In the previous blog post, we walked through creating a virtual machine and installing Nexpose Community for use in a small lab environment. In this post, we'll highlight key features of Nexpose, run Discovery and Vulnerability scans and finally generate a report to assist with remediating those pesky vulnerabilities.
To log into your Nexpose Console, open your browser and navigate to: https://localhost:3780, then input the credentials you specified during the installation.
Once Nexpose has finished initializing, you will be brought to the Home screen. If there has been a recent update, or if this is your first time accessing the console, you will see the release notes splash page. The release notes will display after a successfully completed update to inform you of the changes/updates made to Nexpose. Click the Home icon to be sent to that dashboard. You can review past release notes at any time under the News link at the top right of the console.
From the Home dashboard, you can easily see and manage your sites, scans and asset groups. So first things first – let's set up a new site. Hit the New Static Site button and you're taken to the Site Configuration page. As you navigate using the Next button, site configuration pretty much speaks for itself. Choose a name for the site that gives you an idea of what it contains or scans (e.g., Secret Batcave Lab, MyHax, etc.) and proceed to the Assets option at the left side of the screen.
[Note: Nexpose default session timeout is set to 600 seconds. I've found I end up timing out often and needing to log back in. The setting for timeout can be adjusted under Administration -> Security Console Configuration -> Web Server]
Since we are using the (free) Community edition of Nexpose, we are able to scan and store vulnerability data for up to 32 IP addresses. To make the most of that limit, you will need to know the IP address scheme and range being used by your LAN. If you are using a Linksys, Netgear or D-Link router, your IP addresses will probably default to a variation of 192.168.1.x. If you are using an Apple Airport Base Station variant, you'll most likely be in the 10.0.1.x range.
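To make that 32-address budget concrete before you type anything into the Assets page, here is an added Python helper (not part of the original post and not Nexpose's own code). It expands the kinds of target specs you would enter there (single IPs, CIDR blocks, or start-end ranges), de-duplicates them, and reports whether the total fits the Community edition limit. It assumes IPv4 targets and uses only the standard library; the sample target list at the bottom is constructed for illustration.

```python
import ipaddress

# Licence limit stated for Nexpose Community edition: vulnerability data for up to 32 IPs.
COMMUNITY_IP_LIMIT = 32


def expand_targets(targets):
    """Expand a list of target specs into a sorted, de-duplicated list of IPv4Address.

    Accepted spec forms (IPv4 assumed):
      - single address:   "192.168.1.10"
      - CIDR block:       "192.168.1.0/27"     (usable hosts only, except /31 and /32)
      - start-end range:  "10.0.1.1-10.0.1.40" (inclusive, every address in the range)
    """
    hosts = set()
    for spec in targets:
        spec = spec.strip()
        if not spec:
            continue
        if "-" in spec:
            start_s, end_s = spec.split("-", 1)
            start = ipaddress.IPv4Address(start_s.strip())
            end = ipaddress.IPv4Address(end_s.strip())
            if end < start:
                raise ValueError(f"range end precedes start: {spec}")
            # summarize_address_range yields networks that exactly cover [start, end];
            # iterating each network yields every address in it, so the union is the range.
            for net in ipaddress.summarize_address_range(start, end):
                hosts.update(net)
        elif "/" in spec:
            net = ipaddress.IPv4Network(spec, strict=False)
            if net.prefixlen >= 31:
                hosts.update(net)          # point-to-point or single host: every address counts
            else:
                hosts.update(net.hosts())  # skip the network and broadcast addresses
        else:
            hosts.add(ipaddress.IPv4Address(spec))
    return sorted(hosts)


def check_against_limit(targets, limit=COMMUNITY_IP_LIMIT):
    """Report whether the expanded target list fits within the licensed address count."""
    hosts = expand_targets(targets)
    count = len(hosts)
    return {
        "count": count,
        "within_limit": count <= limit,
        "excess": max(0, count - limit),
        # The first `limit` addresses in order: the largest prefix of the list that still fits.
        "first_fitting": [str(h) for h in hosts[:limit]],
    }


if __name__ == "__main__":
    # Constructed sample: a typical home LAN /24 plus a duplicate host and a small second range.
    sample = ["192.168.1.0/24", "192.168.1.10", "10.0.1.1-10.0.1.5"]
    result = check_against_limit(sample)
    print(f"{result['count']} unique addresses; fits Community limit: {result['within_limit']}")
    if not result["within_limit"]:
        first, last = result["first_fitting"][0], result["first_fitting"][-1]
        print(f"Trim {result['excess']} addresses, e.g. keep only {first} .. {last}")
```

Run it with the ranges you are about to enter; if `within_limit` is false, narrow the CIDR (a /27 gives 30 usable hosts, which fits) or list only the hosts you actually care about rather than the whole /24.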
Insert the IPs you want to scan, then hit Next. At the Scan Setup menu, we can select the type of scan we want to run. This time, we want to run a Discovery Scan. The Aggressive Discovery Scan can produce more thorough and accurate results, but there is a risk that it disrupts some of your devices. We'll go ahead and run the regular Discovery Scan for this, but we can always come back and switch to the Aggressive template if the results are not what we need. We won't have any External Scan Engines available, so the 'Local Scan Engine' option is what we need. For this scan, we won't use any of the remaining options, so you can go ahead and Save the site.
You should be taken back to the Home dashboard with your shiny new site listed near the top. Right now, we're ready to run the Discovery Scan, so go ahead and click the green Scan button to the right. As the scan runs, you will be able to see progress made as Nexpose works through the discovery and OS fingerprinting procedures.
Once the scan is complete, we should now have a complete listing of all the active (online) assets on your network. Now for the good part – the Vulnerability Scan.
Head back to the Home dashboard and hit the Edit button for the site we just scanned. Under Scan Setup, select the 'Full Audit' option from the Scan Template drop-down. The only other menu we are concerned with at this point is the Credentials menu. Click to it and you should see the option to add New credentials. Here, you'll add an administrator account and specify the service Nexpose will use to connect to the host.
There are a plethora of options for connecting to hosts, so make sure to select the correct protocol for your particular operating system(s). Nexpose will try each relevant set of credentials in turn against each host, so if you need to input multiple sets of credentials, simply rinse and repeat the process. Once you finish plugging everything in, hit Save and click Scan again at the Home dashboard to begin the Full Audit scan. You can confirm the scan template at the last minute by checking the scan template listed above the included assets in the Start New Scan window.
This scan will take a bit longer, depending on how many assets you are scanning and how many different sets of credentials are needed. As Nexpose scans, you will see updates per device in the Scan Progress window, and once the scan is complete, you should get something like this:
Congratulations! You (almost guaranteed) have vulnerabilities! You can sort your assets in descending or ascending order by clicking the column title. You can also drill down into each asset by clicking the IP Address or NetBIOS name. Here, you will get a detailed look at the vulnerability findings, asset information and the ability to continue to look at specific information about each vulnerability, proof of discovery and remediation path. Nexpose will default to listing vulnerabilities in descending order of Severity according to its Real Risk ranking system.
If you would like to see a consolidated perspective of all the data we just gathered, click over to the Reports dashboard. From here, provide the name, format and report template you would like to generate. Nexpose Community edition provides an Executive Report and an Audit Report template. The Executive Report gives a high-level summary with key numbers and graphs – the Audit Report is more comprehensive, focuses on a thorough reporting of the vulnerabilities found and provides a direct remediation plan. For this first report, I recommend choosing an Audit Report in HTML format. That way, you can click through the more detailed report and research vulnerabilities you might have questions about. Under the Scope menu, you have the option to specify which site (or asset group) you would like a report for. For this first report, hit the Select sites button and select your site. Hit Save, then Save again at the top of the menu. The report should generate in just a few moments, and you will be well on your way to securing your network!
One of the best ways to find out about new features is to poke around and try things out. If you aren't sure about something, we have a great community of users ranging from casual to professional that are constantly learning from each other. Poke around, ask around – don't hesitate to reach out and share things you have learned as well!