Performing an automated vulnerability assessment using Nexpose

In the previous Setting up Nexpose Vulnerability Scanner on our Kali Machine section, we learned how we can set up the Nexpose scanner on our Kali attacker machine. In this section, we will take a look at how we can use Nexpose to perform automated vulnerability scans on a target machine. 

But first, how does Nexpose identify vulnerabilities in a target?

The idea is very similar to what Nmap does during service discovery. However, Nexpose works on a much bigger scale than just identifying the service running on a specific port. The entire process can be summarized in the following way:

  1. Host discovery: Nexpose sends ICMP echo requests to determine whether a host is alive; hosts that answer are marked as live. Depending on the scan template, hosts that filter ICMP can also be discovered with TCP and UDP probes to common ports.
  2. Port scanning: Once a host is confirmed as alive, Nexpose sends TCP SYN probes to identify open ports listening on TCP. Simultaneously, it sends UDP traffic to identify ports that are listening on UDP only. Nexpose can either probe all ports or only the list of ports predefined in the scan template. The responses are also analyzed for clues about the OS running on the target.
  3. Service discovery: Nexpose then interacts with the open TCP and UDP ports to identify the services running on them.
  4. OS fingerprinting: Data from both the port and service scans is analyzed to identify the OS of the target system. This is not always accurate, so Nexpose attaches a certainty score to the fingerprint to represent how confident it is in the result.
  5. Vulnerability checks: Finally, the identified services are scanned for unconfirmed and confirmed vulnerabilities. For an unconfirmed vulnerability, Nexpose reads the product, version, and patch level from the service banner and cross-references them against its vulnerability database to find known vulnerabilities that affect that version. For example, if Nexpose finds Apache HTTP Server 2.4.1 running on port 80 of a target, it looks up version 2.4.1 in its database and produces a list of the Common Vulnerabilities and Exposures (CVE) identifiers assigned to the vulnerabilities affecting that version. These findings are unconfirmed: the banner alone does not prove the flaw is exploitable (distributions often backport fixes without changing the advertised version), so they need to be tested manually before they are treated as real. Confirmed vulnerabilities, on the other hand, are ones Nexpose has actually verified, for example software shipped with a default password. Nexpose checks whether the software is still running with that default password by attempting to log in, and only reports it as a vulnerability if the login succeeds.
  6. Brute force attacks: By default, Nexpose's scan templates test services such as SSH, Telnet, and FTP for default username and password combinations such as admin:admin or cisco:cisco. Any such finding is added to the report.
  7. Policy check: As an added bonus, Nexpose checks the configuration of the target machines against compliance baselines such as PCI DSS and HIPAA.
  8. Report: Finally, all the findings are compiled into a report and displayed on the screen.

The following figure summarizes the entire process as a waterfall model:

Nexpose can optionally be configured to perform web scans, discover web services, check for vulnerabilities such as SQLi and XSS, and perform web spidering.
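The difference between unconfirmed and confirmed findings in the vulnerability checks step above is easiest to see in code. The following is an added illustration, not Nexpose's own code: `ADVISORIES` is a constructed table with placeholder identifiers (not real CVEs), `fake_telnet_login` is a constructed stand-in for a network login, and the product names and version ranges are chosen only to exercise the logic. The unconfirmed check matches a banner against version ranges; the confirmed check only reports a default credential after a login actually succeeds.

```python
"""Banner-based (unconfirmed) versus login-based (confirmed) checks.

Added illustration, not Nexpose code. ADVISORIES is a constructed table with
placeholder identifiers (not real CVEs); only the matching logic is the point.
"""
import re
from typing import Callable, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed advisory table: an entry applies when introduced <= version < fixed.
ADVISORIES = [
    {"product": "apache", "id": "CVE-0000-0001", "introduced": (2, 4, 0), "fixed": (2, 4, 2)},
    {"product": "apache", "id": "CVE-0000-0002", "introduced": (2, 2, 0), "fixed": (2, 4, 10)},
    {"product": "openssh", "id": "CVE-0000-0003", "introduced": (7, 0, 0), "fixed": (7, 4, 0)},
]

# Default credential pairs of the kind a scan template tries against SSH, Telnet and FTP.
DEFAULT_CREDS = [("admin", "admin"), ("cisco", "cisco"), ("root", "root")]

# Matches "Apache/2.4.1 (Ubuntu)" or "OpenSSH_7.2p2": product, separator, dotted version.
BANNER_RE = re.compile(r"(?P<product>[A-Za-z][\w-]*)[/_](?P<version>\d+(?:\.\d+)*)")


def parse_banner(banner: str) -> Optional[Tuple[str, Version]]:
    """Extract (product, version) from a service banner, or None if unrecognised.

    Versions are compared as integer tuples, never as strings: "2.4.10" is newer
    than "2.4.2", which a lexical comparison gets backwards."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    parts = [int(p) for p in m.group("version").split(".")][:3]
    while len(parts) < 3:
        parts.append(0)
    return m.group("product").lower(), (parts[0], parts[1], parts[2])


def unconfirmed_findings(banner: str) -> List[str]:
    """Advisory IDs whose affected range covers the version advertised in the banner.

    This is evidence, not proof: vendors backport fixes without changing the
    version string, so each hit stays unconfirmed until verified on the host."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [a["id"] for a in ADVISORIES
            if a["product"] == product and a["introduced"] <= version < a["fixed"]]


def confirmed_default_credentials(
    login: Callable[[str, str], bool],
    candidates: Iterable[Tuple[str, str]] = DEFAULT_CREDS,
) -> Optional[Tuple[str, str]]:
    """Try each default pair against a login function; report only a working one."""
    for user, password in candidates:
        if login(user, password):
            return (user, password)
    return None


def fake_telnet_login(user: str, password: str) -> bool:
    """Constructed stand-in for a network login; a real check would speak to the service."""
    return (user, password) == ("cisco", "cisco")


if __name__ == "__main__":
    for banner in ("Server: Apache/2.4.1 (Ubuntu)", "Server: Apache/2.4.10",
                   "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"):
        print(banner, "->", unconfirmed_findings(banner) or "no version-based findings")
    print("confirmed default credentials:", confirmed_default_credentials(fake_telnet_login))
```

The Apache 2.4.10 banner produces no findings even though it sorts before 2.4.2 as a string, which is why version comparison must be numeric; the Telnet check returns a finding only because the (constructed) login accepted cisco:cisco.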

Let's start scanning the target server:

  1. Create an SSH tunnel from your workstation to the Kali machine, forwarding local port 3780 to port 3780 on the Kali machine, which is where the Nexpose console listens.
  2. If the Nexpose service isn't running, start it with the following command:
sudo systemctl start nexposeconsole.service
  3. Point your browser to https://localhost:3780. The console ships with a self-signed certificate, so expect a browser warning on first connection.

Once the initialization is complete, we're welcomed by the Nexpose home screen:

  1. Here, we need to click on Create New Site to start a new scan on the Jenkins target that we set up earlier. Give the site any name you want:

  2. Now add your target IP addresses. The targets can be a range of IPs, individual IPs separated by commas, or an entire subnet in CIDR notation:

  3. Set the scan type to Exhaustive. There are a number of scan templates available, each suited to a particular use case. We use Exhaustive so that Nexpose checks all ports, TCP and UDP, rather than only the well-known ones, at the cost of a much longer scan. A Discovery Scan, by contrast, only discovers live hosts in a network, whereas HIPAA compliance only checks the configuration and policies of a target against the HIPAA baseline. Start the scan and wait for it to finish:
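Before starting an exhaustive scan it is worth checking exactly which hosts the target field will resolve to. The following added example, not part of the page or of Nexpose, expands the three target forms named above (single address, first-last range, CIDR subnet, comma-separated) into individual addresses and flags any that fall outside an authorised scope. The sample specifications and the `authorised` scope string are constructed for the example.

```python
"""Expand a Nexpose-style target list and check it against an authorised scope.

Added example, not part of Nexpose. Assumes the target forms named in the text:
a single address, a range written as first-last, and CIDR notation, separated
by commas. The scope string for out_of_scope() accepts single addresses and CIDRs.
"""
import ipaddress
from typing import List


def _range_addresses(item: str) -> List[str]:
    lo_s, hi_s = item.split("-", 1)
    lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
    if hi < lo:
        raise ValueError(f"range end precedes start: {item}")
    # summarize_address_range covers first..last exactly with a few networks;
    # iterating each network yields every address in it, with no host skipping.
    return [str(a) for net in ipaddress.summarize_address_range(lo, hi) for a in net]


def _cidr_addresses(item: str) -> List[str]:
    net = ipaddress.ip_network(item, strict=False)  # strict=False accepts 10.0.0.5/24
    # Scan only usable hosts: drop the network and broadcast addresses of an
    # ordinary subnet, but keep every address of a /31 or /32.
    if net.prefixlen >= net.max_prefixlen - 1:
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]


def expand_targets(spec: str) -> List[str]:
    """Individual addresses named by a comma-separated target spec,
    in order of first appearance, without duplicates."""
    seen, out = set(), []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "/" in item:
            addrs = _cidr_addresses(item)
        elif "-" in item:
            addrs = _range_addresses(item)
        else:
            addrs = [str(ipaddress.ip_address(item))]
        for a in addrs:
            if a not in seen:
                seen.add(a)
                out.append(a)
    return out


def out_of_scope(spec: str, authorised: str) -> List[str]:
    """Addresses in spec not covered by any network in the authorised scope.

    Run this before launching a scan: an exhaustive template aimed at a target
    typed one octet wrong hits somebody else's hosts, not your lab."""
    allowed = [ipaddress.ip_network(s.strip(), strict=False)
               for s in authorised.split(",") if s.strip()]
    return [a for a in expand_targets(spec)
            if not any(ipaddress.ip_address(a) in net for net in allowed)]


if __name__ == "__main__":
    spec = "10.0.0.0/29, 10.0.0.20-10.0.0.22, 10.0.1.7"   # constructed sample
    authorised = "10.0.0.0/24"                               # constructed scope
    print("targets:", expand_targets(spec))
    print("outside authorised scope:", out_of_scope(spec, authorised))
```

A /29 expands to six usable hosts (the network and broadcast addresses are skipped), an explicit range includes both endpoints, and any address the rules of engagement do not cover is listed so the scan can be corrected before it starts.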

As with Nessus in Chapter 3, Exploitation on the Cloud using Kali Linux, Nexpose comes up with a lot of information, including the services running on our target:

We also see a few vulnerabilities it has identified:

It has, however, failed to detect our vulnerable Jenkins service. Typically, a Jenkins login would have to be brute-forced to find a valid set of credentials. Here, we have taken the liberty of assuming that we already have the login credentials. In the next section, we'll see how we can exploit such a vulnerable service and own the target server.
