
Step-by-step guide to using Nexpose







NeXpose v5 POC Guide
Step by Step









Version 1.2
17 Jan 2013
By Michael Lai

Senior Security Sales Engineer, APAC
CISSP, CISA, BS7799, MBA, MSc, BEng(hons)



Table of Contents
1. Introduction 3
2. Installation 4
3. Initial Setup 10
4. Site and Scan 16
5. Viewing Assets 28
6. Viewing Vulnerability 50
7. Using Tickets 36
8. Reporting 39
9. Scan Template 50
10. User Management 59
11. Administration 62
12. Metasploit Integration 67
13. FAQ 76
14. Evaluation Checklist 80





1. Introduction

As requested by many partners and customers who want something that teaches them how to
evaluate, or you could say "play with", NeXpose, this POC guide leads you through testing NeXpose in a
step-by-step approach. Its structure follows a complete evaluation cycle: installation, asset
discovery, vulnerability assessment, reporting and remediation. Apart from product
configuration, this guide also tells you where to get more product/marketing information and
support.
For each task, for example locating an asset and assigning a ticket to an administrator, there may be
several ways to do it. This guide goes through one way for demonstration only, so remember that
learning, touching and feeling NeXpose to understand its logic is more important than following
the guide's clicks and inputs.
This guide does not cover solution design, sizing, dynamic sites, compliance (e.g. PCI) or the backend
technology of NeXpose. These topics may be covered in a later version or in the formal classroom
training. Nevertheless, information on them can be found on the Rapid7 web site.
Compared to v1.0 released in Jan 2012, v1.1 includes the updates below.
- Added IPv6 network scan
- Added Dynamic Site VMServer scan
- Added Metasploit Integration
- Updated the content (e.g. screen shots) for version 5.4
Compared to v1.1 released in Oct 2012, v1.2 includes the updates below.
- New reporting GUI
- Updated URLs for the new Rapid7 web site



2. Installation

This section goes through the steps to get Nexpose installed correctly. It includes
getting the documents, software, license, etc. In this step-by-step guide, Nexpose is installed on
Ubuntu 10.04 LTS 64-bit. If you do not have an environment for testing NeXpose, this guide tells you
how to set up a test lab.
2.1 Download the documents. Visit and
download the Nexpose Administrator's Guide, Nexpose User's Guide and Nexpose Installation
Guide. If you cannot see these documents on the page, search for them.



2.2 Check the requirements. Open the Installation Guide and find "Installation Requirements". The
requirements are shown below. Other deployment options include appliance, managed service
and private cloud (









2.3 Go to and download the
software for your OS. The same installer is used for all editions such as Community and Enterprise.
The edition and its features are controlled only by the license.



2.4 Run the installation. Only Ubuntu is covered here; for other OSes, refer to the Installation
Guide. Open a command prompt and switch to the super user with the command "sudo -i".



2.5 If you need to test IPv6, ensure that an IPv6 address is assigned to the OS and that it works
(e.g. "ping6 IP_v6_addr") before the installation.





2.6 Install the required package with the command "apt-get install screen". It does no harm to run this
command if the package is already installed.




2.7 Go to the directory where the installation software is stored. Ensure that the file has execute
permission. If not, use the command "chmod +x NexposeSetup-Linux64.bin" to add the execute
permission.



2.8 Run the installer in GUI mode with the command "./NexposeSetup-Linux64.bin", or in
console mode with the command "./NexposeSetup-Linux64.bin -c". "./NexposeSetup-Linux64.bin -h"
shows the help. The steps below use console mode to avoid the graphical configuration.





2.9 Press "y" (lower case) to start the installation. The system information checked will be shown;
ensure that all items are [Pass] or [Warn]. If running on Windows, assign 8GB of memory. If
running on Linux, 4GB of memory is fine for evaluation.



2.10 The next few steps are the license agreement and inputting name and company; follow the screen.

2.11 The next step is choosing to install the Nexpose Security Console with a local Scan Engine, or only
the Scan Engine. In this case, select "1" for both.



2.12 The next step is the installation directory; use the default "/opt/rapid7/Nexpose". If anti-virus is
installed, this directory should be on its whitelist to bypass virus scanning.

2.13 If the free hard disk space is less than 80GB, a warning is shown. Press "c" to continue.




2.14 The next step is to input the login ID and password. Follow the screen and remember the
credentials. If you forget the ID or the password, there is no way to recover them and you must
reinstall Nexpose.

2.15 There are two additional tasks, "Create a desktop icon" and "Initialize and start Nexpose
after installation". Press "Y" for both.



2.16 Installation begins and the initialization takes time. It usually takes about 10-30 minutes to
complete the installation on Linux, but it may take up to 3-4 hours on Windows.



2.17 Notice that the login URL is https://[ip_address/hostname]:3780 and that
"/opt/rapid7/Nexpose/nsc/nsc.sh" is used to start Nexpose manually. Then press "Enter" to
finish the installation.





2.18 To manage the NeXpose daemon, go to "/etc/init.d". Run "./Nexposeconsole.rc status" to check
whether the Nexpose console is running, "./Nexposeconsole.rc stop" to stop it, "./Nexposeconsole.rc start"
to start it and "./Nexposeconsole.rc restart" to restart it.
The NeXpose console includes the web console, backend database and scan engine.



2.19 Build the test lab. Below are the recommended systems on the network.

- Nexpose Console + Scan Engine (just installed in this section)
- Metasploitable2: Linux host with many vulnerabilities, including web
- Windows 2003/2008 server: with a domain enabled for testing policy
- Windows 7 or Windows XP: for workstation scans

Below are the IP addresses assigned in this guide; you can use your own IP set.

Host              IPv4                IPv6
Nexpose           192.168.152.15/24   1000::3/64
Metasploitable2   192.168.152.13/24
Windows2008       192.168.152.9/24    1000::4/64
Windows7          192.168.152.21/24   1000::2/64


2.20 To download Metasploitable2: Visit find

and click the blue "available for download" to go to the download site and download the 873MB
zip file "metasploitable-linux-2.0.0.zip". Unzip it and run it on VMware Workstation or VMware Player. The
login ID and password are "msfadmin" and "msfadmin" respectively.




3. Initial Setup

In this section, Nexpose is configured to be ready to scan. License activation, updates and other
initialization work are covered here.
3.1 To log in to the web console, connect to https://Nexpose_IP:3780; Firefox is recommended. Log in with
the credentials entered during installation in 2.14. The "News" (e.g. product updates) is shown after
login.



3.2 To check the license, click "Administration" at the top menu bar. Locate "Security Console" at the
left then click the blue "Manage". Click "Licensing" at the left.




3.3 You need an Enterprise License to go through this POC. If you do not have one, you can register for one on
You can also contact
Rapid7 or Rapid7 partners to get an Enterprise License key.



3.4 Once you get the license email, click "Activate a new license" under the warning message. If
activation fails, restart the server and log in again; you will be prompted for the license key
immediately. After activation, the correct license information should be shown.






3.5 If activation fails, you can:
3.5.1 Before installation, confirm that the host-based firewall is disabled and the NeXpose installation
folder is on the anti-virus whitelist.
3.5.2 After installation, reboot the host before activation.
3.5.3 If you are behind a proxy, configure it here: Administration/Security Console/Proxy
Settings
3.5.4 The IP address of the Nexpose server must be whitelisted through firewalls and URL filters
like Bluecoat/Websense. You must allow all traffic out over port 80 to updates.rapid7.com.
Confirm this by opening a terminal and typing "telnet updates.rapid7.com 80".
In the same fashion, open up the IE browser and type in and you
should see a blank page if using Firefox, or a "page not found" error in IE, instead of a
blocking page or a connection error.
3.5.5 If there is no web proxy, go to Administration > Diagnostics > Command Console and run "ping
updates.rapid7.com" to test the connection to the activation server. You need to ensure that
the connection to port 80 is ALIVE.

3.5.6 NeXpose needs to reach the Rapid7 update server to pull down the jar and zip files needed for
activation and updating. Since some web gateway/firewall content controls may block jar
files from unknown sites, you may need to change the policy to allow NeXpose to get the
jar file.

3.5.7 Confirm that the browser in use is supported (check 2.2).
3.5.8 Clear the browser cache and try activation again.
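The host checks scattered through section 2 (root shell, "screen" package, executable installer, 4GB RAM, 80GB free disk) and the port 80 reachability test of 3.5.4 can be run in one go before starting the installer. The script below is an added example and is not part of the Rapid7 guide; the installer path, install directory and update host are taken from steps 2.7, 2.12 and 3.5.4, and the function names are my own.

```shell
#!/bin/sh
# Pre-install check for the Nexpose console host (added example, not from the guide).
# Thresholds come from the guide: 4 GB RAM for a Linux evaluation (2.9), 80 GB free
# disk (2.13), "screen" installed (2.6), executable installer (2.7), TCP/80 to
# updates.rapid7.com for activation and updates (3.5.4).

INSTALLER="${INSTALLER:-./NexposeSetup-Linux64.bin}"   # file name from step 2.7
INSTALL_DIR="${INSTALL_DIR:-/opt/rapid7/Nexpose}"      # default from step 2.12
UPDATE_HOST="updates.rapid7.com"                       # activation server from 3.5.4

# mem_ok TOTAL_KB : pass when the host has at least 4 GB of RAM.
mem_ok() { [ "$1" -ge $((4 * 1024 * 1024)) ]; }

# disk_ok FREE_KB : pass when at least 80 GB is free, the level below which 2.13 warns.
disk_ok() { [ "$1" -ge $((80 * 1024 * 1024)) ]; }

# installer_ok PATH : pass when the installer exists and has the execute bit.
installer_ok() { [ -f "$1" ] && [ -x "$1" ]; }

# pkg_ok NAME : pass when the Debian/Ubuntu package is installed.
pkg_ok() { dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q "install ok installed"; }

# port80_ok HOST : TCP connect test equivalent to the manual "telnet HOST 80" of 3.5.4.
port80_ok() {
  if [ -n "$BASH_VERSION" ]; then
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/80" 2>/dev/null   # bash built-in socket
  else
    nc -z -w 5 "$1" 80 2>/dev/null                           # fallback under dash
  fi
}

# report CHECK ARG : print the result in the installer's own [Pass]/[Fail] style.
report() { if "$@"; then echo "[Pass] $1"; else echo "[Fail] $1"; FAILED=1; fi; }

preflight() {
  FAILED=0
  [ "$(id -u)" -eq 0 ] || echo "[Warn] not root; run 'sudo -i' first (step 2.4)"
  report mem_ok "$(awk '/MemTotal/ {print $2}' /proc/meminfo)"
  report disk_ok "$(df -Pk "$(dirname "$INSTALL_DIR")" | awk 'NR==2 {print $4}')"
  report installer_ok "$INSTALLER"
  report pkg_ok screen
  report port80_ok "$UPDATE_HOST"
  return "$FAILED"
}

# Live checks run only with --run; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as "sh preflight.sh --run" on the Ubuntu host before step 2.8; a non-zero exit means at least one check failed.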

3.6 To run diagnostics, click "Administration" at the top menu bar. Locate "Troubleshooting" at the
left then click the blue "Diagnose". Click the "Perform diagnostics" button. Ensure that all
categories have a green tick status.




3.7 To run a manual update, click "Administration" at the top menu bar. Locate "Security Console" at
the left then click the blue "Manage". Click "Updates" at the left. Click the "Manual Update"
button and then press "Start manual update" on the pop-up window.





3.8 To check the update status, click "Administration" at the top menu bar. Locate "Security Console" at
the left and click the blue "Manage". The "General" page shows the version and the last update
information.





3.9 To avoid self-scan, click "Administration" at the top menu bar. Locate "Global Settings" at the
left then click the blue "Manage". Click "Asset Exclusions" at the left. Input the Nexpose console
IP address and then click the "Save" button.


3.10 Set the web GUI timeout. Click "Administration" at the top menu bar. Locate "Security Console"
at the left then click the blue "Manage". Click "Web Server" at the left. Set the "Session timeout"
to 1800 seconds or another comfortable value.



3.11 To check the details of a new update (e.g. new vulnerability checks), click "News" at the top
right.



3.12 On Linux, to view the real-time system log of Nexpose, type "screen -x" at the command
prompt. The log shows system events such as update operations and license status. Press "Ctrl
+ a" then "d" to detach; you will see a message like "[detached from 1503.Nexposeconsole]". Don't use
"Ctrl + C", "Ctrl + X" or "Ctrl + Z", which would terminate the Nexpose console.


3.13 Review the host security settings. If the host has anti-virus installed, ensure that the
Nexpose directory is on the whitelist. If the host firewall is enabled, disable it. If host IPS/IDS is
enabled, disable it.



4. Site and Scan

A site groups together a logical collection of devices. Each site is then scanned together
by the same scan engine. In v5.x there are two site types. A static site is a collection of IP addresses, IP
ranges and hostnames. A dynamic site is used to discover vAssets on a vCenter server. In this guide,
only static sites are covered. You will learn how to build a site and how to run a scan on it with and without
credentials.

4.1 Power on the host Metasploitable2 and Windows7. Refer to step 2.19 to 2.20.

4.2 Go to “Home” and click the “New static site” button.



4.3 Input a site name such as "My first site". The "Importance" is a factor that increases or reduces
the risk score of the site to fine-tune the actual risk level. For example, the same vulnerability
may bring more risk on a database server than on a workstation. Leave it as "Normal" and then
press "Next". More about site importance in 10.8.

Very Low x 1/3
Low x 1/2
Normal x 1
High x 2
Very High x 3






4.4 On the "Assets" page, input the IP address range of the lab network or the IP address of the
target host. Excluded IPs can be added here. Importing a file is supported; the accepted format is
shown at the right. In this example, only Metasploitable2 is scanned. Click the "Next" button.



4.5 On the "Scan Setup" page, the drop-down menu under "Scan Template" lists all the
available templates. Select "Full audit". If you have multiple Scan Engines, you can choose one
for this site. Tick "Enable schedule" to see the scheduled scan settings.






4.6 A scheduled scan can be started at a specific date and time. A maximum scan window can be set. A scan
can be set to repeat on a cycle (e.g. every week), and you can define how it runs if the last scan cannot finish
within the scanning window (e.g. continue). Untick "Enable schedule" then click "Next".



4.7 On the "Alerting" page, click the "Add alert" button to see the available alert settings. An alert can
be sent when a scan is started, stopped, failed, paused or resumed. Moreover, an alert can be
sent if a vulnerability (e.g. severe and critical) is confirmed, found (unconfirmed) or potential. The
alert options include SMTP email, SNMP and Syslog. Click "Cancel" then click "Next".

4.8 NeXpose supports authentication to a wide range of systems for vulnerability scanning and policy
auditing. The supported systems include Windows, databases, shell, web, etc. Credentials will be covered
later. Click "Next".



4.9 Web applications support form-based authentication and HTTP header authentication (session-based).
This will be covered later. Click "Next".


4.10 Organization information such as company and contact can be added here; it will be
used in the reports generated for this site. Input your information and click "Next".



4.11 A site can be set to allow specific users to access it, an auditor for example. Click "Save".



4.12 To start the first scan: the newly added site is shown under the "Site Listing" section on the "Home"
page. Click the green "Scan" button. You can also "Edit" the site settings, for example to use another
scan template or to scan other hosts.


4.13 Verify that the site information is correct. You can exclude or add IPs here. Click "Start now".




4.14 The scan progress is shown. The scan can be stopped or paused at any time. The "Remaining"
time changes according to what facts are found and what actions will be taken by the expert system
JESS. The scan log can be downloaded during or after the scan. The log shows what is being done in this
scan, such as "Trying form-based XSS injection" on a URL.







4.15 The "Discovered Assets" pane shows each host's IP, hostname, OS and number of vulnerabilities.



4.16 On the "Home" tab of the top menu bar, the scan is shown under the "Current Scan Listing for
All Sites" section, and it can be stopped, paused or resumed there.



4.17 Site information can be found after the scan. Go to the "Home" tab on the top menu bar; there
is a bar chart showing the number of vulnerabilities by severity level and another chart showing the
vulnerability trend. The site information includes the number of assets, number of
vulnerabilities, risk score, site type (static or dynamic) and scan status.



4.18 Try to run a credentialed scan on a Windows domain. Referring to 2.19, set up a Windows domain
with a server and a Windows workstation. If the Windows domain contains Windows 7 or
Windows Server 2008, ensure that the "Remote Registry" service is enabled.
1. On the computer where you want to record Shutdown Event Tracker data, click Start, click in
the Start Search box, type services.msc, and then press ENTER. Microsoft Management
Console will start with the Services snap-in open.
2. In the console pane, right-click Remote Registry and click Start.


4.19 Referring to 4.2 to 4.5, build a new static site (e.g. called "Windows Domain") with these two
Windows assets (the Win2008 server and Win7) as members and select the "Exhaustive" scan template.
"Exhaustive" includes patch/hotfix checking, policy compliance checking and application-layer
auditing. Click the "Browse" button and click "Exhaustive" to view the scan template;
"Exhaustive" includes the policy audits for Oracle, Lotus Domino, Windows Group, CIFS/SMB,
AS/400 and UNIX. In this case, the "Windows Group Policy" audit will be applied to scan the Windows
domain. Performing an exhaustive audit could take several hours to complete, depending on the
number of hosts selected. More about scan templates will be discussed later.

4.20 On the "Credentials" page, add a "Microsoft Windows/Samba (SMB/CIFS)" credential to log in to
the Windows domain. Remember to test the credential before saving. Save and run the scan on
this new site "Windows Domain". The result will be discussed in the next section. The credential can
be restricted to an IP at a specific port only. If there is no restriction, all targets in the site scan
with the matching service running will have this credential applied.



4.21 If a scan credential is shared by multiple sites, you can create Shared Scan Credentials.
Click "Administration" at the top menu bar and then click the blue "Create" under "Shared Scan
Credentials".



4.22 The settings are the same as in 4.20 except for an additional setting called "Site assignment". This
credential can be assigned to all sites or to specific sites.




4.23 Nexpose supports IPv6 networks. Create a site called "IPv6 Test" and input the IPv6 addresses
of the Windows 2008 Server and Windows 7 (refer to 2.19). Select "Full Audit" as the scan
template and run the scan without credentials. Some vulnerabilities should be found.




4.24 To scan a dynamic site, you first need to create a Discovery Connection to connect to
the VM server. Go to "Administration" and click the blue "Create" next to "Discovery Connections".