Test Drive Of Metasploit's NeXpose Plug-In

Rapid7's acquisition of the Metasploit Project caused a lot of heads to turn. Concerns were raised about the project's future, specifically that of the Metasploit Framework. I held back from saying anything at the time because I was hoping for the best. Yesterday marked the first Metasploit Framework release that shows promise of the future by including integration with Rapid7's NeXpose vulnerability scanner.Dark Reading's "Metasploit Gets New Vulnerability Scanning Features" includes a good overview of the release and integration. Since I've been a big proponent and user of Metasploit for the past several years, I couldn't pass up the opportunity to start testing the new integration between Metasploit and NeXpose.

Since I'm not a current user of NeXpose, I registered for the NeXpose Community Edition and installed it on a supported operating system (Ubuntu 8.04 Linux LTS). The quick start guide made the process painless; within about 20 minutes, I had a fully operational NeXpose vulnerability scanner. Next, I ran "svn update" to update my Metasploit Framework install and noticed the "nexpose.rb" file in the list of new files being downloaded. This is the plug-in file that adds the integration.

After installing and updating the various software components, I followed the quick start guide for the NeXpose Plugin. If you've used the db_autopwn functionality in Metasploit, then you'll notice the process is pretty much identical. The exception is that instead of importing scan results from Nessus or Nmap, you are now getting vulnerability scan results back directly from NeXpose. Very cool. The Nessus and Nmap import feature has been available for more than three years, and it's great to see a new vulnerability scanning solution added to the mix.

Almost everything worked as expected. A NeXpose vulnerability scan showed my Windows XP Service Pack 2 virtual machine was vulnerable to CVE-2006-3439, which you might recognize as Microsoft Security Bulletin MS06-040. There is an exploit present for this vulnerability in the Metasploit Framework, but when I ran db_autopwn to match the discovered vulnerabilities with available exploit modules, none were identified. I verified the exploit worked manually, so I'm not sure what's going on, but I will be submitting a bug report to find out more.

Even with the minor hiccup (which will likely be fixed very quickly provided it's not something I'm doing wrong), I'm excited to see progress with the Metasploit Project. They've released versions with some major changes and new features that show Rapid7 is committed to keeping it going strong -- something I really hope continues. Also, it's great to see a vulnerability product that is adding functionality for users to test and verify the vulnerability really exists.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.