On December 1st, Rapid7 announced the Community Edition of the NeXpose vulnerability management product. At the same time, we released version 3.3.1 of the Metasploit Framework, which contains the first step towards full integration between NeXpose and Metasploit. Since the release, we have made some major improvements based on community feedback and I wanted to take a minute to walk through some of the new features.
The Community Edition of NeXpose is based on the same product as the enterprise versions, but it does have a few restrictions. The community license limits the number of managed IPs to 32, disables web application scanning, and doesn't provide configurable scan templates or discovery mode. The Community Edition does not include commercial support, but a Community Portal has been set up to answer common questions and promote discussion around the product. Other than that, it is essentially an enterprise-grade vulnerability management solution available at no cost.
The Metasploit integration is implemented through the NeXpose Plugin. This plugin can be loaded from the Metasploit console and provides the ability to launch vulnerability scans and automatically import the results using a NeXpose instance (either local or remote). Commercial penetration testing tools have had support for importing vulnerability data for a long time, but these products have left the vulnerability assessment and data import steps as a manual process.
The NeXpose plugin not only combines these steps into a single command, but it can also automatically launch exploit modules after the scan is completed. As of update r7681, this plugin can also launch scans based on existing database results, such as those imported through Nmap and other tools. Even if you don't actually use Metasploit on a day-to-day basis, this plugin can be useful in that it tells you which Metasploit modules could potentially compromise a target and helps prioritize remediation efforts.
For more information on the NeXpose plugin, including a walkthrough on using the plugin to automatically scan and compromise a target, please see the Quick Start Guide on the Metasploit wiki.