Among the options listed, Nessus is primarily a vulnerability assessment tool, not an exploit tool. It is used to scan systems, networks, and applications to identify vulnerabilities but does not exploit them. On the other hand, Canvas, Core Impact, and Metasploit are exploit tools designed to actually perform attacks (safely and legally) to demonstrate the impact of vulnerabilities.References:
Tenable, Inc., "Nessus FAQs".
Questions # 22:
Which of the CVSS metrics refer to the exploit quotient of the vulnerability?
The Common Vulnerability Scoring System (CVSS) uses several metrics to assess the severity of vulnerabilities. Among them, the Temporal metric group specifically reflects the exploit quotient of a vulnerability.
Temporal metrics consider factors that change over time after a vulnerability is initially assessed. These include:
Exploit Code Maturity: This assesses the likelihood of the vulnerability being exploited based on the availability and maturity of exploit code.
Remediation Level: The level of remediation available for the vulnerability, which influences the ease of mitigation.
Report Confidence: This metric measures the reliability of the reports about the vulnerability.
These temporal factors directly affect the exploitability and potential threat posed by a vulnerability, adjusting the base score to provide a more current view of the risk.
References
Common Vulnerability Scoring System v3.1: User Guide.
"Understanding CVSS," by FIRST (Forum of Incident Response and Security Teams).
