Millions of IT professionals all over the world want to get into the hot field of security, and Metasploit is a great place to start. Metasploit Framework is free, used by more penetration testers than any other tool, and helps you understand security from the attackers perspective. There’s one problem: it’s hard to use Metasploit without vulnerable services to play against.
To help, the Metasploit team has created vulnerable OS images (Metasploitable2 and Metasploitable3), each containing dozens of vulnerable services that a user can cut his/her teeth with. However, these images contain small subset of the thousands of Metasploit modules available for users. You may wonder why we don’t have vulnerable services available for testing and training every module. The reason is simple: it can be very time-consuming and difficult to configure vulnerable services. First, you have to obtain the vulnerable software, and then install, and configure each service. Sometimes, older software is simply unavailable for download, either because it is too old, or because the vendor removed it for security reasons. Depending on the software, setting up even one vulnerable service can take hours, if not days. While Metasploitable VMs makes the job of setting up your first vulnerability lab much easier, it is still not simple.
We developed the Vulnerable Services Emulator to fill this gap. It is a framework that makes it easy to emulate the vulnerable services for penetration testing purposes. Right now, it emulates over 100 vulnerable services, covering things like compromising credentials, getting a shell from the victim, and more. After going through module exercises, users can learn details about security vulnerabilities and how to test them, and are encouraged to continue to learn and play with Metasploit’s capabilities. It is like a high-interaction honeypot, but specially tuned to be exploitable.
This tool is very easy to install and use. All you need to run it is a working Perl installation for your favorite OS (Windows, Mac or Linux). Directions for installing the tool, which only takes a minute, are on Github page for this project.
In addition to learning, the emulator can be used to perform system testing on Metasploit modules themselves, providing feedback to the community on how to make modules more effective. But, the ultimate goal of the project is to help the community learn and make it even easier to get into penetration testing and Metasploit!
Here we are emulating a vulnerable printer service that is targeted by the Metasploit module exploits/windows/iis/ms01_023_printer. The IP address 0.0.0.0 means we will bind to 0.0.0.0, and be accepting connections on any network interface. The default IP to bind is “127.0.0.1” which only connects from the same host. This is more secure when your Metasploit instance is installed on the same server.
Here is the Metasploit configuration, which is configured to target the emulated service. You can see a session is established. Note that the commands are actually executed on the target, so please run this emulator in a safe environment if you don’t want it to be owned ?
That’s pretty easy right? What’s even nicer about this framework how easy it is to develop a new emulated vulnerable service. We know developers have very different preferences on programming languages, so instead of implementing the vulnerable services using a particular language, the framework describes vulnerable service interactions in JSON. It’s not a programming language per se but it has enough logic for service emulation. The following is the description for the vulnerable printer service.
|Simple JSON description on an emulated service|
“desc”: “set payload windows/shell_reverse_tcp”,
[“regex”, “GET http://.*/NULL.printer?”],
[“HTTP/1.1 200 OKrnContent-Length: 0rnrn”, [“action”, [“connect”, “:4444”]]]
In the above JSON code, the most important part is the “seq” section, which represents the sequence of messages used for the exploit. It has an even number of entries (in this case, there are 2 entries). The odd-numbered entries are conditions. When a message comes in, it’s matched against the odd-numbered entries starting from the first; when there is a match, the corresponding even-numbered entries will be the action. Typically, the action involves sending a response. But it can also include an action such as making a new connection (like connecting back as a metepreter session in our case). This makes it easy to emulate vulnerable services and trigger them to set up a connection back to attacker.
At the core of the project, we implemented a framework (an interpreter) to execute the JSON based service description file. The current implementation is in Perl, but you can implement the framework in other programming languages of your choice.
The github project, we will have more technical details on the tool and its usage. It’s our hope that this tool can help you to enjoy a better learning experience in the exciting field of security and eventually become a security professional. Be sure to let us know if you have any feedback!