
Relax while Nexpose does the work for you

You may have received notifications that you need to update your Nexpose database soon in order to continue receiving product updates. You may have been putting it off because it sounds like a pain.


Good news: it’s simple!


Have you seen the Staples commercials with the “easy button?” Nexpose basically has that for the update. You don’t have to go in to your database and mess around with an upgrade wizard. Nexpose handles all that for you. All you have to do is open up Nexpose and make a few clicks.


On the migration page, click a few buttons in the indicated order. Sit back and relax while you wait for the migration steps to complete.


To see how easy it is, check out this short video:

Migrating to the latest version of PostgreSQL


To learn more about the cool stuff you can get once you migrate, see the previous blog post “Get on the Path to Superpowers in only 1 hour!”

Relax and enjoy your updated Nexpose!


Update Tuesday, August 2015

Posted by dpicotte Employee Aug 13, 2015

This month’s update includes 14 Microsoft security bulletins (52 CVEs), with three being rated as critical. One of these vulnerabilities, in Microsoft Office (MS15-081), has already been detected being exploited in the wild. As per the norm, Adobe has also released a high priority Air\Flash security patch (APSB15-19) to address 34 CVEs on multiple affected platforms (IE, Edge, Windows, Macintosh, Android and iOS).


Microsoft seems to have implemented a new strategy for Windows 10, as they are now releasing a single KB specific to the platform that addresses all applicable bulletins (in this case 6 of the 14). For administrators this allows a single patch to be installed for addressing all security issues – greatly reducing the burden of patch implementation. We see this as a very positive step forward for Microsoft and will be interested to see what, if any, additional changes they make to the patch process moving forward.


  • MS15-079: resolves 13 CVEs on all supported versions (7-11) of Internet Explorer (likely to be exploited in the near future).
  • MS15-080: resolves 16 CVEs in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight.
  • MS15-081: resolves 8 CVEs in Microsoft Office (2007 – 2016) on both Windows and Mac and SharePoint servers (2010, 2013).
  • MS15-082: resolves 2 CVEs in nearly all supported platforms (Windows 10 being the only exception) that could allow remote code execution via the remote desktop protocol (RDP) functionality. This bulletin is rated “Important” as it is not believed that exploitation is occurring in the wild. CVE-2015-2472 requires a man-in-the-middle (MiTM) attack to exploit (decreasing the likelihood of a successful attack) and CVE-2015-2473 requires user interaction to exploit.
  • MS15-083: resolves 1 CVE in Vista SP2 and Server 2008 SP2 systems that support SMB and requires authentication credentials (a valid session).
  • MS15-084: resolves 3 CVEs in nearly all supported platforms (Windows 10 being the only exception). The vulnerability impacts systems supporting SSLv2 with MSXML and the “fix” is simply to use a secure communication protocol.
  • MS15-085: resolves 1 CVE on all Windows platforms. Exploitation in the wild has been detected; however, to exploit this vulnerability an attacker would have to insert a malicious USB device into a target system. The physical access requirement makes mass exploitation far less likely (remind your users not to plug in randomly found USB devices).
  • MS15-086: resolves 1 CVE in System Center Operations Manager (SCOM) 2012, the cross-site scripting (XSS) vulnerability requires user interaction with a maliciously crafted URL. Exploitation of this vulnerability is not likely.
  • MS15-087: resolves 1 CVE in Windows 2008 and Microsoft BizTalk Server (2010 - 2013 R2). The cross-site scripting (XSS) vulnerability requires user interaction with a maliciously crafted URL. Exploitation of this vulnerability is not likely.
  • MS15-088: resolves 1 CVE on all Windows platforms, exploitation of this information disclosure vulnerability has not yet been detected in the wild however exploitation in the near future is likely (requires the chaining of multiple IE vulnerabilities for exploitation).
  • MS15-089: resolves 1 CVE in nearly all supported platforms (Windows 10 being the only exception) that could allow WebDAV SSLv2 sessions to be partially decrypted. Exploitation is unlikely to occur.
  • MS15-090: resolves 3 CVEs in nearly all supported platforms (Windows 10 being the only exception) that could allow an elevation of privilege due to a vulnerability in the sandboxing functionality of the Windows Object Manager or Windows Registry or Windows Filesystem.
  • MS15-091: resolves 4 CVEs in Edge on Windows 10 (that’s a first since RTM) that could allow remote code execution (RCE), exploitation of these vulnerabilities requires a user to visit a maliciously crafted webpage. Exploitation of this vulnerability in the near future is rated as likely.
  • MS15-092: resolves 3 CVEs on all Windows platforms running .NET 4.6 (likely only Windows 10 systems at this point in time). Exploitation of the elevation of privilege vulnerability in the RyuJIT compiler would grant the same permissions as the running user.

Welcome to the Windows 10 era; administrators, enjoy patching yet another platform.

A couple of weeks back I told you all about the new capability to add custom protocol support in Nexpose.  At first we had opened the github repo up as invitation only.  I'm excited to tell you that since then we've expanded the testability, added more protocols, and  as of last week we opened it to the public.


One of the best things about improving protocol detection is increased scan speed.  Getting accurate detection reduces the amount of time it takes before Nexpose gives up trying to identify an unknown service.  In the demo I was showing at Black Hat last week, we saw hosts go from an 8 minute scan to a 5s scan (96x faster), simply by adding support for a single unknown port.


As with before, we are eager for our users (and other interested parties) to fork the repo for your own projects.  If you are working on detection for a custom protocol, or just something that Nexpose is not identifying well in your environment, we're here to help.

The deadline to update your PostgreSQL 9.4.1 is almost here!


For users who have not updated their Nexpose deployment to PostgreSQL 9.4.1 the deadline to upgrade – August 27th - is quickly approaching and time is running out.


Why Upgrade?

So what’s the big deal about PostgreSQL 9.4.1? While the upgrade itself will not grant you superpowers, it is the first step in getting your superhero cape and tights.


Here are 3 reasons why:

1. Many customers have reported significant performance improvements after migrating (though the performance impact also depends upon your underlying infrastructure).  And who wouldn’t want enhanced speed and performance?


2. It lays the foundation for your Nexpose deployment to support, and scale with new powerful Nexpose features and enhancements in future Nexpose releases. 


3. In fact – the upgrade is so integral to future Nexpose versions that without PostgreSQL 9.4.1, you will not be able to apply product updates after Aug 27, 2015. If you do not migrate by that date, you will not be able to take advantage of these superpower-like future Nexpose features.

How To

Our step-by-step instructions and intuitive wizard make the upgrade process a breeze. Depending upon the size and complexity of your environment, it will take you between 20 and 90 minutes to complete from beginning to end.


View the steps to migrate to the latest version now:

Migrating to the latest version of PostgreSQL

In the webinar, “Detecting the Bear in Camp: How to Find your True Vulnerabilities”, Jesika McEvoy and Ryan Poppa discussed what it takes to be successful in a vulnerability centric world. Many companies fall short when it comes to remediation after spending too much time trying to scan everything and find every vulnerability. Jesika and Ryan shared best practices for how to avoid this mistake and focus on remediation that matters the most to your organization’s vulnerability management program. Read on for the top takeaways from this webinar:


1) Simply Communicate – Good communication can’t be overvalued – not just within your own team, but across all remediation teams, leadership, auditors, and more. Handing out large, general vulnerability reports won’t drive any progress. Never distribute information without context. Make sure your results are delivered in a targeted and actionable format to the teams they’re relevant to (i.e., desktop results to the desktop team, network results to the network team, etc.). Steps given out must be actionable so that a repeatable process is created, and so teams have a real idea of how to create a solid plan for getting the remediation done right. Be able to give a summary to business leaders that have ownership over different remediation teams so they can coordinate, drive, and prioritize tasks as needed.


2) Set Clear-Cut Goals – Set goals that drive remediation and success. Incorporate your process into the overall workflow at your organization in a timely manner that teams can come to expect, and include assignment dates for accountability. It’s up to you to understand where your greatest risks are when formulating goals. Think about where your focus needs to be to get the best bang for your buck when reducing risk at your organization. Progress can be big and sweeping, or small and incremental, as long as the importance and impact of each change is communicated and understood across teams.


3) Measure & More – Be able to prioritize assets, measure overall success, and demonstrate success to others. Have a standard that is easy to measure against and that can provide visibility into what is being accomplished overall, and how your organization may need to invest from a security and training perspective to drive improvement. If progress isn’t being made on a certain team, find out whether it’s due to laziness or being overworked. Create competition among remediation teams wherever possible to foster a competitive spark and allow them to understand if and where they’re improving and contributing to the organization’s progress.


For the in-depth view of how to improve remediation and optimize your vulnerability management program (and for some great bear analogies): view the on-demand webinar now.


Learn more on this subject and all things security all summer long at Rapid7’s free Security Summer Camp.


Patch Tuesday, July 2015

Posted by dpicotte Employee Jul 16, 2015

Administrators and security teams are in for a hectic week tackling 14 Microsoft security bulletins, 2 Adobe updates addressing 4 CVEs for Flash\Shockwave and Oracle has released their quarterly update for 63 of their product suites (including Java, Oracle DB, MySQL and Solaris).


Of the 14 Microsoft security bulletins, 4 remote code execution vulnerabilities are rated as “Critical”, including an Internet Explorer (IE) vulnerability that affects all known versions (v6 - v11) and CVE-2015-2373, a vulnerability in remote desktop allowing remote code execution. Overall a ton of updates, but nothing that initially comes across as out of the ordinary. The remaining bulletins address elevation of privilege vulnerabilities and are rated as important by Microsoft.


Summary of Oracle’s Critical Patch Update Advisory:

  • Oracle Database Server: 10 new security fixes (highest CVSS score: 9.0)
    • Including 2 remotely exploitable vulns that don’t require authentication
  • Oracle Fusion Middleware: 39 new security fixes (highest CVSS score: 7.5)
    • 36 of these vulnerabilities may be remotely exploitable without authentication
  • Oracle Hyperion: 4 new security fixes (highest CVSS score: 7.5)
  • Oracle Enterprise Manager Grid Control: 3 new security fixes (highest CVSS score: 5.5)
  • Oracle E-Business Suite: 13 new security fixes (highest CVSS score: 5.0)
  • Oracle Supply Chain Products Suite: 7 new security fixes (highest CVSS score: 5.0)
  • Oracle PeopleSoft Products: 8 new security fixes (highest CVSS score: 6.2)
  • Oracle Siebel CRM: 5 new security fixes (highest CVSS score: 9.3)
  • Oracle Commerce Platform: 2 new security fixes (highest CVSS score: 6.4)
  • Oracle Communications Applications: 2 new security fixes (highest CVSS score: 10.0)
  • Oracle Java SE: 25 new security fixes (highest CVSS score: 10.0)
  • Oracle Sun Systems Products: 21 new security fixes (highest CVSS score: 10.0)
  • Oracle Virtualization: 11 new security fixes (highest CVSS score: 7.8)
  • Oracle MySQL: 18 new security fixes (highest CVSS score: 6.5)
  • Oracle Berkeley DB: 25 new security fixes (highest CVSS score: 6.9)


Reminder to all: 2015-07-14 was the last update for Windows Server 2003. It is now at end-of-life (EOL) and will no longer receive updates unless you’ve acquired an extended support contract from Microsoft.

Enjoy the patching frenzy.

A growing threat to many organizations is personal mobile devices used by employees at work and the risk of data loss created by these devices accessing sensitive company information. After a program is in place to effectively manage vulnerabilities in PCs, organizations should begin to take a look at other areas of exposure and mobile is a leading candidate.


We recently added mobile device discovery and vulnerability assessment capabilities to Nexpose to support organizations that are looking to shore up their security program and help reduce the risk of data exposure from mobiles.  This new capability is free to all Nexpose Enterprise and Ultimate customers with mobile assets not counting against your licensed IPs.


How it works



We work with a company’s Microsoft Exchange - on-premise or Office365 - to discover and identify the device and its operating system. The discovery process uses Microsoft’s PowerShell technology to query Exchange for devices that have established an ActiveSync connection with the server, or alternatively, LDAP to query Active Directory for the same information. The query collects data that is used in conjunction with our extensive mobile device fingerprint database to identify the device along with its mobile operating system.



Once the operating system version and device type is known we are then able to assess the device for vulnerability risk and provide a risk score like other assets scanned by Nexpose.  One of the nice benefits of this integration through Exchange is that a traditional physical scan of the device is not required. It’s more of a virtual scan based on information already provided to Exchange as part of the ActiveSync protocol.




Step 1: Mobile Connection

To set up a mobile site in Nexpose you’ll need to first create an “Exchange ActiveSync” connection. In the Assets tab of the Site Configuration wizard select the “Connection” button and then the “Create Connection” sub menu. Here you’ll notice three different Exchange ActiveSync connection type options – LDAP, WinRM/Powershell and WinRM/Office365. While LDAP may be the easiest to set up, we recommend using the WinRM options if possible, as they provide more detailed information (such as when the device last connected), which enables users to zero in on the most relevant device data and ignore “stale” devices.




LDAP

This option is only available for on-premise Exchange installations. It requires the FQDN of your AD server and credentials for a user that has been granted rights to view msExchActiveSyncDevice objects.


The WinRM/Powershell and WinRM/Office365

These connection types are very similar. The WinRM/Powershell option is meant for on-premise Exchange installations and the WinRM/Office365 option is for organizations that are on Microsoft’s hosted solution. Both options require two sets of credentials as well as the FQDN of an on-premise Windows server that has WinRM enabled and configured. Access to a WinRM-enabled machine is required so that Nexpose can run the PowerShell scripts used to query Exchange. One set of credentials is for a user that has been granted access to WinRM on the specified WinRM server and the other is for a user that has been granted View-Only Organization Management access on the Exchange server. Finally, for on-premise installations the FQDN of the Exchange server is also required.


Step 2: Creating a site

Once your mobile connection has been created it can then be used in the creation of a site. When the site is set up you’ll then need to perform a scan. During the scanning process Nexpose will query the Exchange server and import any new devices as well as reassess the devices based on the current content release. Once the scan is complete, mobile assets with their associated risk score will be displayed. These assets behave like any other asset discovered by Nexpose: they can be tagged, placed in dynamic asset groups, and used with all other standard Nexpose asset features.




We’re excited to be providing this new capability to Nexpose and hope that you’ll take advantage of it.  By expanding your vulnerability assessment capabilities to mobile you’ll be ahead of the curve and well prepared in protecting your organization from this new threat vector.

On July 9, 2015, the OpenSSL team announced a vulnerability in specific versions of OpenSSL 1.0.1 and 1.0.2. This vulnerability is listed as “high severity” because affected versions can fail to correctly validate that a presented certificate was issued by a trusted Certificate Authority, leaving systems vulnerable to man-in-the-middle (MITM) attacks. To learn more, see Tod Beardsley’s blog post at nssl-certificate-authority-impersonation and the OpenSSL advisory at

The good news is that these versions of OpenSSL are not widely deployed, and not included in most Linux distributions.

One of the great features within Nexpose is the ability to create dynamic asset groups. A dynamic asset group allows users to create a grouping of discovered assets based on a set of user-defined criteria across the entire organization. In addition, the lists are dynamic. Therefore, every time Nexpose runs any scan in your environment, the list of assets in the dynamic asset group are dynamically updated based on the filter criteria that you have chosen. This dynamic asset group can then be used in reporting, so that you can tailor your reports based on the asset filter criteria that you have developed.

So for the OpenSSL vulnerability, you don't have to scan your assets again to determine this information. Nexpose will use the information discovered in the last scan, so you can easily start any needed mitigation process instantly after the creation of the Dynamic Asset Group. You can scan your assets again if you so choose, as the asset information will be updated with any new information after every scan.

One of the criteria that a user can use to create a Dynamic Asset Group is the installed software discovered on an asset. If you are already using Nexpose to conduct authenticated scans of your Linux systems, you can quickly create a Dynamic Asset Group to search for systems that have these vulnerable versions of OpenSSL. (If you are not already conducting authenticated scans, see below for another option.)

Note: Administrator-level authentication is required so that the scans are able to check the software versions on the target machines. For more information on scan credentials for *nix machines, see the Nexpose Help or User’s Guide under Discover > Configuring Scan Credentials > Authentication on Unix and related targets.

To create a Dynamic Asset Group that searches for machines with vulnerable versions of OpenSSL:

  1. On the Nexpose home page, select New dynamic asset group.
  2. Under Filtered Asset Search, select Software name from the menu, make sure the condition is contains, and enter OpenSSL 1.0.2c.
  3. Click the plus sign to add additional filters.
  4. Repeat the process with OpenSSL 1.0.2b, OpenSSL 1.0.1n, and OpenSSL 1.0.1o.
  5. Toggle the setting to Match any of the specified filters.
  6. Click Search.
  7. In many cases, there will be no results found. This means none of the vulnerable OpenSSL versions was found on your scanned machines.
  8. If there are results found, mitigate the vulnerability as indicated in the advisory.

If you do not have existing authenticated scans, or if you want to cross-check the results of the previous method, you can create a different Dynamic Asset Group that checks for specific services, and then you can manually check those machines for vulnerable versions of OpenSSL.

To search for assets running relevant services:

  1. On the Nexpose home page, select New dynamic asset group.
  2. Under Filtered Asset Search, select Service name from the menu, make sure the condition is contains, and enter HTTPS.
  3. Click the plus sign to add additional filters.
  4. Repeat the process with FTPS, SMTP-S, IMAP-S, and POP3-S.
  5. Toggle the setting to Match any of the specified filters.
  6. Click Search.
  7. You will likely find a number of results.

You can manually investigate the software versions on each machine.

Using Dynamic Asset Groups to search for potentially affected machines can save you a lot of time, since you don’t have to perform a new scan. This method can be modified and applied to similar scenarios.

Those of you who pay close attention to our release notes saw that last week, (June 17, 2015) with the Nexpose 5.14.3 release, we made good on something I wrote about here in the first part of the year.  The Nexpose team is extremely excited to announce the initial availability of our new protocol fingerprinting framework.  For the first time end users can extend Nexpose’s protocol fingerprinting capabilities!


The coverage toolkit provides Nexpose users with a mechanism for authoring content that at this time includes protocol fingerprinting and unauthenticated (remote) vulnerability coverage. The ambition of the framework is to provide a simple, intuitive way to describe what you want to send to the target, what you expect to get back, and what that means. Feedback is welcomed and encouraged.


At this point I'm sure you are all popping open bottles of the finest baby duck and toasting to victory.  What?  Not quite?  Because we have not shown you in the slightest how to use it yet.  Of course.  Okay, I hear you, but there is a method to this madness.  This is intentionally a soft launch.  If I ran into you at UNITED, you heard about it from me, no doubt, but this blog post is the first written explanation you could have seen.  The feature is there, we are shipping some coverage that uses it, but until YOU, the interested Nexpose user starts to take this and make it their own it won't really get off the ground.


So here's what we're doing: we've set up a github repo with guidance and examples for contributors to get feedback on their coverage creation efforts. For the time being this is a private github repo but we are eager to grant access to the coverage-toolkit repo to a select number of customers who are interested in prototyping custom content and getting feedback on their work from Nexpose developers.


How does this relate to Recog?  The Coverage Toolkit supplements but does not replace Recog.  Recog provides service identification support for protocols that Nexpose (and Metasploit) support.  The Coverage Toolkit lets a user add support for new Protocols and override existing protocol implementations.
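Since the toolkit builds on the same idea as Recog (a pattern for what comes back from the target, plus what a match means), here is a minimal matcher for Recog's fingerprint XML layout. This is an added example, not code from the post, from Recog or from the coverage-toolkit repo; the two fingerprints and the banners are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fingerprint database in the layout Recog uses (an illustration,
# not content shipped with Nexpose). Each <fingerprint> carries a regex; each
# <param> either sets a fixed value (pos="0") or names a capture group
# (pos="1", "2", ...) of the match. The ssh.banner database matches the text
# after the "SSH-x.y-" prefix of the server's identification line.
FINGERPRINTS_XML = r"""
<fingerprints matches="ssh.banner" protocol="ssh">
  <fingerprint pattern="^OpenSSH_([\d.]+)">
    <description>OpenSSH</description>
    <example>OpenSSH_6.6.1p1 Ubuntu-2ubuntu2</example>
    <param pos="0" name="service.vendor" value="OpenBSD"/>
    <param pos="0" name="service.product" value="OpenSSH"/>
    <param pos="1" name="service.version"/>
  </fingerprint>
  <fingerprint pattern="^dropbear_([\d.]+)" flags="REG_ICASE">
    <description>Dropbear SSH</description>
    <example>dropbear_2014.63</example>
    <param pos="0" name="service.product" value="Dropbear"/>
    <param pos="1" name="service.version"/>
  </fingerprint>
</fingerprints>
"""


def load_fingerprints(xml_text):
    """Parse the XML into compiled regexes plus their parameter mappings."""
    root = ET.fromstring(xml_text)
    fingerprints = []
    for fp in root.findall("fingerprint"):
        flags = re.IGNORECASE if "REG_ICASE" in fp.get("flags", "") else 0
        fingerprints.append({
            "description": fp.findtext("description", default=""),
            "regex": re.compile(fp.get("pattern"), flags),
            "params": [(int(p.get("pos")), p.get("name"), p.get("value"))
                       for p in fp.findall("param")],
            "examples": [e.text for e in fp.findall("example")],
        })
    return fingerprints


def match_banner(fingerprints, banner):
    """Return the attributes extracted by the first fingerprint that matches,
    or None when the banner is unknown (the scanner would keep probing)."""
    for fp in fingerprints:
        m = fp["regex"].search(banner)
        if m is None:
            continue
        attrs = {"matched": fp["description"]}
        for pos, name, value in fp["params"]:
            if pos == 0:
                attrs[name] = value           # fixed value from the database
            elif m.group(pos) is not None:
                attrs[name] = m.group(pos)    # captured from the banner
        return attrs
    return None


def verify_examples(fingerprints):
    """Recog's own test suite checks every <example> against its fingerprint;
    doing the same here catches a broken regex before it ships. Returns the
    (description, example) pairs that fail to match."""
    return [(fp["description"], ex)
            for fp in fingerprints
            for ex in fp["examples"]
            if fp["regex"].search(ex) is None]


if __name__ == "__main__":
    db = load_fingerprints(FINGERPRINTS_XML)
    print("example failures:", verify_examples(db))
    print(match_banner(db, "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2"))
```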


Every question and contribution we get will help strengthen and expand our offering.  Please reach out to me (Ross Barrett) through the Community or on twitter if you would like access to the coverage-toolkit sandbox.


EDIT: A number of people have reached out to tell me that the link to the coverage-toolkit repo is yielding a 404 error message.  As mentioned in the original post for the time being this is a private repository and a 404 is how github responds when you try to access a private repo that you don't have access rights to.  If you would like access, please contact me here or via twitter.

A highlight of the Nexpose 5.15 release is the addition of Infoblox Trinzic DDI to the growing list of Dynamic Discovery sources.  With nearly 8,000 customers worldwide, Infoblox is a market leader in DNS, DHCP and IP address management.  Building upon existing support for Microsoft DHCP log monitoring, released this past spring, Nexpose customers that use Infoblox to manage DHCP activity can now detect previously unknown devices whenever they connect to the network, providing a more complete understanding of their surface area of risk.


Configuring a Dynamic Discovery Connection for Infoblox


The Dynamic Discovery connection for Infoblox works by listening on a TCP or UDP port to receive syslog messages sent from the Infoblox Trinzic appliance to a Nexpose scan engine. Infoblox connections can be configured along with other Dynamic Discovery sources from the Administration page, or during the Site Configuration process, and require the designation of a port and protocol.




Once the connection is in place, assets detected from Infoblox that have not been scanned are automatically imported into Nexpose and visible in the Discovered table of the Assets page.
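The receiving side of such a connection, as an added example that is not Nexpose's own code: it parses DHCPACK syslog lines in the ISC dhcpd style and reports leases whose MAC is not yet in the scanned inventory. The syslog lines, addresses and known-asset list are constructed, and the exact message format Infoblox forwards is an assumption to check against your appliance.

```python
import re
import socket

# Constructed syslog lines in ISC dhcpd style; hosts, addresses and MACs are
# made up for this example.
SAMPLE_SYSLOG = [
    "<30>Jun 23 10:15:02 dhcp-01 dhcpd[2211]: DHCPDISCOVER from 00:50:56:a1:b2:c3 via eth1",
    "<30>Jun 23 10:15:02 dhcp-01 dhcpd[2211]: DHCPACK on 10.20.30.41 to 00:50:56:a1:b2:c3 (laptop-jdoe) via eth1",
    "<30>Jun 23 10:16:47 dhcp-01 dhcpd[2211]: DHCPACK on 10.20.30.17 to 00:1a:2b:3c:4d:5e (printer-3f) via eth1",
    "<30>Jun 23 10:20:11 dhcp-01 dhcpd[2211]: DHCPACK on 10.20.30.42 to 00:50:56:a1:b2:c3 (laptop-jdoe) via eth1",
]

# MACs of assets the scanner already knows (constructed).
KNOWN_ASSETS = {"00:1a:2b:3c:4d:5e"}

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<hostname>[^)]*)\))?"
    r" via (?P<iface>\S+)"
)


def parse_lease(line):
    """Return {ip, mac, hostname, iface} for a DHCPACK line, else None.
    Only ACKs represent addresses actually handed out; DISCOVER/OFFER/REQUEST
    lines are ignored so a device that never got a lease is not reported."""
    m = DHCPACK_RE.search(line)
    if m is None:
        return None
    lease = m.groupdict()
    lease["mac"] = lease["mac"].lower()
    return lease


def discover_new_assets(lines, known_macs):
    """Fold a stream of syslog lines into the devices the scanner has not seen.
    A MAC that renews or moves to a new IP updates its entry instead of
    creating a duplicate, which is how a discovery source should de-duplicate."""
    discovered = {}
    for line in lines:
        lease = parse_lease(line)
        if lease is None or lease["mac"] in known_macs:
            continue
        discovered[lease["mac"]] = lease
    return list(discovered.values())


def listen_udp(port, handler, max_messages):
    """Bind a UDP syslog listener and pass each datagram's text to handler;
    max_messages bounds the loop so this stays runnable as a demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(max_messages):
            data, _addr = sock.recvfrom(4096)
            handler(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    for asset in discover_new_assets(SAMPLE_SYSLOG, KNOWN_ASSETS):
        print("unscanned device:", asset)
```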


Identify and Close the Gaps


As I described in a previous blog post, Dynamic Discovery connections in Nexpose enable security professionals to quickly identify gaps in their threat exposure management program. By leveraging the advanced network control capabilities of Infoblox, Nexpose helps you understand your complete attack surface and find vulnerabilities you are missing today.


Patch Tuesday, June 2015

Posted by dpicotte Employee Jun 9, 2015

This month Microsoft has released 8 security bulletins, affecting all supported platforms through remote code execution and elevation of privilege. Of the 8 Microsoft security bulletins, two are critical. Both critical bulletins (MS15-056 and MS15-057) are reached through phishing, requiring a user to open a specially crafted website or specially crafted Microsoft Office file. An escalation of privilege could be possible in Microsoft Exchange Server (MS15-064) by means of Server-Side Request Forgery (SSRF) [CVE-2015-1764] and Cross-site Request Forgery (CSRF) [CVE-2015-1771]; administrators, be sure to patch your Exchange servers ASAP.


Accompanying Microsoft's patch updates, Adobe has also released a security update for Adobe Flash Player and AIR affecting Windows, Macintosh and Linux. These updates result in vulnerability fixes for 13 CVEs that could potentially enable an attacker to control affected systems. 


Overall this is a pretty low key Patch Tuesday release. However, be vigilant that users are paying special attention to phishing attacks.

As of Nexpose 5.13, Nexpose makes it easier for you to gain an asset-centric view of your environment, which will help you with tracking and reporting. An asset is a single device on a network that the application discovers during a scan. As you may have noticed, Nexpose 5.13 included new functionality: you can now scan asset groups. An asset group is a logical collection of managed assets.

Nexpose enables you to configure your environment in two ways:

  1. Assets can be restricted to their scan group (labeled in the product as a site). This means that the same asset appearing in different containers is treated as a distinct asset in each.
  2. Assets can be global across your entire network. Therefore, all assets in all sites are linked.

The following image highlights the two options.

Asset linking diagram

Asset linking is an option that a Global Administrator can set for your entire Nexpose installation. The configuration page describes some scenarios and important considerations for enabling this option. Review the considerations before enabling.

Enable asset linking

In most cases, we highly recommend that you enable the option so you can track your progress in the situation described above: performing different scans of the same distinct individual devices.

Note: Enabling this feature is required if you are going to scan dynamic asset groups in order to ensure that the asset will be updated in multiple sites from a reporting perspective.

With certain network configurations, it may be more beneficial not to enable the option. The case for not enabling it is when you have devices with very similar configurations that do not overlap sites. An example is a chain of retail stores where each store has the same network configuration and IP subnets across their different stores.

For more information, see the Resources section of the Nexpose Help or User's Guide.

Example case

Following is an example of how an organization can use this feature, once it is enabled, to improve their asset tracking.

One typical way to categorize assets is by physical location. You might have an office in Houston, an office in Missoula, and an office in Berlin. You can create a site in Nexpose for each and scan those sites. This is an effective way to arrange your scans, because you can place a Scan Engine in each location to reduce traffic on your network.

Sites by location

There are many other ways to categorize assets. For instance, these could include IP address range, operating system, business context (which might be represented by user-added tags), and more. In Nexpose, you can use asset groups to contain these categorized assets.

Create asset group by operating system

As of Nexpose 5.13, you can scan asset groups. You can do this by configuring a site in Nexpose to scan the asset group or groups. This allows you to scan assets according to business context or other categories.

Configuring a scan of an asset group

An option to scan each asset with the engine most recently used for that asset allows you to scan such logical groupings while using the Scan Engine that makes the most logistical sense for the asset.

Scan with most recently used engine

Even if you are categorizing and scanning the same assets in different ways, you may want to view and report on the entire scan history of an asset, no matter how it was scanned. Also as of Nexpose 5.13, if you have enabled asset linking, you can review the comprehensive history, no matter how the asset was scanned. As the scan occurs, Nexpose will compare the asset to assets in other scans. If enough characteristics match, the assets will be identified as the same asset.

Asset history including different scans

At Rapid7, we are always looking to improve Nexpose based on customer requests. We hope you enjoy using this new feature.

Recently in Computerworld, a security manager reported on a frightening realization about the user account he was using in his unnamed vulnerability scanner.

The product I use relies on a user account to connect to our Microsoft Windows servers and workstations to check them for vulnerable versions of software, and that user account had never been configured properly. As a result, the scanner has been blind to a lot of vulnerabilities.

For more details, see spot.html


Making sure you use the correct credentials is an important way to check what someone could reach on your network. Nexpose leverages credentials to gain accurate version and configuration information. The vast majority of all vulnerabilities are only detectable with authenticated device access: this is true of all vulnerability scanning products and is a result of the secure design of devices on your network. Should you choose to scan your environment without properly configured credentials, bear in mind that you'll likely be missing the majority of vulnerabilities (false negatives) and the results obtained are more likely to be inaccurate (false positives).


In addition, Nexpose uses an expert system at the core of its scanning technology in order to chain multiple actions together to get the best results when scanning. For example, if it is able to use default configurations to get local access to an asset, then it will trigger additional actions using that access. The effect of the expert system is that you may see scan results beyond those directly expected from the credentials you provided; for example, if some scan targets cannot be accessed with the specified credentials, but can be accessed with a default password, you will also see the results of those checks. This behavior is similar to the approach of a hacker and enables Nexpose to find vulnerabilities that other scanners may not.


To help you avoid a similar situation to that anonymous security manager's and get the most from your Nexpose installation, here are some resources we offer:

- The Nexpose Help and User's Guide provide information on what credentials are needed. This information is in the Configuring Scan Credentials section.

- There is an option to test your credentials in the Scan Configuration in the Nexpose interface, in the Authentication tab. You can enter the address of a computer, and Nexpose will test whether it can successfully use those credentials to access that computer.


In addition, you can intentionally conduct a test for a situation such as the one described in the article. You can select an application you know should be able to be accessed on a particular machine with particular credentials, scan that machine with those credentials, and confirm that it indeed finds the expected results.


Another option is to run a report on vulnerabilities, such as the XML Export report. In the Scope section, select Vulnerability Filters. Under By Check Results, select Vulnerable and non-vulnerable. After running the scan and report, look for checks that examine software versions. If your credentials are configured correctly, these checks will appear with a "not vulnerable" result. If the credentials are not configured correctly, these checks will not appear in the report at all.
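The report check just described can be automated: the script below (an added example, not Rapid7's code) parses a constructed export, counts version-based checks per asset, and flags any asset that has none, which is the signature of a scan that never authenticated. The element names, attribute names, status values and the "version" naming heuristic are assumptions for illustration, not the real Nexpose XML Export schema, and the report is assumed to have been generated with the "Vulnerable and non-vulnerable" filter.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample export. The element and attribute names are an
# ASSUMPTION for this illustration, not the actual Nexpose XML Export
# schema; adapt them to the tags found in a real export file.
SAMPLE_REPORT = """<NexposeReport>
  <nodes>
    <node address="192.0.2.10">
      <tests>
        <test id="openssl-example-version-check" status="not-vulnerable"/>
        <test id="openssh-example-version-check" status="vulnerable-version"/>
        <test id="tcp-port-open" status="not-vulnerable"/>
      </tests>
    </node>
    <node address="192.0.2.11">
      <tests>
        <test id="tcp-port-open" status="not-vulnerable"/>
        <test id="ssl-weak-cipher" status="vulnerable-exploited"/>
      </tests>
    </node>
  </nodes>
</NexposeReport>
"""

def is_version_check(test_id: str) -> bool:
    """Heuristic (assumed naming): the check id mentions a software version."""
    return "version" in test_id.lower()

def credential_coverage(report_xml: str) -> dict:
    """Per asset, count version-based checks grouped by their result status.
    No version checks at all (not even 'not-vulnerable') means the scan
    most likely never authenticated to that asset."""
    root = ET.fromstring(report_xml)
    summary = {}
    for node in root.iter("node"):
        counts = defaultdict(int)
        for test in node.iter("test"):
            if is_version_check(test.get("id", "")):
                counts[test.get("status", "unknown")] += 1
        summary[node.get("address")] = dict(counts)
    return summary

def assets_without_credentials(report_xml: str) -> list:
    """Addresses whose report contains no version-based checks at all."""
    cov = credential_coverage(report_xml)
    return sorted(a for a, counts in cov.items() if not counts)
```

Run `credential_coverage` over a full export and review every address returned by `assets_without_credentials`: those are the hosts where the credentials should be re-tested from the Authentication tab before trusting the scan results.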


By making sure you are using a correctly configured username and password to scan for vulnerabilities, you increase your ability to find and fix things you didn't know about, and keep them from hurting you.

Originally posted April 24, 2015


We found out on Tuesday night that we won the SC Magazine Awards for Best Vulnerability Management Solution. I am extremely honored and glad that we won, and we owe it entirely to our amazing customers who have stayed with us over the years and helped us shape Nexpose into what it is today. We truly believe that customers are at our core and they are our partners—not in crime, but in anti-crime.


I can't help but reflect on how much Rapid7 and Nexpose have grown since I started at Rapid7 around 4 years ago.


Vulnerability management has been around since the 90's and the market is mature, but it's still a problem that isn't 'solved.' Security teams still have way too many vulnerabilities to remediate and need to prioritize what matters to the business in order to be effective. The target is constantly moving with the modern network that includes virtualization, mobile, and cloud assets that introduce risks at lightning speed. And the threat landscape isn't slowing down either; look at all the 'celebrity' vulnerabilities that have come out in the past year, including Heartbleed, Poodle, Sandworm, and Bashbug (aka Shellshock). However, you can't forget about old vulnerabilities: according to the Verizon DBIR, '99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published,' some of them published way back in 1999.

'About half of the CVEs exploited in 2014 went from publish to pwn in less than a month.' - Verizon DBIR 2015


The adversary is no longer a script kiddie playing around in their mom's basement; now there's an entire ecosystem of tools and providers for the adversary. There are multiple layers: from malware authors, to distributors, to markets to purchase stolen credentials, credit cards, or health records. Almost anyone can rent botnets to perform DDoS for a couple hundred dollars. They've even done the weaponizing for you: you can buy exploit kits that are fully supported. This is dangerous, as even those kits contain zero-days, like Angler exploiting an Adobe 0-day.

'No matter how high or smart walls, focused adversaries will find other ways over, under, around, and through,' Yoran said. 'You must understand what matters to your business and what is mission critical [and] defend it with everything you have.'
-Amit Yoran, RSA Keynote 2015


Don't make it easy for the adversary.  Breaches are not going away—just look at all the recent breaches at Anthem, JP Morgan Chase, Home Depot, Sony, and Target.  As Amit said, you must understand what matters and defend it with everything you have.


Our mission is to help our customers manage their threat exposure to reduce the chance of a breach. This is why we've combined Nexpose and Metasploit under our overarching Threat Exposure Management solution. Because of this, last October we introduced Nexpose Ultimate, a new Edition of Nexpose, and the first and only unified solution for vulnerability management, vulnerability validation, and controls effectiveness testing. Nexpose and Metasploit are available in a single package and the only tool to offer integrated closed-loop vulnerability validation. RealContext allows you to focus on reducing the risk that matters to your business, quickly and efficiently. And RealRisk provides a granular risk scoring system based on threat intelligence, such as malware and exploit exposure, CVSSv2 and temporal risk metrics. Only Nexpose Ultimate combines both offensive and defensive technologies to understand what threats really matter to your organization.

'A CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.'
-- Verizon DBIR 2015

Winning this award means a lot to all of us here at Rapid7 and we've won it for 2 years in a row.  We've all worked very hard innovating and building a solution that gives our customers the best chance at reducing the risk of a breach.  We can't wait to keep delivering value and solving challenges our customers are facing.


Special thanks to our product management team for continuing to innovate and drive the product forward, engineering team for building an amazing product, and our customer service and customer success management team for being there for our customers.

And again, we'd like to thank our customers who've stayed with us and helped us improve our products.


View the full report and all the other winners of SC Magazine US Awards 2015

Recently, I had the opportunity to speak with a Rapid7 customer from a Fortune 100 company.  Any security professional charged with protecting an organization of this size and complexity faces no shortage of challenges, so I was particularly struck by one statement from our conversation.


"The most difficult thing that befalls security teams is knowing what to scan."

This lack of visibility can hamstring security efforts at organizations large and small.  With trends such as BYOD, virtualization and cloud (part of what Gartner refers to as 'The Nexus of Forces') becoming ever more prevalent, maintaining an accurate view of the risk surface area is proving to be an increasingly difficult proposition.


Improving Visibility With Dynamic Discovery

To help mitigate this problem, Rapid7 is continuing to expand the Dynamic Discovery capabilities of Nexpose.  With the recent release of Nexpose 5.13, there are now four discovery connection types to help uncover assets that may otherwise elude a traditional scheduled scanning strategy.

Amazon Web Services
Exchange ActiveSync
Microsoft DHCP
VMware vSphere

By establishing a connection to Exchange ActiveSync, Nexpose is now able to identify and evaluate mobile devices that access the network through a mail server, addressing a class of assets that is often a blind spot for security teams.  Similarly, by monitoring DHCP log activity, Nexpose can now detect previously unknown devices whenever they connect to the network.


These new connection methods, in conjunction with the existing connections to VMware vSphere and Amazon Web Services, help security pros stay on top of their constantly evolving environment.




To see Dynamic Discovery in action, watch this recent Feature Friday video.


Closing the Gap

With Dynamic Discovery connections in place, users can quickly identify any gaps that exist in their threat exposure management program.  The Assets page includes a pie chart that displays the total count of known assets and which of these assets have not been assessed for vulnerabilities or compliance.




To help close these gaps, Nexpose offers the ability to create a dynamic site.  Rather than defining the scope of a scan by an IP range or some other method of grouping a collection of known assets, a dynamic site determines site membership based on a Dynamic Discovery connection.  As a result, scanning strategies can evolve as the network evolves to meet current and future business needs.


Moving to Adaptive Security

Rapid7 is helping customers evolve to Adaptive Security, an approach to building a security program that adapts to the changing IT and threat landscape. Knowing your weak points is the first step. Over the next few weeks and months we'll be adding even more Adaptive Security capabilities to Nexpose. For example, what if you could detect when that conference room laptop that always seems to miss its scan window connects to the network, and then automatically scan it? Or find out whether that virtual machine that just got turned on is adding significant risk because it missed patching cycles?


Sound interesting?  If you're a current Rapid7 customer, make plans to join us at the Rapid7 UNITED Security Summit in June to learn more about our approach to Adaptive Security.
