Introduction
Vulnerability testing (also known as vulnerability assessment or scanning) is the inspection of one or more network services, resources or daemons on a network to check for the presence of known potential security vulnerabilities. Penetration testing is the determination that potential security vulnerabilities are (or are not) present in one or more network services, resources or daemons on a network by attempting to actually exploit them. Vulnerability Remediation is the implementation of measures that will remove known security vulnerabilities or that will minimize their impact when an attempt to exploit them occurs. This article explains the differences between vulnerability testing and penetration testing.
A vulnerability scanning tool is used to conduct vulnerability tests. As this article explains, a vulnerability scanning tool is only one of a wide variety of different penetration testing tools that may be used during a penetration test, along with a wide variety of testing techniques and methods. There are major differences between vulnerability scanning and penetration testing, as any company that offers penetration testing services will be quick to point out. A Google search of the web for “vulnerability assessment vs penetration testing” will find many articles describing those differences.
Vulnerability Testing
Vulnerability scanning tools are, for the most part, the same between Internet Protocol version 4 (IPv4) and IPv6, and many support both protocol families. There are many open source and commercial vulnerability scanning tools. There are also many articles available on the web reviewing and recommending such tools. This Open Web Applications Security Project (OWASP) article is only one among many listings of such tools.
Such tools generally detect and then inspect services or daemons that are listening on a specific network address, on any address in the address space of a network, or within a defined subset of the address space for a network, and then report the existence of any potential security vulnerabilities discovered during the inspection. Daemons are mostly IP version agnostic, so detection and vulnerability assessment is the same for IPv4 and IPv6. For a more in-depth discussion of the differences between vulnerability scanning in IPv4 versus IPv6, see this article.
The main differences between IPv4 and IPv6 are in the ability to detect services and daemons. It is rather easy to search a /24 IPv4 subnet. There are only 254 possible addresses. The smallest of IPv6 subnets are usually /64s (18 quintillion addresses!). You obviously cannot scan an entire /64 in a reasonable manner provided the addresses of the services and daemons listening on that subnet are securely assigned. Stateless Address Autoconfiguration (SLAAC) or Dynamic Host Configuration Protocol version 6 (DHCPv6) assigned addresses where the DHCPv6 server assigns randomized values are examples of secure assignment methods. Examples of insecure assignment methods include manually assigning addresses sequentially over a small range or embedding the IPv4 address of each service or daemon together with a static prefix/suffix in the IPv6 address of that service or daemon.
An attacker must then rely on active discovery of services and daemons on a network by exploiting Internet Control Message Protocol version 6 (ICMPv6) vulnerabilities or by passively monitoring the network. The same goes for IPv4 as well, although on a greatly reduced scale. Some say that there is a bright side to this: it is also harder for attackers to find services and daemons on an IPv6 network. But remember, attackers only have to find one vulnerable service or daemon, we have to protect them all!
Penetration Testing
While there is no one “right” way to conduct a comprehensive penetration test, there are many ways to conduct a penetration test which produces inconclusive or incomplete test results. Some of the open source communities and noncommercial groups that have developed guidelines describing comprehensive penetration testing processes include:
1. Penetration Testing Executive Standard (PTES) v1.0, 2014
(The PTES is a detailed, comprehensive document. An overview of the PTES is available in this article, which also mentions the next 3 guidelines.)
2. Penetration Testing Framework, 2014
3. Information Systems Security Assessment Framework, 2020 (An overview of the ISSAF is available in this article.)
4. Open Source Security Testing Methodology Manual (OSSTMM), 2010
5. PenTesters Framework (PTF) v2.0, 2018 (an evolutionary descendant of the PTES in item 1 above)
Discussions in these guidelines often do not distinguish between IPv6 and IPv4. Many of the specific testing techniques and methods described in these guidelines are internet protocol agnostic, applying to both IPv6 and IPv4. Others need to be modified due to differences between the protocols, which means some tests will need to be performed twice, once for each protocol. The Impact of IPv6 on Penetration Testing, 2012, and Testing the security of IPv6 implementations, 2014, are papers that discuss the need for those modifications.
When conducting specific penetration tests, however, the internet protocol being used must always be considered. Various commercial, government and academic organizations have tested a variety of tools to evaluate their support for IPv6 and reported their findings. A few of these reports are identified below. A single database or website that consolidates the findings does not exist.
- Results for web applications and server testing are given in this: Master Thesis: Penetration Testing over IPv6, Jun, 2012.
- The results of another analysis of penetration testing tools is described here.
- Search the University of Amsterdam System and Network Engineering OS3 Archive of Master's Theses from 2003-2004 to 2021 (https://www.os3.nl/archive/research_projects) for testing topics, such as “Security of IPv6 and DNSSEC for penetration testers, 2010-2011” (an expanded version was subsequently published in book form, ISBN-13: 978-3848422814). (Those Master's Theses are grouped by academic year).
- Search the System Administration Networking and Security (SANS) Institute white papers topics such as IPv6, for example "A Complete Guide on IPv6 Attack and Defense”. [Use the scroll bar on the left side of the search window to scroll through the white papers.]
Vulnerability Remediation
The Cybersecurity Infrastructure Security Agency (CISA) published Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Nov, 2021, providing guidance on how to remediate vulnerabilities identified in the Known Exploited Vulnerability (KEV) Catalog. At the same time, the CISA also issued Reducing the Significant Risk of Known Exploited Vulnerabilities, a web friendly version of that directive prescribing timelines for remediating the risks identified therein.