With your new site configured, you are now set to configure your first scan:
1. Click the New Manual Scan button shown in Figure 4-4. You should see
the Start New Scan dialog shown in Figure 4-5, which prompts you for the
assets you want to scan or exclude. In this example, we are scanning our
default Windows XP system.
2. Double-check your target IP address to be sure that you’re not about to
scan the wrong device or network inadvertently, and click the Start Now
button to begin.
3. NeXpose should dynamically refresh the page as the scan progresses.
Wait until the status for both Scan Progress and Discovered Assets shows
Completed, as shown in Figure 4-6. Under the Scan Progress section, you
can see that our single scanned device has 268 vulnerabilities detected,
and under Discovered Assets, you are provided with more information
about the target such as the device name and its operating system. Now
click the Reports tab.
If this is your first time running NeXpose and you have completed only one
scan, the Reports tab should show that you have generated no reports.
1. Click New Report, as shown in Figure 4-7, to start the New Report wizard.
Figure 4-7: The NeXpose Reports tab
2. Enter a friendly name, and then in the Report format field, select NeXpose
Simple XML Export, as shown in Figure 4-8, so that you will be able to
import the scan results into Metasploit. You can select from different report
templates and configure the time zone if you happen to be conducting
your pen test on the road. Click Next when you are ready to proceed.
Figure 4-8: Selecting a name and format for the report
3. In the subsequent window, add the devices you want to be included in
the report by clicking Select Sites to add your scanned target range, as
shown in Figure 4-9. Then click Save.
Figure 4-9: Selecting the site for inclusion in the report
4. In the Select Devices dialog, select the targets to include in your report
and then click Save.
5. Back in the Report Configuration wizard, click Save to accept the remaining
defaults for the report. The Reports tab should now list the newly created
report, as shown in Figure 4-10. (Be sure to save the report file so that
you can use it with the Framework.)
Importing Your Report into the Metasploit Framework
Having completed a full vulnerability scan with NeXpose, you need to import
the results into Metasploit. But before you do, you must create a new database
from msfconsole by issuing db_connect. After creating that database, you'll import
the NeXpose XML using the db_import command. Metasploit will automatically
detect that the file is from NeXpose and import the scanned host. You
can then verify that the import was successful by running the db_hosts command.
(These steps are shown in the following listing.) As you can see, Metasploit
knows about the 268 vulnerabilities that your scan picked up.
> db_connect postgres:[email protected]/msf3
> db_import /tmp/host_195.xml
Importing ‘NeXpose Simple XML’ data
Importing host 192.168.1.195
Successfully imported /tmp/host_195.xml
msf > db_hosts -c address,svcs,vulns
To display the full details of the vulnerabilities imported into Metasploit,
including Common Vulnerabilities and Exposures (CVE) numbers and other
references, run the following:
msf > db_vulns
As you can see, running an overt vulnerability scan with full credentials
can provide an amazing amount of information: 268 vulnerabilities found.
But, of course, this has been a very noisy scan, likely to attract lots
of attention. These types of vulnerability scans are best used in a pen test
where being stealthy is not required.
Running NeXpose Within MSFconsole
Running NeXpose from the web GUI is great for fine-tuning vulnerability
scans and generating reports, but if you prefer to remain in msfconsole, you
can still run full vulnerability scans with the NeXpose plug-in included in
To demonstrate the difference in results between a credentialed and
non-credentialed scan, we will run a scan from within Metasploit without specifying
a username and password for the target system. Before you begin, delete any
existing database with db_destroy, create a new database in Metasploit with
db_connect, and then load the NeXpose plug-in with load nexpose as shown next:
msf > db_destroy postgres:[email protected]/msf3
[*] Warning: You will need to enter the password at the prompts below
msf > db_connect postgres:[email protected]/msf3
msf > load nexpose
[*] NeXpose integration has been activated
[*] Successfully loaded plugin: nexpose
With the NeXpose plug-in loaded, have a look at the commands loaded
specifically for the vulnerability scanner by entering the help command. You
should see a series of new commands at the top of the listing specific to run-
msf > help
Before running your first scan from msfconsole, you will need to connect
to your NeXpose installation. Enter nexpose_connect -h to display the usage
required to connect; add your username, password, and host address; and
accept the SSL certificate warning by adding ok to the end of the connect
> nexpose_connect -h
nexpose_connect username:[email protected][:port] <ssl-confirm>
nexpose_connect username password host port <ssl-confirm>
> nexpose_connect dookie:[email protected] ok
Connecting to NeXpose instance at 192.168.1.206:3780 with username dookie…
Now enter nexpose_scan followed by the target IP address to initiate a scan, as
shown next. In this example, we are scanning a single IP address, but you
could also pass a range of hosts to the scanner (192.168.1.1-254) or a subnet
in Classless Inter-Domain Routing (CIDR) notation (192.168.1.0/24).
> nexpose_scan 192.168.1.195
Scanning 1 addresses with template pentest-audit in sets of 32
Completed the scan of 1 addresses
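The target double-check from the manual scan steps, applied to the single-address, range, and CIDR forms just mentioned. This is an added example, not code from the original text or from NeXpose or Metasploit: a Python pre-flight check that expands each target spec and flags anything outside an authorized scope. AUTHORIZED_SCOPE and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed engagement scope (assumption): only the lab subnet is authorized.
AUTHORIZED_SCOPE = ["192.168.1.0/24"]


def expand_target(spec):
    """Expand one target spec into a list of IPv4 networks.

    Handles the forms named in the text: a single address, a range
    (192.168.1.1-254 or a full end address), and CIDR notation.
    """
    spec = spec.strip()
    if "/" in spec:
        # strict=True rejects CIDR with host bits set (e.g. 192.168.1.5/24),
        # which usually means the address or the mask was mistyped.
        return [ipaddress.ip_network(spec, strict=True)]
    if "-" in spec:
        start_text, end_text = spec.split("-", 1)
        if "." not in end_text:
            # Short form: the end value replaces the last octet of the start.
            end_text = start_text.rsplit(".", 1)[0] + "." + end_text
        start = ipaddress.IPv4Address(start_text)
        end = ipaddress.IPv4Address(end_text)
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec)]


def check_scope(specs, scope=AUTHORIZED_SCOPE):
    """Return (total_addresses, out_of_scope_networks) for the target specs."""
    allowed = [ipaddress.ip_network(s) for s in scope]
    total, outside = 0, []
    for spec in specs:
        for net in expand_target(spec):
            total += net.num_addresses
            # A block is in scope only if it sits entirely inside an allowed net.
            if not any(net.subnet_of(a) for a in allowed):
                outside.append(str(net))
    return total, outside


if __name__ == "__main__":
    for targets in (["192.168.1.195"], ["192.168.1.1-254"], ["192.168.11.95"]):
        count, outside = check_scope(targets)
        verdict = "OK" if not outside else f"OUT OF SCOPE: {outside}"
        print(f"{targets}: {count} address(es), {verdict}")
```

A non-empty second element means at least part of the spec falls outside the authorized range, so the scan should not be started until the target string is corrected.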
After the NeXpose scan completes, the database you created earlier
should contain the results of the vulnerability scan. To view the results, enter
db_hosts, as shown next. (In this example, the output has been trimmed by
filtering on the address column.)
msf > db_hosts -c address
Svcs Vulns Workspace
---- ----- ---------
As you can see, NeXpose has discovered seven vulnerabilities. Run db_vulns
to display the vulnerabilities found:
msf > db_vulns
Although this scan has found significantly fewer than the 268 vulnerabilities
discovered with our prior use of NeXpose through the GUI with credentials,
you should have enough vulnerabilities here to get a great head start on
exploiting the system.