 32 IPs. And that can be limiting to a degree, because if you've got a pretty large network, you have to work in chunks and then delete the information out of the database, which means that you have to store it somewhere so that you can make use of it if you're looking at a large number of hosts. So we've got a couple of different operating system possibilities here. We've got, of course, Windows, and then there are the Linux versions. So there's a Linux version that's geared towards Ubuntu, and they support 8.04 and 10.04, both in 32 and 64 bit. There's also a virtual appliance which you could download and run as a virtual machine if you wanted to go down that route. In this case, though, we're just going to download the 64-bit Windows version, and it's going to go download that.
And then we'll get around to doing the installation. And as part of the installation we're actually going to have to request a license key. And similar to Nessus, this is a situation where you get one license key. It works on one system, and you can't reuse it, so you have to provide your email address every time you need a license key. So if you are the type of person like me sometimes, who runs in virtual machines and deletes and reinstalls and deletes and reinstalls, you have to keep requesting new licenses. So we're going to download this, and then subsequently we'll take a look at installing it and getting it up and running and configured.

5.2 Setting Up Nexpose

At this point we've acquired Nexpose; we've downloaded it. And I'm going to do an installation here. I'm doing it under Linux, although the process is pretty similar under Windows. So I've run the installation package here, and it's brought me an installation wizard. Pretty standard. It's doing some system checking so we can figure out whether we've got the minimum requirements. Looks like we're pretty well okay. So I'm just going to do the installation now and accept the license agreement after I've scrolled all the way down. And now it's asking me for some information for their marketing department. I'll say I already have a product key, because I've already requested one for the purposes of this and I already have it, so I'm not going to bother registering for one. Although they do require you to register for a product key, and you'll get an email with the product key sent to you. So it's asking for a user name. I'm going to give it a user name and a password. I don't need a desktop icon created. I do want to initialize and start Nexpose after the installation. So as you can see, it's a pretty standard installation process. After it's done it's going to do the initialization that's going to bring up the web interface, which is actually how you get to Nexpose, and it's going to ask me for the license key. So, at this point, I'm going to just let the installation run, and then we'll pick up on how to do the setup of Nexpose and do all of the configuration. We'll pick that up in the next video.

5.3 Configuring Nexpose

At this point we've got Nexpose installed. We've gone through the initialization process, which is rather lengthy, and that's all done. I've got the license key activated. So I'm going to go to the web interface now, and I do that on the local system by going to localhost, port 3780. It is an HTTPS connection, and when you go for the first time, you'll probably get a certificate error and you'll have to do whatever you do to confirm the security exception or accept the certificate. The reason for that is because it's a self-signed certificate, so there's no certificate authority to check against and make sure that it's valid. So the first thing I want to do is I want to start doing a scan. So I've added a new static site. Now this is the community edition, which means I've only got 32 hosts that I can do at any given time. So the first thing I want to do is say Home Network, and now I can go to my Assets and I can do a couple of hosts right now. I'm going to add these two hosts, and now I can go to Next. We'll do a full audit, although there are a number of different types of scan templates that you can use, from penetration test to just a discovery scan, to HIPAA compliance, Sarbanes-Oxley compliance, and all of these others. What I want to do right now is just do a full audit. So I'm going to add some credentials here. So I'm going to say Windows credentials, and I can use SMB or I could use Secure Shell if it were Linux. In this case, it happens to be a Windows system, so I'm going to leave this alone right here at Microsoft Windows/Samba. The domain I'm going to leave alone. I'm going to say the administrator is the account, and then I'm going to give it the password. So now I can save that. And now I can go on to web applications. I'm not actually going to do any web applications. Then I can give an organization here.
This is basically just for accounting or reporting purposes; it's just to keep some information about what you're actually doing in the database, so I'm not going to add that. I'm not going to add any users; I'm just going to save. So we're going to save this site configuration here. And now what I can do is I can kick off a scan. So it's brought up the scan, included assets, excluded assets, and I can either scan all assets or just specify one or more assets. I really want to scan all of them, so we're going to kick that off. The scan is going to run at this point, and really it's that simple, just getting a scan going with Nexpose. At this point you've got a little console telling you how long the scan has been running for. As it starts working, you'll see some active hosts and the number that are completed. If it finds vulnerabilities they will show up here and you will get a count. You will be able to click this open and see more details once those are available. So we are going to let the scan run at this point, and then when it is completed we'll come back and we can take a look at the results that we've gotten from the scan.
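The lecture's advice to "do whatever you do to confirm the security exception" for the console's self-signed certificate at https://localhost:3780 leaves out the check a practitioner would actually want: compare the certificate's fingerprint against a value obtained on the console host itself before trusting it, then pin that certificate so later connections are fully verified instead of having verification switched off. The following Python is an added example, not code from the lecture or from Rapid7; the host and port come from the lecture, the placeholder fingerprint and the output file name are assumptions, and the test data is constructed.

```python
import hashlib
import hmac
import socket
import ssl

# Defaults taken from the lecture: the Nexpose console listens on localhost, port 3780, over HTTPS.
NEXPOSE_HOST = "localhost"
NEXPOSE_PORT = 3780


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:EF...' or 'abcdef...' (with or without spaces) and return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison of the presented certificate's fingerprint with the expected value."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalize_fingerprint(expected))


def fetch_server_cert_der(host: str = NEXPOSE_HOST, port: int = NEXPOSE_PORT) -> bytes:
    """Retrieve the console's leaf certificate for the one-time fingerprint check.

    Verification is disabled for this single fetch only: nothing is sent over the
    connection, and the certificate is not trusted until its fingerprint matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def save_pinned_cert(der_cert: bytes, pem_path: str) -> None:
    """Store the verified certificate as PEM so later connections can trust it explicitly."""
    with open(pem_path, "w") as fh:
        fh.write(ssl.DER_cert_to_PEM_cert(der_cert))


def pinned_context(pem_path: str) -> ssl.SSLContext:
    """A context that trusts only the pinned certificate, with hostname and chain checks left on."""
    return ssl.create_default_context(cafile=pem_path)


if __name__ == "__main__":
    # Placeholder: obtain the real fingerprint out of band on the console host itself,
    # never from the browser warning you are trying to validate.
    EXPECTED_FINGERPRINT = "<sha256 fingerprint obtained on the console host>"
    der = fetch_server_cert_der()
    print("presented:", sha256_fingerprint(der))
    if fingerprint_matches(der, EXPECTED_FINGERPRINT):
        save_pinned_cert(der, "nexpose-console.pem")  # assumed output file name
        print("fingerprint matches; certificate pinned to nexpose-console.pem")
    else:
        print("fingerprint mismatch; do not accept the certificate")
```

Once the PEM file exists, pass `pinned_context("nexpose-console.pem")` to whatever HTTPS client you use; the console's certificate then verifies like any other, and a changed certificate fails loudly instead of producing another exception to click through. The hostname check in the pinned context only passes if the certificate's subject or SAN actually names the host you connect to, so connect by the same name the certificate was issued for.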

5.4 Adding Hosts to Nexpose

So we've got a Nexpose scan that we've done some configuration on. We've actually run it. And I want to show you how to actually go about using Nexpose to discover some hosts on a particular network. When I configured the scan, I actually knew a couple of hosts that I wanted to take a look at. So I want to do a scan now, and I'm going to do Next. Now I'm going to have some limitations here because of the type of Nexpose that I am running. I have just got the community edition, so what I'm actually going to do is I'm going to scan a portion of that address range. So I'm going to enter the network address, and I'm going to do a /27 here. So now I can do a Next. For Scan Setup, I just want to do a Discovery Scan because I want to see what's out there. So I'm not going to do any credentials. I'm not going to do any web applications. I don't care about the organization. And I'm not actually going to add any users, because I'm really the only user of this system. So now I can do my scan here, and it's going to go scan these particular hosts here. So I'm going to do a Start Now. And what this is really going to do is, it's sort of like running Nmap. It's just going to go see what's out there, see what's available on the network that you may want to take a closer look at. So we've already got three assets that we've added. We've got .1, .27, and .17. So far it looks like it's going to take a couple more minutes to finish. But you can see what it's doing here is it's just doing the scan of the network, seeing what hosts may be available, and it takes some time to do the loading. I'm actually just going to go back over to the Home tab here, and it's a little busy at the moment so it's going to take a second to respond and come over to the Home tab. So at this point we have got a list of assets that have been located, and we have got some information about the operating system for all of them. So, if I were to click on one of these, for example, I should be able to bring up information about it.
Of course, there are no vulnerabilities yet. We do have some services, though, that it has found that are listening. So that's how you would go about just locating hosts on the network without doing a full-blown vulnerability scan against them. You just want to see what's out there, what services may be listening. You can just do a discovery scan using Nexpose, and then you can use that going forward to do some deeper dives on some subsection of the hosts that you've located, based on, say, the operating system, and where you think you may be able to get the most bang for your buck.
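Section 5.1 notes that the Community Edition caps a scan at 32 IPs and that a larger network therefore has to be worked in chunks, and the discovery scan above picks a /27 for exactly that reason: a /27 is 32 addresses. The Python below is an added example, not part of the lecture or of Nexpose, that generalizes that choice: given a network and an address limit, it works out the longest prefix that fits the limit and splits the network into subnets of that size, so each batch can be entered as a site's asset in turn. The 32-address limit is the lecture's figure; the sample network is constructed.

```python
import ipaddress
import math
from typing import List

# The lecture states that the Community Edition scans at most 32 IP addresses at a time.
COMMUNITY_IP_LIMIT = 32


def prefix_for_limit(limit: int, version: int = 4) -> int:
    """Prefix length of the largest block that fits within `limit` addresses (32 -> /27 for IPv4)."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    max_bits = 32 if version == 4 else 128
    block_bits = int(math.floor(math.log2(limit)))  # largest power of two <= limit
    return max_bits - block_bits


def split_for_limit(cidr: str, limit: int = COMMUNITY_IP_LIMIT) -> List[str]:
    """Split a network into subnets that each fit within `limit` addresses.

    A block already at or below the limit is returned unchanged, so a /27 under a
    32-address cap comes back as a single batch, matching the lecture's choice.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    new_prefix = prefix_for_limit(limit, net.version)
    if net.prefixlen >= new_prefix:
        return [str(net)]
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def addresses_in(cidr: str, include_edges: bool = True) -> List[str]:
    """All addresses in the block; with include_edges=False the network and broadcast addresses are dropped."""
    net = ipaddress.ip_network(cidr, strict=False)
    addrs = net if include_edges else net.hosts()
    return [str(a) for a in addrs]


def scan_plan(cidr: str, limit: int = COMMUNITY_IP_LIMIT) -> List[dict]:
    """One entry per batch: the subnet to enter as the site's assets and how many addresses it counts."""
    return [{"assets": sub, "addresses": len(addresses_in(sub))}
            for sub in split_for_limit(cidr, limit)]


if __name__ == "__main__":
    # Constructed example network; substitute the range you are actually responsible for.
    for batch in scan_plan("192.168.1.0/24"):
        print(f"{batch['assets']:>18}  {batch['addresses']} addresses")
```

The count uses every address in the block, including the network and broadcast addresses, because the limit is stated in IPs rather than usable hosts; if you only want to know how many hosts a batch can actually contain, `addresses_in(sub, include_edges=False)` gives 30 for a /27. Running the script on a /24 prints eight /27 batches, which is the number of discovery scans the lecture's approach would need to cover that network.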

5.5 Reviewing Results And Manual Checks

The scan that we were working on previously has completed at this point, and you can see that we've got the site listing, we've got two assets, we've got 59 vulnerabilities, and you can see when it completed. Now we've got nice little charts and graphs; those are really nice and handy to have. What I really want to do now, though, is I want to go to the Vulnerabilities tab over here and see what we've got for vulnerabilities. Now one of the nice things about Nexpose is it will tell you whether it's vulnerable and what it may be vulnerable to. So you can see there's a column here to indicate whether it's susceptible to malware attacks. And you can see whether there's an exploit that's been published, and it will indicate where it's been published to. So if I were to click on that, you can see that we've got a vulnerability that's in the Exploit Database. And I can click on that and it will pop it open. So here's the exploit that's available for this particular vulnerability. So I've got a way of exploiting this vulnerability right here, this MS10-012. So we've got some other ones here. This indicates that it's Metasploit exploitable. Now one of the nice things about Nexpose is, since Nexpose and Metasploit come from the same company, Rapid7, you can actually integrate the two of them so that you could use Nexpose as a way to launch Metasploit and actually trigger this particular exploit. As it is, we can find out what the exploit is. We can find out the module; if I were to click on this, that will take me right to the module and give me information about it. You can see that the module that we would use would be ms09_001_write. So I could use that module and I could exploit that vulnerability, and it even shows me right here how to go about using that particular exploit. So, I've got a lot of information here in Nexpose that's going to give me some pointers on where I could go next.
Now there are some findings here that we've got; for example, the SNMP community name is public. There's really no exploit there; that's just the way that the application, SNMP, is configured. It's configured in an insecure fashion and it's got a well-known community name, meaning there's not an exploit; we will just have to run an SNMP client against this particular server and find out what information we've got available. So there are a number of other ones here as well, and we could go skimming through them, but what I really want to do is kind of focus on these going forward, because I know I could actually exploit these using Metasploit. So, when we start looking at Metasploit, we'll look at using these particular modules against the systems and actually do some exploitation using Metasploit, and see where we can go getting into these particular systems.
