Metasploit identifies IPv6 security risks

Rapid7 announced that the new version of its penetration testing solution, Rapid7 Metasploit 4.2, allows organizations to assess the security posture of IPv6 enabled systems.

Metasploit users can now fully test whether IPv6 addresses on their network are vulnerable to cyber-attacks. This is particularly important for organizations that have not consciously rolled out IPv6 on their IPv4 network, often neglecting the new version of the internet protocol completely. The new Metasploit version also audits passwords that can compromise entire virtual data centers.

This is part of the ongoing development of Rapid7’s innovative vision for security risk assessment for virtualized environments. The first step of this vision was the ability to dynamically discover and scan virtual assets, introduced in Rapid7’s vulnerability management solution, Nexpose. This resulted in Rapid7 becoming the first vulnerability management vendor to be included in VMware’s reference architecture.

“The number of IPv6-enabled systems has quadrupled over the last three years, broadening the attack surface for cyber attackers, with over 10% of the world’s top web sites now offering IPv6 services,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project. “IPv6 is like a parallel universe for intruders. Since most companies focus on the IPv4 side of their networks, security assessments must audit IPv6-enabled internal and external hosts to ensure they don’t lead to a breach. In one case, we audited an organization that had blocked zone transfers on their DNS server for IPv4, but left this common flaw wide open on IPv6.”

Even though most companies haven’t strategically rolled out IPv6, most new servers, desktops, and mobile devices now configure local IPv6 interfaces out of the box. For example, the default setting in Windows 7 and Windows Server 2008 is to prefer the IPv6 link-local address over the IPv4 address for network shares and management communication. Many organizations are also preparing for the transition by configuring external assets to accept requests from the global IPv6 internet.

Companies typically have a tight grip on the IPv4 side of the network, but less so on IPv6 interfaces, which can introduce dangerous misconfigurations, such as a firewall that has filters set up for IPv4 traffic but accepts all IPv6 traffic. As many vendors are retro-fitting IPv6 to their products, features for IPv4 and IPv6 are often uneven, increasing the likelihood of misconfigurations or vulnerabilities. Some defense mechanisms, such as older IPS systems, may even be completely blind to IPv6 traffic.
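The firewall gap described above can be checked from the host side by comparing the IPv4 and IPv6 rulesets. The following is an added example, not code from the article or from Metasploit: it parses constructed `iptables -S` / `ip6tables -S` style dumps and reports chains and ports that IPv4 filters but IPv6 does not.

```python
"""Audit IPv4 vs IPv6 firewall policy parity from `iptables -S` style dumps."""
import re
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str]  # (chain, proto, dport, target)

# Constructed sample dumps (not from a real host): IPv4 is locked down,
# IPv6 was never given the same defaults and accepts everything not listed.
V4_RULES = """\
-P INPUT DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j DROP
-A INPUT -p tcp --dport 53 -j DROP
"""
V6_RULES = """\
-P INPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
"""

POLICY_RE = re.compile(r"^-P (\S+) (\S+)$")
RULE_RE = re.compile(r"^-A (\S+) -p (\S+) --dport (\d+) -j (\S+)$")


def parse_rules(dump: str) -> Tuple[Dict[str, str], Set[Rule]]:
    """Return (chain -> default policy, set of explicit per-port rules)."""
    policies: Dict[str, str] = {}
    rules: Set[Rule] = set()
    for line in dump.splitlines():
        if m := POLICY_RE.match(line):
            policies[m.group(1)] = m.group(2)
        elif m := RULE_RE.match(line):
            rules.add(m.groups())  # type: ignore[arg-type]
    return policies, rules


def ipv6_gaps(v4_dump: str, v6_dump: str) -> List[str]:
    """List what IPv4 filters that IPv6 does not: weaker default policies
    and DROP rules that are missing on a chain whose IPv6 default is not DROP."""
    v4_pol, v4_rules = parse_rules(v4_dump)
    v6_pol, v6_rules = parse_rules(v6_dump)
    gaps: List[str] = []
    for chain, pol in v4_pol.items():
        if pol == "DROP" and v6_pol.get(chain, "ACCEPT") == "ACCEPT":
            gaps.append(f"chain {chain}: IPv4 policy DROP but IPv6 policy ACCEPT")
    for chain, proto, port, target in sorted(v4_rules - v6_rules):
        if target == "DROP" and v6_pol.get(chain, "ACCEPT") != "DROP":
            gaps.append(f"chain {chain}: {proto}/{port} dropped on IPv4 but open on IPv6")
    return gaps


if __name__ == "__main__":
    for gap in ipv6_gaps(V4_RULES, V6_RULES):
        print(gap)
```

Running it on the sample dumps flags the open IPv6 default policy and the two ports (3389 and 53) that only the IPv4 ruleset blocks.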

Metasploit can now conduct penetration tests on IPv6 networks to uncover these security issues, which can often be easily solved by changing the system’s configurations. To accelerate the coverage of IPv6-related vulnerabilities as they emerge, Rapid7 encourages the security community to contribute exploits and modules to the open source Metasploit Framework.

Virtual machines are often used to run anything from business-critical servers to development and testing platforms. To help automate server deployments and management, VMware offers programming interfaces that enable IT professionals to administer virtual machines remotely. These APIs require passwords for authentication.

Metasploit can now run brute force attacks against VMware vSphere Web Services to identify weak passwords. The attack tries common passwords using known information, such as host names and user names, and mutates the passwords to cover complexity requirements. Once an attacker has obtained the password, he can take control of the virtualization host.

During its discovery scan, Metasploit automatically identifies whether a system is a virtual guest or host. Metasploit can also now use compromised vmauthd credentials to collect screenshots of guest virtual machines.

The new features are available in both the open source and commercial editions of Metasploit.
