NeXpose v5 POC Guide
Table of Contents
1 Introduction 3
2 Installation 4
3 Initial Setup 10
4 Site and Scan 16
5 Viewing Assets 28
6 Viewing Vulnerability 50
7 Using Tickets 36
8 Reporting 39
9 Scan Template 50
10 User Management 59
11 Administration 62
12 Metasploit Integration 67
13 FAQ 76
14 Evaluation Checklist 80
1 Introduction
As requested by many partners and customers who want something that teaches them to evaluate, or you could say “play with”, NeXpose, this POC guide leads you through testing NeXpose in a step-by-step approach. The structure is based on a complete evaluation cycle: installation, asset discovery, vulnerability assessment, reporting and remediation. Apart from the product configuration, this guide also tells you where to find more product/marketing information and support.
For each task, for example locating an asset and assigning a ticket to an administrator, there may be a few ways to do so. This guide goes through one way for demonstration only, so remember that learning, touching and feeling NeXpose to understand its logic is more important than following the guide to click and input something.
This guide does not cover solution design, sizing, dynamic sites, compliance (e.g. PCI) or the backend technology of NeXpose. These topics may be covered in a later version or in the formal classroom training. Nevertheless, information on them can be found on the Rapid7 web site.
Compared to v1.0 released in Jan 2012, v1.1 includes the updates below:
- Added IPv6 network scan
- Added Dynamic Site VMServer scan
- Added Metasploit Integration
- Updated the content (e.g. screen shots) for version 5.4
Compared to v1.1 released in Oct 2012, v1.2 includes the updates below:
- New reporting GUI
- Updated the URLs for the new Rapid7 web site
2 Installation
This section goes through the steps to get Nexpose installed correctly: obtaining the documents, software, license, etc. In this step-by-step guide, Nexpose is installed on Ubuntu 10.04 LTS 64-bit. If you do not have an environment for testing NeXpose, this guide also tells you how to set up the test lab.
2.1 Download the documents. Visit https://community.rapid7.com/community/nexpose and download the Nexpose Administrator’s Guide, Nexpose User’s Guide and Nexpose Installation Guide. If you cannot see these documents on the page, search for them.
2.2 Check the requirements. Open the Installation Guide and find “Installation Requirement”. The requirements are shown below. Other deployment options include appliance, managed service and private cloud (http://www.rapid7.com/products/nexpose/tech-specs.jsp).
2.3 Go to http://www.rapid7.com/products/nexpose/compare-downloads.jsp and download the software for your OS. It is the same installer for all editions, such as Community and Enterprise; the edition and features are controlled only by the license.
2.4 Run the installation. Only Ubuntu is covered here; for other OS, refer to the Installation Guide. Open a command prompt and switch to super user with the command “sudo -i”.
2.5 If you need to test IPv6, ensure that you have assigned an IPv6 address to the OS and that it works (e.g. “ping6 IP_v6_addr”) before the installation.
2.6 Install the required package with the command “apt-get install screen”. It does no harm to run this command if the package is already installed.
2.7 Go to the directory where the installer is stored. Ensure that the file has execute permission; if not, use the command “chmod +x NexposeSetup-Linux64.bin” to add it.
2.8 Run the installer in GUI mode with the command “./NexposeSetup-Linux64.bin”, or in console mode with “./NexposeSetup-Linux64.bin -c”. “./NexposeSetup-Linux64.bin -h” shows the help. The steps below use console mode to avoid the graphical configuration.
2.9 Press “y” (lower case) to start the installation. The system information check is shown; ensure that all items are [Pass] or [Warn]. If running on Windows, have 8GB of memory assigned. If running on Linux, 4GB of memory is fine for evaluation.
2.10 The next few steps are the license agreement and inputting name and company; follow the screen.
2.11 The next step is installing the Nexpose Security Console with a local Scan Engine, or only the Scan Engine. In this case, select “1” for both.
2.12 The next step is the installation directory; use the default “/opt/rapid7/Nexpose”. If anti-virus is installed, this directory should be on its whitelist to bypass virus scanning.
2.13 If the free hard disk space is less than 80GB, a warning is shown. Press “c” to continue.
2.14 The next step is to input the login ID and password. Follow the screen and remember the credentials. If you forget the ID or the password, there is no way to recover them and you must re-install Nexpose.
2.15 There are two additional tasks, “Create a desktop icon” and “Initialize and start Nexpose after installation”. Just press “Y” to both.
2.16 Installation begins and initialization takes time. Usually it takes about 10-30 minutes to complete the installation on Linux, but it may take up to 3-4 hours on Windows.
2.17 Note that the login URL is https://[ip_address/hostname]:3780 and that “/opt/rapid7/Nexpose/nsc/nsc.sh” is used to start Nexpose manually. Then press “Enter” to finish the installation.
2.18 To manage the NeXpose daemon, go to “/etc/init.d”. “./Nexposeconsole.rc status” checks whether the Nexpose console is running; “./Nexposeconsole.rc stop” stops it, “./Nexposeconsole.rc start” starts it and “./Nexposeconsole.rc restart” restarts it.
The NeXpose console includes the web console, the backend database and the scan engine.
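The installer's own [Pass]/[Warn] screen (step 2.9) remains the authority, but it helps to know the answers before starting. The script below is an added example, not part of this guide or of Nexpose: it checks the items from steps 2.4 to 2.13 (root shell, the screen package, the installer's execute bit, memory, free disk space for the install directory and, optionally, IPv6 reachability). The installer file name and the /opt/rapid7/Nexpose directory are the guide's, and the 4GB and 80GB thresholds are the figures from steps 2.9 and 2.13; the function names, the IPV6_ADDR variable, the sample IPv6 address in the usage comment and the script file name nexpose_preflight.sh are this example's own assumptions.

```sh
#!/bin/sh
# nexpose_preflight.sh -- added example, not part of the NeXpose POC guide.
# Runs the pre-installation checks from steps 2.4-2.13 of the guide so the
# installer's [Pass]/[Warn] screen holds no surprises.  Usage (as root):
#   IPV6_ADDR=2001:db8::10 sh nexpose_preflight.sh   # IPv6 address optional (constructed value)

INSTALLER="${INSTALLER:-./NexposeSetup-Linux64.bin}"   # file name from step 2.7
INSTALL_DIR="${INSTALL_DIR:-/opt/rapid7/Nexpose}"       # default directory from step 2.12
MIN_MEM_GB=4     # step 2.9: 4 GB is enough for a Linux evaluation (8 GB on Windows)
MIN_DISK_GB=80   # step 2.13: the installer warns below 80 GB free

# Compare a measured value against a threshold (both whole GB) and print the
# installer-style verdict.  Returns 0 for [Pass], 1 for [Warn].
check_threshold() {
    label="$1"; have="$2"; need="$3"
    if [ "$have" -ge "$need" ]; then
        echo "[Pass] $label: ${have} GB (need ${need} GB)"
        return 0
    fi
    echo "[Warn] $label: ${have} GB (need ${need} GB)"
    return 1
}

# Total RAM in whole GB from /proc/meminfo (kB); 0 when the file is unavailable.
mem_gb() {
    [ -r /proc/meminfo ] || { echo 0; return 0; }
    awk '/^MemTotal:/ { printf "%d", $2 / 1024 / 1024 }' /proc/meminfo
}

# Free space in whole GB on the filesystem that will hold the install directory.
# Before installation the directory does not exist yet, so walk up to the
# nearest existing parent (usually / on a fresh host).
disk_free_gb() {
    dir="$1"
    while [ ! -d "$dir" ]; do dir=$(dirname "$dir"); done
    df -P -k "$dir" | awk 'NR == 2 { printf "%d", $4 / 1024 / 1024 }'
}

# Step 2.7: the installer must exist and carry the execute bit.
check_installer() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "[Warn] installer $f not found"; return 1
    elif [ ! -x "$f" ]; then
        echo "[Warn] $f is not executable; run: chmod +x $f"; return 1
    fi
    echo "[Pass] installer $f is executable"
}

# Step 2.6: the screen package must be present.
check_screen() {
    if command -v screen >/dev/null 2>&1; then
        echo "[Pass] screen is installed"
    else
        echo "[Warn] screen is missing; run: apt-get install screen"; return 1
    fi
}

# Step 2.5: if IPv6 will be tested, the address must answer ping6 before installing.
check_ipv6() {
    addr="$1"
    [ -n "$addr" ] || { echo "[Skip] no IPv6 address supplied"; return 0; }
    if ping6 -c 1 -W 2 "$addr" >/dev/null 2>&1; then
        echo "[Pass] IPv6 address $addr answers ping6"
    else
        echo "[Warn] IPv6 address $addr does not answer ping6"; return 1
    fi
}

# Run every check, count the warnings and return their number (0 = all passed).
preflight() {
    warnings=0
    [ "$(id -u)" -eq 0 ] || { echo "[Warn] not root; the guide runs the installer after 'sudo -i'"; warnings=$((warnings + 1)); }
    check_screen || warnings=$((warnings + 1))
    check_installer "$INSTALLER" || warnings=$((warnings + 1))
    check_threshold "memory" "$(mem_gb)" "$MIN_MEM_GB" || warnings=$((warnings + 1))
    check_threshold "free disk for $INSTALL_DIR" "$(disk_free_gb "$INSTALL_DIR")" "$MIN_DISK_GB" || warnings=$((warnings + 1))
    check_ipv6 "${IPV6_ADDR:-}" || warnings=$((warnings + 1))
    echo "$warnings warning(s)"
    return "$warnings"
}

# Run the checks only when executed under the script name; sourcing the file
# just defines the functions.
case "${0##*/}" in nexpose_preflight.sh) preflight ;; esac
```

Run it as root from the directory that holds the installer; a non-zero exit status means at least one [Warn] line was printed. It only reports and changes nothing, so the installer's own check in step 2.9 is still the final word.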
2.19 Build the test lab. Below are the recommended systems on the network:
- Nexpose Console + Scan Engine (just installed in this section)
- Metasploitable2: Linux host with many vulnerabilities, including web
- Windows 2003/2008 server: with a domain enabled for testing policy
- Windows 7 or Windows XP: for workstation scan
Below are the IP addresses assigned in this guide; you can use your own address set.
1000::3/64 Metasploitable2 192.168.152.13/24
The Metasploitable2 login ID and password are “msfadmin” and “msfadmin” respectively.
3 Initial Setup
3.2 For the license check, click “Administration” on the top menu bar. Locate “Security Console” on the left, then click the blue “Manage”. Click to the “Licensing” page on the left.
3.3 You need an Enterprise License to go through this POC. If you do not have one, you can register for one on http://www.rapid7.com/products/nexpose/nexpose-enterprise-trial.jsp. You can also contact Rapid7 or Rapid7 partners to get the Enterprise License key.
3.4 Once you get the license email, click “Activate a new license” under the warning message. If activation fails, restart the server and log in again; you will be prompted for the license key immediately. After activation, the correct license information should be shown.
3.5 If you fail to activate, you can:
3.5.1 Before installation, confirm that the host-based firewall is disabled and the NeXpose installation folder is on the anti-virus whitelist.
3.5.2 After installation, reboot the host before activation.
3.5.3 If you are behind a proxy, you can configure it here: Administration/Security Console/Proxy Settings.
3.5.4 The IP address of the Nexpose server must be whitelisted through firewalls and URL filters like Bluecoat/Websense. You must allow all traffic out over port 80 to updates.rapid7.com. Confirm this by opening a terminal and typing “telnet updates.rapid7.com 80”.
In the same fashion, open a browser and type http://updates.rapid7.com; you should see a blank page in Firefox or a “page not found” error in IE, instead of a blocking page or a connection problem error.
3.5.5 If there is no web proxy, go to Administration > Diagnostics > Command Console and run “ping updates.rapid7.com” to test the connection to the activation server. You need to ensure that the connection to port 80 is ALIVE.
3.5.6 NeXpose needs to reach the Rapid7 update server to pull down the jar and zip files needed for activation and updating. Since some web gateway/firewall content controls may block jar files from unknown sites, you may need to change the policy to allow NeXpose to get the jar file.
3.5.7 Confirm that the browser in use is supported (check 2.2).
3.5.8 Clear the browser cache and try activation again.
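Steps 3.5.3 to 3.5.5 are easy to script so they can be repeated after every firewall or proxy change. The script below is an added example, not part of this guide or of Nexpose. It reads the proxy from the usual http_proxy/https_proxy environment variables, extracts its host and port, checks whether updates.rapid7.com resolves, and checks whether TCP port 80 (or the proxy port) can be opened, which is the non-interactive form of the “telnet updates.rapid7.com 80” test. The update host and port 80 are the guide's; the function names, the proxy URL parsing, the sample proxy URL in the comments and the script file name nexpose_activation_check.sh are this example's own assumptions.

```sh
#!/bin/sh
# nexpose_activation_check.sh -- added example, not part of the NeXpose POC guide.
# Scripted form of the activation connectivity checks in steps 3.5.3-3.5.5.
# Usage:  sh nexpose_activation_check.sh     (export http_proxy first if you use one)

UPDATE_HOST="updates.rapid7.com"   # activation/update server named in step 3.5.4
UPDATE_PORT=80                     # the port that must be allowed outbound

# Host part of a proxy URL such as http://proxy.example.com:3128 (constructed
# value); scheme, user:password@ prefix, port and path are stripped.
proxy_host() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#/.*$##' -e 's#^.*@##' -e 's#:[0-9]*$##'
}

# Port part of the same URL; prints nothing when the URL carries no port.
proxy_port() {
    printf '%s\n' "$1" | sed -n -e 's#^[A-Za-z]*://##' -e 's#/.*$##' -e 's#^.*:\([0-9][0-9]*\)$#\1#p'
}

# Can a TCP connection to host:port be opened within $3 seconds?  Uses netcat
# when present, otherwise bash's /dev/tcp pseudo-device.  Nothing is sent, so
# this is the "telnet updates.rapid7.com 80" test without the interactive session.
tcp_check() {
    host="$1"; port="$2"; secs="${3:-5}"
    if command -v nc >/dev/null 2>&1; then
        nc -z -w "$secs" "$host" "$port" >/dev/null 2>&1
    else
        timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# Work through the checklist and return 0 only when the update server (or the
# proxy in front of it) answers on the expected port.
activation_check() {
    proxy="${https_proxy:-${HTTPS_PROXY:-${http_proxy:-${HTTP_PROXY:-}}}}"
    if [ -n "$proxy" ]; then
        target_host=$(proxy_host "$proxy")
        target_port=$(proxy_port "$proxy"); target_port="${target_port:-80}"
        echo "proxy in use: $target_host:$target_port (enter the same values under Administration/Security Console/Proxy Settings, step 3.5.3)"
    else
        target_host="$UPDATE_HOST"; target_port="$UPDATE_PORT"
        echo "no proxy in the environment; testing a direct connection (step 3.5.5)"
    fi
    if command -v getent >/dev/null 2>&1 && getent hosts "$UPDATE_HOST" >/dev/null 2>&1; then
        echo "DNS: $UPDATE_HOST resolves"
    else
        echo "DNS: $UPDATE_HOST could not be resolved here (a proxy may still resolve it)"
    fi
    if tcp_check "$target_host" "$target_port" 5; then
        echo "TCP: $target_host:$target_port is ALIVE"
        return 0
    fi
    echo "TCP: $target_host:$target_port is not reachable; check the firewall / URL filter whitelist (step 3.5.4)"
    return 1
}

case "${0##*/}" in nexpose_activation_check.sh) activation_check ;; esac
```

Run it on the Nexpose host itself, since that is the address the firewall and URL filter see. A reachable port only proves the TCP path; if activation still fails afterwards, the jar download block in 3.5.6 is the next thing to check.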
3.6 To run diagnostics, click “Administration” on the top menu bar. Locate “Troubleshooting” on the left, then click the blue “Diagnose”. Click the “Perform diagnostics” button. Ensure that all categories have a green tick status.
3.7 To run a manual update, click “Administration” on the top menu bar. Locate “Security Console” on the left, then click the blue “Manage”. Click “Updates” on the left. Click the “Manual Update” button and then press “Start manual update” in the pop-up window.
3.8 To check the update status, click “Administration” on the top menu bar. Locate “Security Console” on the left and click the blue “Manage”. The “General” page shows the version and the last update information.
3.9 To avoid self-scan, click “Administration” on the top menu bar. Locate “Global Settings” on the left, then click the blue “Manage”. Click “Asset Exclusions” on the left. Input the Nexpose console IP address and then click the “Save” button.
3.10 Set the Web GUI timeout. Click “Administration” on the top menu bar. Locate “Security Console” on the left, then click the blue “Manage”. Click “Web Server” on the left. Set the “Session timeout” to 1800 seconds or another comfortable value.
3.11 To check the details of a new update (e.g. new vulnerability checks), click “News” at the top right.
3.12 On Linux, to view the real-time system log of Nexpose, input “screen -x” at the command prompt. The log shows system events such as update operations and license status. Press “Ctrl + a” followed by “d” to detach, and you will see a message like “[detached from 1503.Nexposeconsole]”. Don’t use “Ctrl + C”, “Ctrl + X” or “Ctrl + Z”, which would terminate the Nexpose console.
3.13 Review the host security settings. If the host has anti-virus installed, ensure that the Nexpose directory is on the whitelist. If the host firewall is enabled, disable it. If host IPS/IDS is enabled, disable it.
4 Site and Scan
A site groups together a logical collection of devices. Each site can then be scanned together by the same scan engine. In v5.x, there are two site options. A static site is a collection of IP addresses, IP ranges and hostnames. A dynamic site is used to discover the vAssets on a vCenter server. In this guide, only static sites are covered. You will learn how to build a site and how to run a scan on it with/without credentials.
4.1 Power on the hosts Metasploitable2 and Windows 7. Refer to steps 2.19 to 2.20.
4.2 Go to “Home” and click the “New static site” button.
4.3 Input a site name such as “My first site”. The “Importance” is a factor that increases or reduces the risk score of the site, to fine-tune the actual risk level. For example, the same vulnerability may bring more risk on a database server than on a workstation. Leave it as “Normal” and then press “Next”. More about site importance in 10.8.
Importance multipliers: Very Low: x 1/3; Low: x 1/2; Normal: x 1; High: x 2; Very High: x 3
4.4 On the “Assets” page, input the IP address range of the lab network or the IP address of the target host. Excluded IPs can be added here. Importing from a file is supported; the accepted format is shown on the right. In this example, only Metasploitable2 is scanned. Click the “Next” button.
4.5 On the “Scan Setup” page, the drop-down menu under “Scan Template” lists all the available templates. Select “Full audit”. If you have multiple Scan Engines, you can choose one for this site. Tick “Enable schedule” to see the scheduled scan settings.
4.6 A scheduled scan can be started at a specific date and time. A maximum scan window can be set. The scan can be set to repeat on a cycle (e.g. every week), and you can choose how it behaves if the last scan could not be finished within the scan window (e.g. continue). Untick “Enable schedule”, then click “Next”.
4.7 On the “Alerting” page, click the “Add alert” button to see the available alert settings. Alerts can be sent when a scan is started, stopped, failed, paused or resumed. Moreover, alerts can be sent if a vulnerability (e.g. severe and critical) is confirmed, found (unconfirmed) or potential. The alert options include SMTP email, SNMP and Syslog. Click “Cancel”, then click “Next”.
4.8 NeXpose supports authentication to a wide range of systems for vulnerability scanning and policy auditing. The systems include Windows, databases, shell, web, etc. Credentials will be covered later. Click “Next”.
4.9 Web Applications support form-based authentication and HTTP header authentication (session-based). This will be covered later. Click “Next”.
4.10 Organization information such as company and contact can be added here; it will be used in the reports generated for this site. Input your information and click “Next”.
4.11 A site can be set to allow specific users to access it, an auditor for example. Click “Save”.
4.12 To start the first scan: the newly added site is shown under the “Site Listing” section on the “Home” page. Click the green “Scan” button. You can also “Edit” the site settings, such as using another scan template to scan other hosts.
4.13 Verify that the site information is correct. You can exclude IPs or add IPs here. Click “Start now”.
4.14 The scan progress is shown. The scan can be stopped or paused at any time. The “Remaining” time changes according to what facts are found and what actions are taken by the JESS expert system. The scan log can be downloaded during or after the scan; it shows what the scan is doing, such as “Trying form-based XSS injection” on a URL.
4.15 The “Discovered Assets” pane shows each host’s IP, hostname, OS and number of vulnerabilities.
4.16 On the “Home” tab on the top menu bar, the scan is shown under the “Current Scan Listing for All Sites” section, and it can be stopped, paused or resumed there.
4.17 Site information can be found after the scan. On the “Home” tab on the top menu bar, there is a bar chart showing the number of vulnerabilities by severity level and a chart showing the vulnerability trend. The site information includes the number of assets, number of vulnerabilities, risk score, site type (static or dynamic) and scan status.
4.18 Try to run a credentialed scan on a Windows domain. Referring to 2.19, set up a Windows domain with a server and a Windows workstation. If the Windows domain contains Windows 7 or Windows Server 2008, ensure that the “Remote Registry Service” is enabled:
1 On the computer where you want to record Shutdown Event Tracker data, click Start, click in the Start Search box, type services.msc, and then press ENTER. Microsoft Management Console starts with the Services snap-in open.
2 In the console pane, right-click Remote Registry and click Start.
4.19 Referring to 4.2 to 4.5, build a new static site (e.g. called “Windows Domain”) with these two Windows assets (Win2008 server and Win7) as members, and select the “Exhaustive” scan template. “Exhaustive” includes patch/hotfix checking, policy compliance checking and application-layer auditing. Click the “Browse” button and click “Exhaustive” to view the scan template. “Exhaustive” includes the policy audits of Oracle, Lotus Domino, Windows Group, CIFS/SMB, AS/400 and UNIX. In this case, the “Windows Group Policy” audit will be applied to scan the Windows domain. Performing an exhaustive audit could take several hours to complete, depending on the number of hosts selected. More about scan templates will be discussed later.
4.20 On the “Credentials” page, add a “Microsoft Windows/Samba (SMB/CIFS)” credential to log in to the Windows domain. Remember to test the credential before saving. Save and run the scan on this new site “Windows Domain”; the result will be discussed in the next section. The credential can be restricted to an IP at a specific port only. If there is no restriction, all targets in the site scan with the matching service running will have this credential applied.
4.21 If a scan credential is shared across multiple sites, you can create Shared Scan Credentials. Click “Administration” on the top menu bar and then click the blue “Create” under “Shared Scan Credentials”.
4.22 The settings are the same as in 4.20 except for an additional setting called “Site assignment”. This credential can be assigned to all sites or to specific sites.
4.23 Nexpose supports IPv6 networks. Create a site called “IPv6 Test”, input the IPv6 addresses of the Windows 2008 Server and Windows 7 (refer to 2.19), select “Full Audit” as the scan template and run the scan without credentials. Some vulnerabilities should be found.
4.24 To scan a dynamic site, you first need to create a Discovery Connection to connect to the VM server. Go to “Administration” and click the blue “Create” next to “Discovery Connections”.
4.25 Input the VM server login configuration and credential.
4.26 Go to the Home page and click the “New dynamic site” button.
4.27 There should be only one vConnection, the one added in 4.25. Click the “Discover assets” button.
4.28 The discovered VM guest images are shown. You can click the “Add filters” button to filter the VMs.
4.29 Several conditions are available for the filter. For example, you can apply a filter to list only the powered-on VMs. Or, as in this case, reset the filter and just click the “Create dynamic site” button.
4.30 Input the “Name” and Description, then click “Save”.
4.31 A new site is created. Compared with a static site, the “Assets” are discovered by the vConnection and you cannot add/delete any IP/host here. If there is a change on the VM server, it will be reflected in the next scan.
5 Viewing Assets
- Charts and graphs at the top of the Sites page provide a statistical overview of sites, including risks and vulnerabilities.
- The site information includes the number of assets, number of vulnerabilities, risk score, site type (static or dynamic) and scan status.
5.3 The console displays a page for that site, including recent scan information, statistical charts and graphs, and a list of assets. On this page, you can view important security-related information for each asset, which helps you prioritize remediation projects: the number of available exploits, the number of vulnerabilities, and the risk score.
5.4 On the site page, scroll down to the bottom; the discovered assets are shown with hostname, OS and other vulnerability-related information in the “Asset Listing” table. Click the IP address or the name of one of the detected assets.
5.5 The “Asset Properties” are shown at the top, followed by the “Vulnerability Listing”.
5.6 If a vulnerability should be excluded for some reason, for example because it is acceptable that the asset responds to ping, you can click to add this vulnerability to the “Vulnerability Exception Listing”.
5.7 The “Service Listing” section shows the scanned network services (e.g. FTP), the application running (e.g. vsFTPd 2.3.4), the port used, the number of vulnerabilities, etc. Administrators can check the services here to see whether any abnormal service is running.
5.8 The “User and Group Listing” section shows the users and groups found. Administrators can check for any strange ID here, in case it was created by a previous employee or by backdoor malware.
5.9 The database is always a core system to be protected. The “Database Listing” pane shows the scanned databases. The “File and Directory Listing” pane shows the detected file system structure.
5.10 At the bottom are the asset “Fingerprints”. If you cannot see the fingerprinting section, click the “Dashboard Customization” icon at the top right. Fingerprinting is a set of methods by which Nexpose identifies as many details about the asset as possible. By inspecting properties such as the specific bit settings in reserved areas of a buffer, the timing of a response, or a unique acknowledgement interchange, Nexpose can identify indicators of the asset's hardware and operating system. The last column is the certainty level, showing how confident Nexpose is in the OS identification.
5.11 To view the results of the policy scan of “Windows Domain”, refer to 5.2 to select the site “Windows Domain” and select one asset (e.g. Windows 7). You can find the status of each element of the policy being compared in the “Standard Policy Listing” table. You can also find the installed software in the “Installed Software Listing” table. Without credentials, Nexpose can only scan the host from an external point of view, such as the vulnerabilities of the network services. With credentials, Nexpose can look into the system setup, such as registry keys and installed software.
5.12 Assets can be grouped. Click “Assets” on the top bar, then click the blue “View” next to “Asset groups”. Two different kinds of "snapshots" can be created: the dynamic asset group is a snapshot that potentially changes with every scan, and the static asset group is an unchanging snapshot.
5.13 A dynamic asset group contains scanned assets that meet a specific set of search criteria. You define these criteria with asset search filters, such as IP address range or hosted operating system. The list of assets in a dynamic group is subject to change with every scan. Click “New dynamic asset group”. You can apply a search filter for the dynamic group.
For example, define a dynamic group for all web servers in “My first site”. The conditions will be “Service name contains HTTP” and “Site name is My first site”. The search result shows the assets meeting the conditions. Click the “Create asset group” button.
Input the name and description, and add users if you want to assign this group to be managed by a specific person.
Click “Save” to store the new dynamic group; it is shown in the “Asset Group Listing”.
5.14 A static asset group contains assets that meet a set of criteria that you define. The list of assets in a static group does not change unless you alter it manually.
5.15 To view assets by the operating systems running on them, go to the “Assets” tab on the top menu bar and click the blue “View” next to “Operating systems” on the left. The console displays the “Operating Systems” page, which lists all the operating systems running in your network and the number of instances of each. Click the link for an operating system to view the assets running it.
5.16 To view assets by the services they are running, go to the “Assets” tab on the top menu bar and click the blue “View” next to “Services” on the left. The console displays the “Services” page, which lists all the services running in your network and the number of instances of each. Click the link for a service to view the assets running it.
5.17 To view assets by the software running on them, go to the “Assets” tab on the top menu bar and click the blue “View” next to “Software” on the left. The console displays the “Software” page, which lists the software that Nexpose found running in your network, the number of instances of each program, and the type of program. Click the link for a program to view the assets running it. Nexpose only lists software on hosts for which it has credentials to scan. An exception is when Nexpose discovers a vulnerability that permits root/admin access.
6 Using Tickets
You can use the Nexpose ticketing system to manage the remediation workflow and delegate remediation tasks. The NeXpose ticketing system and the remediation report covered later are asset oriented: a ticket is associated with an asset and contains information about one or more vulnerabilities.
6.1 To find an asset with vulnerabilities, click the “Assets” tab and then the blue “View” next to “All” on the left.
6.2 In the “Asset Listing” table, click the IP address of the asset to which a ticket should be assigned.
6.3 Click the “Open a ticket” button under the “Vulnerability Listing” pane.
6.4 To configure a ticket, input a “Name”, set the “Priority” and assign it to one person. Go to the “Vulnerabilities” page and click “Select vulnerabilities” to select the vulnerabilities to be fixed. Finally, click the “Save” button to save the ticket.
6.5 To view or update a ticket, go to the “Tickets” tab on the top menu bar. Find and click the ticket name, such as “Fix the Web Server” shown in the screenshot below.
6.6 A ticket can be assigned to another administrator, have vulnerabilities to be fixed added or removed, be set to a different priority, have comments added on the “History” page, etc.
7 Reporting
Reports provide many varied ways to look at scan data, from business-centric perspectives to detailed technical assessments. You can learn everything you need to know about vulnerabilities and how to remediate them, or you can just list the services running on your network assets.
7.1 To create a report, go to the “Reports” tab, then click the “New” button.
7.2 Input a name, for example “My First Report”, and a time zone (e.g. GMT +0800).
7.3 Select “Document”, “Export” or “All” to show the available templates. Hover the mouse over a template to check what information will be shown in the report. Select “Audit Report”.
7.4 Select the file format. Depending on the nature of the selected template, the available formats are shown; for example, “PCI Executive Summary” only has the RTF format. Select “PDF”.
7.5 Define the scope of the report.
7.6 Click “Select Sites, Assets, or Asset Groups” to decide which asset IPs will be included in the report. Select the site “My first site”.
7.7 You can filter the vulnerabilities by clicking the “Filter report scope based on vulnerabilities” icon. You can filter by severity level (critical only, critical + severe, or all). You can also include one or multiple vulnerability categories; for example, the report can include only web-related vulnerabilities, but not OS or other vulnerabilities, if the reader is the web administrator. In this example, select “All severities” and “Include all” categories.