I use a SQL query to gather information on compliance failures. The query gives me the scan date, host name, and the failed rule. Does anyone know the name of the field that lists the Remediation Steps (fix) information? Here is the query that I am using:

    select da.ip_address,
           da.host_name,
           dpr.title as Rule_Name,
           dprs.description as Compliance_Status,
           fpr.date_tested as "Date Tested"
    from fact_asset_policy_rule as fpr
    join dim_asset as da on fpr.asset_id = da.asset_id
    join dim_operating_system as dos using (operating_system_id)
    join dim_policy as dp on fpr.policy_id = dp.policy_id
    join dim_policy_rule as dpr on fpr.rule_id = dpr.rule_id
    join dim_policy_result_status as dprs on fpr.status_id = dprs.status_id
Posted by Stephen R. Harashack 3 months ago
Hi all, I am just looking for some insight, best practices, or dos/don'ts from anyone that has tried creating custom scan / report templates specifically looking for vulnerabilities related to findings from an external security rating vendor (i.e. SecurityScorecard, BitSight, etc.). The goal here would be to mirror the findings from the rating vendor in a Nexpose report. Any information / insight would be greatly appreciated, thanks!
Posted by Brett von Reyn 3 months ago
Hi, I'm trying to integrate Splunk with Nexpose using the TA Add-on, but it is not sending the logs. I have already set up everything as described, but it still does not work. I have the data input added on the forwarder and the account set up. These are the logs that I get from the TA-Rapid7_nexpose.log:

    2018-09-10 14:48:57,905 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 14:48:58,005 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 14:48:58,006 INFO nx_logger:38 - Listing the fields for the set up screen...
    2018-09-10 14:48:58,198 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 14:48:58,307 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:33,181 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:33,311 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:33,311 INFO nx_logger:38 - Listing the fields for the set up screen...
    2018-09-10 15:02:33,511 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:33,609 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:33,725 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:33,836 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:33,837 INFO nx_logger:38 - Listing the fields for the set up screen...
    2018-09-10 15:02:34,036 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:34,138 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:34,249 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:34,355 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:34,356 INFO nx_logger:38 - Listing the fields for the set up screen...
    2018-09-10 15:02:34,543 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:34,643 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:34,743 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:34,841 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:34,841 INFO nx_logger:38 - Saving changes made on configuration screen...
    2018-09-10 15:02:34,937 INFO nx_logger:38 - Sucessfully retrieved stored config for Nexpose.
    2018-09-10 15:02:34,953 INFO nx_logger:38 - Password retrieved.
    2018-09-10 15:02:35,110 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:35,111 INFO nx_logger:38 - Listing the fields for the set up screen...
    2018-09-10 15:02:35,300 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:35,428 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:35,429 INFO nx_logger:38 - Listing the fields for the set up screen...
    2018-09-10 15:02:35,622 INFO nx_logger:38 - Executing nexpose_setup.py
    2018-09-10 15:02:35,726 INFO nx_logger:38 - Executing nexpose_setup.py

I would like to see if there is a way to see more logs and troubleshoot this. Thanks. Ernesto M.
Posted by Ernesto Melendez 3 months ago
So I am trying to have our various server admin teams look into the assets with missing credential scans, and so I need to add a column for OS. I literally have spent all day trying to figure this out and am still stumped. It should not be this hard.... Might anyone have some other ideas? This is the closest I have come, but I need those IDs to mean something to a human (just general Windows or Linux would actually do if push comes to shove).

    WITH max_certainty AS (
        SELECT asset_id, max(certainty) AS certainty
        FROM dim_asset_operating_system
        GROUP BY asset_id
    ),
    asset_cred_status AS (
        SELECT DISTINCT fa.asset_id,
               CASE
                   WHEN dacs.aggregated_credential_status_id IN ('1', '2') THEN 'FAIL'
                   WHEN dacs.aggregated_credential_status_id IN ('3', '4') THEN 'SUCCESS'
                   ELSE 'N/A'
               END AS auth_status
        FROM fact_asset fa
        JOIN dim_aggregated_credential_status dacs
          ON (fa.aggregated_credential_status_id = dacs.aggregated_credential_status_id)
    )
    SELECT acs.asset_id,
           da.ip_address,
           da.host_name,
           acs.auth_status,
           da.operating_system_id,
           ROUND(mc.certainty::numeric, 2) AS certainty
    FROM asset_cred_status acs
    JOIN dim_asset da ON (da.asset_id = acs.asset_id)
    JOIN max_certainty mc ON (mc.asset_id = da.asset_id)
Posted by Lora Fulton 3 months ago
We use Skybox for ingesting and reporting on data from InsightVM. On 8/13/18, Skybox began showing a critical vulnerability for CVE-2017-7779: Mozilla Firefox 54, Firefox ESR 52.2 and Thunderbird <52.3 Remote Code Execution Vulnerability. However, when reviewing data from Skybox for previous days this vulnerability did not appear. It also does not currently appear in InsightVM as a vulnerability for any of our assets. I looked at several of the assets, and they do not show the affected software installed. In Skybox, the History tab of the vulnerability shows that on 8/12 there was the following change: New Related Source was added: Rapid7\cifs-share-everyone-readable. I opened a case with Skybox, and they pushed it back to Rapid7. I've opened a case with Rapid7, but haven't gotten anywhere. InsightVM shows no assets with the vulnerability for CVE-2017-7779. I'm not understanding how the "Cifs share readable by everyone" vulnerability is associated with a vulnerability for Firefox/Thunderbird from 2017, and why assets that don't have Firefox/Thunderbird installed are showing this vulnerability in Skybox. Has anyone else seen this issue recently?
Posted by John Magnetta 3 months ago
Currently the infrastructure admin sends us a note or a request for scheduling scans, but they are expecting to schedule scans on their own, which I am trying to build a UI/API for so they can just schedule a scan without directly logging into Nexpose. Can I use any API, or does Nexpose support only a few? Looking for an automated approach rather than a manual one.
Posted by MJ 3 months ago
Hello, I need a SQL query which will produce the total number of assets scanned, the total number of assets scanned which were successfully authenticated, which were unsuccessfully authenticated, and which were not attempted to authenticate due to lack of authentication parameters. I saw separate queries that will provide me that data, but I need it all in one report. Is it possible? Thanks.
Posted by Maxim Vovk 3 months ago
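An added example, not code from either post, that addresses both Lora's need for a human-readable OS column and Maxim's need for the authentication totals in one report. It runs against the InsightVM/Nexpose reporting data model used by SQL Query Export; the dim_operating_system columns (family, description) and the aggregated_credential_status_description column are assumed from the reporting data model documentation, so verify them against your console version.

```sql
-- Added example (not from the original posts). Assumed columns:
-- dim_operating_system.family / .description,
-- dim_aggregated_credential_status.aggregated_credential_status_description.
WITH asset_cred_status AS (
    -- fact_asset holds one current row per asset, so no DISTINCT is needed.
    -- Joining on the description column avoids hard-coding status id values.
    SELECT fa.asset_id,
           dacs.aggregated_credential_status_description AS auth_status
    FROM fact_asset fa
    JOIN dim_aggregated_credential_status dacs
      ON dacs.aggregated_credential_status_id = fa.aggregated_credential_status_id
),
asset_detail AS (
    -- dim_asset.operating_system_id already points at the highest-certainty
    -- fingerprint, which removes the need for a max(certainty) subquery.
    SELECT da.asset_id, da.ip_address, da.host_name,
           dos.family      AS os_family,       -- e.g. Windows / Linux
           dos.description AS os_description,  -- full fingerprint text
           acs.auth_status
    FROM asset_cred_status acs
    JOIN dim_asset da ON da.asset_id = acs.asset_id
    LEFT JOIN dim_operating_system dos
      ON dos.operating_system_id = da.operating_system_id
)
-- Per-asset rows for the server admin teams (Lora's question).
SELECT ip_address, host_name, os_family, os_description, auth_status
FROM asset_detail
ORDER BY os_family, auth_status, host_name;

-- Summary in one result set (Maxim's question): one row per credential
-- status, plus a grand-total row for all scanned assets.
SELECT dacs.aggregated_credential_status_description AS auth_status,
       count(*) AS assets
FROM fact_asset fa
JOIN dim_aggregated_credential_status dacs
  ON dacs.aggregated_credential_status_id = fa.aggregated_credential_status_id
GROUP BY 1
UNION ALL
SELECT 'TOTAL (all scanned assets)', count(*)
FROM fact_asset
ORDER BY 1;
```

If your export accepts only one statement per report, paste the two SELECTs as separate reports; the summary stands alone and does not depend on the CTEs.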
On a number of Windows 10 and Windows 7 machines, scan results are showing "Partial Credential Success". I created an inbound rule in the firewall for RPC Endpoint Mapper, also created firewall rules for WMI, and enabled the registry key for AllowRemoteRPC. This resolved the issue for 2/5 test machines. When comparing Wireshark logs of a working machine and a machine which is showing the credential failure with these changes in place, both machines send a bind request for ISystemActivator and request a remote instance and receive a response. On the working device it then binds to IRemUnknown2 and does a bunch of queries via IWbemServices; on the machine which is not working it instead binds to IOXIDResolver and does a Complex Ping, then moves on to another part of the Nexpose scan, skipping the additional queries. I've been at this for a couple of days; is there documentation somewhere I am missing with a list of services which must be running for this to function properly? I believe I am past this being a firewall issue as I don't see anything that appears to be getting blocked in Wireshark, but I could be wrong. Any assistance in locating documentation for proper configuration of machines to be scanned would be greatly appreciated.
Posted by Shane Burke 3 months ago
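An added readiness check for a Windows scan target, not from the post or from Rapid7: run in an elevated PowerShell on the machine that reports "Partial Credential Success", it verifies the items the post already changed (inbound WMI rules, AllowRemoteRPC) together with the Remote Registry service and administrative shares that credentialed Windows scans also rely on. The firewall display-group name, the registry paths and the Get-SmbShare cmdlet assume a stock Windows 8/10 or Server 2012+ build.

```powershell
# Added example (not from the original post). Assumes a stock Windows 8/10 or
# Server 2012+ build; on Windows 7 replace Get-SmbShare with "net share".
$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# Services behind the DCOM/WMI and named-pipe traffic seen in the capture.
foreach ($svc in 'RpcSs', 'Winmgmt', 'RemoteRegistry', 'LanmanServer') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Check "Service $svc running" ([bool]$s -and $s.Status -eq 'Running') "StartType=$($s.StartType)"
}

# The AllowRemoteRPC value mentioned in the post lives under the Terminal Server key.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name AllowRemoteRPC -ErrorAction SilentlyContinue
Add-Check 'AllowRemoteRPC = 1' ($ts.AllowRemoteRPC -eq 1) "Value=$($ts.AllowRemoteRPC)"

# Every inbound rule in the WMI group (DCOM-In, WMI-In, ASync-In) must be enabled,
# otherwise the IWbemServices queries after the ISystemActivator bind never happen.
$wmi = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
        -Direction Inbound -ErrorAction SilentlyContinue)
$disabled = @($wmi | Where-Object { $_.Enabled -ne 'True' })
Add-Check 'WMI inbound rules enabled' ($wmi.Count -gt 0 -and $disabled.Count -eq 0) "Rules=$($wmi.Count) Disabled=$($disabled.Count)"

# Administrative shares used for the file-based checks of a credentialed scan.
$shares = @(Get-SmbShare -Name 'ADMIN$', 'C$' -ErrorAction SilentlyContinue)
Add-Check 'ADMIN$ and C$ present' ($shares.Count -eq 2) "Found=$($shares.Name -join ',')"

# Only matters when scanning with a local (non-domain) admin account: UAC remote token filtering.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
Add-Check 'LocalAccountTokenFilterPolicy = 1 (local accounts only)' ($uac.LocalAccountTokenFilterPolicy -eq 1) "Value=$($uac.LocalAccountTokenFilterPolicy)"

$results | Format-Table -AutoSize
```

Compare the table from a working and a failing machine side by side; the row that differs is the first thing to fix before returning to the packet captures.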
Hi Mark, do we still need a scan engine set up on one of the hosts on the network if we already have the agent installed on all the hosts (assets) that we want to scan? If the answer is no, then how does communication between an agent and the console need to be established? I understand the distributed scan engine scans assets over the network, while this engine is paired with the console through which we run the scan and get the vulnerability information. How is the agent in this case different from the engine?
Posted by RamaKrishna 3 months ago
Is it possible to create a report that excludes vulnerabilities posted after a certain date? Ex. patching occurs on a Monday, a new vulnerability comes out on a Tuesday, the report is run on a Wednesday showing that devices are non-compliant.
Posted by Hunter Brindley 3 months ago
Good day, is there a query we can run in Nexpose that can present the data as organized below? The result being that the rows of IP Addresses/Servers can match the column of the application's risk score (i.e. Server1 has risks in both Adobe Reader and Flash). Thanks in advance. D Laden

    IP            Name     Operating System                      Vulnerabilities  Risk    Per-application risk (Java / Adobe Reader / Adobe Flash / Microsoft / Wire Shark; empty cells were lost in extraction)
    192.168.1.1   SERVER1  Server 2008 R2, Enterprise Edition    581              235907  169935 61554
    192.168.1.2   SERVER2  Server 2008 R2, Standard Edition      691              209365  71453 128586 6141
    192.168.1.3   SERVER3  Server 2012 R2 Standard Edition       384              204333  21536 170173 7161
    192.168.1.4   SERVER4  Server 2008 Enterprise Edition        190              204323  111046 87541
    192.168.1.5   SERVER5  Server 2012 R2 Standard Edition       612              196834  189088
    192.168.1.6   SERVER6  Server 2012 R2 Standard Edition       603              192990  186932
    192.168.1.7   SERVER7  Server 2012 R2 Standard Edition       592              189127  182663
    192.168.1.8   SERVER8  Server 2012 R2 Standard Edition       622              187238  176151 5852
    192.168.1.9   SERVER9  Server 2012 R2 Standard Edition       327              186298  2593 170174 8217
    192.168.1.10  SERVER1  Server 2008 R2, Enterprise Edition    563              185495  179753
Posted by Drew Laden 3 months ago
Hi, I'm learning to use Metasploit on a CTF machine that is publicly accessible over OpenVPN. I cannot get a reverse shell using Metasploit, where I'm very confident that it should work - people in the forum confirm this. I'm running a Kali VirtualBox VM on a Windows 7 host on a laptop. I can ping and have turned off the Windows firewall. I also tried to install everything fresh on a desktop PC on Windows 10 with a fresh Kali VM. Did you experience similar problems or do you have any hint for me?

My ifconfig:

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 10.x.x.x netmask 255.255.255.0
            ...
    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
            inet 127.0.0.1 netmask 255.0.0.0
            ...
    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
            inet 10.y.y.y netmask 255.255.254.0 destination 10.y.y.y
            ...

I know from the forum I should use the tun0 IP. Only one time I had a meterpreter session. It timed out. But now I cannot get a new session, despite all parameters being the same. I use the tun interface. What could be the problem in your opinion? I tried to exploit multiple times. I did set TARGET and set PAYLOAD and set LHOST again. I reset the target machine multiple times, but no luck - no session. But the same worked - only once. I cannot understand this.

Current status:

    msf exploit(exploit) > exploit
    Started reverse TCP handler on 10.y.y.y:4444
    Exploit completed, but no session was created.
    msf exploit(exploit) > show options

    Module options (exploit):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       PATH     /                yes       Path to target webapp
       Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOST    targetIP         yes       The target address
       RPORT    80               yes       The target port (TCP)
       SRVHOST  10.y.y.y         yes       Callback host for accepting connections
       SRVPORT  9000             yes       Port to listen for the debugger
       SSL      false            no        Negotiate SSL/TLS for outgoing connections
       VHOST                     no        HTTP server virtual host

    Payload options (php/meterpreter/reverse_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  10.y.y.y         yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port

    Exploit target:

       Id  Name
       --  ----
       0   Automatic

There must be something else to set up. E.g. there is a remark for LHOST: "an interface may be specified". Should I make: "setg interface tun0"? Or should I somehow clean up my Metasploit? Thanks
Posted by Roman Graf 3 months ago