VulnGen: Vulnerable Virtual Machine Generator

Abstract

Nowadays, cyberattacks are spreading worldwide with increasing intensity and complexity, and are thus becoming a critical concern for the community. However, there is still a lack of comprehensive, customizable, and hands-on training platforms tailored to the needs of emerging penetration testers and cybersecurity education. This paper presents the design and implementation of VulnGen (Vulnerable Virtual Machine Generator), a tool that provides a customizable virtual environment for users to practice penetration testing techniques and, concurrently, allows them to prepare for examinations for esteemed cybersecurity certifications, such as Offensive Security Certified Professional (OSCP). VulnGen offers a scalable solution that enables the deployment of a virtual machine with varying levels and numbers of vulnerabilities. This paper details the methodology employed in the creation of vulnerable instances, encompassing a range of services including FTP, SMTP, SMB, NFS, POP3, and MySQL. Through extensive background research, requirements were meticulously gathered and incorporated into the development process. The implementation phase involved the utilization of industry-standard tools and techniques, resulting in a robust and user-friendly platform. The test cases were designed systematically to validate the effectiveness and authenticity of the virtual machines generated. Several technical challenges were encountered during the project, including the integration of exploits and misconfiguration scenarios within said services. These challenges were systematically addressed through careful code optimization and testing iterations. In addition, external resources and open-source codebases were leveraged to enhance the authenticity and effectiveness of the vulnerabilities. Notable incidents and challenges faced during the development process were meticulously documented, providing valuable insights for future enhancements.
The VulnGen project not only serves as a valuable educational resource but also offers a flexible framework for continuous improvement and expansion. Future plans include the incorporation of additional services, post-exploitation features, and the ability to generate multiple vulnerable virtual machines, including ones running Windows OS.

Publication
In Proceedings of the 17th IEEE International Conference on Service Operations and Logistics, and Informatics (SOLI’23), IEEE