Metasploit And Rapid7- Integration Review From a Beta-Tester

Download the Vmware Virtual Appliance

I have been conducting security assessments since 1995. When I started my consultancy, Garrison Technologies, in 1994 commercial firewalls did not exist. That being said, the ride has been interesting. I had seen the ISS scanner well before it was commercial- often shared amongst the hack and phreak crowds in the late 80′s. I utilize a combination of open source and commercial tools when conducting my assessments. For the last year Rapid7′s Nexpose has been one of the more prominent tools in my bag.

I was approached back around August 13^th to beta test and give any feedback I may have. I installed the application on a Vmware virtual appliance running Ubuntu 8.10. Installation basically consisted of installing Rapid7, and then installing Metasploit with the web interface. It was straight forward- no stumbling blocks yet..

Upon launching the scanner, and logging into the console, nothing appeared noticeably different. When reviewing scan results is when the integration was revealed. The # of exploits available were shown along with the # of vulnerabilities in the environment. Equally, when diving into results there was an additional Exploitation box where exploits where indeed available within Metasploit. Clicking through the URLs launched the Metasploit web interface, pre-loaded with results from the scan. While it was clear the UI was not written by the same group, the functionality worked great!
Download the Vmware Virtual Appliance if you:

• Are using Nessus to scan your environment
• Have a SAAS solution that is using Nessus as a back-end scanning engine
• Looking to validate the results of your vulnerability scans
• Are looking for a comprehensive vulnerability & penetration testing toolset

Those of you who are running Nessus, or leveraging vendors who use Nessus as the underlying scanning engine, I urge you to at minimum try a virtual appliance. I personally see huge reductions in false positives, and identification of vulnerabilities that Nessus does not. Equally, if you need to validate the results of your scans, to ensure the results are accurate & compromise is indeed possible, this is a great merger.