Educause Security Discussion mailing list archives
Re: Metasploit and NeXpose
From: Adam Pridgen <adam.pridgen () THECOVEROFNIGHT COM>
Date: Wed, 13 Jan 2010 19:30:54 -0600
Greg,

NeXpose and Nessus are vulnerability scanners, and Metasploit, like Canvas or Core, is an exploitation framework that can be used to verify the vulnerabilities identified by either scanner. I have not used Metasploit or NeXpose since Metasploit was purchased by Rapid7, but I imagine the distinct advantage is a more automated process for identifying (NeXpose) and verifying (Metasploit) vulnerabilities with the added benefit of commercial support.

I think the same results could be achieved with Metasploit and Nessus, but it would take some grunt work to get everything working seamlessly, if it has not already been done in an open source project, and this process would come without commercial support.

Something else to consider is Rapid7 might bundle exploits into Metasploit so newer vulnerabilities that are identified by the scanner can be verified without having to rely on software, service, and system versions. Some vulnerabilities may have PoC exploits that never see the light of day, but they still exist in OSVDB, CVE, etc. This would be a good question for the sales guys ;)

-- Adam

On Wed, Jan 13, 2010 at 7:10 PM, Greg Vickers <g.vickers () qut edu au> wrote:
Hi all,

We are reviewing scanning tools to apply to our web environment to find the problems before the bad guys do. I've gone back through the list archive and read the "Rapid7 NeXpose" thread from June last year.

I've just spoken to a sales manager from Rapid7 (I was impressed, he called me in Australia after the web interface to request further information broke and I wound up emailing sales () rapid7 com) and got the blurb from them about the difference between Metasploit and NeXpose.

I was wondering who here uses Metasploit or NeXpose and would be very interested in finding out if anyone has moved from Metasploit to NeXpose. We currently use Nessus for doing OS level scans and the basic cgi/web based scans Nessus can do. I would be interested in hearing people's opinions on the advantages or otherwise between Nessus and Metasploit/NeXpose.

Thanks,
--
Greg Vickers
Phone: +61 7 3138 6902
Project Manager, IT Security Program
Queensland University of Technology, CRICOS No. 00213J