Metasploit has three ways to integrate with the Nexpose vulnerability scanner. I've heard some confusion about what the different options are, so I'd like to summarize them here briefly:
- Importing Nexpose reports: This is a simple, manual file import. Apart from Nexpose, Metasploit can import about 13 different third-party reports from vulnerability management solutions and web application scanners. This feature works in all Metasploit editions.
- Initiate a Nexpose scan from Metasploit: If you have Nexpose installed on the same machine, you can initiate a vulnerability scan from Metasploit. Once completed, the results are automatically imported into Metasploit. This feature also works in all Metasploit editions.
- Integrate with your Nexpose infrastructure: If you have a Nexpose vulnerability management infrastructure in place, especially one that comprises several scan engines located at various sites around the globe, your best option is to integrate Nexpose directly with Metasploit. Metasploit can connect with any number of Nexpose consoles to query and import vulnerability reports from the scan engines. The advantage of this option is that you don't have to conduct a new scan and you don't have to manually export/import any files. This feature is exclusive to Metasploit Pro.
If you're using Metasploit Pro, you also have the option to tag your imports, for example by source or time. This enables you to later filter or report by import.
Both Metasploit and Nexpose are available as free community editions as well as commercial enterprise editions. To get your free community version, download Metasploit Community Edition or Nexpose Community Edition now!