What's your company doing to prepare for IPv6? Probably not an awful lot. While 10% of the world's top websites now offer IPv6 services, most companies haven't formulated an IPv6 strategy for the network. However, the issue is that most devices you have rolled out in the past 5 years have been IPv6-ready, if not IPv6-enabled. Windows 7 and Windows Server 2008 actually use IPv6 link-local addresses by default. Also think about all the other clients, servers, appliances, routers, and mobile devices you've added to your network in recent years. If you're honest, how do you know that your network is not vulnerable to IPv6 attacks right now?
That's why even if you haven't set up an IPv6 network internally yet, you should test for IPv6 vulnerabilities. Here are some common security issues that you may find:
- Misconfiguration: Not actively planning for IPv6 can introduce dangerous misconfiguration, such as a firewall that has filters set up for IPv4 traffic but accepts all IPv6 traffic. One organization we audited left zone transfers on their DNS server open for IPv6, but blocked for IPv4
- Uneven features: Many systems vendors are having to retrofit IPv6 into their products. Because Rome wasn't built in a day, IPv6 features often lag behind for a while. This uneven feature support for IPv6 can lead to security issues.
- No IPv6 defenses: Some defense mechanisms, such as older IPS systems, may simply be blind to IPv6 traffic, letting it pass through without scrutiny.
Metasploit can now conduct penetration tests on IPv6 networks to uncover these security issues, enabling you to find these issues:
The new IPv6 support is now available in all current editions of Metasploit - download your latest copy now. Security researchers working on IPv6 vulnerabilities can now submit a Metasploit exploit or auxiliary module for use by the security community through Github.
If you're interested in more in-depth information, HD Moore is offering a free training on IPv6 security on March 28. Register now to get it on your calendar!