
Nexpose

Certified Administrator

Copyright Rapid7 2018 v 18.4.2


Introductions
• About your instructor
• About you
• Who are you?
• What is your experience level with Nexpose?
• What are your responsibilities/expectations?
Agenda
Day 1
• Introduction to Nexpose
• Nexpose Architecture
• Navigating the User Interface
• Scan Process
• Scan Templates
• Organizing Your Data
• Security Analytics
• Manage Users
Day 2
• Planning Your Deployment
• Create and Pair Scan Engines
• Credentials and Scanning
• Exception Workflow
• Troubleshooting
• Risk Strategies
• Reporting
• Practice Exam

3
Introduction to
Nexpose
Objectives:
• Understand the vulnerability management lifecycle
• Understand the challenges of vulnerability management
and how Nexpose can help address them
Vulnerability Management Lifecycle
[Figure: lifecycle cycle around Assets, with the stages Discover, Prioritize, Verify, Remediate, Assess, Report]

5
Challenges Facing Today’s Organizations
Key Security Challenges:
• Visibility gaps of security risks to business
• Ransomware and extortion will increase
• Industrial IoT hacks will increase
• Internal threats will increase
• Cyber-offense and cyber-defense capacities will increase
• Costly compliance requirements
• Employee churn
• Lack of documentation and standardization

6
Nexpose Vulnerability Management
Know Your Network
• Security assessment for the modern network
• Identify what’s important to your business
• Use attacker mindset to find weaknesses
Manage Risk Effectively
• Use critical threat awareness from Metasploit
• Prioritize business risks that matter
• Create concise actionable remediation plans
Simplify Your Compliance
• Perform fast, unified security & compliance assessment
• Automate workflows
• Leverage built-in Audit & PCI report templates

7
Efficient Security Assessment
• Nexpose provides a holistic view of your network connected devices
• Unified scanning
• OS
• Applications
• Web
• Database
• Configuration
• Consolidated reporting

8
Across Modern Networks

• Comprehensive Visibility

• Physical, virtual, and cloud

• Real-time discovery

• Expert scanning system

9
Understand Business Context
• Automatic classification
• Identify important systems and assign remediation owners

10
Nexpose Architecture
Objectives:
• Understand the components of the Nexpose
Architecture
Nexpose Components

Nexpose Security Console (NSC)

Nexpose Scan Engine (NSE)

Nexpose Database

Java Expert System Shell (JESS)

Nexpose API

12
Encryption Types
To ensure the security of the application, we use the following types of encryption
algorithm keys in these areas:
• Identification/authentication: RSA
• Credential password storage: RSA
• Connection to the Web interface: RSA and HTTP over TLS
• SSL can be enabled if needed
• Credential encryption: 3DES encrypted with RSA
• Security Console to Scan Engine communication: TLSv1.2,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for backwards compatibility,
and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

13
Nexpose Security Console (NSC)
• Centralized Administration
• Configuration, Presentation
• Accessible by port 3780 by default, but changeable
• https://[Server IP]:3780
• Contains scan sites, assets, scan templates, reports, policies,
asset groups, administration, user management
• Communication needs
• To updates.rapid7.com (80)
• To support.rapid7.com (443)

14
Nexpose Scan Engine (NSE)
• The Workhorse
• Responsible for running scans against assets
• Scan Engines do not store scan data. Instead, they immediately send the
data to the Security Console.
• Managed by the console
• Console controls scan configuration and dispatching/scheduling
• Software and vulnerability check updates are pushed from the console

15
Nexpose Scan Engine (NSE)
• Types:
• Local – Integrated to the Console
• Distributed – Deployed remotely
• Hosted – Offered by Rapid7 to scan externally facing assets
• System requirements different for Engines vs. Consoles
• No asset information is stored for a lengthy duration
• Just holds the vulnerability checks and some logs
• Primary means of communication
• From NSC to NSE (40814)
• From NSE to NSC (40815)

16
Nexpose Database
• PostgreSQL 9.4.x
• Integrated into the console
• Can be separated for scalability, but rarely necessary
• Can be tuned for optimal performance
• No direct database access, however…
• Contains a Reporting Data Model for ease of custom reporting
• Ability to export to other MS-SQL, Oracle and MySQL
• Data warehouse/replication to another PostgreSQL server

17
Java Expert System | JESS
• Designed to think like an expert (attacker)
• Continuously feeds newly discovered information back into the program to dig deeper and identify more vulnerabilities
• Provides efficiency during the scan process
• Reduces false positives/adverse effects

18
Nexpose API
(Application Programming Interface)
• Methods
• API 1.1/1.2 - XML over HTTPS
• RESTful APIv3
• Ruby Gem (Library)
• Leverages the API and AJAX
• Common Uses
• Third-party Integrations
• Workflow Automation
• Simple Utilities
• Dive Deeper in Advanced Vulnerability Manager Course

19
[Figure: Nexpose communication paths]
• Console/API: https://x.x.x.x:3780
• Console (NSC) to distributed (internal) scan engines (NSE): TCP 40814; NSE to NSC: TCP 40815
• Console to hosted scan engines: TCP 40814
• Console/local scan engine to the database: TCP 5432
• Scan engines to scan targets: all TCP/UDP ports
• Console to http://updates.rapid7.com:80 and https://support.rapid7.com:443
20
Nexpose VS InsightVM
• InsightVM includes all features found in Nexpose Enterprise, including our
traditional on premise scan engines.
• As part of the Rapid7 Insight Platform, users get:
• Exposure Analytics
• Live dashboards
• Unified agent across all Insight products
• Remediation workflow planning
• In-product integrations
• Subscription-pricing model

21
Navigating the UI
Objectives:
• Understand components of the Nexpose Console
Accessing the Console
• https://[Console_IP]:3780
• Supported Browsers:
• Chrome
• Firefox/Firefox ESR
• IE 11/Microsoft Edge
• Others work, but not supported
• (i.e. Safari, Ice Weasel)
• Login with the credential defined during the
console installation

23
Top Menu Items

• Create – Shortcut to create sites, groups, tag, reports

• Calendar – feature showing scans and reports in a timeline

• Help – Access online help and news

• Notifications – alerts when new updates are available or content is added

24
Top Menu Items

• Search – use keyword or filtered asset searches

• User – view/update user preferences, change color scheme, or logout

• Home Page Items – Add previously removed home page items

25
Left Side Navigation Menu
• Home – holistic view of assets, site, groups.
• Assets – view detailed data on discovered assets
• Vulnerabilities – analyze comprehensive vulnerability
information
• Automated Actions – Dynamic automation
• Policies – create policies to fit requirements of your
environment
• Reports – create, edit, and view reports
• Tickets – basic internal ticketing system
• Administration – perform a variety of administrative tasks

26
Home Page
[Screenshot callouts: Risk and Assets Over Time chart (click and drag to zoom; hamburger menu to print); Asset Overview]

27
Home Page
[Screenshot callouts: Site Overview (Scan Now, Edit or Delete a Site; click to sort columns); Current Scan Statistics]

28
Home Page
[Screenshot callouts: Asset Group Overview; Asset Tags Overview]

29
DEMO - NAVIGATING THE USER INTERFACE
The Scan Process
Objectives:
• Understand the Scanning Process
• The Importance of the Scan Template
Scan Process Overview

Discovery → Port Scan → Service Fingerprinting → OS Fingerprinting → Unconfirmed Vulnerability Checks → Confirmed Vulnerability Checks → Policy Checks

32
NSC > NSE: Go and find all ‘alive’ devices

Using ICMP Ping, ARP Ping, TCP and/or UDP Port Scanning

33
NSC > NSE: What Services are running on the open ports?

Use NMAP Helper Libraries

34
NSC > NSE:
What Services are we dealing with?

• Service Fingerprinting
• Nexpose will try to determine which services/processes are running on the open
ports detected in the previous step.
• Methods:
• Banner-grabbing
• IP Stack Analysis
• Service fingerprinting for custom configuration
• Map custom port to service name
• default-services.properties

35
NSC > NSE:
What OS are we dealing with?

• OS Fingerprinting: using information collected from the previous scan stages,
the scan attempts to guess which operating system is running on the asset.
• Recog is a framework for identifying products, services, operating systems,
and hardware
• Matching fingerprints against data returned from various network probes
• Simple to extract useful information from web server banners, SNMP system description
fields
• Consists of both XML fingerprint files and an assortment of code, mostly in Ruby, that
makes it easy to develop, test, and use the contained fingerprints.
• A score indicating how certain the scan is about its guess is kept and the
highest ranked guess is used for other stages of the scan.
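The match-and-score idea on this slide (fingerprints matched against probe data, a certainty kept per guess, highest guess wins) can be shown with a small matcher. This is an added example written for these notes, not Recog's code: the fingerprint table, its certainty values and the sample banners are constructed for illustration and do not follow Recog's XML format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fingerprint:
    pattern: str            # regex applied to a banner; named groups become fields
    fields: Dict[str, str]  # static attributes asserted when the pattern matches
    certainty: float        # confidence that the match identifies the asset (0..1)


# Constructed fingerprint table: patterns and certainty values are assumptions
# for this example, not entries from Recog's fingerprint files.
FINGERPRINTS: List[Fingerprint] = [
    Fingerprint(r"^OpenSSH_(?P<version>[\d.p]+) Ubuntu",
                {"os.vendor": "Canonical", "os.product": "Ubuntu"}, 0.90),
    Fingerprint(r"^Apache/(?P<version>[\d.]+) \(Ubuntu\)$",
                {"os.vendor": "Canonical", "os.product": "Ubuntu"}, 0.85),
    Fingerprint(r"^Microsoft-IIS/(?P<version>[\d.]+)$",
                {"os.vendor": "Microsoft", "os.product": "Windows"}, 0.80),
    Fingerprint(r"^Linux ",          # generic SNMP sysDescr prefix: weak evidence
                {"os.product": "Linux"}, 0.50),
]


def match_banner(banner: str) -> List[Tuple[float, Dict[str, str]]]:
    """Run every fingerprint against one banner; return (certainty, fields) per hit."""
    hits = []
    for fp in FINGERPRINTS:
        m = re.search(fp.pattern, banner)
        if m is None:
            continue
        fields = dict(fp.fields)
        # Captured groups (e.g. the version) ride along with the static fields.
        for name, value in m.groupdict().items():
            if value:
                fields["service." + name] = value
        hits.append((fp.certainty, fields))
    return hits


def best_guess(banners: List[str]) -> Optional[Dict[str, object]]:
    """Pool the matches from all probes of one asset and keep the highest-certainty guess."""
    candidates = []
    for banner in banners:
        candidates.extend(match_banner(banner))
    if not candidates:
        return None          # nothing recognised: no OS guess for the later stages
    certainty, fields = max(candidates, key=lambda hit: hit[0])
    return {"certainty": certainty, **fields}


if __name__ == "__main__":
    # Constructed banners from one asset: an HTTP banner and an SSH banner.
    print(best_guess(["Apache/2.4.29 (Ubuntu)", "OpenSSH_7.6p1 Ubuntu-4ubuntu0.3"]))
```

Two banners from the same asset both point at Ubuntu; the SSH fingerprint carries the higher certainty, so its fields are what a later stage would use. An asset that matches only the generic "Linux" prefix gets a low-certainty guess, which is the situation the next slide addresses: only a credentialed scan with administrator/root access yields a certainty of 1.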
36
NSC > NSE:
What OS are we dealing with?

• OS Fingerprinting
• Credentialed vs. Non-credentialed scans.
• Only scans using administrator/root will provide a Certainty of 1.
• Credentials with less than administrator/root privileges may show a
Certainty of 0.85
• Credentialed scans are necessary for policy scans, client side and some
system configuration related vulnerability detection.

37
• Unconfirmed Vulnerability Checks
• Primarily include checks based on patch and version information. These checks determine that a
version of software etc. is known to have an issue but does not confirm the specific issue exists.
An example may be that a version of software ships with a default password. The check would
determine that that version of software is present and may have default credentials even if the
credentials have already been changed.

• Confirmed Vulnerability Checks
• A confirmed check may go a step further than our Unconfirmed Vulnerability check by specifying
that a specific OS, Application, and specific version of each must be present before it tries to take
an action to verify if a vulnerability exists. For the example where a vulnerable version of software
is present that is known to ship with a known default password the check may attempt to login
with those known credentials to verify if the credentials have been changed.

38
• Policy Checks
• During this stage, checks focus on determining asset configurations and their
alignment with predefined baselines defined in policy files.

39
• USGCB policies
• United States Government Configuration Baseline
• FDCC policies
• Federal Desktop Core Configuration
• DISA STIGs
• Defense Information Systems Agency Security Technical
Implementation Guides
• CIS Benchmarks
• Center for Internet Security

40
SCAN TEMPLATES
Objectives:
• Understand the role of Scan Templates in Nexpose
• Learn the steps to create a Scan Template
Scan Templates
• Defines ‘how’ to discover/scan assets
• Discovery
• Vulnerabilities
• Policy Checks
• Web Spidering

42
Scan Template Configuration
• Each Scan Template can be cloned for ease of customization
• The type of checks you opt for determines which variables you can customize

43
Demo & Lab 1:
Creating Custom
Templates

44
Organizing Your Data
Objectives:
• Understand the role of sites and developing a site strategy
• Learn to leverage asset groups for analysis and reporting
• Learn to leverage asset tags for providing context
Nexpose Containers
• Sites
• All things scan related
• The What, How, When
• Dynamic (vSphere/AWS) and Static
• Asset Groups
• Grouping of common/like assets
• Reporting and Analysis focused
• RealContext (Asset Tags)
• Adds context to assets

46
Site Overview
[Figure: a Nexpose Site consists of Scan Targets, a Scan Engine, Scan Templates, a Scan Schedule (optional), Alerts (optional) and Credentials (optional)]

47
Site Strategy
• Break up your environment in a way that:
• Is easy to manage
• Makes sense to your organization
• Achieves your scanning goal/objectives
• Aligns with change control requirements
• Aligns with technical and business owners
• Work with, and involve, your scanning constituents to devise the best approach

48
Site Strategy – By Location
• Geographical or Logical
• Los Angeles, Boston, New York, London
• 10.1.1.x/24, 10.1.2.x/24, VLAN10, VLAN20
• Internal, External
• Benefits
• Smaller number of sites/scans = ease of management
• Concerns
• Large number of assets per site = longer scan times
• Lack of granular scheduling
• Lack of granularity with scan templates

49
Site Strategy – Asset Function
• Desktops, Mobile, Servers, Printers, Database, Web
• Benefits
• More granular schedule
• Reduced scan time
• Different scan templates based on asset function
• Concerns
• Requires periodic reconciliation of assets on the network vs. what is being
scanned
• Multiple scan templates to configure/manage

50
Site Strategy – By Platform/Product
• Windows, Linux, Cisco, etc..
• Benefits
• Specific scan templates per platform
• Detailed reporting where specific remediation teams own certain
systems
• Concerns
• Requires periodic reconciliation of assets on the network vs.
what is being scanned
• Multiple scan templates to configure/manage

51
Site Strategy – Hybrid
• By location and specific function
• HQ – Desktops
• Remote Office – Desktops
• Datacenter – Servers
• Pros
• Efficient chunks = more regular scans
• Focused scans for specific requirements
• Flexible scheduling
• Cons
• Possibility of large number of sites

52
Demo & Lab 2:
Creating Sites

53
Asset Group Overview
• Nexpose Asset Groups:
• Provide the ability to perform targeted asset reporting
• Provide the ability to provide or limit user access to scan data
• Aggregates assets from one or more sites for vulnerability analysis

Dynamic asset groups:
• Subject to change
• Automatically clean/update
• “Real time” perspective
Static asset groups:
• Constant data set
• Comparative reporting
• “Frozen time” perspective

54
Demo & Lab 3:
Create Asset Groups

55
RealContext (aka Asset Tagging)

• Allows the ability to provide business context around your assets by applying
tags
• Built-in Tags
• Criticality
• Location
• Owner
• Custom Tags
• Examples: PCI, DMZ, SOC, XYZ Network, DEV, Production, XYZ Application,
etc..

56
RealContext – Tagging Assets

57
RealContext - Adjust Risk By Criticality
• Apply risk multipliers to assets
• Adjust configurable risk score multiplier based on criticality
• Disabled by default

58
RealContext Best Practices
• Apply risk multipliers to Dynamic Asset Groups
• Examples:
• Public-facing/DMZ assets = Higher Risk
• Assets with sensitive data = Higher Risk
• Infrastructure service assets = Lower Risk
• Use Sites and Asset Groups to bulk tag assets
• Use filtered asset search to bulk tag assets

59
Demo & Lab 4:
RealContext

60
Security Analytics
Objectives:
• Learn about Nexpose Security Analytics
• Learn the types of automated actions
• Learn how to create and use automated actions
Security Analytics – Automated Actions
• Certain “Trigger” events initiate automated actions
• Automatically discover and assess new assets as they join the network
• Track your risk as assets come and go from the network
• No more waiting for scans to run
[Figure: Full Attack Visibility and Assessment, fed by DHCP, VMware, Mobile and AWS]

62
Automated Actions
• Automated action can be turned on/off
• You can have as many automated actions as necessary
• Best Practice: avoid conflict (adding asset to two sites, for example)

63
New Vulnerability Released
• Make instant decisions to scan based on new vulnerabilities that have been released (added to Nexpose).
• Only scans for the vulnerabilities that meet the threshold.
• Can set threshold by Risk or CVSS Score

64
New Asset Discovered
• Allows you to make decisions
on scanning assets when they
are first discovered
• Filter based on asset criteria
• Actions include:
• Add to a Site,
• Add to a Site and Scan
Immediately

65
Known Asset Discovered
• You can make instant decisions for assets that are known to exist
• Filter based on asset criteria
• Actions Include:
• Tag the Asset
• Add the Asset to another
Site
• Scan the Asset Now

66
TIE File Reputation Event
• Integration with DXL and TIE from McAfee (formerly Intel Security) allows your security team to gain insight into your assets and automatically prioritize assets when compromises are detected
• Automatically report vulnerabilities (including title, Nexpose vulnerability ID, CVSS score, detection time, and ePO agent ID) as they are found, enabling other solutions like firewalls and monitoring tools to take actions dependent on those discoveries.
Status of Automated Actions
• The colors of the activity markers also change to indicate whether the action completed successfully
on that date.
• Initiated (blue): The action was triggered.
• Retry (orange): The action was triggered, but was unable to complete for some reason.
• Error (red): The action is currently in an error state. Something needs to be resolved so the action
can be performed.
Demo & Lab 5:
Automated Actions

69
Managing Nexpose Users
Objectives:
• Understand the aspects of access control in Nexpose
• Learn about custom roles
• Learn how to create or update users
• Learn about password policies
Active Directory/LDAP/Kerberos
• Connect InsightVM to third-party authentication sources
• Microsoft Active Directory/LDAP
• Kerberos
• SAML 2.0
• Caveats
• No AD Group Support
• Usernames are Case Sensitive (i.e. InsightVM and AD username
must match exactly)
• Two Factor Authentication requires the use of a time-based
one-time password application such as Google Authenticator
and can only be enabled by a Global Admin.

71
Password Policy
• Establish Policy for all Nexpose (non-AD) users
• Minimum / Maximum Password Length
• # of alpha characters
• # of numeric characters
• # of symbols
• Expiration

• Any new users added must adhere to new policy

• Existing users must adhere upon password change
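The policy dimensions on this slide (length bounds, character-class minimums, expiration) map directly onto a checker that returns every rule a candidate password breaks, which is what an administrator wants when a new user or a password change is rejected. This is an added example for these notes; the field names and the sample policy values are assumptions, and Nexpose's own configuration keys and enforcement code are not shown on the slide.

```python
import string
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    """One record per slide bullet; names are this example's own, not Nexpose settings."""
    min_length: int
    max_length: int
    min_alpha: int
    min_numeric: int
    min_symbols: int
    expiration_days: int


# Constructed sample policy for the demonstration.
SAMPLE_POLICY = PasswordPolicy(min_length=12, max_length=64, min_alpha=2,
                               min_numeric=2, min_symbols=1, expiration_days=90)


def policy_violations(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of rules the password breaks; an empty list means it complies."""
    problems = []
    n = len(password)
    if n < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if n > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    alpha = sum(1 for c in password if c.isalpha())
    digits = sum(1 for c in password if c.isdigit())
    # ASCII punctuation is what counts as a "symbol" in this example.
    symbols = sum(1 for c in password if c in string.punctuation)
    if alpha < policy.min_alpha:
        problems.append(f"fewer than {policy.min_alpha} alphabetic characters")
    if digits < policy.min_numeric:
        problems.append(f"fewer than {policy.min_numeric} numeric characters")
    if symbols < policy.min_symbols:
        problems.append(f"fewer than {policy.min_symbols} symbols")
    return problems


def is_expired(last_changed: str, policy: PasswordPolicy, today: str) -> bool:
    """True when the password (ISO dates) is older than the policy's expiration window."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > policy.expiration_days


if __name__ == "__main__":
    # Constructed candidates: one compliant, one that breaks several rules.
    for candidate in ("Tr0ub4dor&3xample!", "short1"):
        print(candidate, policy_violations(candidate, SAMPLE_POLICY) or "OK")
    print("expired:", is_expired("2018-01-01", SAMPLE_POLICY, "2018-06-01"))
```

Reporting all violations at once, rather than stopping at the first, matches how the slide describes the policy: new users must meet every rule on creation, and existing users meet them at their next password change, so the checker runs at exactly those two points.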

72
Granular Role-Based Access
• Built-in roles for common levels of functionality
• Ability to create custom roles

73
Custom Roles & Asset Permission
• Create a role that fits your specific needs
• Custom roles are added to the role menu
• Permissions can be granted by:
• Site
• Asset Group
• Reports

74
Demo & Lab 6:
Create and Manage Users

75
Planning your Deployment
Objectives:
• Understand various vulnerability scanning perspectives
• Make the best use of your available resources to gain the
scanning coverage needed to meet your objectives
Deployment Architecture
• Highly Scalable
• Unified Platform & Management Console
• Flexible Deployment
• Standards-based Open API and Pre-Build Connector
[Figure: Management Console connected to multiple Scan Engines (one behind a Firewall) and to the API]

77
Scan Perspectives
• Deployment architecture
• Scan Engine placement, in-line networking devices, types of devices
• Objectives for scanning
• Compliance, vulnerability management, validation
• Streamlining running and scheduling scans
• Asset availability, scan windows, data for reporting

78
Scan Perspective - Internal
• Scan traffic from engines located behind your perimeter firewall
• Targets devices located on the company intranet
• Provides the ‘inside looking in’ perspective
• Addresses risk due to:
• Trusted insiders
• Curious/Rogue employees

79
Scan Perspective - Internal
[Figure: engines inside your internal network: NSC / NSE at Headquarters (2000 assets), NSE in the DMZ (50 assets), NSE at a Satellite Office (1000 assets) reached over VPN, NSE at a Remote Sales Office (250 assets) reached over a WAN link]
80
Scan Perspective - External
• Scan traffic originates from an NSE located outside your perimeter firewall
• Targets devices located on the company extranet
• Provides the ‘outside looking in’ perspective
• True attacker perspective of your network
• Rapid7 offers these ‘Hosted Services’ and SONAR

81
Scan Perspective - External
[Figure: a hosted NSE in the Rapid7 Datacenter scans your network from outside, seeing only open ports in the DMZ (50 assets) and at Headquarters (2000 assets); it is paired with the NSC / NSE over TCP 40814]
82
Scan Perspective - Hybrid
• Scans utilize multiple strategically located NSE’s
• Can be both internal/externally located
• Use Cases for a Distributed Scanning Strategy
• Large number of target IP addresses
• Highly segmented network
• Bandwidth restrictions

83
Scan Perspective - Hybrid
[Figure: a hosted NSE in the Rapid7 Datacenter sees only open ports from outside, while internal engines cover the DMZ (50 assets), Headquarters (2000 assets, NSC / NSE) and the Remote Sales Office (250 assets) over a WAN link]
84
Scan Engine Placement
• For the most efficient performance and comprehensive scan results,
scan engines should:
• Be located as close as possible to the assets being scanned
• Be placed inside demilitarized zones, secure network environments
• Be distributed to geographical regions/locations, depending on the number
of assets to be scanned and bandwidth between the engine and the target
assets
• Be placed behind, or at the very least whitelisted through, firewalls and other
security controls

85
Project Sonar
• Project Sonar is a community effort to improve security through the active
analysis of public networks.
• This includes running scans across public internet-facing systems, organizing the
results, and sharing the data with the information security community.
• Sonar regularly ‘scans the internet’ and gathered data is archived and made
publicly available in cooperation with the University of Michigan.
'Scanning' a Sonar site *does not* perform a Nexpose query of those assets, it simply retrieves
archived scan data from Sonar.

https://github.com/rapid7/sonar/wiki
System Requirements
• Factors that feed into determining the deployment architecture and resource
requirements are:
• Number and frequency of reports
• Scan data retention
• Scan frequency
• Report retention
• Total number of IPs scanned
• Deployment architecture
• Network architecture

88
System Requirements

                   Minimum                        Recommended
Processor          2 GHz+ processor or higher     2 x 2 GHz QC processor or higher
Memory             8 GB RAM (64 Bit)              16-96 GB (64 bit)*
Storage (Console)  80 GB                          80 GB – 1 TB+*
Storage (Engine)   10 GB                          40-80 GB*
Network            100 Mbs                        1000 Mbs
Browser            Firefox, Firefox ESR, Chrome, Microsoft Edge, IE 11

* Dependent on many factors, including number of IPs, scan frequency, data retention policies, report quantity, and report complexity

89
System Scaling Best Practices

While a single scan engine is capable of scanning in excess of 20,000 assets per day, it is
recommended to distribute scans across multiple scan engines for optimal performance.
Currently Supported Operating Systems
64-bit versions of the following platforms are supported.

• Ubuntu Linux 14.04 LTS
• Ubuntu 16.04 LTS
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2016 R2
• Microsoft Windows 8.1
• Microsoft Windows 7 SP1
• Red Hat Enterprise Linux Server 7
• Red Hat Enterprise Linux Server 6

91
Installing Nexpose
Objectives:
• Install Nexpose on a Windows/Linux Server
Windows Installation
• Latest Installer
• https://kb.help.rapid7.com/v1.0/docs/insightvm-and-nexpose-installers-md5sum-files-and-virtual-appliances
• Console + Scan Engine or Scan Engine Only
• Services
• Nexpose Security Console - Automatic
• Download the appropriate md5sum file to ensure that the installer
was not corrupted during download.

93
Linux Installation
• Latest Installer
• https://kb.help.rapid7.com/v1.0/docs/insightvm-and-nexpose-installers-md5sum-files-and-virtual-appliances
• chmod +x Rapid7Setup-Linux64.bin
• Console + Scan Engine or Scan Engine Only
• Text-based Installer
• ./Rapid7Setup-Linux64.bin -c
• Disable SELinux
• Download the appropriate md5sum file to ensure that the installer was not
corrupted during download.
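Both the Windows and the Linux installation slides end with the same step: compare the downloaded installer against its md5sum file before running it. The check below is an added example for these notes (not a Rapid7 tool); it reads the `<hex digest>  <filename>` line that `md5sum` writes, and additionally refuses a checksum file that names a different installer, since a digest copied from the wrong file proves nothing. The file name `Rapid7Setup-Linux64.bin` comes from the slide; the sample bytes in the test are constructed.

```python
import hashlib
import sys
from pathlib import Path
from typing import Tuple


def parse_md5sum_line(line: str) -> Tuple[str, str]:
    """Split md5sum's '<hex digest>  <filename>' format; a leading '*' marks binary mode."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or len(parts[0]) != 32:
        raise ValueError(f"not an md5sum line: {line!r}")
    return parts[0].lower(), parts[1].lstrip("*")


def verify_installer_bytes(data: bytes, md5sum_text: str, filename: str) -> bool:
    """True only when the digest matches AND the checksum file names this installer."""
    expected, named = parse_md5sum_line(md5sum_text)
    if Path(named).name != filename:
        return False          # checksum belongs to some other file
    return hashlib.md5(data).hexdigest() == expected


def verify_installer_file(installer: str, sumfile: str) -> bool:
    """File-based wrapper: hash the installer in chunks so a large download fits in memory."""
    digest = hashlib.md5()
    with open(installer, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    expected, named = parse_md5sum_line(Path(sumfile).read_text())
    return Path(named).name == Path(installer).name and digest.hexdigest() == expected


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python verify.py Rapid7Setup-Linux64.bin Rapid7Setup-Linux64.bin.md5sum
    ok = verify_installer_file(sys.argv[1], sys.argv[2])
    print("OK" if ok else "MISMATCH: do not run this installer")
    sys.exit(0 if ok else 1)
```

Run it before `chmod +x`; on Linux `md5sum -c <file>.md5sum` does the same digest comparison in one command. MD5 here detects transfer corruption, which is what the slide is about; it does not protect against a deliberately substituted download, so fetch both the installer and its md5sum file from the Rapid7 site over HTTPS.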

94
Installation Process
• Default Install Directory
• C:\Program Files\rapid7\nexpose
• /opt/rapid7/nexpose
• Verify you meet the minimum
requirements
• Default PostgreSQL Listener Port: 5432
• Company Info
• Uses this information to create SSL
certificates and be included in requests to
technical support
• Create an initial Admin user with strong
password

95
Manage Scan Engines
Objectives:
• Learn How To Create A Scan Engine
• Learn How To Manually Pair An Engine
• Learn About Engine Pooling
Scan Engine Quantity
• Not an exact science…
• How many assets do you want to scan?
• How fast do you want to scan them?
• How much resources are you allocating to your engines?

97
Scan Engine Performance
• Scan times vary
• Non-credentialed scans on a single asset can take an average of 5 minutes,
depending on the device type, with no web spidering.
• Credentialed scans on a single asset can take an average of 7-10 minutes,
depending on device type, with no web spidering.
• Web spider Non-credentialed scans on a single asset can be around 15
minutes.
• Web spider credentialed scans on a single asset can be around 20 minutes.
• Adjust simultaneous assets per engine count in scan template to fully utilize
scan engine.

98
Scan Engine Management
[Screenshot callouts: force update the engine; the engine's current status; the currently running version; refresh the status]

99
Pairing a Distributed Scan Engine
• Console to engine configuration communicates on port 40814
• Engine to console configuration communicates on port 40815
• Two step pairing process:
• Generate key in Console
• Install and authorize the console on the engine

100
Scan Engine Management
• Updates
• Console updates the distributed engines
• Product and Content
• Scan Engine Pools
• Combine two or more engines into a logical engine
• Distributes the load of assets in a scan
• Ideal for large number of assets in a single site
• Overlapping scans may queue, causing delays, so start times should be
staggered.

101
Demo & Lab 7:
Pair a Scan Engine

102
Credentialed Scanning
Objectives:
• Learn The Importance Of Using Credentials
• Learn The Different Types Of Credentials
• Learn How To Add Shared And Site Credentials
Credentialed Scans
• Allows target assets to be
scanned with authentication
• 100% OS/Service Fingerprint
• Identify local/client-side patch
and configuration vulnerabilities
• Reduces false-positives
• Allow for policy/configuration
benchmark scans

104
Credential Management
Two types of scan credentials available:
• Shared
• Shared scan credentials allow a user to use the same credentials across multiple sites
• Can select which sites to apply
• Site-specific
• Site-specific credentials limit the credentials scope to just the assets defined in the site

105
Credential Management
• You can use Nexpose to perform credentialed scans on assets that authenticate users with SSH public keys. This method, also known as asymmetric key encryption, involves the creation of two related keys, or large, random numbers:
• a public key that any entity can use to encrypt authentication information
• a private key that only trusted entities can use to decrypt the information encrypted by its paired public key

106
Demo & Lab 8:
Manage Credentials

107
Vulnerability Exceptions
Objectives:
• Learn Why Exceptions Are Important
• Understand The Exception Workflow
• Learn How To Create And Approve Vulnerability Exceptions
Exceptions
• Prevents excepted vulns from being calculated in charts, graphs, reports
• Reason
• Compensating Control
• Acceptable Use/Risk
• False Positive
• InsightVM exception workflow allows for dual control
• Vulnerability Exception Scopes can include:
• All instances on an asset
• All instances on all assets
• All instances in the selected asset groups
• Exception Expiration
• Report created specifically for Vulnerability Exceptions

109
Exception Submission and Review
[Screenshot]

110
Exception Status
[Screenshot callouts: Expiration Date; Exception Scope]

111
Demo & Lab 9:
Create an Exception

112
Troubleshooting
Objectives:
• Learn How To Run Diagnostics
• Learn About The Various Log Files In Nexpose
• Learn How To Use Other Support Resources and the
Administration Page
Administration

114
Nexpose Diagnostics
• Administration->Troubleshooting->Diagnose->Perform
Diagnostics
• Review all items in red
• Firewall issues
• Experiencing UI inconsistencies?
• Database maintenance tasks

115
Log Locations
• Linux Console: /opt/rapid7/nexpose/nsc/logs/
• nsc.log, nse.log, access.log, auth.log, initdb.log, mem.log
• Windows Console: \Program Files\rapid7\nexpose\nsc\logs
• nsc.log, nse.log, access.log, auth.log, initdb.log, mem.log
• Engines
• Similar directory BUT nsE instead of nsC
• /opt/rapid7/nexpose/nse/logs/

116
Logs
• By default ‘DEBUG’ level messages are NOT displayed
• Why? | Resources
• Can this be changed? | You bet!
• [installation_directory]/nsc/conf/user-log-settings.xml
• Uncomment the following line by removing the opening and closing
comment tags:
• <!-- <property name="default-level" value="DEBUG"/> -->

117
Logs
ACCESS.LOG: Accessed resources, i.e. the Web interface; API call, API version and the IP address of the API client

MEM.LOG: Problems with memory. Mem.log shows scanning and reporting memory usage.

AUTH.LOG: Log in, log off, account lockouts

NSC.LOG: System and application level event tracking. Updates, scheduling of operations, or communication issues with distributed Scan Engines. Good for tracking any Maintenance Mode activity

NSE.LOG: Troubleshoot specific checks. If a check produces an unexpected result, you can look here to determine how the scan target was fingerprinted

UPDATE.LOG: Contains all information pertaining to update tasking.

118
Other Tools
• Report Errors in OS Fingerprinting
from Individual Asset
• Download Log from
Administration>History>Download
Log
• View Statistics from
Administration>Events>View

119
Patch Management
• InsightVM updates
• Product
• Coverage
• OS Patch management on InsightVM devices is not managed by Rapid7
• You only need to download either a Virtual Appliance Security Console or
a Virtual Appliance Scan Engine. The Security Console already includes a
local scan engine.
• For deploying an additional Scan Engine, please download the Virtual
Appliance Scan Engine on a separate Virtual Appliance. The Virtual
Appliances use Ubuntu 16.04, which have been pre-hardened according to
CIS Ubuntu Linux 16.04 LTS Benchmark v1.0.0.

120
Troubleshooting
Challenge

121
Vulnerability and Risk
Scoring
Objectives:
• Understand the importance of risk scoring
• Understand the common vulnerability scoring system (CVSS)
• Learn the various Nexpose risk scoring strategies
Vulnerability and Risk Scoring
• The Need for Standardized Scoring
• Created to address the need for defining & quantifying detected vulnerabilities across enterprise platforms
• Historically, vulnerability scoring had been done on a vendor specific level
• No standardization meant that intercommunication/integration between enterprise security applications could not share vulnerability information

123
CVSS History

• CVSS v.1
• Research commissioned in 2003;
DHS accepted in 2004
• Public launch at RSA in 2005;
Active until 2007
• CVSS v.2
• Public launch in June, 2007; PCI
mandated in July, 2007
• CVSS v.3
• Released in late 2015

124
CVSSv2 Base Metrics
Exploitability Metrics: Access Vector, Access Complexity, Authentication
Impact Metrics: Confidentiality, Integrity, Availability
• Scored relative to overall impact
• No awareness of cases in which a flaw in one app impacts other apps
• Access Vector may be unable to rate local system access with physical hardware attacks
• Authentication scores biased towards None/Single

CVSSv3 Base Metrics
Exploitability Metrics: Access Vector, Access Complexity, Privileges Required, User Interaction
Impact Metrics: Confidentiality, Integrity, Availability
Scope: Unchanged, Changed
• Scored relative to impact of affected component
• Scope supports cases in which the vulnerable entity is distinct from the affected entity
• Local and Physical are now distinct in AV
• Privileges Required indicates the greatest privileges required for exploit vs. the number of authentications required

125
CVSS Exploitability Metrics (CVSSv2 scoring values)

Access Vector                  Access Complexity        Authentication
Local (L)             0.395    High (H)       0.35      Multiple (M)   0.45
Adjacent Network (A)  0.646    Medium (M)     0.61      Single (S)     0.56
Network (N)           1.0      Low (L)        0.71      None (N)       0.704

126
CVSS Impact Metrics (CVSSv2 scoring values)

Confidentiality            Integrity                  Availability
None (N)         0.0       None (N)         0.0       None (N)         0.0
Partial (P)      0.275     Partial (P)      0.275     Partial (P)      0.275
Complete (C)     0.660     Complete (C)     0.660     Complete (C)     0.660

127
CVSS Base Metric Group

BASE METRIC GROUP vector:

AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]

AV = Access Vector, AC = Access Complexity, Au = Authentication,
C = Confidentiality, I = Integrity, A = Availability
128
CVSS Calculating Base Score

Base score for an example vulnerability:

AV:N/AC:L/Au:N/C:N/I:N/A:C

Access Vector = Network = 1.0         Confidentiality = None = 0.0
Access Complexity = Low = 0.71        Integrity = None = 0.0
Authentication = None = 0.704         Availability = Complete = 0.66

129
CVSS Base Scoring Formulas (CVSSv2)

Impact = 10.41 * (1 - (1 - Confidentiality) * (1 - Integrity) * (1 - Availability))

Exploitability = 20 * AccessVector * AccessComplexity * Authentication

f(Impact) = 0 if Impact = 0, 1.176 otherwise

BaseScore = ((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact),
rounded to one decimal place

130
CVSS Base Scoring - Exploitability
Step 1: calculate the Exploitability value:

AV:N/AC:L/Au:N/C:N/I:N/A:C
Exploitability = 20 * AccessVector * AccessComplexity * Authentication

Exploitability = 20 * 1.0 (Network) * 0.71 (Low) * 0.704 (None)

Exploitability = 9.9968, rounded to 10.0
131
CVSS Base Scoring - Impact

Step 2: calculate the Impact value:

AV:N/AC:L/Au:N/C:N/I:N/A:C
Impact = 10.41 * (1 - (1 - 0.0 (None)) * (1 - 0.0 (None)) * (1 - 0.66 (Complete)))

Impact = 10.41 * (1 - 0.34) = 6.8706, rounded to 6.9
132
CVSS Base Scoring – f(Impact)
Step 3: calculate the f(Impact) value:

f(Impact) = 0 if Impact = 0, 1.176 otherwise

Impact = 6.9 (calculated using the Impact equation in step 2), so

f(Impact) = 1.176
133
CVSS Calculating Base Score
Exploitability = 10.0 (Step 1)
Impact = 6.9 (Step 2)
f(Impact) = 1.176 (Step 3)
BaseScore = ((0.6 * 6.9) + (0.4 * 10.0) – 1.5) * 1.176 = 6.64 * 1.176 = 7.8086

BaseScore = 7.8 (rounded to one decimal place)
134
OpenSSL “Heartbleed” Flaw (CVE-2014-0160)

CVSSv2
Network-accessible, low exploit complexity, no authentication, partial
impact to confidentiality, and no impact to integrity or availability:
Base score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSSv3
Network-accessible, low complexity, no privileges needed, user interaction
not required, scope unchanged, high impact to confidentiality, no impact to
integrity, and no impact to availability:
Base score: 7.5
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

The same flaw moves from Medium (5.0) under v2 to High (7.5) under v3,
because v3 weights a High confidentiality impact on its own far more heavily
than v2 weighted a Partial one.

Resources: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
135
Vulnerability and Risk Scoring

• A practical approach to determining which detected vulnerabilities present
the greatest risk and likelihood of exploitation to enterprise assets

• Vendor-specific scoring algorithms are used to determine risk values

136
Real Risk
• This default strategy analyzes potential types of exposures associated with
vulnerabilities
• The algorithm applies exploit and malware exposure metrics for each vulnerability
to CVSS base metrics for asset impact
• Confidentiality, Integrity, and Availability
• Access Vector, Access Complexity, and Authentication
• Time, Exposure, Malware, Metasploit Modules

137
Temporal
This strategy indicates how time continuously increases likelihood of compromise.
The calculation applies the age of each vulnerability, based on its date of public
disclosure, as a multiplier of CVSS base metrics for likelihood (access vector, access
complexity, and authentication requirements) and data impact (confidentiality,
integrity, and availability).

Inputs to the Temporal formula: the sum (CVSS_AV + CVSS_C + CVSS_I + CVSS_A),
the vulnerability age VulnAgeInDays, and the CVSS_AC and CVSS_AU weights (squared).

138
TemporalPlus
• This strategy provides a more granular analysis of vulnerability impact,
while indicating how time continuously increases likelihood of compromise.
• TemporalPlus risk scores will be higher than Temporal scores because
TemporalPlus expands the risk contribution of partial impact vectors.

139
Weighted
• This strategy applies user-defined site importance to a calculation of asset and
vulnerability data to reflect your unique security priorities.
• Factors include:
• Number and severity of vulnerabilities discovered on each asset
• Number and types of services running on each asset
• Class of each asset and its associated risk
• User-assigned weight or level of importance for each site

RD = ( ((NC * SC) + (NS * SS) + (NM * SM)) / 50 + SR / PO ) * RW


140
PCI 2.0 ASV Risk
• Based on Payment Card Industry Data
Security Standard (PCI DSS) Version
2.0.
• Scale ranges from 1 (lowest severity)
to 5 (highest severity).
• Approved Scanning Vendors (ASVs)
and other users can assess risk from a
PCI perspective.

141
Demo & Lab 10:
Risk Scoring

142
REPORTING
Objectives:
• Learn how to create report templates
• Learn about the various types of report formats
• Discover useful reports for building a sustainable vulnerability
management program
Report Configuration

A Nexpose Report is built from five pieces of configuration:
• Report Template
• Report Scope
• Report Schedule
• Report Specific Configuration
• Report Distribution and Access

144
Report Formats
• Nexpose provides flexible, easy-to-use reporting
• Reports can be exported in a variety of formats

145
Report Templates
• Customizable Templates
• Report Templates are made up of Report
Sections
• You can edit the template and define which
sections to utilize
• You cannot edit the sections themselves –
they are static
• Static Templates
• Report structure/format cannot be modified
• SQL Query Export Template
• Query the Nexpose reporting data model
directly

146
Report Templates
• Database Export Template
• Export directly to MS-SQL, Oracle or MySQL
• CSV Export Template
• Choose fields to export
• XML
• CyberScope
• SCAP
• XCCDF

147
Demo & Lab 11:
Create Reports

148
Certification Overview
and Practice Exam
Objectives:
• Prepare for the Nexpose Certified Administrator exam
Get Certified
• This course includes one attempt at the NCA online exam
• 75 questions: 120 minutes
• Passing score of 80%
• Open book/documentation/notes/product

150
Additional Resources
• https://www.rapid7.com/for-customers/
• https://help.rapid7.com/nexpose/en-us/

• Materials from this course (slide deck and lab guide)


• A running instance of Nexpose, with global admin privileges

151
Review and Practice
Exam
Practice Exam
1. Which of the permissions listed allow a user to view vulnerability data for a
site named ‘HQ’? (Select all that apply)

a. A role that allows View Site Asset Data and access to the ‘HQ’ site
b. A role that allows View Group Asset Data and access to the ‘HQ’ site
c. Everyone can see vulnerability findings if they have access to the ‘HQ’ site
d. Global Administrator access
e. None of the above

153
Practice Exam
2. Why is it recommended to use valid credentials with vulnerability scans?

a. To obtain maximum accuracy and visibility into vulnerability findings.


b. To confirm the NSC user's identity before scanning
c. To ensure a secure session between the NSE and the host(s)
d. For logging and accountability purposes

154
Practice Exam
3. When sending your diagnostic information to support.rapid7.com you are
doing it over a TLS-encrypted session over port 443.

a. True
b. False

155
Practice Exam
4. The default risk model for Nexpose is:

a. Weighted risk
b. Real risk
c. Temporal risk
d. PCI ASV 2.0 Risk

156
Practice Exam
5. To edit a built-in scan template you would:

a. Edit the template directly


b. Delete and re-create the template
c. Copy and paste the template into a new site
d. Copy the template, make changes, and save as a new template, leaving
the old as-is

157
Practice Exam
6. If the error message "Not enough memory to complete scan" occurs during a
scan, which of the following actions should be considered?

a. Run fewer simultaneous scans


b. Lower the number of scan threads allocated by your scan template
c. Power off the console
d. Both A and B
e. Both A and C

158
Practice Exam
7. What is the minimum RAM system requirement (in GB) for Nexpose console
installations?

a. 32
b. 4
c. 16
d. 12
e. 8

159
Practice Exam
8. Which of the following report data export formats can Nexpose output?

a. CSV Export
b. XML Export
c. Database Export
d. CyberScope XML Export
e. All of the above

160
Practice Exam
9. You have configured a scan for a class C network with the
asset scope of 192.168.1.0/24, used the built in scan template
named ‘Full Audit’, and enabled syslog alerts to your SIEM at
10.1.4.2. You have scheduled the scan. Your scan has completed
as scheduled, but your Policy Evaluation report has no data.
What is the likely cause?

a. The Full Audit template does not include Policy checks.


b. The Syslog alerts are not being delivered correctly.
c. The scan has likely failed.
d. You have input the scope incorrectly.

161
Practice Exam
10. What URL would you use if trying to reach a remote Nexpose install on
another server?

a. http://servername/nsc:3780
b. https://localhost:3780
c. https://serverIPaddress:3780
d. https://serverIPaddress:40814

162
Practice Exam
11. You have a single dual-processor Nexpose console with 8GB of RAM and a
diverse geographic network. You currently have no additional scan engines
installed. You are attempting to scan 12 class C networks. Your scans seem to
be failing and you are seeing ‘out of memory’ error entries in the console log.
What is the BEST course of action that you should take to resolve the issue?

a. Increase the console's RAM.


b. Deploy Remote Scan Engines and reassign scans to the engines
c. Increase available memory by stopping unnecessary services.
d. Spread your scans over a longer period.

163
Practice Exam
12. Specify the items to which you can apply custom tags: (Select all that apply)

a. An individual asset
b. Asset groups
c. Sites
d. Reports
e. Scan templates

164
Practice Exam
13. Performing a filtered asset search is the first step in creating what type of
asset groups?

a. Full
b. Asset
c. Dynamic
d. Site

165
Practice Exam
14. Which of the following is a factor in the determination of vulnerability
severity levels?

a. Temporal Scores
b. CVSS Scores
c. Weighted Scores
d. SANS Vulnerability Scores

166
Practice Exam
15. Match the following log names to the proper description:

Log Name Description


1. access.log a. scan engine system and application level events
2. auth.log b. memory-intensive operations, such as scanning
and reporting
3. nsc.log c. resources that are being accessed such as pages in
the Web interface
4. nse.log d. maintenance mode activity
5. mem.log e. logon or logoff, authentication failures, account
lockouts

167
Directions regarding product certification:

1) Register as a new user here: https://rapid7.csod.com/


2) Upon initial login, you will see our welcome page. Select Learning ->
Browse for Training. Add the applicable certification to your cart.
3) Input Voucher Code: In your confirmation email

On your transcript page, you will be able to toggle the status of your exam
attempt and, should you pass, print out your certificate of completion. If
you have any questions/comments/concerns please reach out
to [email protected] and we would be happy to assist.

168
Advanced Vulnerability Manager
• SQL Query Reports – understand the reporting data model and
learn to create custom queries for export

• Nexpose API – learn about Nexpose automation capabilities using
the API, learn to interact with the API to perform routine tasks.

• Scripting with the Nexpose Ruby Gem – learn the basics of Ruby
scripting and leverage the Nexpose Gem to automate routine
tasks and extend functionality

• Nexpose Best Practices – learn tips and tricks to tune and
optimize Nexpose to achieve the best performance and results.

• Advanced Troubleshooting – learn the various ways to
troubleshoot Nexpose issues.


169
We want your feedback!!
Please take 2 minutes to fill out this survey about the class:

https://www.surveygizmo.com/s3/2181474/Rapid-7-Training-Feedback-Survey

170