Asee peer logo

Board 26: Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education

Download Paper |


2019 ASEE Annual Conference & Exposition


Tampa, Florida

Publication Date

June 15, 2019

Start Date

June 15, 2019

End Date

June 19, 2019

Conference Session

Poster Session

Tagged Division

Computing and Information Technology

Page Count




Permanent URL

Download Count


Request a correction

Paper Authors


Arati Banerjee University of Central Florida

visit author page

Undergraduate Researcher in a National Science Foundation supported research experience at the University of Central Florida.

visit author page


Damla Turgut University of Central Florida

visit author page

Damla Turgut is an Associate Professor at the Department of Computer Science at University of Central Florida. She received her BS, MS, and PhD degrees from the Computer Science and Engineering Department of University of Texas at Arlington. Her research interests include wireless ad hoc, sensor, underwater and vehicular networks, as well as considerations of privacy in the Internet of Things. She is also interested in applying big data techniques for improving STEM education for women and minorities. She is PI and Co-PI for NSF-funded REU and RET programs respectively. Her recent honors and awards include 2017 University Excellence in Professional Service Award and being featured in the UCF Women Making History series in March 2015. She was co-recipient of the Best Paper Award at the IEEE ICC 2013. Dr. Turgut serves as a member of the editorial board and of the technical program committee of ACM and IEEE journals and international conferences. She is a member of IEEE, ACM, and the Upsilon Pi Epsilon honorary society.

visit author page


Cliff C Zou University of Central Florida

visit author page

Dr. Cliff Zou received his PhD degree from Department of Electrical & Computer Engineering, University of Massachusetts at Amherst, in 2005, and MS and BS degree from University of Science & Technology of China in 1999 and 1996, respectively. Currently he is an Associate Professor in Department of Computer Science and the Program Coordinator of Digital Forensics Master program in University of Central Florida. His research interests focus on cybersecurity and computer networking. He has published more than 80 peer-reviewed research papers, and has obtained more than 5800 Google Scholar Citations. He is a Senior Member of the IEEE.

visit author page

Download Paper |


Facing the increasing needs of cybersecurity professionals from US public and private sectors, many universities have created various cybersecurity education programs. Penetration testing is one of the most critical cybersecurity education components. In preparing penetration testing labs or experiments, computer systems such as virtual machine (VM), that have various vulnerabilities should be set up as attacking targets. However, not many readily available vulnerable VM machine systems exist, and it is also time-consuming and technically difficult to fine tune vulnerabilities in those systems. For example, to set up Windows XP system as penetration testing target, we only have WinXP VM with service pack 2, service pack 3, and fully security-patched versions to use. This inevitably misrepresents the gradual state of security of WinXP systems over time. In this paper, we present an easy-to-use and automatic approach to create fine-grained vulnerable Windows systems for cybersecurity educators. In the real world, Windows systems do not implement a sweep of security patches all at once. As each vulnerability is discovered, a new security patch will be released accordingly. Given this reality, cybersecurity educators need to provide a virtual Windows VM system with a fine grain of vulnerabilities to better echo the ever-changing levels of vulnerabilities and security patches in the world. We sought to create an automatic tool that can produce virtual machines that simulate different points in the Windows operating systems life cycle when security patches were implemented. The tool partially removes security patches in reverse order to their update time to a predefined time, and hence leaving the system vulnerable to all attacks that later updates were able to stop. While removing the patches using non-invasive, system-provided methods, this tool ensures that no foreign vulnerabilities are introduced. With the ability to fine-tune the system to various levels of security, educators are able to provide a more realistic and accurate penetration testing target system.

Banerjee, A., & Turgut, D., & Zou, C. C. (2019, June), Board 26: Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education Paper presented at 2019 ASEE Annual Conference & Exposition , Tampa, Florida. 10.18260/1-2--32308

ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2019 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015