The new Metasploit version also audits passwords that can compromise entire virtual data centers.
“The number of IPv6-enabled systems has quadrupled over the last three years, broadening the attack surface for cyber attackers, with over 10% of the world’s top web sites now offering IPv6 services[1],” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project. “IPv6 is like a parallel universe for intruders. Since most companies focus on the IPv4 side of their networks, security assessments must audit IPv6-enabled internal and external hosts to ensure they don’t lead to a breach. In one case, we audited an organization that had blocked zone transfers on their DNS server for IPv4, but left this common flaw wide open on IPv6.”
Security assessments must cover IPv6, even in IPv4 networks
Even though most companies haven’t strategically rolled out IPv6, most new servers, desktops, and mobile devices now configure local IPv6 interfaces out of the box. For example, the default setting in Windows 7 and Windows Server 2008 is to prefer the IPv6 link-local address over the IPv4 address for network shares and management communication. Many organizations are also preparing for the transition by configuring external assets to accept requests from the global IPv6 internet.
Companies typically have a tight grip on the IPv4 side of the network, but less so on IPv6 interfaces, which can introduce dangerous misconfigurations, such as a firewall that has filters set up for IPv4 traffic but accepts all IPv6 traffic. As many vendors are retro-fitting IPv6 to their products, features for IPv4 and IPv6 are often uneven, increasing the likelihood of misconfigurations or vulnerabilities. Some defense mechanisms, such as older IPS systems, may even be completely blind to IPv6 traffic.
Metasploit can now conduct penetration tests on IPv6 networks to uncover these security issues, which can often be easily solved by changing the system’s configurations. To accelerate the coverage of IPv6-related vulnerabilities as they emerge, Rapid7 encourages the security community to contribute exploits and modules to the open source Metasploit Framework.
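As an added illustration (not code from Metasploit or from the original release), the check below compares a constructed iptables-save dump with its ip6tables-save counterpart and flags the case described above: IPv4 filtered, IPv6 wide open. The corrected IPv6 ruleset keeps ICMPv6 open because neighbor discovery depends on it.

```python
# Added audit helper (constructed example, not Metasploit or article code):
# compare the INPUT chain of an iptables-save dump with its ip6tables-save
# counterpart and flag an IPv6 ruleset that is weaker than the IPv4 one.
import re
# Constructed dumps. IPv4 admits only SSH and HTTPS and drops everything else.
IPTABLES_V4 = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
# The misconfiguration from the text: IPv6 has no filtering at all.
IP6TABLES_OPEN = """\
*filter
:INPUT ACCEPT [0:0]
COMMIT
"""
# Corrected: IPv6 mirrors IPv4; ICMPv6 stays open because neighbor discovery needs it.
IP6TABLES_FIXED = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
POLICY_RE = re.compile(r":INPUT (\w+)")
ACCEPT_RE = re.compile(r"-A INPUT .*-p (tcp|udp) .*--dport (\d+) .*-j ACCEPT")

def parse_input_chain(dump):
    """Return the INPUT default policy and the set of explicitly accepted proto/ports."""
    policy, accepted = None, set()
    for line in dump.splitlines():
        if m := POLICY_RE.match(line):
            policy = m.group(1)
        elif m := ACCEPT_RE.match(line):
            accepted.add(f"{m.group(1)}/{m.group(2)}")
    return {"policy": policy, "accepted": accepted}

def ipv6_gaps(v4_dump, v6_dump):
    """A default-accept IPv6 policy exposes every port regardless of explicit rules;
    v4_only_allows lists ports the IPv4 side filters but IPv6 never mentions."""
    v4, v6 = parse_input_chain(v4_dump), parse_input_chain(v6_dump)
    return {
        "v6_default_accept": v6["policy"] == "ACCEPT",
        "v4_only_allows": sorted(v4["accepted"] - v6["accepted"]),
        "v6_only_allows": sorted(v6["accepted"] - v4["accepted"]),
    }
```

On a real host, feed the check the output of `iptables-save` and `ip6tables-save`; a `v6_default_accept` of True is the finding to act on first.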
Auditing VMware vSphere web services passwords is critical
Metasploit can now run brute force attacks against VMware vSphere Web Services to identify weak passwords. The attack tries common passwords using known information, such as host names and user names, and mutates the passwords to cover complexity requirements. Once an attacker has obtained the password, he can take control of the virtualization host.
“If an attacker finds a weak password on your VMware vSphere Web Service, they may as well have the keys to your physical data center,” said Moore. “Metasploit enables you to audit the security of your virtual hosting passwords to identify threats before a breach occurs.”
During its discovery scan, Metasploit automatically identifies whether a system is a virtual guest or host. Metasploit can also now use compromised vmauthd credentials to collect screenshots of guest virtual machines.