NeXpose FAQ - Answers

Scanning

What types of devices does NeXpose analyze during a scan?

NeXpose will scan and analyze any device with an IP Address, including servers, desktops, switches, routers, printers, and IP phones. In fact NeXpose is capable of fingerprinting and analyzing over 11,000 different types of network devices.

back

Will NeXpose scan external devices?

Yes. Rapid7 offers a Hosted Scan Engine Service. The Rapid7 Data Center scanning engines perform the scan on demand or as part of scheduled workflow, then deliver the results to the customer through encrypted channels to the NeXpose Central Web Console inside their firewall. The Console allows customers to view and analyze the scanning data from both external and internal scans, as well as control the scanning process.

back

How many different types of vulnerabilities does NeXpose detect?

NeXpose specializes in the breadth as well as the depth of vulnerability scanning. NeXpose can scan for vulnerabilities in the hardware, operating system, and network layer, such as Cisco, Windows, Linux, Unix, Solaris, AS/400, and BSD. As well as scanning for service and application layer vulnerabilities such as Lotus Notes, Oracle, Exchange, Apache, IIS, Adobe Acrobat, Internet Explorer and many more.

back

How can NeXpose detect Denial of Service (DoS) vulnerabilities without bringing the network host down?

When NeXpose tests a host for a Denial of Service (DoS) vulnerability, it sends specially crafted packets that are designed to not impact the host availability. By analyzing the response, NeXpose can determine if the host is vulnerable to a DoS attack without flooding it with traffic and causing a service interruption.

back

How does NeXpose handle false positives and false negatives?

False positives and false negatives are bugs. For any scan data that appears to be incorrect, send the following information to Rapid7 support: Operating System, Version, Release (including service pack, kernel version or other relevant info) The version of NeXpose, How the software updates are applied.

back

What types of pre-defined scan templates are included with NeXpose?

NeXpose includes the following scan templates: Full Audit, Exhaustive, Denial of Service, Internet DMZ, Penetration Test, HIPAA Compliance, Sarbanes-Oxley Compliance, Web-Spider, Safe Audit.

back

Does NeXpose require credentials to scan a target network?

NeXpose is capable of scanning with or without credentials. Most of the vulnerability checks do not require credentials, however, some checks, such as Windows hotfix checking and policy auditing, require that NeXpose have local or domain credentials.

back

Where can I add credentials to a scan?

Credentials can be added from the Site Management page under the Credentials pull-down. Credentials can be added for all supported services or a specific service. Additionally, a set of credentials can be specified for all devices or restricted to a specific device.

back

How do I log in with credentials?

Logging in with credentials is port-specific and is added using the "Credentials” tab during site creation. First click on "New Login” button then select the appropriate service from the drop down menu. Finally, enter the appropriate credentials and click ‘test login’. NeXpose will try to login via the interface before you save the credentials to make sure login is correct, port is open and basically that it will work.

You can also test the credentials if you telnet to the windows port or oracle port from the NeXpose server to the server you are scanning. Use "telnet ”, otherwise it will attempt to use the standard telnet port.

back

Can NeXpose scan across XP's personal firewall?

  • If XP’s personal firewall is enabled, properly configured, and no exceptions have been made in the firewall’s ACL then NeXpose will not be able to see the device.
  • To allow NeXpose to "see” these devices during a scan either disable the firewall or configure an exception to allow access from the NSC’s source IP address.
back

How do I set up an "asset discovery" scan?

  • Make sure your license is installed using NeXpose Security Console commands, update now and show licenses
  • In the NeXpose browser-based interface, go to: Administration--> Scan Templates--> Manage
  • Scroll down to 'Safe network audit' and click the copy icon to the right and name the copy to Asset Discovery (for example)
  • Under scan template configuration--> service discovery, (un-check ICMP and TCP will do a full port scan on all devices) or (check ICMP and TCP for port scanning on live devices)
  • Under scan template configuration--> vulnerabilities, click on Disable Vulnerability Categories
  • Check all the boxes. You have to check all of them individually. There is no 'check all'. Do this for all 3 pages then click Save at the bottom of the screen and these vulnerabilities will be added to the disabled list
  • Click Save at the top of the vulnerability configuration page to save the new Asset Discovery scan you just built.
  • Go back to 'Home' on the main menu and 'create a new site'
  • Under Devices, enter ranges of subnets to scan. It would look something like:

    10.1.90.1-10.1.90.255
    192.168.8.0/24
    and so on

  • Under Scan Setup, select the new site that you just created (i.e. Asset Discovery)
  • Save the site and start a scan
back

Where are / How do I edit my default policy files?

NeXpose can audit security policy elements for Oracle, Lotus Notes/Domino, and Microsoft Windows.

  • The Oracle policy is specified in an XML configuration file located in:
    {NeXpose_Install_Dir}/plugins/java/1/OraclePolicyScanner/1/oracle.xml
  • The Lotus Notes/Domino policy configuration file located in:
    {NeXpose_Install_Dir}/plugins/java/1/NotesPolicyScanner/1/domino.xml
  • For Microsoft Windows policy audits, NeXpose uses Windows .inf Security Templates located in:
    {NeXpose_Install_Dir}/plugins/java/1/WindowsPolicyScanner/1/
back