Connect with us

Hi, what are you looking for?



Vulnerable Services Emulator Released for Metasploit

A new tool that can emulate vulnerable services and help researchers get more from the Metasploit penetration testing platform is now available in open source.

A new tool that can emulate vulnerable services and help researchers get more from the Metasploit penetration testing platform is now available in open source.

Designed to help security researchers understand security from the attacker’s perspective, Metasploit’s main issue was that it was rather difficult to use without vulnerable services at hand. Vulnerable OS images (Metasploitable2 and Metasploitable3) have previously been available, but they weren’t enough, as only a “small subset of the thousands of Metasploit modules available for users” was included in them.

Available on GitHub, the Vulnerable Services Emulator, however, comes to solve that problem, Jin Qian notes in a blog post. It has been designed as a framework to allow researchers easily emulate the vulnerable services for penetration testing purposes.

“Right now, it emulates over 100 vulnerable services, covering things like compromising credentials, getting a shell from the victim, and more. After going through module exercises, users can learn details about security vulnerabilities and how to test them, and are encouraged to continue to learn and play with Metasploit’s capabilities,” Qian explains.

The tool, he says, is very easy to install and use, as all that it requires is a working Perl installation for Windows, Mac or Linux. Moreover, the emulator was designed to be language independent, with the service emulation in JSON format. Thus, anyone can quickly add, remove, or edit a service in JSON.

One thing that users should keep in mind when running the emulator, however, is that “the commands typed on the shell session spawned are actually executed on the target.” Anyone using the emulator should run it in a safe environment to avoid any issues.

The Vulnerable Services Emulator was meant to help IT professionals and engineers easily test Metasploit modules, as well as to get training on Metasploit. At the moment, the tool includes support for over 100 emulated vulnerable services, but work is being done to add “as many of the 1000+ modules in Metasploit as possible.”

Advertisement. Scroll to continue reading.

“At the core of the project, we implemented a framework (an interpreter) to execute the JSON based service description file. The current implementation is in Perl, but you can implement the framework in other programming languages of your choice,” Qian notes. Additional technical details on the tool are available on the project’s page on GitHub.

Related: Rapid7 Adds Hardware Testing Capabilities to Metasploit`

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.