Educause Security Discussion mailing list archives

Re: Metasploit and NeXpose


From: "Justin C. Klein Keane" <jukeane () SAS UPENN EDU>
Date: Thu, 14 Jan 2010 09:32:37 -0500


Hello,

  one thing to remember when evaluating Metasploit is that it is an
exploitation framework and makes for a poor vulnerability scanner
because it only finds vulnerabilities that have published exploits.
Developing exploits for vulnerabilities is a tedious and thankless job,
and so many vulnerabilities are discovered and patched without anyone
ever taking the time to create a working (repeatable, reliable) exploit
for the vulnerability.  Vulnerability scanners like Nessus or Nexpose
will search for vulnerabilities based on service signatures (to
determine versions, patching, etc.) and report on all known
vulnerabilities.  Conversely, Metasploit will only search for vulnerable
services for which there is an exploit.  Because many of the "bad guys"
(and security researchers) develop exploits without publishing them to
the wider world, if you rely on Metasploit as a vulnerability scanner
there is a high probability that you would miss vulnerabilities for
which exploits actually do exist.  It's important to distinguish between
the roles of vulnerability scanners and exploit frameworks in order to
avoid a false sense of security.

Justin C. Klein Keane

Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Room 520
Philadelphia, PA 19104
215.898.0236(p)
215.573.3166(f)

On 01/13/2010 10:29 PM, Joel Rosenblatt wrote:
Hi,

We have been using Nexpose for over a year and are happy with the product.

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Thursday, January 14, 2010 11:10 AM +1000 Greg Vickers
<g.vickers () qut edu au> wrote:

Hi all,

We are reviewing scanning tools to apply to our web environment to
find the problems before the bad guys do.  I've gone back through the
list archive and read the "Rapid7 NeXpose" thread from June last year.

I've just spoken to a sales manager from Rapid7 (I was impressed, he
called me in Australia after the web interface to request further
information broke and I wound up emailing sales () rapid7 com) and got
the blurb from them about the difference between Metasploit and NeXpose.

I was wondering who here uses Metasploit or NeXpose and would be very
interested in finding out if anyone has moved from Metasploit to NeXpose.

We currently use Nessus for doing OS level scans and the basic cgi/web
based scans Nessus can do.  I would be interested in hearing people's
opinions on the advantages or otherwise between Nessus and
Metasploit/NeXpose.

Thanks,
--
Greg Vickers
Phone: +61 7 3138 6902
Project Manager, IT Security Program
Queensland University of Technology, CRICOS No. 00213J





