June 15, 2019
June 15, 2019
October 19, 2019
Computing and Information Technology
Facing the increasing needs of cybersecurity professionals from US public and private sectors, many universities have created various cybersecurity education programs. Penetration testing is one of the most critical cybersecurity education components. In preparing penetration testing labs or experiments, computer systems such as virtual machine (VM), that have various vulnerabilities should be set up as attacking targets. However, not many readily available vulnerable VM machine systems exist, and it is also time-consuming and technically difficult to fine tune vulnerabilities in those systems. For example, to set up Windows XP system as penetration testing target, we only have WinXP VM with service pack 2, service pack 3, and fully security-patched versions to use. This inevitably misrepresents the gradual state of security of WinXP systems over time. In this paper, we present an easy-to-use and automatic approach to create fine-grained vulnerable Windows systems for cybersecurity educators. In the real world, Windows systems do not implement a sweep of security patches all at once. As each vulnerability is discovered, a new security patch will be released accordingly. Given this reality, cybersecurity educators need to provide a virtual Windows VM system with a fine grain of vulnerabilities to better echo the ever-changing levels of vulnerabilities and security patches in the world. We sought to create an automatic tool that can produce virtual machines that simulate different points in the Windows operating systems life cycle when security patches were implemented. The tool partially removes security patches in reverse order to their update time to a predefined time, and hence leaving the system vulnerable to all attacks that later updates were able to stop. While removing the patches using non-invasive, system-provided methods, this tool ensures that no foreign vulnerabilities are introduced. With the ability to fine-tune the system to various levels of security, educators are able to provide a more realistic and accurate penetration testing target system.
Banerjee, A., & Turgut, D., & Zou, C. C. (2019, June), Board 26: Automatic Creation of Fine-Grained Vulnerable Windows System for Penetration Testing Education Paper presented at 2019 ASEE Annual Conference & Exposition , Tampa, Florida. 10.18260/1-2--32308
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2019 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015