Educause Security Discussion mailing list archives
Re: Metasploit and NeXpose
From: "Justin C. Klein Keane" <jukeane () SAS UPENN EDU>
Date: Thu, 14 Jan 2010 09:32:37 -0500
Hello,

One thing to remember when evaluating Metasploit is that it is an exploitation framework and makes for a poor vulnerability scanner because it only finds vulnerabilities that have published exploits. Developing exploits for vulnerabilities is a tedious and thankless job, and so many vulnerabilities are discovered and patched without anyone ever taking the time to create a working (repeatable, reliable) exploit for the vulnerability.

Vulnerability scanners like Nessus or Nexpose will search for vulnerabilities based on service signatures (to determine versions, patching, etc.) and report on all known vulnerabilities. Conversely, Metasploit will only search for vulnerable services for which there is an exploit.

Because many of the "bad guys" (and security researchers) develop exploits without publishing them to the wider world, if you rely on Metasploit as a vulnerability scanner there is a high probability that you would miss vulnerabilities for which exploits actually do exist. It's important to distinguish between the roles of vulnerability scanners and exploit frameworks in order to avoid a false sense of security.

Justin C. Klein Keane
Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania School of Arts and Sciences
3600 Market St. Room 520
Philadelphia, PA 19104
215.898.0236(p) 215.573.3166(f)

On 01/13/2010 10:29 PM, Joel Rosenblatt wrote:
> Hi,
>
> We have been using Nexpose for over a year and are happy with the product.
>
> Thanks,
> Joel Rosenblatt
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
>
> --On Thursday, January 14, 2010 11:10 AM +1000 Greg Vickers <g.vickers () qut edu au> wrote:
>
> > Hi all,
> >
> > We are reviewing scanning tools to apply to our web environment to find the problems before the bad guys do. I've gone back through the list archive and read the "Rapid7 NeXpose" thread from June last year.
> >
> > I've just spoken to a sales manager from Rapid7 (I was impressed, he called me in Australia after the web interface to request further information broke and I wound up emailing sales () rapid7 com) and got the blurb from them about the difference between Metasploit and NeXpose.
> >
> > I was wondering who here uses Metasploit or NeXpose and would be very interested in finding out if anyone has moved from Metasploit to NeXpose.
> >
> > We currently use Nessus for doing OS level scans and the basic cgi/web based scans Nessus can do. I would be interested in hearing people's opinions on the advantages or otherwise between Nessus and Metasploit/NeXpose.
> >
> > Thanks,
> > --
> > Greg Vickers Phone: +61 7 3138 6902
> > Project Manager, IT Security Program
> > Queensland University of Technology, CRICOS No. 00213J