Rapid7 Community Edition

0 views
Skip to first unread message

Leanna Perr

unread,
Jul 27, 2024, 5:55:37 AM7/27/24
to lantcreddebuck

The community edition of Nexpose is limited to 32 IP address targets. Personally I think this is a pretty reasonable license, as it allows a small to mid-size business to gain valuable information on security vulnerabilities on their network without having to budget for a commercial product. Definitely a plus when compared to the Nessus vulnerability scanner that has a free version that is only licensed for non-commercial (home) use.

rapid7 community edition


Download ––– https://urllie.com/2zR8Jl



Head over to the Rapid7 site and download the version that applies to your operating system, whether you are running Windows or Linux there are binaries available for each. We have Ubuntu 12.04 on our system running 64 bit so we downloaded the file NeXposeSetup-Linux64.bin.

The installer does a quick check to confirm the system is suitably equipped to handle the power of the Nexpose engine. As you can see in the screenshot the requirements are pretty decent. We initially received a warning about the package "screen" being missing, which after a quick "apt-get install screen" we were able to restart the process and get the installation underway.

First up is to create a site with assets. Now here I made a mistake by starting a Virtualbox guest that I was going to try scanning. My host machine has 4GB of RAM and a Core 2 Quad processor. Starting the 1GB guest proceeded to kill my system, with swap thrashing away as RAM was swapped in and out for the Guest virtualbox. Basically NeXpose needs RAM, lots of it and it will take it. I was only accessing the web interface, with no scans running and my box was pretty much dead. Had to hit alt - f2 to grab a console and killed the VM. Eventually the system came back to normal.

Seems my session timed out while the disk was thrashing. Lesson learnt - use NeXpose on a dedicated host with lots of RAM. They recommend 8GB and from my experience that is a good starting point.

For example this screenshot shows that there is a Database vulnerability with Postgres being open to anyone. Not really. This is the NeXpose Postgres database and it is only listening on 127.0.0.1, but since this was the target IP address NeXpose thought it was open to all.

Overall seems like a decent product, definitely good value for small business with its free community edition. Will require some upfront costs for a dedicated system with the resources to run it. Web interface seems well laid out and has in depth risk reporting that would need to be used over time to determine how effective it might be for an organisation.

Of course for anyone using this vulnerability scanner within their organisation we would like to highlight the fact that this would complement our own hosted open source scanners. For example the online nmap port scan is a valuable tool for testing open ports on external facing systems and the OpenVAS vulnerability scanner would make a good "second opinion" to correlate with results from Nexpose.

NeXpose is a vulnerability manager, and it is available in free and paid versions. This tool was one of the first headlining products that put its producer, Rapid7, on the map. Rapid7 is also the sponsor of the Metasploit project, enabling Metasploit Framework to be distributed for free while producing the paid tool Metasploit Pro as an income generator. Rapid7 takes the same approach as NeXpose.

NeXpose is a vulnerability manager. This category of security tool is an automated penetration testing system. A vulnerability manager works through a list of tricks that hackers try, which is distilled into the necessary conditions for each attack vector to work.

NeXpose is always on. This constant check sweeps a system when it is first launched and then checks new components when they are added. News of a new exploit also provokes action from NeXpose. So, this service gives a constant live list of vulnerabilities.

A nice feature of NeXpose is the ability to connect the system to Metasploit Pro. When this integration is activated, NeXpose marks exploits that can be examined further. This allows the network manager to run the attack that the detected weakness facilitates and confirm whether the system is genuinely vulnerable.

When NeXpose scans a system and spots weaknesses, it lists those exploits in its dashboard and gives each a score from 1 to 1000, with 1000 being the highest priority. This is a much finer-grained scoring system than many vulnerability scanners, which use a categorization system that runs from 1 to 10 or just labels the severity of a problem as Low, Medium, or High.

Two more important features of NeXpose are its Policy Assessment and Remediation Reporting modules. The Policy Assessment service scans the system and recommends alterations to settings and practices to improve system security. The Remediation Reporting service lists the top 25 actions the IT Department should take to reduce security vulnerabilities. This list changes as the teamwork through the solutions. This provides an excellent task list for technicians to follow.

The base version of NeXpose is the Community Edition, which is free to use. However, rapid7 also produces a paid version, which is just called Nexpose. Rapid7 is a leading cybersecurity system producer. Its ownership of both NeXpose and Metasploit draw comparisons because both have Community versions plus paid versions. However, the journey of Nexpose has been quite different from that of Metasploit.

Rapid7s approach to the development of NeXpose was the reverse of the model that is applied to Metasploit. NeXpose began as a commercial product and then branched out to include a free Community Edition. The list of paid editions has altered over the years. At one point, NeXpose was available as Ultimate, Enterprise, Consultant, and Express editions.

No matter how good NeXpose is, it will be shelved one ay, and signals for Rapid7 indicate that day could be soon. So whether you are in the market looking for a vulnerability manager for the first time or considering replacing NeXpose, several perfect substitutes are available.

InsightVM is a cloud-based SaaS package, while Nexpose is an on-premises package. Despite being a software bundle that you run yourself, the Nexpose system is priced by capacity, which is similar to the pricing structure that you would expect from a subscription-based SaaS package. Rapid7 owns both products and would prefer that buyers go for the InsightVM package, Rapid7 has benefitted from its association with Nexpose that has built up a large following from its open source Community Edition, which is now hard to find.

Nexpose is able to scan all types of network devices, including switches, routers, and network appliances, such as hardware firewalls. In each case, you will need to ensure SSH access is enabled for the device and enter the access credential in the Nexpose console when you add the device for scanning.

The risk score is a ranking of the severity of a particular asset risk, which is required for some data privacy standards, such as PCI DSS. Nexpose assigns a score to each scanned asset and it offers two risk-scoring models:

The temporal model increases the risk score with the passage of time. This is because newly discovered exploits are known by very few people who are unlikely to get around to all of the computers in the world immediately. Older exploits are known by many hackers and so the likelihood that the scanned system will be attacked by this method is much higher.

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company, Rapid7.

Its best-known sub-project is the open-source[3] Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

Metasploit was created by H. D. Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced[4] that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.

Like comparable commercial products such as Immunity's Canvas or Core Security Technologies' Core Impact, Metasploit can be used to test the vulnerability of computer systems or to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added an open core proprietary edition called Metasploit Pro.[5]

Metasploit's emerging position as the de facto exploit development framework[6] led to the release of software vulnerability advisories often accompanied[7] by a third party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug.[8][9] Metasploit 3.0 began to include fuzzing tools, used to discover software vulnerabilities, rather than just exploits for known bugs. This avenue can be seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006.

To choose an exploit and payload, some information about the target system is needed, such as operating system version and installed network services. This information can be gleaned with port scanning and TCP/IP stack fingerprinting tools such as Nmap. Vulnerability scanners such as Nessus, and OpenVAS can detect target system vulnerabilities. Metasploit can import vulnerability scanner data and compare the identified vulnerabilities to existing exploit modules for accurate exploitation.[10]

The free version. It contains a command line interface, third-party import, manual exploitation and manual brute forcing. This free version of the Metasploit project also includes Zenmap, a well known security scanner, and a compiler for Ruby, the language in which this version of Metasploit was written.[11]

64591212e2
Reply all
Reply to author
Forward
0 new messages