We are running monthly reports that include Vulnerability/Proof/Solution information for the 10 highest-risk machines per site. There are different ways to output the vulnerability info via the built-in templates or a SQL query, but I have no idea how to select the 10 machines with the highest risk per site automatically. The idea is to have many sites in the scope. The vulnerability solution can be a rollup. I am looking for the fields below: IP Address, Hostname, Risk Score, Vulnerability Title, Vulnerability Description, CVEs (maybe in a comma-delimited list), CVSS Score, Patch Required. If it won't make it too complicated, Certainty and Owners fields would be great as well.
Posted by prashanth sedhumadhavan 3 months ago
Hi, I just installed Metasploit Framework on Windows 10. It installed correctly, but I have a problem. I am trying to connect to the database in msfconsole. After running db_status, it says there's a database but it's not connected. I tried "msfdb init" and "msfdb.bat init" but it gives the error:

```
Starting database at C:/Users/MikeH/.msf4/db...failed
C:/metasploit-framework/bin/../embedded/framework/msfdb:68:in `readlines': No such file or directory @ rb_sysopen - C:/Users/MikeH/.msf4/db/log (Errno::ENOENT)
	from C:/metasploit-framework/bin/../embedded/framework/msfdb:68:in `tail'
	from C:/metasploit-framework/bin/../embedded/framework/msfdb:119:in `start_db'
	from C:/metasploit-framework/bin/../embedded/framework/msfdb:195:in `init_db'
	from C:/metasploit-framework/bin/../embedded/framework/msfdb:316:in `<main>'
```

Also, "systemctl start PostgreSQL" doesn't work either. So how do I fix this so I can start using the framework? On Windows. Please reply. Thanks
Posted by Mike Held 3 months ago
I used to be able to pull the status of engines via the Ruby API bindings (Connection.list_engines). With API v3, I see no way to pull engine status from the API. The best I can get is lastRefreshDate. Am I missing something, or is this truly gone? Forcing a refresh and checking for an error would be an OK workaround, but I don't see that either.
Posted by Noah Birnel 4 months ago
Hi all, I am using Nexpose and having difficulty managing vulnerabilities which actually share the same solution. For example, 15 PHP CVE-xxx vulnerabilities exist and all of them need to be resolved by updating the PHP version. This situation leads to a massive increase in vulnerability numbers in reports, and the assigned people have a difficult time since they need to go over the same type of vulnerability several times. Actually, I am looking for an option like the one in Nessus, which is "Hide results from plugins initiated as a dependency". Does anyone have any recommendation for us to make things easier in this situation? The Top Remediation report helps a little bit; however, the console still lists all vulnerabilities. Regards
Posted by Onur A 4 months ago
Can I revise the criticality value of a vulnerability? For example, I have a vulnerability in Python. Its CVSS score is 9 - high. I've made an analysis and come to the conclusion that the risk of this vulnerability being exploited is low for us, and I want to reset the criticality of this vulnerability to low. How can I do it in Nexpose?
Posted by Maxim Korovenkov 4 months ago
Hello, I know there are a few policy checks to test whether accounts like the local admin/guest accounts are disabled, but is there a way to check if any other accounts are listed as disabled within Nexpose? It looks like a list of accounts and groups is enumerated once an asset is scanned, but I don't see any way to check their status.
Posted by Robert DeBellis 4 months ago
Looking through Nexpose for libssh server banners, I haven't seen the banners being fingerprinted. I've done initial triage with SQL reports via SSH banners, but I was curious if anyone else has already written a solid libssh fingerprint that I can borrow to write a basic vulnerability check? https://www.libssh.org/security/advisories/CVE-2018-10933.txt https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access/ My initial libssh banner report (the duplicate GROUP BY columns in the original have been removed):

```
WITH asset_ips AS (
  -- All IPv4/IPv6 addresses per asset
  SELECT asset_id, ip_address, type
  FROM dim_asset_ip_address
),
asset_addresses AS (
  -- Comma-separated IPv4, IPv6 and MAC lists per asset
  SELECT da.asset_id,
    (SELECT array_to_string(array_agg(ip_address), ',')
       FROM asset_ips WHERE asset_id = da.asset_id AND type = 'IPv4') AS ipv4s,
    (SELECT array_to_string(array_agg(ip_address), ',')
       FROM asset_ips WHERE asset_id = da.asset_id AND type = 'IPv6') AS ipv6s,
    (SELECT array_to_string(array_agg(mac_address), ',')
       FROM dim_asset_mac_address WHERE asset_id = da.asset_id) AS macs
  FROM dim_asset da
  JOIN asset_ips USING (asset_id)
),
asset_names AS (
  -- Comma-separated host names per asset
  SELECT asset_id, array_to_string(array_agg(host_name), ',') AS names
  FROM dim_asset_host_name
  GROUP BY asset_id
),
banners AS (
  -- One row per asset/port/service/config name, values aggregated
  SELECT da.asset_id AS asset_id,
    dasc.port AS port,
    ds.name AS ds_name,
    ' [' || dasc.name::text || ': ' || array_to_string(array_agg(dasc.value), ', ')::text || ']' AS banner_info
  FROM dim_asset da
  JOIN dim_asset_service_configuration dasc USING (asset_id)
  JOIN dim_service ds USING (service_id)
  GROUP BY da.asset_id, da.ip_address, dasc.port, ds.name, dasc.name
)
SELECT da.ip_address AS "Asset IP Address",
  an.names AS "Asset Names",
  csv(ds.name) AS "Sites",
  banners.port,
  banners.ds_name,
  csv(banners.banner_info) AS "Banner Info"
FROM dim_asset da
LEFT OUTER JOIN asset_addresses aa USING (asset_id)
LEFT OUTER JOIN asset_names an USING (asset_id)
JOIN banners USING (asset_id)
JOIN dim_site_asset USING (asset_id)
JOIN dim_site ds USING (site_id)
WHERE banners.banner_info ILIKE '%libssh%'
GROUP BY da.ip_address, ds.name, banners.port, banners.ds_name, an.names
ORDER BY da.ip_address, banners.port
```
Posted by BrianWGray 4 months ago
I'm seeing some vulnerabilities show up and I am unable to determine where the conclusion is coming from. The proof simply states that the software is installed, but I do not see it. Where can I see the details of the check InsightVM uses for, for example, flash_player-cve-2018-15967-adobe-flash-apsb18-31-windows-30-0-0-154? There must be a file or registry key it is seeing to think this is an issue.
Posted by Charles Burch 4 months ago
I currently have a ticket open with support, but I am curious if anyone else that is utilizing the agents is getting the issue with the agent not sending the beacon? This is not an issue on all of our assets, but a full reinstall of the agent did not fix the issue. The correct addresses are whitelisted and the assets are able to telnet on port 443 to verify they can establish a connection. The agents were working for a good period of time, then around 10% of our assets that have agents stopped scanning.

```
2018-09-21 13:46:20,478 [WARNING] [agent.agent_beacon]: Failed to send beacon: No server available
2018-09-21 13:46:20,478 [WARNING] [agent.agent_beacon]: Beacon did not run successfully!
```

I tried searching the KB and noticed another user had a similar issue but did not see any replies. I was curious if anyone else was experiencing this at all?
Posted by Andrew Vaughan 4 months ago
Posted by asad tanwir 4 months ago
When creating a custom policy with the XML document, I want to change a check so that it makes sure something is not configured, rather than configured to a specific group or specifically no one. For example, in this section:

```
<xhtml:p>To implement the recommended configuration state, set the following Group Policy setting to <xhtml:span class="inline_block">No One</xhtml:span>:</xhtml:p> <xhtml:code class="code_block">
```

Instead of setting it to "No One", I want to make sure it is not configured. How can I do this?
Posted by Connor Blanchette 4 months ago
Following the documentation, I am trying to filter out some containers. The current param is `--skipByImage ^rancher\S*`. I am still getting entries from containers whose image begins with rancher. I've tried `--skipByImage='^rancher\S*'`, `--skipByImage='/^rancher\S*/gm'` and several other permutations. Could use some help with this. Thanks.
Posted by Christopher Krull 4 months ago
I want to add a list of IPs (currently in a CSV file) that I want to exclude, and add it to the global exclusions list on Nexpose, ideally via a Ruby script to automate the process. I know we can add IPs to an asset group, but can the same process be done for adding IPs to the global exclusion list? Can anyone point me in the right direction or share an example of a Ruby script I can use to help me get started? Thanks for your help in advance.
Posted by Yasin Patel 4 months ago
Hi, we are planning a Nexpose deployment with one Nexpose engine inside a site where the Nexpose console doesn't have access (the engine initiates communication with the console), and the AD server and DNS server are both inside this site (again not visible to the console). We must use an AD connection, so I have a couple of questions about how exactly it works:

1) It's said it pulls assets from AD once a day. At what time? Is it configurable? Can the result of it be seen in a log file?

2) Who pulls the assets from AD, the console or the engine? Is it configurable?

3) Does the AD connection pull only asset names, not the assets' IPs? (AFAIK AD doesn't hold IP addresses, but I want to be 100% sure.)

4) Who, and at what event exactly, resolves the assets' IP addresses based on the names gained from AD? Console? Engine? Is it configurable? Does it do it at the first discovery scan only, and then if an IP is already assigned to an asset it doesn't recheck it in DNS? Or does it?

Thanks. J.
Posted by Jiri Dohnal 4 months ago
I am working to set up an integration between InsightVM and Jira for remediation tickets and wanted to see how others are doing it. Is there a specific project type that people have found more useful than others, or ones that do not work?
Posted by Sean 4 months ago