Educause Security Discussion mailing list archives

Re: Metasploit and NeXpose

From: Adam Pridgen <adam.pridgen () THECOVEROFNIGHT COM>
Date: Wed, 13 Jan 2010 19:30:54 -0600

Greg,

NeXpose and Nessus are vulnerability scanners, and Metasploit, like
Canvas or Core, is an exploitation framework that can be used to
verify the vulnerabilities identified by either scanner.  I have not
used Metasploit or NeXpose since Metasploit was purchased by Rapid7,
but I imagine the distinct advantage is a more automated process for
identifying (NeXpose) and verifying (Metasploit) vulnerabilities with
the added benefit of commercial support.  I think the same results
could be achieved with Metasploit and Nessus, but it would take some
grunt work to get everything working seamlessly, if it has not already
been done in an open source project, and this process would come
without commercial support.

Something else to consider is Rapid7 might bundle exploits into
Metasploit so newer vulnerabilities that are identified by the scanner
can be verified without having to rely on software,service, and system
versions.  Some vulnerabilities may have PoC exploits that never see
the light of day, but they still exist in in OSVB, CVE, etc.  This
would be a good question for the sales guys ;)

-- Adam


On Wed, Jan 13, 2010 at 7:10 PM, Greg Vickers <g.vickers () qut edu au> wrote:

Hi all,

We are reviewing scanning tools to apply to our web environment to find the
problems before the bad guys do.  I've gone back through the list archive
and read the "Rapid7 NeXpose" thread from June last year.

I've just spoken to a sales manager from Rapid7 (I was impressed, he called
me in Australia after the web interface to request further information broke
and I wound up emailing sales () rapid7 com) and got the blurb from them about
the difference between Metasploit and NeXpose.

I was wondering who here uses Metasploit or NeXpose and would be very
interested in finding out if anyone has moved from Metasploit to NeXpose.

We currently use Nessus for doing OS level scans and the basic cgi/web based
scans Nessus can do.  I would be interested in hearing people's opinions on
the advantages or otherwise between Nessus and Metasploit/NeXpose.

Thanks,
--
Greg Vickers
Phone: +61 7 3138 6902
Project Manager, IT Security Program
Queensland University of Technology, CRICOS No. 00213J

Current thread:

Metasploit and NeXpose Greg Vickers (Jan 13)
- <Possible follow-ups>
- Re: Metasploit and NeXpose Adam Pridgen (Jan 13)
- Re: Metasploit and NeXpose Michael Sana (Jan 13)
- Re: Metasploit and NeXpose Joel Rosenblatt (Jan 13)
- Re: Metasploit and NeXpose Justin C. Klein Keane (Jan 14)
- Re: Metasploit and NeXpose Matthew Wollenweber (Jan 14)
- Re: Metasploit and NeXpose Sam Stelfox (Jan 14)