Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation. It is sold as standalone software, an appliance, virtual machine, or as a managed service or private cloud deployment. User interaction is through a web browser. There is a free but limited community edition as well as commercial versions which start at $2,000 per user per year.
For downloads and more information, visit the Nexpose homepage.
I have been using this product since 2011 and have found that it has improved considerably over that time.
I have 2 versions of Nexpose.
An MSSP version hosted at a data center that is used to scan thousands of IPs per month, both internet-facing and internal. Internal IPs are scanned via deployed scan engines.
Clients love the clarity of the reports and that they can pass them directly to operations for remediation.
I also have the consultant's version that I use during pentests. Nexpose decreases the time needed markedly and gives me clear attack surfaces to exploit. I have tried Nessus and OpenVAS, and Nexpose is far superior.
I find it interesting that very few of you will discuss the inherent issues that Metasploit has with regard to false positives. For example, the fingerprinting ability to properly identify an OS and, once discovered, flag vulnerabilities that "may" exist, e.g. DNS/BIND. Anyone in the scene knows that Rapid7 did a disservice by scooping up sploit and then not fixing it, rather wrapping a GUI around it. No tool is 100%, granted; however, while I would like very much to agree, on average 2 out of 22 findings are not accurate. Support has stated to ensure you are authenticating your scans. The issue there is that the bad guys are not authenticating but running a similar nmap string to Rapid7's, but MUCH shorter in a lot of respects. Auditors use a surface-scan, non-AUTH method also. Remember the tool is not going to think like the bad guy; you have to.
This scanner has been nothing but a pain. I keep getting error messages every time I attempt to scan: "The scan cannot be completed. Java.Runtime error suse-.xml." I tried uninstalling Java and reinstalling it; I don't know what else to do. I contacted Rapid7 as there is nothing in their support forums. Haven't heard back. Anyone else encounter this? If so, how did you fix it?
I have been using Nexpose in a large enterprise environment for well over a year and have had great success with the product. The secret is to ensure scans are authenticated so that all possible vulnerabilities can be identified. One thing to keep in mind, not all vulnerabilities are risks in every environment. Take the time to get to know your tool!!!
The people complaining about Nexpose here either don't have the product configured properly for their environment or are using the product incorrectly. There are a massive number of satisfied customers and a very small number of negative experiences. I would blame support, but then you obviously haven't worked with support lately. Times change and people improve, and lately I have had a great experience and recommend it to anyone serious about hardening their environment.
-Scanning for vulnerabilities
-Ability to manage multiple credentials from the GUI
-Reports on large sites usually aren't even possible
-GUI is worthless
-Must be proficient with the Nexpose Ruby gem
-Some of the asset group filters are broken (confirmed by support)
-Scans are limited to sites
Nexpose (from Rapid7) is also marketed by Symantec as CCS-VM under OEM license. It is one of the best vulnerability scanners I have found. Its power lies in the discovery scan and in the discovery of vulnerabilities of various operating systems. Authenticated scans are non-intrusive and perform best. It uses nmap for fingerprinting the OS and for discovery of open ports and services. It has a Metasploit engine that performs the scans. Bundled with Metasploit, it can be used for validating the vulnerabilities that can be exploited, thus reducing false positives and also helping to focus on the critical vulnerabilities. The only downside is web application scanning, which requires configuration that is a bit complex.
1. Integration with Metasploit; and
2. It's a vulnerability management solution and not just a typical scan-and-finish VA scanner.
1. Bad reporting.
2. Issue descriptions and recommendations are just as bad as OpenVAS;
3. Poor customer support and takes a long time to respond;
4. Vulnerability database is not comprehensive enough as compared with its competitors; and
5. Not value for money.
Any scanner is going to have some false positives, but Nessus users who say that they find many more FPs with Nexpose than with Nessus are probably not configuring the tool correctly. Make sure to run a credentialed scan and to scale the reliability rating for vulnerabilities accordingly. Nessus is not a bad tool, but it is not an enterprise solution, so it does not have some of the flexibility/functionality directly available. You don't compare Nessus to Nexpose. You compare Tenable SC to Nexpose.
No, it does NOT find more than Nessus. This product still has a long way to go. Hence why it was bought by another company (Rapid7). Stick with Nessus. Nothing beats it. NeXpose missed simple Flash updates and gave false positives, which will just waste your time finding out the program was wrong.
While no single tool can be a "silver-bullet" in protecting networks from an internal or external perspective; Nexpose does a very thorough job.
I use the Professional Edition at work and the Community Edition at home.
Aside from some of the "Canned-Scanning" methods, the community-edition that I use for Home-based events is equally as good as the Professional.
As with any Security Vulnerability Assessment Tool, the reports are only a start to validating and finding what is really going on in the network space you are testing.
Discovery - A
Fingerprinting - B(-)
False Positives - B
Compliance - A(+) [PCI Very Strong]
Reporting - C
Logging - B(+)
Overall a solid tool to have in the kit; but not a one-stop shop to have 100% reliance on for every situation.