Metasploit Identifies IPv6 Security Risks

Penetration Testing Solution Assesses Virtual Datacenter Security

Boston, MA — 2月 22, 2012

Rapid7, the leading provider of security risk intelligence solutions, today announced that the new version of its leading penetration testing solution, Rapid7® Metasploit 4.2, allows organizations to assess the security posture of IPv6 enabled systems. Metasploit users can now fully test whether IPv6 addresses on their network are vulnerable to cyber-attacks. This is particularly important for organizations that have not consciously rolled out IPv6 on their IPv4 network, often neglecting the new version of the internet protocol completely.

The new Metasploit version also audits passwords that can compromise entire virtual data centers. This is part of the ongoing development of Rapid7's innovative vision for security risk assessment for virtualized environments. The first step of this vision was the ability to dynamically discover and scan virtual assets, introduced in Rapid7's vulnerability management solution, Nexpose. This resulted in Rapid7 becoming the first vulnerability management vendor to be included in VMware's reference architecture.

"The number of IPv6-enabled systems has quadrupled over the last three years, broadening the attack surface for cyber attackers, with over 10% of the world's top web sites now offering IPv6 services1," said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project. "IPv6 is like a parallel universe for intruders. Since most companies focus on the IPv4 side of their networks, security assessments must audit IPv6-enabled internal and external hosts to ensure they don't lead to a breach. In one case, we audited an organization that had blocked zone transfers on their DNS server for IPv4, but left this common flaw wide open on IPv6."

Security Assessments Must Cover IPv6, Even In IPv4 Networks

Even though most companies haven't strategically rolled out IPv6, most new servers, desktops, and mobile devices now configure local IPv6 interfaces out of the box. For example, the default setting in Windows 7 and Windows Server 2008 is to prefer the IPv6 link-local address over the IPv4 address for network shares and management communication. Many organizations are also preparing for the transition by configuring external assets to accept requests from the global IPv6 internet.

Companies typically have a tight grip on the IPv4 side of the network, but less so on IPv6 interfaces, which can introduce dangerous misconfigurations, such as a firewall that has filters set up for IPv4 traffic but accepts all IPv6 traffic. As many vendors are retro-fitting IPv6 to their products, features for IPv4 and IPv6 are often uneven, increasing the likelihood of misconfigurations or vulnerabilities. Some defense mechanisms, such as older IPS systems, may even be completely blind to IPv6 traffic.

Metasploit can now conduct penetration tests on IPv6 networks to uncover these security issues, which can often be easily solved by changing the system's configurations. To accelerate the coverage of IPv6-related vulnerabilities as they emerge, Rapid7 encourages the security community to contribute exploits and modules to the open source Metasploit Framework.

During the RSA Conference, HD Moore and Tas Giakouminakis founder & CTO of Rapid7, will speak on a panel session titled, "Rising to the Challenge of Vulnerability Management in an IPv6 World" on March 1, 2012 at 8:00 a.m. In addition, HD Moore will provide a free online training on how to uncover IPv6-related security issues on March 28th at 2 p.m. Eastern Time.

Auditing VMware vSphere Web Services Passwords Is Critical

According to the analyst firm Gartner, "more than 80% of enterprises now have a virtualization program or project."2 Virtual machines are often used to run anything from business-critical servers to development and testing platforms.

To help automate server deployments and management, VMware, the global leader in virtualization and cloud infrastructure, offers programming interfaces that enable IT professionals to administer virtual machines remotely. These APIs require passwords for authentication.

Metasploit can now run brute force attacks against VMware vSphere Web Services to identify weak passwords. The attack tries common passwords using known information, such as host names and user names, and mutates the passwords to cover complexity requirements. Once an attacker has obtained the password, he can take control of the virtualization host.

"If an attacker finds a weak password on your VMware vSphere Web Service, they may as well have the keys to your physical data center," said Moore. "Metasploit enables you to audit the security of your virtual hosting passwords to identify threats before a breach occurs."

During its discovery scan, Metasploit automatically identifies whether a system is a virtual guest or host. Metasploit can also now use compromised vmauthd credentials to collect screenshots of guest virtual machines.

Rapid7 will provide a demo of the virtualization security feature in a webcast on March 21st at 2 p.m. Eastern Time.

Pricing and Availability

Metasploit 4.2 is available immediately from www.rapid7.com. The new features are available in both the open source and commercial editions of Metasploit. For information on pricing please contact info@rapid7.com.  Rapid7 will be providing demonstrations of Metasploit 4.2 at booth #438 at the RSA Conference in San Francisco, CA next week.

1 Alexa stats as quoted on http://bgp.he.net/ipv6-progress-report.cgi
2 Virtualization Reality, Gartner

About Rapid7

Rapid7 security analytics software and services reduce threat exposure and detect compromise for 3,000 organizations across 78 countries, including over 250 of the Fortune 1000. We understand the attacker better than anyone and build that insight into our solutions to improve risk management and stop threats faster. We offer advanced capabilities for vulnerability management, penetration testing, controls assessment, incident detection and investigation across your assets and users for virtual, mobile, private and public cloud networks. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com.

Media Contact