Automatic Creation of Fine-Grained Vulnerable Window Systems for Penetration Testing Education. Arati Banerjee, Cliff C. Zou, Damla Turgut University of Central Florida. Acknowledgement: This work is supported by the NSF under grant DGE-1723587 and NSF REU Site grant CNS-1560302.
Abstract
Penetration testing, as a critical component of cybersecurity training, often requires setting up virtual machines (VMs) with various vulnerabilities. However, it is usually time-consuming and technically difficult to fine-tune the vulnerabilities in a VM. In this paper, we present an automatic security patch removal tool that can fine-tune Windows VMs to precise levels of vulnerability and can be easily employed by students and educators alike. The tool can create virtual machines that simulate different security states along the Windows operating system timeline, giving students pursuing an education in the field a more realistic view of the ever-changing state of cybersecurity.
The Value of Cybersecurity Education
• Cybersecurity is a race against time
• Secure systems are only secure for so long – until new vulnerabilities are discovered
• The majority of breaches occur because of human error – many a result of improperly configured and/or maintained systems
• The need for well-trained cybersecurity professionals is growing rapidly – faster than the creation of available training tools
Contributions
In this paper, we present an easy-to-use tool to remove security patches from a Windows virtual machine back to a user-defined point. This tool is:
• Fine-grained – providing precise control of the system's patch level
• Cost-effective – compared to the commercial lab systems many schools pay into
• Non-invasive – reducing the risk of introducing unrealistic vulnerabilities
• Useful for penetration testing on Windows machines
Initial Approach: Automatic Security Patch Removal for Windows XP VM
• First attempts to remove updates in reverse order through the command line
• Unsuccessful – there is no command line operation for this
• Attempts at running uninstall.exe were met with interruptions from confirmation pop-ups
• Attempted automation – no simple solution, undermining the accessibility goal of this project
• Discovered the “System Restore Files” used to back out of updates
• Successfully restored the machine to a point using a restore file from another virtual machine
Automatic Patch Removal for Windows 7 VM
• First attempts to remove updates the same way in Windows 7
• Unsuccessful – system files like the ones used in this project were protected from even admin access
• Returned to “old thinking” – what about the command line?
• Research revealed the Windows Update Standalone Installer (wusa.exe)
• The installer could uninstall updates from the command prompt and suppress all graphical user interface (GUI) pop-ups
• Initially attempted a batch script with no success – switched to PowerShell
PowerShell script to automatically remove Win7 security patches (the user can specify up to which KB number patches are removed)
The script can:
• Isolate the KB numbers of the security updates specific to the machine
• Uninstall the updates in reverse order
• End at a user-specified point, provided as the Knowledge Base (KB) number
• Run successfully on Windows 8.1, and possibly Windows 10
Steps to Run the PowerShell Script
• Copy the script into the virtual machine – preferably via a shared folder
• In the Start menu search field, search for 'powershell', right-click 'Windows PowerShell' and click the 'Run as Administrator' option. This will bring up a PowerShell command window.
• In the PowerShell command window, run 'Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process'. This enables executing a local unsigned PowerShell script in the current session only.
• Type the script name and press Enter to execute.
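As an added example of the approach the two slides above describe (not the paper's own script, which is not reproduced on this page), the following PowerShell performs the three steps listed: it isolates the security updates present on the machine, orders them newest-first, and uninstalls them through wusa.exe until it reaches a user-supplied KB number, which is kept. Assumptions not stated on the page: Get-HotFix labels security patches with the Description 'Security Update', reverse install order is approximated by InstalledOn with the KB number as a tie-breaker, and the VM check relies on common hypervisor model strings. An unrecognised KB number removes every security update, matching the behaviour reported on the next slide.

```powershell
# Added example, not the paper's script. Removes Windows security updates in
# reverse order down to (but not including) a user-chosen KB number via wusa.exe.
# Run from an elevated PowerShell window inside a lab VM.
param(
    # KB of the last update to KEEP, e.g. 'KB3000061'. An unknown KB removes all.
    [Parameter(Mandatory = $true)][string]$StopAtKB,
    # List what would be removed without calling wusa.exe.
    [switch]$DryRun
)

# Guard: refuse to run on anything that does not look like a VM.
# (Assumption: model strings of common hypervisors; adjust for your lab.)
$model = (Get-WmiObject Win32_ComputerSystem).Model
if ($model -notmatch 'Virtual|VMware|VirtualBox|KVM|QEMU|Hyper-V') {
    throw "Refusing to run: '$model' does not look like a virtual machine."
}

# Normalise the argument so '3000061' and 'KB3000061' both work.
$StopAtKB = 'KB' + ($StopAtKB -replace '^KB', '')

# 1. Isolate the security updates actually installed on this machine.
#    Assumption: reverse install order ~ InstalledOn descending, KB descending.
$security = @(Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' } |
    Sort-Object -Property @{Expression = 'InstalledOn'; Descending = $true},
                          @{Expression = 'HotFixID';    Descending = $true})

# 2. Cut the list at the user-specified KB (exclusive); unknown KB => remove all.
$ids = [string[]]($security | ForEach-Object { $_.HotFixID })
$idx = [array]::IndexOf($ids, $StopAtKB)
if ($idx -lt 0)      { $targets = $security }        # KB not present: remove everything
elseif ($idx -eq 0)  { $targets = @() }              # newest update is the stop point
else                 { $targets = @($security[0..($idx - 1)]) }

# 3. Uninstall each update in order. /quiet suppresses the confirmation dialogs
#    the paper ran into; /norestart defers the reboot until the loop finishes.
$removed = 0
foreach ($fix in $targets) {
    $kb = $fix.HotFixID -replace '^KB', ''
    if ($DryRun) { Write-Host "Would remove $($fix.HotFixID)"; continue }
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host "Removed $($fix.HotFixID)"; $removed++ }
        3010    { Write-Host "Removed $($fix.HotFixID) (reboot pending)"; $removed++ }
        default { Write-Warning "$($fix.HotFixID) not removed (wusa exit code $($p.ExitCode))" }
    }
}
Write-Host "$removed of $($targets.Count) security updates removed; reboot the VM to finish."
```

Usage from the elevated window, after the execution-policy step above: `.\Remove-Patches.ps1 -StopAtKB KB3000061 -DryRun` to preview, then without `-DryRun` to apply. Exit codes 0 and 3010 are wusa's success and reboot-required codes; anything else is reported and the loop continues, which is how updates that cannot be uninstalled are left behind rather than aborting the run.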
Removal of all Security Patches
• Entering an invalid KB number causes the script to remove all security patches
• On the Win7 VM, the first run removes 108 security updates but leaves 8 security updates untouched
• On a second run of the script, only 1 security update is left (KB2884256). This update cannot be uninstalled even manually
[Figure: installed updates list before patch removal, and after running the patch removal script]
Conclusion
In this paper, we propose a tool for cybersecurity educators to run penetration testing exercises on finely tuned vulnerable Windows systems. The prototype is a promising proof of concept: it can revert a virtual machine to a desired patch level through a lightweight, flexible script with minimal user input.