A new tool that can emulate vulnerable services and help researchers get more from the Metasploit penetration testing platform is now available in open source.
Designed to help security researchers understand security from the attacker’s perspective, Metasploit’s main issue was that it was rather difficult to use without vulnerable services at hand. Vulnerable OS images (Metasploitable2 and Metasploitable3) have previously been available, but they weren’t enough, as only a “small subset of the thousands of Metasploit modules available for users” was included in them.
Available on GitHub, the Vulnerable Services Emulator, however, comes to solve that problem, Jin Qian notes in a blog post. It has been designed as a framework to allow researchers easily emulate the vulnerable services for penetration testing purposes.
“Right now, it emulates over 100 vulnerable services, covering things like compromising credentials, getting a shell from the victim, and more. After going through module exercises, users can learn details about security vulnerabilities and how to test them, and are encouraged to continue to learn and play with Metasploit’s capabilities,” Qian explains.
The tool, he says, is very easy to install and use, as all that it requires is a working Perl installation for Windows, Mac or Linux. Moreover, the emulator was designed to be language independent, with the service emulation in JSON format. Thus, anyone can quickly add, remove, or edit a service in JSON.
One thing that users should keep in mind when running the emulator, however, is that “the commands typed on the shell session spawned are actually executed on the target.” Anyone using the emulator should run it in a safe environment to avoid any issues.
The Vulnerable Services Emulator was meant to help IT professionals and engineers easily test Metasploit modules, as well as to get training on Metasploit. At the moment, the tool includes support for over 100 emulated vulnerable services, but work is being done to add “as many of the 1000+ modules in Metasploit as possible.”
“At the core of the project, we implemented a framework (an interpreter) to execute the JSON based service description file. The current implementation is in Perl, but you can implement the framework in other programming languages of your choice,” Qian notes. Additional technical details on the tool are available on the project’s page on GitHub.
Source: SANS ISC SecNewsFeed @ March 3, 2017 at 09:15AM