The new Metasploit version also audits passwords that can compromise entire virtual data centers. This is part of the ongoing development of Rapid7’s innovative vision for security risk assessment for virtualized environments. The first step of this vision was the ability to dynamically discover and scan virtual assets, introduced in Rapid7’s vulnerability management solution, Nexpose. This resulted in Rapid7 becoming the first vulnerability management vendor to be included in VMware’s reference architecture.
“The number of IPv6-enabled systems has quadrupled over the last three years, broadening the attack surface for cyber attackers, with over 10% of the world’s top web sites now offering IPv6 services [1],” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project. “IPv6 is like a parallel universe for intruders. Since most companies focus on the IPv4 side of their networks, security assessments must audit IPv6-enabled internal and external hosts to ensure they don’t lead to a breach. In one case, we audited an organization that had blocked zone transfers on their DNS server for IPv4, but left this common flaw wide open on IPv6.”
Security Assessments Must Cover IPv6, Even In IPv4 Networks
Even though most companies haven’t strategically rolled out IPv6, most new servers, desktops, and mobile devices now configure local IPv6 interfaces out of the box. For example, the default setting in Windows 7 and Windows Server 2008 is to prefer the IPv6 link-local address over the IPv4 address for network shares and management communication. Many organizations are also preparing for the transition by configuring external assets to accept requests from the global IPv6 internet.
Companies typically have a tight grip on the IPv4 side of the network, but less so on IPv6 interfaces, which can introduce dangerous misconfigurations, such as a firewall that has filters set up for IPv4 traffic but accepts all IPv6 traffic. As many vendors are retro-fitting IPv6 to their products, features for IPv4 and IPv6 are often uneven, increasing the likelihood of misconfigurations or vulnerabilities. Some defense mechanisms, such as older IPS systems, may even be completely blind to IPv6 traffic.
Metasploit can now conduct penetration tests on IPv6 networks to uncover these security issues, which can often be easily solved by changing the system’s configurations. To accelerate the coverage of IPv6-related vulnerabilities as they emerge, Rapid7 encourages the security community to contribute exploits and modules to the open source Metasploit Framework.
During the RSA Conference, HD Moore and Tas Giakouminakis, founder & CTO of Rapid7, will speak on a panel session titled "Rising to the Challenge of Vulnerability Management in an IPv6 World" on March 1, 2012 at 8:00 a.m. In addition, HD Moore will provide a free online training on how to uncover IPv6-related security issues on March 28th at 2 p.m. Eastern Time.
Auditing VMware vSphere Web Services Passwords Is Critical
According to the analyst firm Gartner, “more than 80% of enterprises now have a virtualization program or project.” [2] Virtual machines are often used to run anything from business-critical servers to development and testing platforms.
To help automate server deployments and management, VMware, the global leader in virtualization and cloud infrastructure, offers programming interfaces that enable IT professionals to administer virtual machines remotely. These APIs require passwords for authentication.
Metasploit can now run brute force attacks against VMware vSphere Web Services to identify weak passwords. The attack tries common passwords using known information, such as host names and user names, and mutates the passwords to cover complexity requirements. Once an attacker has obtained the password, he can take control of the virtualization host.
“If an attacker finds a weak password on your VMware vSphere Web Service, they may as well have the keys to your physical data center,” said Moore. “Metasploit enables you to audit the security of your virtual hosting passwords to identify threats before a breach occurs.”
During its discovery scan, Metasploit automatically identifies whether a system is a virtual guest or host. Metasploit can also now use compromised vmauthd credentials to collect screenshots of guest virtual machines.
Rapid7 will provide a demo of the virtualization security feature in a webcast on March 21st at 2 p.m. Eastern Time.
Pricing and Availability
Metasploit 4.2 is available immediately from www.rapid7.com. The new features are available in both the open source and commercial editions of Metasploit. For information on pricing, please contact [email protected]. For a free trial, please visit http://www.rapid7.com/downloads/metasploit.jsp.
Rapid7 will be providing demonstrations of Metasploit 4.2 at booth #438 at the RSA Conference in San Francisco, CA next week.
Rapid7 is the leading provider of security risk intelligence solutions. Rapid7's integrated vulnerability management and penetration testing products, Nexpose and Metasploit, empower organizations to obtain accurate, actionable and contextual intelligence into their threat and risk posture. Rapid7's solutions are being used by more than 2,000 enterprises and government agencies in more than 65 countries worldwide, while the Company's free products are downloaded more than one million times per year and enhanced further by over 125,000 security community users and contributors. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. The Company is backed by Bain Capital Ventures and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.