Re: Metasploit and NeXpose

[Michael Sana <msana () HPU EDU>]

Aloha,

Simple integration of Nessus and Metasploit already exists without too much grunt work. After conducting a nessus scan 
and saving it either as an nbe or xml file you can simply import it using the db function in metasploit.  A quick 
example from metasploit would be:

db_create "database name" - this creates a new database in metasploit
db_import_nessus_xml or db_import_nessus_nbe - this imports the nessus file into the database

Once the nessus data is in the database, metasploit can determine based off of CVE's what exploits are available and 
even conduct auto exploits.  Hope that helps...

mike.sana.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam 
Pridgen
Sent: Wednesday, January 13, 2010 3:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Metasploit and NeXpose

Greg,

NeXpose and Nessus are vulnerability scanners, and Metasploit, like
Canvas or Core, is an exploitation framework that can be used to
verify the vulnerabilities identified by either scanner.  I have not
used Metasploit or NeXpose since Metasploit was purchased by Rapid7,
but I imagine the distinct advantage is a more automated process for
identifying (NeXpose) and verifying (Metasploit) vulnerabilities with
the added benefit of commercial support.  I think the same results
could be achieved with Metasploit and Nessus, but it would take some
grunt work to get everything working seamlessly, if it has not already
been done in an open source project, and this process would come
without commercial support.

Something else to consider is Rapid7 might bundle exploits into
Metasploit so newer vulnerabilities that are identified by the scanner
can be verified without having to rely on software,service, and system
versions.  Some vulnerabilities may have PoC exploits that never see
the light of day, but they still exist in in OSVB, CVE, etc.  This
would be a good question for the sales guys ;)

-- Adam


On Wed, Jan 13, 2010 at 7:10 PM, Greg Vickers <g.vickers () qut edu au> wrote:
> Hi all,
>
> We are reviewing scanning tools to apply to our web environment to find the
> problems before the bad guys do.  I've gone back through the list archive
> and read the "Rapid7 NeXpose" thread from June last year.
>
> I've just spoken to a sales manager from Rapid7 (I was impressed, he called
> me in Australia after the web interface to request further information broke
> and I wound up emailing sales () rapid7 com) and got the blurb from them about
> the difference between Metasploit and NeXpose.
>
> I was wondering who here uses Metasploit or NeXpose and would be very
> interested in finding out if anyone has moved from Metasploit to NeXpose.
>
> We currently use Nessus for doing OS level scans and the basic cgi/web based
> scans Nessus can do.  I would be interested in hearing people's opinions on
> the advantages or otherwise between Nessus and Metasploit/NeXpose.
>
> Thanks,
> --
> Greg Vickers
> Phone: +61 7 3138 6902
> Project Manager, IT Security Program
> Queensland University of Technology, CRICOS No. 00213J