Testing Rapid7 Nexpose CE vulnerability scanner

Today I want to write about another great vulnerability management solution – Nexpose Community Edition by Rapid7. What makes it special? Nexpose CE is a fully functional network vulnerability scanner that can be used for free not only by home users (Nessus Home, for example, has such restrictions), but also by the companies.

Nexpose Community Edition by Rapid7

However, the company should be quite small. By using Nexpose Community Edition you have a permission to scan only 32 ip addresses. But it could be any kind of host: Linux and Windows, Unix and network equipment. And you can scan it as often as you like, with different profiles and produce wide range of reports.

To get a 1 year license you should fill out application form.

Nexpose community registration

You should input in form your work email or email from your personal domain. If you have a domain, can register mail adress easily with Google for business or free services Mail.Ru for business and Yandex.Mail for a domain.

Work email only

You should also read Rapid7 End Useer Agreement. The most interesting part of this document is that Nexpose Community Edition Scanner should scan only 32 ip addresses. Technical you can scan 32 IP addresses, than delete them and scan another 32 IPs. But it will probably violate the license. So be careful.

Extract from Rapid7 End Useer Agreement:

(e)For Nexpose Community Edition.  Subject to the terms and conditions of this Agreement, Rapid7 hereby grants to Customer,during the applicable License Term only,a non-exclusive, non-transferable license to allow one (1) User only to use such Software (in object code form only) solely for purposes of scanning up to thirty-two (32) authorized IP addresses, solely in accordance with any restrictions on use set forth on the Product Order Form and only in accordance with the applicable Documentation.  Customer shall ensure that its use of the Software does not exceed one (1) User and that it does not use the Software to perform vulnerability scans for more than 32 IP addresses (each an “IP Address License”).  Customer may, however, deactivate such IP Address Licenses, in total, and re-allocate such IP Address Licenses to replacement IP Addresses no more than one time per six (6) month period.   NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, THE SOFTWARE IS PROVIDED “AS IS” AND ALL WARRANTIES, EXPRESS OR IMPLIED, ARE EXCLUDED AND DISCLAIMED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING BY STATUTE OR OTHERWISE IN LAW OR FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USE OF TRADE.  Sections 5.1, 5.2 and 10 shall not be applicable to the Software

If the form is filled correctly, you will be redirected to the page with links on Nexpose installers for Windows and Linux. Registration key will be sent on your email.

Next steps to get started with Nexpose Community

I have downloaded bin file for Linux and installed it in Cent OS 7  Virtual Box machine.

Installation process is easy. You just need to run file NeXposeSetup-Linux64.bin as root user.

Run file NeXposeSetup-Linux64.bin as root user

Welcome window appears with the information about Rapid7 and Nexpose.

Installer welcome window

You need to read and agree with user agreement.

Rapid7 End Useer Agreement

You can install Security Console with local Scan Engine or just a Scan Engine. Nexpose SC supports only one Scan Engine, so choose the first option.

Security Console with local Scan Engine or Scan Engine only

For testing purposes 40 Gb of virtual hard disk capacity was quite enough for me.

80 Gb is recommended

Nominally minimum 2 GB of RAM is required. I have found that minimum 3-4 Gb of RAM is needed for normal scanning. SELinux on the host should be disabled.

 SELinux on the host should be disabled

Some personal information for SSL certificates and Technical Support.

Personal information for SSL certificates and Technical Support

Default 8432 port for database.

Default 8432 port for database

Creating a new user.

Creating a new user

Checking configuration before installation.

Checking configuration before installation

Installation process takes 5-7 minutes.

Installation process

Installation is complete!

Installation is complete!
After installation you need just go to the /opt/rapid7/nexpose/nsc and run ./nsh script.

When Nexpose will started you can just go to the url https://localhost:3780 with your web browser.

Log on to Nexpose

Use login and password you created during the installation. After authorization in the scanner you will need to input the key you received earlier on your email.

Activate License

On this screen you see the differences between commercial and community editions of Nexpose. Only basic vulnerability scanning is available. No compliance management features.

Differences between commercial and community editions of Nexpose

License Details
View information about your current license, such as how many Scan Engines you can use and how many assets you can see.
License status     Activated
Expiration     Sunday, January 22, 2017 11:59:59 PM GMT
Max. scan engines     1
Max. assets     32
Max. assets w/hosted engine     0
SCADA scanning     –
Discovery scanning     –
PCI reporting     –
Web application scanning     –
Policy scanning     –
Policy Manager     –
Perpetual License     –
FDCC scanning     –
USGCB scanning     –
CIS scanning     –
DISA scanning     –
Custom policy scanning     –
Policy Editor     –
Customizable CSV Export     –
Advanced reporting     –
Multi-tenancy    –
Scan Engine Pool    –
Adaptive Security    –
Dynamic Discovery    –
Virtual Scanning    –
Mobile    –

Let’s scan something.  I have created another CentOS virtual machine as a target. To scan this host we need to create a new scanning entity, called “site” in Nexpose. You can see it on the previous screenshot: Create -> Site.

We will set the unique name for the Site.

Set the unique name for the Site

Than we will input IP addresses (assets) we would like to scan.

Input IP addresses (assets)

Adding credentials.

Adding credentials

Here you can see all authentication methods we can use for credentialed scanning:

Nexpose authentication methods

We will use Secure Shell (SSH) to connect to our target host. Filling username and password of the ssh user on the target host and root user password.

SSH configuration

News SSH account

Default scanning template: Full audit without Web Spider.

Default scanning template

Clicking on Save & Scan.

Nexpose scanning

We can see the progress of the scan clicking on “View all sites”.

View all sites

Scan is finished.

Scan is finished

When the scan is finished we can see list of detected vulnerabilities.

List of vulnerabilitiesList of vulnerabilities

Vulnerability details.

Vulnerability details

Now we will produce a vulnerability report. Create -> Report. I choose simple xml format for the report,

Produce a vulnerability report

I choose the Scan.

Сhoose the ScanСhoose the Scan

Click on button “Save & Run The Report” and here is our report.

Nexpose XML Report

In conclusion. Nexpose community edition is a great product for the small companies/startups with zero VM budget or for home networks. Even though it doesn’t provide configuration checks and WAS functionality, existing features are more than enough to establish efficient vulnerability management process.