A. Banerjee, C. Zou, and D. Turgut

Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education


Cite as:

A. Banerjee, C. Zou, and D. Turgut. Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education. In 2019 ASEE Annual Conference & Exposition Conference, June 2019. https://peer.asee.org/32308

Download:

Download 

Abstract:

Facing the increasing needs of cybersecurity professionals from US public and private sectors, many universities have created various cybersecurity education programs. Penetration testing is one of the most critical cybersecurity education components. In preparing penetration testing labs or experiments, computer systems such as virtual machine (VM), that have various vulnerabilities should be set up as attacking targets. However, not many readily available vulnerable VM machine systems exist, and it is also time-consuming and technically difficult to fine tune vulnerabilities in those systems. For example, to set up Windows XP system as penetration testing target, we only have WinXP VM with service pack 2, service pack 3, and fully security-patched versions to use. This inevitably misrepresents the gradual state of security of WinXP systems over time. In this paper, we present an easy-to-use and automatic approach to create fine-grained vulnerable Windows systems for cybersecurity educators. In the real world, Windows systems do not implement a sweep of security patches all at once. As each vulnerability is discovered, a new security patch will be released accordingly. Given this reality, cybersecurity educators need to provide a virtual Windows VM system with a fine grain of vulnerabilities to better echo the ever-changing levels of vulnerabilities and security patches in the world. We sought to create an automatic tool that can produce virtual machines that simulate different points in the Windows operating systems life cycle when security patches were implemented. The tool partially removes security patches in reverse order to their update time to a predefined time, and hence leaving the system vulnerable to all attacks that later updates were able to stop. While removing the patches using non-invasive, system-provided methods, this tool ensures that no foreign vulnerabilities are introduced. With the ability to fine-tune the system to various levels of security, educators are able to provide a more realistic and accurate penetration testing target system.

BibTeX:

@inproceedings{Banerjee-2019-ASEE,
  title={{Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education}},
  author={A. Banerjee and C. Zou and D. Turgut},
  booktitle={2019 ASEE Annual Conference & Exposition Conference},
  year={2019},
  month={June},
  note = "https://peer.asee.org/32308",
  abstract = {Facing the increasing needs of cybersecurity professionals from US public and private sectors, many universities have created various cybersecurity education programs. Penetration testing is one of the most critical cybersecurity education components. In preparing penetration testing labs or experiments, computer systems such as virtual machine (VM), that have various vulnerabilities should be set up as attacking targets. However, not many readily available vulnerable VM machine systems exist, and it is also time-consuming and technically difficult to fine tune vulnerabilities in those systems. For example, to set up Windows XP system as penetration testing target, we only have WinXP VM with service pack 2, service pack 3, and fully security-patched versions to use. This inevitably misrepresents the gradual state of security of WinXP systems over time. In this paper, we present an easy-to-use and automatic approach to create fine-grained vulnerable Windows systems for cybersecurity educators. In the real world, Windows systems do not implement a sweep of security patches all at once. As each vulnerability is discovered, a new security patch will be released accordingly. Given this reality, cybersecurity educators need to provide a virtual Windows VM system with a fine grain of vulnerabilities to better echo the ever-changing levels of vulnerabilities and security patches in the world. We sought to create an automatic tool that can produce virtual machines that simulate different points in the Windows operating systems life cycle when security patches were implemented. The tool partially removes security patches in reverse order to their update time to a predefined time, and hence leaving the system vulnerable to all attacks that later updates were able to stop. While removing the patches using non-invasive, system-provided methods, this tool ensures that no foreign vulnerabilities are introduced. With the ability to fine-tune the system to various levels of security, educators are able to provide a more realistic and accurate penetration testing target system. },
}

Generated by bib2html.pl (written by Patrick Riley, Lotzi Boloni ) on Sun Mar 03, 2024 18:41:15