SecGen – Create Randomly Insecure VMs

Security Scenario Generator (SecGen) generates randomised vulnerable systems. VMs are created based on a scenario specification, which describes the constraints and properties of the VMs to be created. For example, a scenario could specify the creation of a system with a remotely exploitable vulnerability that would result in user-level compromise, and a locally exploitable flaw that would result in root-level compromise.

This would require the attacker to discover and exploit both randomly selected vulnerabilities in order to obtain root access to the system. Alternatively, the scenario that is defined can be more specific, specifying certain kinds of services (such as FTP or SMB) or even exact vulnerabilities (by CVE).

SecGen - Create Randomly Insecure VMs
SecGen – Create Randomly Insecure VMs

SecGen is designed to be easily extendable with modules that define vulnerabilities and other kinds of software, configuration, and content changes.

The types of modules supported are:

  • base: a module that defines the OS platform (VM template) used to build the VM
  • vulnerability: a SecGen module that adds an insecure, hackable, state (including realistic software vulnerabilities known to be in the wild or fabricated hacking challenges)
  • service: a SecGen module that adds a (relatively secure) network service
  • utility: a SecGen module that adds (relatively secure) software or configuration changes
  • network: a virtual network card
  • generator: generates output, such as random text
  • encoder: receives input, such as text, performs operations on that to produce output (such as, encoding/encryption/selection)

Each vulnerability module is contained within the modules/vulnerabilies directory tree, which is organised to match the Metasploit Framework (MSF) modules directory structure. For example, the distcc_exec vulnerability module is contained within: modules/vulnerabilities/unix/misc/distcc_exec/.

You can read more and download the framework over here:

Notify of
Inline Feedbacks
View all comments