Vulnerability assessment with Nexpose

December 27, 2013 by

Nexpose is one of the leading vulnerability assessment tools. The Nexpose community edition is a free program and the other editions are paid ones. In this article, we will use the free Nexpose community edition, which has the ability to scan 32 hosts. The user interface is clean and reporting is robust. Nexpose sports an easy-to-use, well-organized dashboard and, like most of the products we have looked at, it supports a wide range of compliance reporting including PCI. To download Nexpose, just register yourself at the website and download it.

Earn two pentesting certifications at once!

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

Open the browser and go to http://localhost:3780 and we will see the Nexpose home page.

In the home page, we can see there is a "Site Listing" section; click on "New Static Site" and it will give "Site Configuration" settings.

The first configuration setting is for "General Information." As can be seen in the above figure, we gave a name for "Site," set the Importance to "Very High," and added some description about the site; now we click on "Next."

The "Assets" configuration page has two sections, as can be seen in the above figure: "Included Assets" and "Excluded Assets." In the "Included Assets" section, we provide two target IP address. If you are going to scan the whole network range, then you will give the whole IP range like this: If you have some selected IP list then you can import that file by using the "Import list" function. "Excluded Assets" is used for excluding assets from scanning. If you are going to scan the whole IP range and you want to exclude some of the IPs from the scan, put those IPs in excluded assets. After completing this, click on "Next" for the next configuration.

The next configuration is for "Scan Setup," where the first option is for "Scan Template." Select a template for scanning to meet your needs. Here we are using the "Full audit" template for our scan.

"Enable schedule" is a unique feature in Nexpose that provides a schedule-based audit. It allows you to set a start date and time, as well as the duration of scan. If you are using a regular based audit, then this feature is a great thing for security auditors. After finishing the "Scan Setup," click on "Next."

The next configuration is for "Credentials Listing." Basically, here we can give the system a username and password for performing a credential-based scan. For a Windows system, we have to give SMB account credentials and, for a Linux system, we have to give SSH credentials. Here we are not giving any credentials so just skip it and click on "Next."

The next configuration is for "Web Applications." We don't need to do anything here, so click on "Next."

The next configuration is for information about the organization for which we are going to perform a vulnerability assessment; Nexpose will use this information in the report. Fill in the form or skip it and click on "Next."

The last configuration is for "Access Listing." If there is more than one Nexpose console user, we can set permissions for the user who can access this site. Click on "Save" and the configuration will be saved.

Here we can see in the site listing section that our created site, Oscorp Corporation, is added and it is ready for scan. Click on "Scan"; on the right-hand side there is a play button.

It will prompt in a new window to start a new scan; here we can see our targeted IP address. Click on "Start" now.

As can be seen in above figure, our scan has started and, in the "Discovered Assets" section, we can see our target IP's system name and the operating system it is running.

Once the scan will completed we can see here "Assets Listing," which we have already seen, and "Assets by Operating System." In this section, Nexpose lists all assets by operating system. Here mine is showing Microsoft Windows 7 Ultimate Edition and the other one is Microsoft Windows XP. Another section is "Assets by Software," where Nexpose lists all installed software in the targeted IP.

Next click on the "Vulnerabilities" tab to see all the vulnerabilities. Here we can see "Exposures." The first icon means susceptible to malware attacks, the second is for a metasploit exploitable, and the third one is for a published exploit. So now let's check what these three icons do. Click on the "M" icon.

It shows the exploits that are available in metasploit and also the skill needed to exploit this vulnerability, which means we can exploit this vulnerability by using metasploit. And the other icon shows that the exploit has been published, so we can download those exploits from the exploit db.

Next click on the malware icon to see what information it gives.

It shows the available malware kits from which we can exploit this vulnerability.

We can see in above figure some of the malware kits available for this vulnerability.

Now we will move on to the report section; click on the "Reports" tab.

Give a name for the report in the name field and select a report template type.

Next select the report format. Here we have selected PDF format. Then select "Sites" and click on the plus icon.

Select the site from "Select Report Scope." Here we select our Oscorp Corporation and click on "Done."

Our report is generated here; click on the report to view it.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.




Warlock works as a Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.