Nessus 3.2 BETA - IPv6 Scanning

Nessus 3.2 will support scanning of IPv6 addresses. The current BETA (released as Nessus 3.1.3) can be used to perform scans of IPv6 addresses. This blog entry shows how to use the current Nessus 3.2 BETA to perform such a scan from the UNIX command line.

Why Scan for IPv6 Addresses?

More and more operating systems are shipping with IPv6 enabled by default. Both Vista and OS X ship with IPv6 stacks. The presence of IPv6 on your network may dramatically alter how computers communicate with each other and connect to the Internet. Communication that occurs over IPv6 may not be blocked by local or network firewalls, observed by a network IDS, or even correctly logged by your SIM.

For compliance and corporate governance reasons, if you are not detecting IPv6 enabled devices, then you may have unauthorized or misconfigured devices and not know it.

And lastly, one of the more interesting abuses of IPv6 is that in some default situations, an unauthorized or compromised IPv6 host can "declare" itself the router, and then make your entire internal network globally available through the use of a tunnel.

Scanning IPv6 Enabled Systems

If you are used to scanning IPv4 enabled systems, IPv6 can add some new twists. For example, having an active IPv6 address might not allow you to connect to the TCP and UDP services as you can under IPv4. Simply installing an IPv6 address and then scanning the system might not allow connectivity to the various UDP or TCP services.

If you do add an IPv6 address to a host, you may need to restart the application(s) for them to actually "bind" to the IPv6 TCP or UDP sockets. In some cases, depending on the OS and the application, a system reboot or even new application software may be required.

Obtaining Nessus 3.1.3

The current BETA of Nessus 3.2 is available as Nessus 3.1.3 in packages for many different Linux distributions and also for FreeBSD. If you have an operational Nessus 3.0.x install (such as the currently available 3.0.5 release), you should consider running the 3.2 BETA on a separate host rather than upgrading an operational server.

Target Selection

Before running any IPv6 scans, your Linux or FreeBSD scanner needs an IPv6 address on one or more of its interfaces.

IPv6 addresses can be specified directly in the list of targets. In addition, the "link6" target can be used to "ping" the local network for any listening IPv6 addresses.

When specifying a local IPv6 address (starting with fe80::) as a Nessus scan target, the name of the scanning device's local network interface must be appended after a "%" sign. For example, the following IPv6 target addresses are correct:

  • link6%eth0
  • fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0
  • fe80::212:17ff:fe57:333b%dc0

If you were scanning a non-local address, the interface name would not be required. Both full and compressed IPv6 notations are supported.
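As an added example (not part of the original post and not Nessus code), the following Python check applies the target rules above to a target file before it is handed to nessus: a link-local (fe80::) address and the "link6" sweep must carry a "%interface" suffix, a global address does not need one, and both full and compressed notation are accepted and normalized. The target list and interface names are constructed for the example.

```python
import ipaddress

# Target list constructed for this example; interface names are hypothetical.
SAMPLE_TARGETS = """\
link6%eth0
fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0
fe80::212:17ff:fe57:333b%dc0
fe80::1
link6
2001:db8::10
2001:db8::20%eth0
not-an-address
"""

def check_target(line):
    """Classify one Nessus IPv6 target line.

    Returns (status, detail) with status 'ok', 'warn' or 'error'.
    Link-local targets (fe80::/10) and the link6 sweep need the scanner's
    interface after a '%' sign; global addresses do not.
    """
    target = line.strip()
    addr, sep, iface = target.partition("%")
    if addr == "link6":
        if not iface:
            return "error", "link6 needs an interface, e.g. link6%eth0"
        return "ok", f"local-link sweep on {iface}"
    try:
        ip = ipaddress.IPv6Address(addr)      # accepts full and compressed forms
    except ValueError:
        return "error", f"{addr!r} is not an IPv6 address"
    if ip.is_link_local and not iface:
        return "error", f"{ip} is link-local and needs a %interface suffix"
    if not ip.is_link_local and iface:
        return "warn", f"{ip} is not link-local; %{iface} is not required"
    # str(ip) is the compressed notation, so the detail is the normalized target
    return "ok", f"{ip}{sep}{iface}"

def check_target_file(text):
    """Return [(target, status, detail)] for every non-blank line of a target file."""
    return [(t.strip(), *check_target(t)) for t in text.splitlines() if t.strip()]

if __name__ == "__main__":
    for target, status, detail in check_target_file(SAMPLE_TARGETS):
        print(f"{status:5} {target:45} {detail}")
```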

Running a Scan from the Command Line

When running a Nessus scan from the command line, the nessus client tool is used to connect to a remote Nessus scanner with the following format:

nessus -c <policy> <IP> <port> <user> <pass> <target file> <output file>

For scanning IPv6 networks, nothing is really different on the command line except that the target file contains IPv6 addresses. During testing for this blog entry, I used two different text files with the content shown below:

[root@smog bin]# cat ipv6.txt
fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0
[root@smog bin]# cat link.txt
link6%eth0

The file ipv6.txt contained the IPv6 address of an OS X system as shown here:

[Screenshot: the OS X system's IPv6 address]

Running a scan from the command line looked like this (with passwords obscured):

nessus -c policy.txt 127.0.0.1 1241 user password ./ipv6.txt ./output.txt

The policy.txt file is any type of .nessusrc file you would normally use to scan an IPv4 host.

Below are the raw results from scanning two different IPv6 addresses. Notice that one host has nothing reported for it, while on the second host Nessus was able to connect to the SSH daemon on port 22:

Nessus Scan Report
------------------

SUMMARY

- Number of hosts which were alive during the test : 2
- Number of security holes found : 1
- Number of security warnings found : 0
- Number of security notes found : 7

TESTED HOSTS

fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0 (Security holes found)
fe80::212:17ff:fe57:333b%eth0 (Security notes found)

DETAILS

+ fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0 :
. List of open ports :
   o general/tcp (Security notes found)
   o ssh (22/tcp) (Security hole found)

. Information found on port general/tcp

    fe80::216:cbff:fe92:88d0 resolves as
     fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0.

. Information found on port general/tcp

    Information about this scan :

    Nessus version : 3.1.3
    Plugin feed version : 200703200708
    Type of plugin feed : Release
    Scanner IP : fe80::20c:29ff:fed1:8965
    Port range : default
    Thorough tests : no
    Experimental tests : no
    Paranoia level : 0
    Report Verbosity : 1
    Safe checks : yes
    Max hosts : 40
    Max checks : 5
    Scan Start Date : 2007/4/15 11:47
    Scan duration : 592 sec

. Vulnerability found on port ssh (22/tcp) :

    The account 'root' has the password 'root'.  An attacker may use it to
    gain further privileges on this system

    Risk factor : High
    Solution : Set a password for this account or disable it
    CVE : CVE-1999-0502

. Information found on port ssh (22/tcp)

    Remote SSH version : SSH-1.99-OpenSSH_4.5

    Remote SSH supported authentication :
     publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive

. Information found on port ssh (22/tcp)

    Synopsis :

    The remote service offers an insecure cryptographic protocol

    Description :

    The remote SSH daemon supports connections made
    using the version 1.33 and/or 1.5 of the SSH protocol.

    These protocols are not completely cryptographically
    safe so they should not be used.

    Solution :

    Disable compatibility with version 1 of the protocol.

    Risk factor :

    Low / CVSS Base Score : 3
    (AV:R/AC:H/Au:NR/C:P/A:N/I:N/B:C)
    CVE : CVE-2001-0361
    BID : 2344
    Other references : OSVDB:2116

. Information found on port ssh (22/tcp)

    The remote SSH daemon supports the following versions of the
    SSH protocol :

      . 1.33
      . 1.5
      . 1.99
      . 2.0

    SSHv1 host key fingerprint : 57:9a:2e:56:72:62:b6:57:8c:7b:0d:32:b1:aa:15:bf

+ fe80::212:17ff:fe57:333b%eth0 :
. List of open ports :
   o general/tcp (Security notes found)

. Information found on port general/tcp

    fe80::212:17ff:fe57:333b resolves as fe80::212:17ff:fe57:333b%eth0.

. Information found on port general/tcp

    Information about this scan :

    Nessus version : 3.1.3
    Plugin feed version : 200703200708
    Type of plugin feed : Release
    Scanner IP : fe80::20c:29ff:fed1:8965
    Port range : default
    Thorough tests : no
    Experimental tests : no
    Paranoia level : 0
    Report Verbosity : 1
    Safe checks : yes
    Max hosts : 40
    Max checks : 5
    Scan Start Date : 2007/4/15 11:47
    Scan duration : 631 sec

------------------------------------------------------
This file was generated by the Nessus Security Scanner

Notice that one host had "nothing" to report, but could be pinged via IPv6. The second host (a new lab Fedora Core 6 server) had IPv6 enabled and also a major vulnerability ("root" password of "root").
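As an added example (not part of the original post and not Tenable's code), here is a small Python parser for the raw text report format shown above. It collects, per host, the open ports and the risk factor and CVE of each finding, handling both the one-line "Risk factor : High" form and the two-line CVSS form, so that a link6 sweep can be reduced to hosts that only answered the ping versus hosts with a High-risk hole. SAMPLE_REPORT is an abridged copy of the report above, constructed so the example runs offline.

```python
import re

# Abridged copy of the report printed above, constructed so the example runs offline.
SAMPLE_REPORT = """\
+ fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0 :
. List of open ports :
   o ssh (22/tcp) (Security hole found)
. Vulnerability found on port ssh (22/tcp) :
    Risk factor : High
    CVE : CVE-1999-0502
. Information found on port ssh (22/tcp)
    Risk factor :

    Low / CVSS Base Score : 3
    CVE : CVE-2001-0361
+ fe80::212:17ff:fe57:333b%eth0 :
. List of open ports :
   o general/tcp (Security notes found)
"""
HOST_RE = re.compile(r"^\+ (\S+) :$")
PORT_RE = re.compile(r"^\s+o (.+?) \((Security \w+ found)\)$")
ENTRY_RE = re.compile(r"^\. (Vulnerability|Information) found on port (.+?)(?: :)?$")

def parse_report(text):
    """Map host -> {"ports": {port: severity}, "findings": [{"kind", "port", "risk", "cve"}]}."""
    hosts, host, entry, want_risk = {}, None, None, False
    for line in text.splitlines():
        body = line.strip()
        if m := HOST_RE.match(line):                      # "+ <host> :" opens a host block
            host = hosts.setdefault(m.group(1), {"ports": {}, "findings": []})
            entry, want_risk = None, False
        elif host is None:                                # skip the SUMMARY / TESTED HOSTS preamble
            continue
        elif m := PORT_RE.match(line):                    # "   o ssh (22/tcp) (Security hole found)"
            host["ports"][m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):                   # ". Vulnerability found on port ... :"
            entry = {"kind": m.group(1), "port": m.group(2), "risk": None, "cve": None}
            host["findings"].append(entry)
        elif entry and body.startswith("Risk factor :"):
            value = body.split(":", 1)[1].strip()
            entry["risk"], want_risk = value or None, not value   # empty: value is on a later line
        elif entry and want_risk and body:
            entry["risk"], want_risk = body.split(" /")[0], False  # "Low / CVSS Base Score : 3"
        elif entry and body.startswith("CVE :"):
            entry["cve"] = body.split(":", 1)[1].strip()
    return hosts

def high_risk_hosts(hosts):
    """Hosts with a High-risk finding; hosts with no findings only answered the IPv6 ping."""
    return sorted(h for h, d in hosts.items() if any(f["risk"] == "High" for f in d["findings"]))
```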

Working with Nessus Clients

Any Nessus client that supports scanning of a "hostname" supports a scan of IPv6 addresses. Nessus clients currently do not have any support for scanning IPv6 ranges.

In addition, when scanning an IPv6 host, don't forget to append the Nessus scanner's network interface (e.g. "%eth0", "%dc0", etc.) to the address to tell it which NIC to use to perform the scan.

Perhaps the most useful type of quick scan is one against "link6%eth0" to ping the local subnet for any listening IPv6 systems. Here is an example screen shot from such a scan performed with a pre-BETA copy of the new Nessus 3.2 Windows client:

[Screenshot: link6%eth0 scan in the Nessus 3.2 Windows client]

For More Information

Please send any feedback to Tenable regarding issues found with IPv6 support in the Nessus 3.2 BETA.

We are also interested in learning more about any plans organizations may have for large scale IPv6 technology deployments and how this may affect your network monitoring, logging and auditing requirements.

If you are interested in testing more aspects of the Nessus 3.2 BETA, we've previously blogged about new features in it at these links: