Banerjee, A., & Turgut, D., & Zou, C. C. (2019, June), Board 26: Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education  Paper presented at 2019 ASEE Annual Conference & Exposition , Tampa, Florida. 10.18260/1-2--32308

\bibitem{asee_peer_32308}
  Banerjee, A., \& Turgut, D., \& Zou, C. C. (2019, June), \emph{Board 26: Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education}
  Paper presented at 2019 ASEE Annual Conference \& Exposition , Tampa, Florida.
  10.18260/1-2--32308

Arati Banerjee, Damla Turgut, and Cliff C Zou.  "Board 26: Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education".  2019 ASEE Annual Conference & Exposition , Tampa, Florida, 2019, June.  ASEE Conferences, 2019.  https://peer.asee.org/32308 Internet.  10 Jul, 2024

\bibitem{asee_peer_32308}
  Arati Banerjee, Damla Turgut, and Cliff C Zou.
  "Board 26: Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education".
  \emph{2019 ASEE Annual Conference \& Exposition , Tampa, Florida, 2019, June}.
  ASEE Conferences, 2019.
  https://peer.asee.org/32308 Internet.  10 Jul, 2024

@INPROCEEDINGS{asee_peer_32308
author = "Arati Banerjee, Damla Turgut, and Cliff C Zou"
title = "Board 26: Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education"
booktitle = "2019 ASEE Annual Conference \& Exposition "
year = "2019"
month = "June"
address = "Tampa, Florida"
publisher = "ASEE Conferences"
note = {https://peer.asee.org/32308}
number = {10.18260/1-2--32308}
}

TY  - CPAPER
AB  - Facing the increasing needs of cybersecurity professionals from US public and private sectors, many universities have created various cybersecurity education programs. Penetration testing is one of the most critical cybersecurity education components. In preparing penetration testing labs or experiments, computer systems such as virtual machine (VM), that have various vulnerabilities should be set up as attacking targets. However, not many readily available vulnerable VM machine systems exist, and it is also time-consuming and technically difficult to fine tune vulnerabilities in those systems. For example, to set up Windows XP system as penetration testing target, we only have WinXP VM with service pack 2, service pack 3, and fully security-patched versions to use. This inevitably misrepresents the gradual state of security of WinXP systems over time.
In this paper, we present an easy-to-use and automatic approach to create fine-grained vulnerable Windows systems for cybersecurity educators. In the real world, Windows systems do not implement a sweep of security patches all at once. As each vulnerability is discovered, a new security patch will be released accordingly. Given this reality, cybersecurity educators need to provide a virtual Windows VM system with a fine grain of vulnerabilities to better echo the ever-changing levels of vulnerabilities and security patches in the world. We sought to create an automatic tool that can produce virtual machines that simulate different points in the Windows operating systems life cycle when security patches were implemented. The tool partially removes security patches in reverse order to their update time to a predefined time, and hence leaving the system vulnerable to all attacks that later updates were able to stop. While removing the patches using non-invasive, system-provided methods, this tool ensures that no foreign vulnerabilities are introduced. With the ability to fine-tune the system to various levels of security, educators are able to provide a more realistic and accurate penetration testing target system.
AU  - Arati Banerjee
AU  - Damla Turgut
AU  - Cliff C Zou
CY  - Tampa, Florida
DA  - 2019/06/15
PB  - ASEE Conferences
TI  - Board 26: Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education
UR  - https://peer.asee.org/32308
DO  - 10.18260/1-2--32308
ER  -