<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   >
<channel>
    <title>Information Security, Privacy and Regulatory Compliance - Penetration Testing</title>
    <link>http://keithpachulski.securitytactics.com/</link>
    <description>Keith A. Pachulski - http://keithpachulski.securitytactics.com</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.5.2 - http://www.s9y.org/</generator>
    <pubDate>Sun, 08 Aug 2010 21:59:45 GMT</pubDate>

    <image>
        <url>http://keithpachulski.securitytactics.com/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: Information Security, Privacy and Regulatory Compliance - Penetration Testing - Keith A. Pachulski - http://keithpachulski.securitytactics.com</title>
        <link>http://keithpachulski.securitytactics.com/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>Social Engineering - It's not a new attack people</title>
    <link>http://keithpachulski.securitytactics.com/index.php?/archives/38-Social-Engineering-Its-not-a-new-attack-people.html</link>
            <category>Penetration Testing</category>
            <category>Soapbox</category>
            <category>Social Engineering</category>
    
    <comments>http://keithpachulski.securitytactics.com/index.php?/archives/38-Social-Engineering-Its-not-a-new-attack-people.html#comments</comments>
    <wfw:comment>http://keithpachulski.securitytactics.com/wfwcomment.php?cid=38</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://keithpachulski.securitytactics.com/rss.php?version=2.0&amp;type=comments&amp;cid=38</wfw:commentRss>
    

    <author>nospam@example.com (Keith Pachulski)</author>
    <content:encoded>
    We had talked about this briefly on the &lt;a href=&quot;http://www.isdpodcast.com/episode-186-cc-numbers-for-comments-se-new-dating-techniques/&quot; title=&quot;isdpodcast&quot; target=&quot;_blank&quot;&gt;podcast&lt;/a&gt; the other night, but I wanted to go into it further. It&#039;s one of those subjects that sticks with me...read into that how you want.&lt;br /&gt;
&lt;br /&gt;
First off, to those of you who are reading this that don&#039;t know what social engineering is, here is the popular and generally accepted definition from &lt;a href=&quot;http://en.wikipedia.org/wiki/Social_engineering_%28security%29&quot; title=&quot;Wikipedia - Social Engineering&quot; target=&quot;_blank&quot;&gt;Wikipedia&lt;/a&gt;:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
The most basic form of Social Engineering can be viewed as &quot;breaking the ice&quot; between a man and a woman: the man engages the woman and, through various observations, attempts to discern some information to further the encounter.&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;Note: If you&#039;re new to the social engineering game, learn to start random conversations with men and women, regardless of how awkward the situation. Once you find you can enter into conversations with ease as well as exit from them with some useful information gleaned, you&#039;re on your way. By useful information I do not mean how the current weather is =)&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
Women are typically better at the social engineering game than men, though some will likely disagree with me on this. That&#039;s fine though, disagree and prove me wrong. No guy that I know of can engage an executive in a short skirt, with some stiletto heels and a low cut top at a bar better than a woman. Male social engineers will typically target females, if there is a choice. Unless the &quot;attacker&quot; is significantly tuned into the social engineering game, a male attempting to extract information from another guy will find it slightly more difficult. Sex sells, so does alcohol...put the two together and it&#039;s game over..why do you think strip clubs, pornography and alcohol are still around....&lt;br /&gt;
&lt;br /&gt;
Yea, this should be addressed in training. Though I&#039;ve found that discussion of sex and alcohol walk a thin line with some entities. Because you know. God forbid the truth be told and we discuss such &quot;taboo&quot; subjects...seriously, get off the damn high horse...&lt;br /&gt;
&lt;br /&gt;
The most common method social engineers will use is the telephone. This has of late been coined &quot;vishing&quot;. For the record, I hate the mass media for diluting the common definition and trying to create new coined phrases to address one portion of the social engineering attacks. Doing so only confuses the issue, so to the guy who made the phrase vishing..I hope you get a gaping paper cut and someone dumps lemon juice on it. Anyhow, when creating the social engineering defense training program this must be included in it. It must also be included in the organizational operations procedures along with the required methodology for reporting suspicious phone calls. One thing I recommend in my training on social engineering defenses is that should any employee on the phone feel a call has become questionable, they engage the internal security team. Let them deal with the phone call and have the employee remain on the line in silent mode, acting as on-the-job training. These types of encounters should also be included in the internal security training.&lt;br /&gt;
&lt;br /&gt;
Training is where it begins, though the training has to be realistic. Chris Nickerson probably gave one of the best realistic training scenarios when he stood on stage and morphed himself through numerous different personalities without any interruption between each transition. Bear in mind of course that Chris is an exception to the rule and most social engineers are not at that level of manipulation..yet anyhow.&lt;br /&gt;
&lt;br /&gt;
So what is the point of this, you&#039;re likely asking yourself at this point. We&#039;re establishing the framework for the defense. The defense will typically develop itself in some type of training, whether it be formal or informal. In my experience, executives have been the least receptive to this training. Why? Because they feel that they are not able to be manipulated due to their intellectual superiority. If you&#039;re an executive and you are reading this and you fall into that category; sorry, you are not superior, you are just plain stupid. The most receptive to training have been the line-level tech support and engineer type personnel. They are also aware that they are typically the individuals being targeted.&lt;br /&gt;
&lt;br /&gt;
The telephone was given much press recently with the DEFCON Social Engineering Contest. This was both a success and a failure. The contest itself was a success as it gave further proof that social engineering as an attack vector is still possible, I know..as if this needed proof right..I&#039;m being gentle. The failure however, was not with DEFCON or the contest, but within the Public and Private Sectors in response to this. In speaking with several people about this, there was a flurry of internal communications just before the contest went off. In general: this is what social engineering is, they use a phone..don&#039;t release any information. For real...this is not training, people. The other failure was there was, at least to my knowledge, no follow-up training. It was more of a yea, it came..it went..status quo..&lt;br /&gt;
&lt;br /&gt;
FAILURE&lt;br /&gt;
&lt;br /&gt;
Email and IM are other popular methods, email being more frequent than IM. Everyone is aware of it, and amazingly many people are still happy to click on that link or open that email attachment. Again, include the attack vector in your training. There is nothing more annoying than that HR executive clicking on a link to learn to &quot;optimize&quot; his staff and loading the Java applet which pushes a reverse shell to some system in China. No names here of course...you know who you are...&lt;br /&gt;
&lt;br /&gt;
Face-to-face encounters, in their numerous forms, are by far the most effective next to the phone calls. We are human, we like to interact, we like to be helpful. Hell, I&#039;ll admit it, I got engineered by two guys last week sitting in a room talking techie..of course it wasn&#039;t till after we finished the conversation that I said to myself..shit..I got punk&#039;d. Technical security people are few and far between, we love interfacing with others in the field. Don&#039;t fall prey, and the training should reflect as such. Never release any interesting information, duh..even me. I admit my flaws..can you =) Good social engineers will flourish in the face-to-face encounters: smooth talking, well versed in various operational functions from accounting executive to janitor, switching personality at the drop of a dime. In the end, if the identity of the individual cannot be verified, remove them from the facility. Your training and procedures should dictate as such. This is also a requirement under several regulations such as PCI.&lt;br /&gt;
&lt;br /&gt;
General conversation is a relatively easy route, especially when targets are more than happy to speak about sensitive information with their colleagues on the phone or on the Metro/Subway. Loose lips sink ships people..seriously close them. Shoulder surfing falls into this as well. If you&#039;re reading, writing or discussing it in public you&#039;re jeopardizing the security of the information. Address it in the training, enforce and reprimand on violations. Social networking I like to dump in here as well: don&#039;t type it if it doesn&#039;t belong there. Training must address the insecurities of social networking sites, their lack of security and privacy as well as the vast methods to obtain the information on these sites....train train train..oh, and policies covering it and enforcement of those policies.&lt;br /&gt;
&lt;br /&gt;
Piggy-backing is still very popular; even in highly secure locations I&#039;ve used this very recently. The smoker, the lost soul, the &quot;I lost my card&quot;..all must be addressed. The training and policy must reflect the importance. Employees must learn to confront those who do not appear as an identifiable badged employee, must confront those with no ID, and must contact internal security to verify those who fall into the suspicious category. Those employees allowing others to piggy-back must be reprimanded, even terminated. Again, policy is only as good as the enforcement. If your training and policy state one thing, the enforcement must follow or the policy and training are useless.&lt;br /&gt;
&lt;br /&gt;
Dig through the crap, yes I mean that literally. I have on some occasions, prior to giving a training session, gone through dumpsters a day or two before the session was to begin and brought with me any interesting information I found. Of course the interesting information ranged from credit card numbers of customers to ACH transaction receipts with the full account numbers tossed right into dumpsters. On other occasions, full medical records of patients who had switched doctors. If you were one of those customers by the way..I love you for making my job easy and I hate you for not following your own policies on the proper disposal of information..but I mean that in the most endearing way =) Also, interesting information can include other tidbits like business cards of vendors..&lt;br /&gt;
&lt;br /&gt;
This was not meant to rehash the overabundance of articles detailing common tactics. This is meant as a list of items you need to address, and that I address, in the internal training programs.&lt;br /&gt;
&lt;br /&gt;
Social Engineering Training&lt;br /&gt;
-What is Social Engineering&lt;br /&gt;
-How does it occur&lt;br /&gt;
--Phone&lt;br /&gt;
--Email/IM&lt;br /&gt;
--Face-to-face&lt;br /&gt;
-Internal Security Team Intro and Points of Contact&lt;br /&gt;
-Procedure on reporting Social Engineering Incidents to the Internal Security Team&lt;br /&gt;
&lt;br /&gt;
If your internal policies and procedures do not address Social Engineering in its various forms, or you do not have internal policies, now would be a good time to start on that project. If you lack the internal policies and are looking for templates, &lt;a href=&quot;http://www.sans.org/security-resources/policies/&quot; title=&quot;SANS&quot; target=&quot;_blank&quot;&gt;SANS has a template repository online&lt;/a&gt;..check it out.&lt;br /&gt;
&lt;br /&gt;
The policies must address what Social Engineering is from a high level as well as the penalties for not complying with the policy. The defined penalties must be both accepted by executive management and enforceable.&lt;br /&gt;
&lt;br /&gt;
The procedures must be explicit: this is what you need to do if you feel you are the target of a social engineering attack. The procedure must of course reference the policy to note the potential repercussions if the employee does not abide, as well as the potential impact to the organization for non-compliance.&lt;br /&gt;
&lt;br /&gt;
Policies and Procedures are only as good as they can be enforced..and they must be enforced or they are useless. The training must be as realistic as possible and note the importance for compliance with the policies and procedures. Any deviation will result in a failure of a portion or the entirety of the program.  
    </content:encoded>

    <pubDate>Sun, 08 Aug 2010 17:50:00 -0400</pubDate>
    <guid isPermaLink="false">http://keithpachulski.securitytactics.com/index.php?/archives/38-guid.html</guid>
    
</item>
<item>
    <title>Nikto with NMAP for Web Server Scanning</title>
    <link>http://keithpachulski.securitytactics.com/index.php?/archives/30-Nikto-with-NMAP-for-Web-Server-Scanning.html</link>
            <category>Penetration Testing</category>
            <category>Regulatory Compliance</category>
            <category>System Hardening</category>
    
    <comments>http://keithpachulski.securitytactics.com/index.php?/archives/30-Nikto-with-NMAP-for-Web-Server-Scanning.html#comments</comments>
    <wfw:comment>http://keithpachulski.securitytactics.com/wfwcomment.php?cid=30</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://keithpachulski.securitytactics.com/rss.php?version=2.0&amp;type=comments&amp;cid=30</wfw:commentRss>
    

    <author>nospam@example.com (Keith Pachulski)</author>
    <content:encoded>
    Nikto is a lightweight, portable, Perl-based web application scanner. The only requirements for Nikto to run are Perl and Net::SSLeay; Net::SSLeay is only needed if you plan on auditing SSL-based applications. Nikto requires you to input the targets from the command line, so for this overview we’ll also be using Nmap with the http-headers NSE script to identify and gather basic information on HTTP-based services.
Nikto, as a standalone package, does not include the ability to perform port/service scanning. As such, Nmap will additionally need to be installed on the system performing the audits. Nmap is not a strict requirement; it just makes things easier…

&lt;p&gt;&lt;strong&gt;&lt;u&gt;Required Software/Packages&lt;/u&gt;&lt;/strong&gt;:&lt;/p&gt;

&lt;p&gt;Nikto&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;http://cirt.net/nikto2&quot; target=&quot;_blank&quot;&gt;http://cirt.net/nikto2&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Net::SSLeay&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;http://search.cpan.org/CPAN/authors/id/S/SA/SAMPO/Net_SSLeay.pm-1.25.tar.gz&quot; target=&quot;_blank&quot;&gt;http://search.cpan.org/CPAN/authors/id/S/SA/SAMPO/Net_SSLeay.pm-1.25.tar.gz&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Nmap&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;http://www.nmap.org/download&quot; target=&quot;_blank&quot;&gt;http://www.nmap.org/download&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Nmap http-headers NSE script&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;http://nmap.org/svn/scripts/http-headers.nse&quot; target=&quot;_blank&quot;&gt;http://nmap.org/svn/scripts/http-headers.nse&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;u&gt;&lt;strong&gt;NMAP with NSE to discover potential Web Applications&lt;/strong&gt;&lt;/u&gt;

&lt;p&gt;This section assumes you are running at minimum nmap 5.21; nmap 5.2x is required for the application awareness checking of nmap. To begin, we will be probing the target systems to discover all services and identify what is running on them using the service-aware nmap options, while also using the http-headers NSE script to gather interesting information about the system(s) with potential web applications. From the nmap output, we’ll be targeting those systems running some type of web application. Side note: for those services that show up as unknown, be sure to manually probe them later.&lt;/p&gt;
&lt;p&gt;nmap --script http-headers.nse &lt;target here&gt; -p 1-65535 -A&lt;/p&gt;

&lt;p&gt;I’m targeting all ports here via nmap because some people still believe security through obscurity is a valid mechanism; don’t overlook anything. There are several other options for service-level probing you may want to investigate, but for this I’m doing the quick and dirty.

&lt;p&gt;Once nmap has completed its run, it will spit out everything it found to the console, from that list we will target the services to be audited with Nikto.

&lt;p&gt;$ nmap --script http-headers.nse 192.168.0.1 -A

&lt;p&gt;Starting Nmap 5.21 ( http://nmap.org )
&lt;br /&gt;NSE: Script Scanning completed.
&lt;br /&gt;Nmap scan report for 192.168.0.1
&lt;br /&gt;Host is up (0.0012s latency).
&lt;br /&gt;PORT      STATE    SERVICE       VERSION
&lt;br /&gt;80/tcp    open     http          Apache httpd 2.2.3 ((CentOS) mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.4 Perl/v5.8.8)
&lt;br /&gt;443/tcp   open     ssl/http      Apache httpd 2.2.3 ((CentOS) mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.4 Perl/v5.8.8)

&lt;p&gt;&lt;u&gt;&lt;strong&gt;Installing Nikto and targeting the discovered web applications&lt;/strong&gt;&lt;/u&gt;

&lt;p&gt;Obtain the Nikto package and the Net::SSLeay package from the locations listed above under Required Software/Packages.

&lt;p&gt;Install Net::SSLeay, then untar the Nikto package into your home directory and update Nikto:

&lt;p&gt;./nikto.pl -update

&lt;p&gt;From the nmap NSE scan above, we found the following services in operation that are of interest:

&lt;ul&gt;
&lt;li&gt;80/tcp   open  http        Apache httpd 2.2.3&lt;/li&gt;
&lt;li&gt;5801/tcp open  vnc-http    RealVNC 4.0&lt;/li&gt;
&lt;li&gt;3000/tcp open  http        WEBrick httpd 1.3.1&lt;/li&gt;
&lt;li&gt;443/tcp  open  ssl/http    Apache httpd 2.2.3&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;At the command line, we target these web applications specifically with Nikto by using the following type of command:

&lt;p&gt;./nikto.pl -h &#039;target&#039; -p 80,443,5801,3000 -ssl -output report.html

&lt;p&gt;As Nikto is performing the targeted assessment, any potential issues will be displayed to the console. As the scan is occurring, all results are output to the HTML file with the details of the scan along with the corresponding OSVDB identifiers, broken down by service port tested.

&lt;p&gt;The export format may additionally be set to CSV or XML as needed by naming the output file report.csv or report.xml.

&lt;p&gt;&lt;strong&gt;&lt;u&gt;Executing nmap and passing the results directly to nikto&lt;/u&gt;&lt;/strong&gt;

&lt;p&gt;This is useful when you want/need to check all active web servers in the target subnet(s). The following executes the nmap scan of the target subnet then pipes the discovered hosts to nikto.

&lt;p&gt; nmap 192.168.0.0/24 -oG - | ./nikto.pl -output subnet.html -h -

&lt;p&gt;&lt;strong&gt;&lt;u&gt;Closing&lt;/u&gt;&lt;/strong&gt;

&lt;p&gt;Nikto standalone, I wasn&#039;t overly thrilled with. But again, in a pinch it is a nice tool to keep in the box. In testing nikto, some scans needed to be run several times for nikto to actually do what it had been configured to do via the command line. The reporting isn&#039;t that clean and still leaves a lot of room for interpretation and understanding of common issues.
    </content:encoded>

    <pubDate>Sun, 20 Jun 2010 16:15:00 -0400</pubDate>
    <guid isPermaLink="false">http://keithpachulski.securitytactics.com/index.php?/archives/30-guid.html</guid>
    
</item>
<item>
    <title>Update: Social Mining Tools and Sites</title>
    <link>http://keithpachulski.securitytactics.com/index.php?/archives/14-Update-Social-Mining-Tools-and-Sites.html</link>
            <category>Penetration Testing</category>
            <category>Soapbox</category>
            <category>Social Engineering</category>
    
    <comments>http://keithpachulski.securitytactics.com/index.php?/archives/14-Update-Social-Mining-Tools-and-Sites.html#comments</comments>
    <wfw:comment>http://keithpachulski.securitytactics.com/wfwcomment.php?cid=14</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://keithpachulski.securitytactics.com/rss.php?version=2.0&amp;type=comments&amp;cid=14</wfw:commentRss>
    

    <author>nospam@example.com (Keith Pachulski)</author>
    <content:encoded>
    Short list of some interesting sites and tools for performing some simple social mining and information gathering...&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit&quot; title=&quot;Social Engineering Toolkit&quot; target=&quot;_blank&quot;&gt;Social Engineering Toolkit&lt;/a&gt; is a tool based around social engineering that integrates into Metasploit. I&#039;ll be going into this tool more in later entries.&lt;br /&gt;
&lt;br /&gt;
- SET includes some really useful addons such as generating PDFs with Metasploit payloads to &quot;autopwn&quot; your targets..download the most recent via svn and check it out&lt;br /&gt;
&lt;br /&gt;
The following sites are good starting points in developing your target base by searching for the specific person or an organization.&lt;br /&gt;
&lt;br /&gt;
- &lt;a href=&quot;http://addictomatic.com/&quot; title=&quot;addict-o-matic&quot; target=&quot;_blank&quot;&gt;Addict-o-Matic&lt;/a&gt;&lt;br /&gt;
- &lt;a href=&quot;http://www.socialmention.com/&quot; title=&quot;Social Mention&quot; target=&quot;_blank&quot;&gt;Social Mention&lt;/a&gt;&lt;br /&gt;
- &lt;a href=&quot;http://entitycube.research.microsoft.com/&quot; title=&quot;Entity Cube&quot; target=&quot;_blank&quot;&gt;Entity Cube&lt;/a&gt;&lt;br /&gt;
- &lt;a href=&quot;http://www.yasni.com/&quot; title=&quot;Yasni&quot; target=&quot;_blank&quot;&gt;Yasni&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Facebook Applications&lt;br /&gt;
&lt;br /&gt;
 - &lt;a href=&quot;http://apps.facebook.com/advancedsearch/&quot; target=&quot;_blank&quot;&gt;Advanced Search 2.0 Beta&lt;/a&gt;&lt;br /&gt;
 - &lt;a href=&quot;http://apps.facebook.com/googlesocialsearch/&quot; target=&quot;_blank&quot;&gt;Google Social Search&lt;/a&gt;
    </content:encoded>

    <pubDate>Sat, 13 Mar 2010 12:36:00 -0500</pubDate>
    <guid isPermaLink="false">http://keithpachulski.securitytactics.com/index.php?/archives/14-guid.html</guid>
    
</item>
<item>
    <title>Quick and Dirty - Exploit Suggestor (exploitsuggestor.py) a python script</title>
    <link>http://keithpachulski.securitytactics.com/index.php?/archives/15-Quick-and-Dirty-Exploit-Suggestor-exploitsuggestor.py-a-python-script.html</link>
            <category>Penetration Testing</category>
    
    <comments>http://keithpachulski.securitytactics.com/index.php?/archives/15-Quick-and-Dirty-Exploit-Suggestor-exploitsuggestor.py-a-python-script.html#comments</comments>
    <wfw:comment>http://keithpachulski.securitytactics.com/wfwcomment.php?cid=15</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://keithpachulski.securitytactics.com/rss.php?version=2.0&amp;type=comments&amp;cid=15</wfw:commentRss>
    

    <author>nospam@example.com (Keith Pachulski)</author>
    <content:encoded>
    Exploit Suggestor is a really quick and dirty tool that checks specific ports hard-coded into the python script. If the port scanner (TCP SYN/ACK - it&#039;s slow, so be patient) finds an open port, it grabs the banner. Once it has the banner, it references a local list containing known vulnerable banners. If it finds a match, it then references exploit-db to find a matching exploit.&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.whitec0de.com/tool/exploitsuggestor.py&quot; target=&quot;_blank&quot;&gt;exploitsuggestor&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
There is a typo in the script though regarding the Vuln.txt filename, hence the rename when fetching that file. After getting the python script:&lt;br /&gt;
&lt;br /&gt;
wget http://www.whitec0de.com/tool/exploitsuggestor.py &amp;amp;&amp;amp; chmod 755 exploitsuggestor.py&lt;br /&gt;
&lt;br /&gt;
Run the following in the same directory you saved the python script to:&lt;br /&gt;
&lt;br /&gt;
wget http://www.whitec0de.com/tool/Vuln.txt -O vuln.txt&lt;br /&gt;
&lt;br /&gt;
Not a horrible pocket tool when full versions of your favorite tools are not available.  
    </content:encoded>

    <pubDate>Tue, 23 Feb 2010 23:25:02 -0500</pubDate>
    <guid isPermaLink="false">http://keithpachulski.securitytactics.com/index.php?/archives/15-guid.html</guid>
    
</item>
<item>
    <title>Nmap 5 UDP Application Recognition</title>
    <link>http://keithpachulski.securitytactics.com/index.php?/archives/2-Nmap-5-UDP-Application-Recognition.html</link>
            <category>Penetration Testing</category>
            <category>Regulatory Compliance</category>
    
    <comments>http://keithpachulski.securitytactics.com/index.php?/archives/2-Nmap-5-UDP-Application-Recognition.html#comments</comments>
    <wfw:comment>http://keithpachulski.securitytactics.com/wfwcomment.php?cid=2</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://keithpachulski.securitytactics.com/rss.php?version=2.0&amp;type=comments&amp;cid=2</wfw:commentRss>
    

    <author>nospam@example.com (Keith Pachulski)</author>
    <content:encoded>
    In prior versions of nmap, the UDP scanning portion was of very limited use. That was not a flaw in nmap itself but in how UDP as a transport behaves: a closed port answers with an ICMP error, while an open one usually answers an empty probe with nothing at all. With the new version of nmap, the developers have begun to build application awareness of UDP services into the scanner, with some limitations.&lt;br /&gt;&lt;br /&gt;Typically when scanning for UDP services there were two expected response types. The first was some type of ICMP error message: an ICMP port unreachable indicating that the UDP port was closed, or an ICMP host unreachable (or a similar network unreachable or administratively prohibited message) indicating that the probe never reached a listening socket. The second expected &quot;response&quot; was no response at all, which meant either that a firewall in the path to the target was configured not to generate ICMP error messages, or that there was an actual service listening on the destination port which simply ignored the empty probe. This of course made service discovery generally useless from the point of view of UDP services.&lt;br /&gt;&lt;br /&gt;nmap turns those responses into port states as follows:&lt;br /&gt;&lt;br /&gt;If the port is closed, verified by an ICMP port unreachable error (type 3, code 3), nmap reports the port as closed.&lt;br /&gt;If the nmap host receives an ICMP destination unreachable (type 3) with code 1, 2, 9, 10 or 13 (host unreachable, protocol unreachable, network administratively prohibited, host administratively prohibited, communication administratively prohibited), nmap reports the port as filtered.&lt;br /&gt;If the destination port generates some type of UDP response traffic, nmap reports the port as open.&lt;br /&gt;If nmap receives no response whatsoever, nmap reports the port as open|filtered.&lt;br /&gt;&lt;br /&gt;That was the case until nmap, with this new version, began to become application aware and able to &quot;speak&quot; to certain UDP services. For those services nmap no longer sends an empty datagram but a protocol-specific payload the service is expected to answer, so a reply verifies that there is an actual service listening. Ports outside that list still get the empty probe and still end up as open|filtered when nothing comes back; adding --reason to the scan shows which of the four cases above produced each state, and the ambiguous ports can be re-probed afterwards with -sV, which sends the version detection probes.&lt;br /&gt;&lt;br /&gt;To use the new UDP scanning, run the scans with -sU. 
UDP scanning needs raw sockets, so this option is only available as root, which won&#039;t affect most of the people who are actually reading this:&lt;br /&gt;&lt;br /&gt;e.g.: nmap -sU -sT -A -p 1-65535 target&lt;br /&gt;&lt;br /&gt;[root@keithpachulski keithp]# nmap -sU -p 123,500 192.168.10.254&lt;br /&gt;&lt;br /&gt;Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-06 10:08 EST&lt;br /&gt;Nmap scan report for 192.168.10.254&lt;br /&gt;Host is up (0.0016s latency).&lt;br /&gt;PORT    STATE SERVICE&lt;br /&gt;123/udp open  ntp&lt;br /&gt;500/udp open  isakmp&lt;br /&gt;MAC Address: 00:1B:8F:D3:4C:62 (Cisco Systems)&lt;br /&gt;&lt;br /&gt;Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds&lt;br /&gt;&lt;br /&gt;The same of course can also be performed directly through metasploit when logged into the msfconsole as root:&lt;br /&gt;&lt;br /&gt;msf &gt; db_connect&lt;br /&gt;[*] Successfully connected to the database&lt;br /&gt;[*] File: /root/.msf3/sqlite3.db&lt;br /&gt;msf &gt; db_nmap -sU -p 123,500 192.168.10.254&lt;br /&gt;&lt;br /&gt;Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-06 10:09 EST&lt;br /&gt;Nmap scan report for 192.168.10.254&lt;br /&gt;Host is up (0.0050s latency).&lt;br /&gt;PORT    STATE SERVICE&lt;br /&gt;123/udp open  ntp&lt;br /&gt;500/udp open  isakmp&lt;br /&gt;MAC Address: 00:1B:8F:D3:4C:62 (Cisco Systems)&lt;br /&gt;&lt;br /&gt;Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds&lt;br /&gt;&lt;br /&gt;At this time only the following UDP services have payloads, though I&#039;m sure this list will quickly be expanded upon:&lt;br /&gt;&lt;br /&gt;udp/7 echo&lt;br /&gt;udp/53 domain&lt;br /&gt;udp/111 rpcbind&lt;br /&gt;udp/123 ntp&lt;br /&gt;udp/137 netbios-ns&lt;br /&gt;udp/161 snmp&lt;br /&gt;udp/177 xdmcp&lt;br /&gt;udp/500 isakmp&lt;br /&gt;udp/520 route (RIP)&lt;br /&gt;udp/1645 radius (legacy port)&lt;br /&gt;udp/1812 radius&lt;br /&gt;udp/2049 nfs&lt;br /&gt;udp/5353 zeroconf (mDNS)&lt;br /&gt;udp/10080 amanda&lt;br /&gt;&lt;br /&gt;Something to keep in mind when using the UDP scanner portion of nmap: a full UDP port scan of all 65535 ports, which some regulatory standards such as PCI DSS call for, can take upwards of 18 hours to complete. The main reason is that most hosts rate limit the ICMP port unreachable messages nmap relies on (Linux defaults to one per second), so nmap has to slow down and retransmit to tell a closed port from a silent one. The run time can be bounded with the --host-timeout option, which gives each host a fixed amount of time before nmap gives up on it:&lt;br /&gt;&lt;br /&gt;nmap -sU -p 123,500 192.168.10.254 --host-timeout 10s&lt;br /&gt;&lt;br /&gt;In specifying the host-timeout, you have the option to designate the value as &#039;s&#039; for seconds, &#039;m&#039; for minutes and &#039;h&#039; for hours. Be aware that a host which hits the timeout is abandoned: nmap prints &quot;Skipping host ... due to host timeout&quot; and reports nothing for it, not even the ports it had already probed, so a timeout short enough to make a 65535-port scan fast produces an incomplete result rather than a quick one. For a full-range scan it is usually better to scan the payload-aware ports first, sweep the rest with --max-retries lowered (or --min-rate raised), and follow up the open|filtered ports with -sV.  
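&lt;br /&gt;&lt;br /&gt;The classification above is easy to get wrong when reading a large scan by hand, so here is an added example (mine, not code from the original post or from the nmap project) that reads the XML nmap writes with -oX when --reason is also given, buckets every UDP port by state and reason, and builds the -sV follow-up command for the ports that came back open|filtered. The XML embedded in the script is a constructed sample in the shape nmap 5.x writes; the address, ports and reason strings are assumptions chosen to cover all four cases, not a real scan.&lt;br /&gt;&lt;br /&gt;<![CDATA[
```python
"""Triage a UDP scan saved with: nmap -sU --reason -oX scan.xml <target>

Added example, not code from the original post or from nmap itself.
The XML below is a constructed sample (assumed host, ports and reasons)
in the shape nmap 5.x writes; it covers the four outcomes the post lists.
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one host, five UDP ports, one per outcome plus an
# extra confirmed-open port so the buckets are not all singletons.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU --reason -oX - 192.168.10.254" version="5.21">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.168.10.254" addrtype="ipv4"/>
<ports>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="domain" method="table" conf="3"/></port>
<port protocol="udp" portid="123"><state state="open" reason="udp-response" reason_ttl="255"/><service name="ntp" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="filtered" reason="admin-prohibited" reason_ttl="64"/><service name="snmp" method="table" conf="3"/></port>
<port protocol="udp" portid="500"><state state="open" reason="udp-response" reason_ttl="255"/><service name="isakmp" method="table" conf="3"/></port>
<port protocol="udp" portid="514"><state state="closed" reason="port-unreach" reason_ttl="64"/><service name="syslog" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
"""

# nmap's reason strings for the ICMP type 3 codes the post lists as
# "filtered" (1 host, 2 protocol, 9 net prohibited, 10 host prohibited,
# 13 administratively prohibited). Code 3, port-unreach, means closed.
ICMP_FILTERED_REASONS = {"host-unreach", "proto-unreach", "net-prohibited",
                         "host-prohibited", "admin-prohibited"}


def parse_udp_ports(xml_text):
    """Return (addr, port, state, reason, service) for every UDP port in the run."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")   # first <address> is the IP
        for port in host.iter("port"):
            if port.get("protocol") != "udp":
                continue
            state = port.find("state")
            service = port.find("service")
            rows.append((addr, int(port.get("portid")), state.get("state"),
                         state.get("reason"),
                         service.get("name") if service is not None else ""))
    return rows


def triage(rows):
    """Bucket ports per host by what the reason actually proves.

    confirmed_open : a UDP datagram came back, so something is listening
    needs_followup : silence; could be a firewall or a quiet service
    icmp_filtered  : an unreachable/prohibited ICMP error from a router or host
    closed         : ICMP port unreachable from the target itself
    """
    per_host = defaultdict(lambda: defaultdict(list))
    for addr, port, state, reason, _service in rows:
        if state == "open" and reason == "udp-response":
            bucket = "confirmed_open"
        elif state == "open|filtered":
            bucket = "needs_followup"
        elif state == "filtered" and reason in ICMP_FILTERED_REASONS:
            bucket = "icmp_filtered"
        elif state == "closed":
            bucket = "closed"
        else:
            bucket = "other"      # e.g. open via -sV, or a reason we did not expect
        per_host[addr][bucket].append(port)
    return {addr: dict(buckets) for addr, buckets in per_host.items()}


def followup_commands(rows):
    """One 'nmap -sU -sV' line per host, limited to the open|filtered ports.

    -sV sends nmap's version-detection probes, which are far more likely to
    draw an answer from a silent service than the empty or payload probe of
    the initial scan. Hosts with no ambiguous ports produce no command.
    """
    commands = []
    for addr, buckets in sorted(triage(rows).items()):
        ports = buckets.get("needs_followup", [])
        if ports:
            commands.append("nmap -sU -sV --reason -p %s %s"
                            % (",".join(str(p) for p in ports), addr))
    return commands


if __name__ == "__main__":
    # Usage: python udp_triage.py scan.xml   (no argument: use the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    scan_rows = parse_udp_ports(text)
    for addr, buckets in sorted(triage(scan_rows).items()):
        print(addr)
        for name, ports in sorted(buckets.items()):
            print("  %-15s %s" % (name, ",".join(str(p) for p in ports)))
    for cmd in followup_commands(scan_rows):
        print("follow up: " + cmd)
```
]]>&lt;br /&gt;&lt;br /&gt;Run it as python udp_triage.py scan.xml against a file written with nmap -sU --reason -oX scan.xml; with no argument it prints the buckets for the embedded sample and the single follow-up line for port 53. The bucket names are mine, not nmap&#039;s; nmap&#039;s own vocabulary is the state and reason attributes the script reads, and anything it does not recognise lands in &quot;other&quot; rather than being silently dropped.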
    </content:encoded>

    <pubDate>Sat, 06 Feb 2010 10:20:00 -0500</pubDate>
    <guid isPermaLink="false">http://keithpachulski.securitytactics.com/index.php?/archives/2-guid.html</guid>
    
</item>
<item>
    <title>Metasploit/NeXpose integration from the webconsole on CentOS</title>
    <link>http://keithpachulski.securitytactics.com/index.php?/archives/3-MetasploitNeXpose-integration-from-the-webconsole-on-CentOS.html</link>
            <category>Commercial Products</category>
            <category>Pentration Testing</category>
            <category>Regulatory Compliance</category>
    
    <comments>http://keithpachulski.securitytactics.com/index.php?/archives/3-MetasploitNeXpose-integration-from-the-webconsole-on-CentOS.html#comments</comments>
    <wfw:comment>http://keithpachulski.securitytactics.com/wfwcomment.php?cid=3</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://keithpachulski.securitytactics.com/rss.php?version=2.0&amp;type=comments&amp;cid=3</wfw:commentRss>
    

    <author>nospam@example.com (Keith Pachulski)</author>
    <content:encoded>
    This walks you through, step by step, the setup needed to get the two products working together.&lt;br /&gt;&lt;br /&gt;Download the latest copy of ruby, currently 1.9.1 - &lt;a href=&quot;ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p376.tar.gz&quot; title=&quot;ruby 1.9.1&quot;&gt;ruby 1.9.1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Configure ruby as follows:&lt;br /&gt;&lt;br /&gt;cd ruby-x&lt;br /&gt;./configure --prefix=/opt/msf3 --enable-pthread --enable-shared&lt;br /&gt;make &amp;&amp; make install&lt;br /&gt;&lt;br /&gt;Add ruby to your PATH, using the same prefix you gave to configure: export PATH=/opt/msf3/bin:$PATH (put the line in your shell profile so it survives a new login)&lt;br /&gt;&lt;br /&gt;After installing ruby, download and install the latest &lt;a href=&quot;http://rubyforge.org/frs/?group_id=126&amp;release_id=37073&quot; title=&quot;rubygems&quot;&gt;rubygems&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;- untar the ball, enter the directory and execute ruby setup.rb&lt;br /&gt;&lt;br /&gt;Install libpcap-devel via yum: yum install libpcap-devel (yum search libpcap-devel only tells you whether the package exists, it does not install it)&lt;br /&gt;&lt;br /&gt;After you have ruby and rubygems installed, download the most recent version of &lt;a href=&quot;http://www.metasploit.com/framework/download/&quot; title=&quot;metasploit&quot;&gt;metasploit&lt;/a&gt; or check it out via svn&lt;br /&gt;&lt;br /&gt;- svn checkout https://www.metasploit.com/svn/framework3/trunk /opt/msf3/&lt;br /&gt;&lt;br /&gt;Now build the pcaprub extension that ships with the framework (this directory only exists once the checkout above is done):&lt;br /&gt;&lt;br /&gt;- cd /opt/msf3/external/pcaprub/&lt;br /&gt;- ruby extconf.rb&lt;br /&gt;- make &amp;&amp; make install&lt;br /&gt;&lt;br /&gt;Install the database driver, choose one or more:&lt;br /&gt;- gem install sqlite3-ruby&lt;br /&gt;- gem install mysql&lt;br /&gt;- gem install postgres-pr&lt;br /&gt;&lt;br /&gt;Download and install &lt;a href=&quot;http://www.rapid7.com/products/nexpose-community-edition.jsp&quot; title=&quot;NeXpose&quot;&gt;NeXpose&lt;/a&gt; if you haven&#039;t done so already. Don&#039;t go any further until NeXpose is installed and operational.&lt;br /&gt;&lt;br /&gt;Start the metasploit console: ./msfconsole&lt;br /&gt;&lt;br /&gt;Create the database: db_create&lt;br /&gt;- [*] Creating a new database instance...&lt;br /&gt;- [*] Successfully connected to the database&lt;br /&gt;&lt;br /&gt;After the database has been created, load the nexpose plugin: load nexpose&lt;br /&gt;- [*] NeXpose integration has been activated&lt;br /&gt;- [*] Successfully loaded plugin: nexpose&lt;br /&gt;&lt;br /&gt;Connect to the NeXpose instance: nexpose_connect &quot;username&quot; &quot;password&quot; 127.0.0.1 3780 ok&lt;br /&gt;&lt;br /&gt;The trailing ok is you acknowledging the plugin&#039;s warning that it does not verify the NeXpose console&#039;s SSL certificate, so anyone able to man-in-the-middle that connection can capture the NeXpose credentials. Connecting to 127.0.0.1 as shown, or only over a trusted network, is what makes that acceptable.&lt;br /&gt;&lt;br /&gt;Launch your first scan and automatically pass results to metasploit for processing (-t picks the NeXpose scan template, -x tells the plugin to automatically launch exploits whose references match the vulnerabilities NeXpose reports):&lt;br /&gt;&lt;br /&gt;- nexpose_scan -x -t full-audit &lt;IP or netblock&gt;&lt;br /&gt;&lt;br /&gt;To see the full list of nexpose_scan options, execute the following: nexpose_scan -h (nexpose_connect -h does the same for the connect command)&lt;br /&gt;&lt;br /&gt;If there are any successful exploitations as a result of the scan, you will be presented with the following:&lt;br /&gt;&lt;br /&gt;- [*] Command shell session 1 opened&lt;br /&gt;&lt;br /&gt;To view the active sessions, execute the following: sessions -l -v&lt;br /&gt;&lt;br /&gt;Full results from the audit can be viewed by logging into the NeXpose web console.&lt;br /&gt;&lt;br /&gt;Disconnect from NeXpose via the metasploit msfconsole or weird things happen: nexpose_disconnect&lt;br /&gt;&lt;br /&gt;Suggestion: once this is all working correctly and you&#039;re happy, set metasploit to update daily, or however often you prefer, via cron. A daily 03:00 update (the schedule is just an example, pick your own) looks like this in the crontab:&lt;br /&gt;&lt;br /&gt;0 3 * * * svn update /opt/msf3/&lt;br /&gt;&lt;br /&gt;When running future metasploit/nexpose sessions, be sure to reconnect to the database before connecting to nexpose:&lt;br /&gt;&lt;br /&gt;- ./msfconsole&lt;br /&gt;- db_connect&lt;br /&gt;- nexpose_connect &quot;same stuff as above&quot;&lt;br /&gt;&lt;br /&gt;And you&#039;re done...go have some fun now..  
    </content:encoded>

    <pubDate>Sat, 30 Jan 2010 10:25:00 -0500</pubDate>
    <guid isPermaLink="false">http://keithpachulski.securitytactics.com/index.php?/archives/3-guid.html</guid>
    
</item>
<item>
    <title>Metasploit Web Console via Squid Reverse Proxy</title>
    <link>http://keithpachulski.securitytactics.com/index.php?/archives/4-Metasploit-Web-Console-via-Squid-Reverse-Proxy.html</link>
            <category>Pentration Testing</category>
    
    <comments>http://keithpachulski.securitytactics.com/index.php?/archives/4-Metasploit-Web-Console-via-Squid-Reverse-Proxy.html#comments</comments>
    <wfw:comment>http://keithpachulski.securitytactics.com/wfwcomment.php?cid=4</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://keithpachulski.securitytactics.com/rss.php?version=2.0&amp;type=comments&amp;cid=4</wfw:commentRss>
    

    <author>nospam@example.com (Keith Pachulski)</author>
    <content:encoded>
    The goal of this was relatively simple. I wanted metasploit to be accessible remotely so that after I run an audit with &lt;a href=&quot;http://www.rapid7.com/&quot; title=&quot;NeXpose&quot; target=&quot;_blank&quot;&gt;NeXpose&lt;/a&gt; I can then actively test the discovered vulnerabilities from the metasploit webconsole. After debating a few ways in my head I decided to utilize Squid as a reverse proxy performing MySQL authentication on the connection attempts to the Metasploit web console.&lt;br /&gt;&lt;br /&gt;Unfortunately the rpm version of squid installed from the CentOS iso does not have the squid_db_auth helper installed, so I&#039;ll need to revisit that section at a later date. Of course, after reviewing some of the information for the squid_db_auth module, the authentication credentials are passed in cleartext from squid to the MySQL server. As such, I&#039;ll likely work on developing a round-robin setup where Squid will forward connection requests to Apache, then have Apache use auth_mysql to hash and salt the password before sending it over the wire. After the connection has been authenticated, mod_proxy then passes the connection to the metasploit web console.&lt;br /&gt;&lt;br /&gt;Sounds complicated, yes, but do you really want some anklebiter in China hacking the Pentagon from your server?&lt;br /&gt;&lt;br /&gt;First off, download the latest framework from the metasploit website&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.metasploit.com/framework/download/&quot; target=&quot;_blank&quot;&gt;Metasploit&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you do not have rubygems installed, you&#039;ll need that as well before the metasploit web console will even start.&lt;br /&gt;&lt;br /&gt;Check rpm and locate for giggles before downloading and installing another version:&lt;br /&gt;&lt;br /&gt;rpm -qa | grep rubygem or locate rubygem - If nothing is found, then download and install as described in the next two steps.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://rubyforge.org/projects/rubygems/&quot; target=&quot;_blank&quot;&gt;rubygems&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;ruby setup.rb, as root, to actually install rubygems&lt;br /&gt;&lt;br /&gt;Once you have rubygems installed, cd into the msf directory and test the metasploit webrick installation to ensure there are no issues:&lt;br /&gt;&lt;br /&gt;./msfweb&lt;br /&gt;&lt;br /&gt;If it starts with no errors, ctrl+C to stop the server, then launch the server as a background process:&lt;br /&gt;&lt;br /&gt;./msfweb -d&lt;br /&gt;&lt;br /&gt;Now for the basic squid reverse proxy configuration, before we start with the MySQL authentication, if you even want that.&lt;br /&gt;&lt;br /&gt;First define in squid.conf the source address or netblock you&#039;ll be coming from to access the metasploit console, and allow only that:&lt;br /&gt;&lt;br /&gt;acl our_networks src 192.168.1.0/24&lt;br /&gt;http_access allow our_networks&lt;br /&gt;http_reply_access allow our_networks&lt;br /&gt;&lt;br /&gt;http_port 80 defaultsite=localhost vhost&lt;br /&gt;cache_peer 127.0.0.1 parent 55555 0 no-query originserver&lt;br /&gt;&lt;br /&gt;Make sure localhost is defined in your /etc/hosts file as 127.0.0.1 or this will not work. Also, you have to redirect port 80 to 55555. If you try to use any other port as the reverse proxy port, the console application will not work, as by default it tries to connect to port 80 on the server. All other portions of the metasploit application will however work, so if you do not plan on using the command line console, feel free to set the http_port to anything you want.&lt;br /&gt;&lt;br /&gt;Once you make these modifications start, or restart, squid. At this point you should be able to connect to your server on its public, non-loopback, address and, as long as you&#039;re coming from some system on the 192.168.1.0/24 netblock, you should now be presented with the metasploit webconsole.&lt;br /&gt;&lt;br /&gt;At this point you have metasploit running, with squid doing source address checking/access control. If you additionally want squid to authenticate users attempting to access the metasploit application, you&#039;ll need the squid_db_auth setup mentioned above, which is the part I still have to revisit.&lt;br /&gt;&lt;br /&gt;For monitoring both successful and failed access to the metasploit web console, and users attempting to use it as an open proxy, I added /var/log/squid/access.log to the OSSEC (open source host intrusion detection) configuration. I&#039;ll be discussing OSSEC in great detail in a blog post to be coming shortly..well, relatively shortly.  
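&lt;br /&gt;&lt;br /&gt;Here is the reverse proxy fragment as I would write it out in full, as an added example rather than the lines from the post above: the same source netblock and msfweb port, plus an explicit deny so that the access list does not depend on squid&#039;s &quot;opposite of the last rule&quot; default, and a peer restriction so squid cannot be used to fetch anything except msfweb. The peer name msfweb is an assumption; everything else is taken from the configuration above.&lt;br /&gt;&lt;br /&gt;
```conf
# squid.conf fragment: reverse proxy in front of msfweb (added example,
# not the configuration from the original post). It replaces the stock
# http_access list; an "http_access allow localnet" left above this block
# would be matched first and let the whole local network in.

# Who may reach the Metasploit web console. Assumed: 192.168.1.0/24 as above.
acl our_networks src 192.168.1.0/24

# Accelerator (reverse proxy) mode on port 80; the msf console expects port 80.
# defaultsite supplies the Host header for clients that omit it.
http_port 80 accel defaultsite=localhost vhost

# The origin server: msfweb on the loopback interface, port 55555.
# name= lets cache_peer_access refer to it below (the name is assumed).
cache_peer 127.0.0.1 parent 55555 0 no-query originserver name=msfweb

# Source address is the only gate here: allow the netblock, deny everyone
# else explicitly, for both requests and replies.
http_access allow our_networks
http_access deny all
http_reply_access allow our_networks
http_reply_access deny all

# Every permitted request must go to msfweb and nowhere else, so the box
# cannot be turned into an open forward proxy, which is exactly what
# watching access.log is meant to catch.
cache_peer_access msfweb allow our_networks
cache_peer_access msfweb deny all
never_direct allow all
```
&lt;br /&gt;&lt;br /&gt;Two things worth keeping in mind with this setup. Squid is the only thing standing between the network and msfweb, which has no authentication of its own, so leave msfweb listening on the loopback address (which it does unless you started it with -a to bind elsewhere) or the proxy is bypassed entirely. And because squid is listening on plain HTTP, the source ACL is doing all the work: anyone on 192.168.1.0/24, or able to route from it, gets the console, and nothing the console sends is protected on the wire.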
    </content:encoded>

    <pubDate>Thu, 21 Jan 2010 10:02:00 -0500</pubDate>
    <guid isPermaLink="false">http://keithpachulski.securitytactics.com/index.php?/archives/4-guid.html</guid>
    
</item>
<item>
    <title>Product Comparison - Nessus 4.2.0 vs. Rapid7 NeXpose</title>
    <link>http://keithpachulski.securitytactics.com/index.php?/archives/5-Product-Comparison-Nessus-4.2.0-vs.-Rapid7-NeXpose.html</link>
            <category>Commercial Products</category>
            <category>Pentration Testing</category>
            <category>Regulatory Compliance</category>
    
    <comments>http://keithpachulski.securitytactics.com/index.php?/archives/5-Product-Comparison-Nessus-4.2.0-vs.-Rapid7-NeXpose.html#comments</comments>
    <wfw:comment>http://keithpachulski.securitytactics.com/wfwcomment.php?cid=5</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://keithpachulski.securitytactics.com/rss.php?version=2.0&amp;type=comments&amp;cid=5</wfw:commentRss>
    

    <author>nospam@example.com (Keith Pachulski)</author>
    <content:encoded>
    I&#039;ve been a Nessus user for quite some time now, likely as far back as version 1. I&#039;ve liked the product up until the most recent release, 4.2.0, when I began having all sorts of problems: audits not completing; when they did complete, the report either would not generate, or if it did generate it would present large black boxes sporadically throughout the report; the console would crash or restart without warning...&lt;br /&gt;&lt;br /&gt;After contacting Tenable support, I was told some of the most outrageous excuses, such as &quot;We don&#039;t support scans through firewalls&quot;, &quot;We don&#039;t support scanning that large a network segment&quot;, &quot;Your report is too large, you need to add this filter to remove some of the entries to have the report generate&quot;.&lt;br /&gt;&lt;br /&gt;With that said, Tenable, all I can offer you is this. Before your next product release, I suggest you download NeXpose from Rapid7 and seriously reconsider how your product functions and what the end-user security community actually needs.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Installation and Setup&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;Both products were easy to install. Nessus required no dependencies and installed after about 5 minutes. NeXpose required one dependency, which took approximately 2 minutes to locate and install, after which the install process was approximately 5 minutes.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Functionality&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;If you download Nessus, you&#039;re restricted to only auditing for Windows vulnerabilities. If you want more, you need to buy the professional feed for $1200.00 a year.&lt;br /&gt;&lt;br /&gt;NeXpose is fully functional, with the only restriction on the &quot;Community&quot; version being that you cannot have more than 32 IPs in the UI at a given time and regulatory audits are disabled. NeXpose also integrates directly with Metasploit. This makes the actual testing portion of the audit process far easier, as you can just hop down to the console and test for the reported vulnerabilities rather than hunting for the source to actually verify a reported issue.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Front-End&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;Nessus has the very sexy front-end UI, while NeXpose has the php front-end. I honestly prefer the php front end; it loads faster and doesn&#039;t chew up a large chunk of memory. If you like flashy stuff though, the Nessus UI would likely hook you.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Audit Policies&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;Nessus comes with no pre-configured audit policies and, while there is some user documentation, once you configure your first policy and it fails you&#039;ll learn most of the options described in the User Guide are neither supported nor recommended by Tenable.&lt;br /&gt;&lt;br /&gt;NeXpose comes with several preconfigured policies to test not only for regulatory requirements such as PCI, SARBOX and HIPAA, but also for a web application audit, &quot;full&quot; and &quot;exhaustive&quot; audits or a full blown penetration test.&lt;br /&gt;&lt;br /&gt;This of course makes the auditor&#039;s job much easier, as they do not need to spend 20 minutes trying to develop a working audit policy, run it, then work out the bugs by reconfiguring the policy, as with Nessus.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Audit Function and Reporting&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;With Nessus, after you&#039;ve created your policy and finally executed the scan, you are offered a single technical report. Within the report provided by Tenable you&#039;ll have cursory overviews of the detected vulnerabilities along with the occasional CVSS score assigned to a vulnerability. From there, you have no other option but to generate your report and start the process of going to your external vulnerability management system, adding all the issues, then beginning the process of addressing the individual vulnerabilities. The actual reports are only available in HTML or the Nessus specific file formats. Nessus used to have a PDF option but they removed it with version 4.x.x.&lt;br /&gt;&lt;br /&gt;With Nessus, if you want to re-audit the system(s), you need to repeat the process of entering the IP or netblock to rescan and assigning the policy. Time consuming and slightly annoying.&lt;br /&gt;&lt;br /&gt;NeXpose, on the other hand, stores the IP or netblock information once you enter it into the UI, and you can set up an automated schedule. With this you can say, every 3 months for example, for those PCI-DSS folks out there, re-audit this specific asset. Yes, with NeXpose you can create an asset object.&lt;br /&gt;&lt;br /&gt;Once the audit has been completed, the NeXpose console will list out all vulnerabilities discovered. It will also provide you with an overall CVSS score for the entire asset as well as a risk score per system within the asset group. Unlike Nessus you have two reporting options, Technical and Executive. The Executive report offers the high level overview along with graphs, charts and risk levels. The technical report provides a complete list of all discovered issues, how the issues were discovered, along with a step by step on how to resolve the issues.&lt;br /&gt;&lt;br /&gt;NeXpose reports are also able to be customized to the type of vulnerabilities you wish to report, such as &quot;All Vulnerabilities&quot;, &quot;Critical Vulnerabilities&quot; or &quot;Critical and Severe Vulnerabilities&quot;. Reports are able to be generated in PDF, XML or HTML.&lt;br /&gt;&lt;br /&gt;In addition to the exhaustive reporting NeXpose provides, it also gives you the ability to track the issue directly through the NeXpose console. Once an issue has been resolved, you click on the &quot;exclude&quot; image and you are asked to enter why you are excluding the vulnerability. This integrated vulnerability management system makes the analyst&#039;s life easier, as all of the information he/she needs is contained within the single system. The entire life cycle, from discovery through verification and resolution, all resides on a single webpage.&lt;br /&gt;&lt;br /&gt;The other added bonus: NeXpose runs off an integrated postgresql database. If an analyst should so desire, custom reporting can be retrieved from the database as needed.&lt;br /&gt;&lt;br /&gt;In closing, if you are a Nessus user, I would strongly urge you to go to the rapid7 website and download NeXpose..kick the wheels and give it a spin. I promise you that you will not be disappointed.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;http://www.rapid7.com/&quot; title=&quot;NeXpose&quot;&gt;NeXpose&lt;/a&gt;&lt;br /&gt;&lt;a href=&quot;http://www.nessus.org/nessus/&quot; title=&quot;Nessus&quot;&gt;Nessus&lt;/a&gt;  
    </content:encoded>

    <pubDate>Tue, 12 Jan 2010 11:15:00 -0500</pubDate>
    <guid isPermaLink="false">http://keithpachulski.securitytactics.com/index.php?/archives/5-guid.html</guid>
    
</item>

</channel>
</rss>